.gitlab-ci/create-rootfs.sh

   1 #!/bin/bash
   2
   3 set -ex
   4
   5 LLVM=libllvm8
   6
   7 # LLVMPipe on armhf is broken with LLVM 8
   8 if [ `dpkg --print-architecture` = "armhf" ]; then
   9         LLVM=libllvm7
  10 fi
  11
  12 apt-get -y install --no-install-recommends \
  13     initramfs-tools \
  14     libpng16-16 \
  15     strace \
  16     libsensors5 \
  17     libexpat1 \
  18     libdrm2 \
  19     libdrm-nouveau2 \
  20     $LLVM
  21 passwd root -d
  22 chsh -s /bin/sh
  23 ln -s /bin/sh /init
  24
  25 #######################################################################
  26 # Strip the image to a small minimal system without removing the debian
  27 # toolchain.
  28
  29 # Copy timezone file and remove tzdata package
  30 rm -rf /etc/localtime
  31 cp /usr/share/zoneinfo/Etc/UTC /etc/localtime
  32
  33 UNNEEDED_PACKAGES="libfdisk1
  34                    tzdata
  35                    diffutils"
  36
  37 export DEBIAN_FRONTEND=noninteractive
  38
  39 # Removing unused packages
  40 for PACKAGE in ${UNNEEDED_PACKAGES}
  41 do
  42         echo ${PACKAGE}
  43         if ! apt-get remove --purge --yes "${PACKAGE}"
  44         then
  45                 echo "WARNING: ${PACKAGE} isn't installed"
  46         fi
  47 done
  48
  49 apt-get autoremove --yes || true
  50
  51 # Dropping logs
  52 rm -rf /var/log/*
  53
  54 # Dropping documentation, localization, i18n files, etc
  55 rm -rf /usr/share/doc/*
  56 rm -rf /usr/share/locale/*
  57 rm -rf /usr/share/man
  58 rm -rf /usr/share/i18n/*
  59 rm -rf /usr/share/info/*
  60 rm -rf /usr/share/lintian/*
  61 rm -rf /usr/share/common-licenses/*
  62 rm -rf /usr/share/mime/*
  63
  64 # Dropping reportbug scripts
  65 rm -rf /usr/share/bug
  66
  67 # Drop udev hwdb not required on a stripped system
  68 rm -rf /lib/udev/hwdb.bin /lib/udev/hwdb.d/*
  69
  70 # Drop all gconv conversions && binaries
  71 rm -rf usr/bin/iconv
  72 rm -rf usr/sbin/iconvconfig
  73 rm -rf usr/lib/*/gconv/
  74
  75 # Remove libusb database
  76 rm -rf usr/sbin/update-usbids
  77 rm -rf var/lib/usbutils/usb.ids
  78 rm -rf usr/share/misc/usb.ids
  79
  80 #######################################################################
  81 # Crush into a minimal production image to be deployed via some type of image
  82 # updating system.
  83 # IMPORTANT: The Debian system is not longer functional at this point,
  84 # for example, apt and dpkg will stop working
  85
  86 UNNEEDED_PACKAGES="apt libapt-pkg5.0 "\
  87 "ncurses-bin ncurses-base libncursesw5 libncurses5 "\
  88 "perl-base "\
  89 "debconf libdebconfclient0 "\
  90 "e2fsprogs e2fslibs libfdisk1 "\
  91 "insserv "\
  92 "udev "\
  93 "init-system-helpers "\
  94 "bash "\
  95 "cpio "\
  96 "passwd "\
  97 "libsemanage1 libsemanage-common "\
  98 "libsepol1 "\
  99 "gzip "\
 100 "gpgv "\
 101 "hostname "\
 102 "adduser "\
 103 "debian-archive-keyring "\
 104
 105 # Removing unneeded packages
 106 for PACKAGE in ${UNNEEDED_PACKAGES}
 107 do
 108         echo "Forcing removal of ${PACKAGE}"
 109         if ! dpkg --purge --force-remove-essential --force-depends "${PACKAGE}"
 110         then
 111                 echo "WARNING: ${PACKAGE} isn't installed"
 112         fi
 113 done
 114
 115 # Show what's left package-wise before dropping dpkg itself
 116 COLUMNS=300 dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n
 117
 118 # Drop dpkg
 119 dpkg --purge --force-remove-essential --force-depends  dpkg
 120
 121 # No apt or dpkg, no need for its configuration archives
 122 rm -rf etc/apt
 123 rm -rf etc/dpkg
 124
 125 # Drop directories not part of ostree
 126 # Note that /var needs to exist as ostree bind mounts the deployment /var over
 127 # it
 128 rm -rf var/* opt srv share
 129
 130 # ca-certificates are in /etc drop the source
 131 rm -rf usr/share/ca-certificates
 132
 133 # No bash, no need for completions
 134 rm -rf usr/share/bash-completion
 135
 136 # No zsh, no need for comletions
 137 rm -rf usr/share/zsh/vendor-completions
 138
 139 # drop gcc-6 python helpers
 140 rm -rf usr/share/gcc-6
 141
 142 # Drop sysvinit leftovers
 143 rm -rf etc/init.d
 144 rm -rf etc/rc[0-6S].d
 145
 146 # Drop upstart helpers
 147 rm -rf etc/init
 148
 149 # Various xtables helpers
 150 rm -rf usr/lib/xtables
 151
 152 # Drop all locales
 153 # TODO: only remaining locale is actually "C". Should we really remove it?
 154 rm -rf usr/lib/locale/*
 155
 156 # partition helpers
 157 rm usr/sbin/*fdisk
 158
 159 # local compiler
 160 rm usr/bin/localedef
 161
 162 # Systemd dns resolver
 163 find usr etc -name '*systemd-resolve*' -prune -exec rm -r {} \;
 164
 165 # Systemd network configuration
 166 find usr etc -name '*networkd*' -prune -exec rm -r {} \;
 167
 168 # systemd ntp client
 169 find usr etc -name '*timesyncd*' -prune -exec rm -r {} \;
 170
 171 # systemd hw database manager
 172 find usr etc -name '*systemd-hwdb*' -prune -exec rm -r {} \;
 173
 174 # No need for fuse
 175 find usr etc -name '*fuse*' -prune -exec rm -r {} \;
 176
 177 # lsb init function leftovers
 178 rm -rf usr/lib/lsb
 179
 180 # Only needed when adding libraries
 181 rm usr/sbin/ldconfig*
 182
 183 # Games, unused
 184 rmdir usr/games
 185
 186 # Remove pam module to authenticate against a DB
 187 # plus libdb-5.3.so that is only used by this pam module
 188 rm usr/lib/*/security/pam_userdb.so
 189 rm usr/lib/*/libdb-5.3.so
 190
 191 # remove NSS support for nis, nisplus and hesiod
 192 rm usr/lib/*/libnss_hesiod*
 193 rm usr/lib/*/libnss_nis*
 194
 195 rm bin/tar