.gitlab-ci/create-rootfs.sh

   1 #!/bin/sh
   2
   3 set -ex
   4
   5 apt-get -y install --no-install-recommends initramfs-tools libpng16-16 strace libsensors5 libexpat1 libdrm2
   6 passwd root -d
   7 chsh -s /bin/sh
   8 ln -s /bin/sh /init
   9
  10 #######################################################################
  11 # Strip the image to a small minimal system without removing the debian
  12 # toolchain.
  13
  14 # Copy timezone file and remove tzdata package
  15 rm -rf /etc/localtime
  16 cp /usr/share/zoneinfo/Etc/UTC /etc/localtime
  17
  18 UNNEEDED_PACKAGES="libfdisk1
  19                    tzdata
  20                    diffutils"
  21
  22 export DEBIAN_FRONTEND=noninteractive
  23
  24 # Removing unused packages
  25 for PACKAGE in ${UNNEEDED_PACKAGES}
  26 do
  27         echo ${PACKAGE}
  28         if ! apt-get remove --purge --yes "${PACKAGE}"
  29         then
  30                 echo "WARNING: ${PACKAGE} isn't installed"
  31         fi
  32 done
  33
  34 apt-get autoremove --yes || true
  35
  36 # Dropping logs
  37 rm -rf /var/log/*
  38
  39 # Dropping documentation, localization, i18n files, etc
  40 rm -rf /usr/share/doc/*
  41 rm -rf /usr/share/locale/*
  42 rm -rf /usr/share/man
  43 rm -rf /usr/share/i18n/*
  44 rm -rf /usr/share/info/*
  45 rm -rf /usr/share/lintian/*
  46 rm -rf /usr/share/common-licenses/*
  47 rm -rf /usr/share/mime/*
  48
  49 # Dropping reportbug scripts
  50 rm -rf /usr/share/bug
  51
  52 # Drop udev hwdb not required on a stripped system
  53 rm -rf /lib/udev/hwdb.bin /lib/udev/hwdb.d/*
  54
  55 # Drop all gconv conversions && binaries
  56 rm -rf usr/bin/iconv
  57 rm -rf usr/sbin/iconvconfig
  58 rm -rf usr/lib/*/gconv/
  59
  60 # Remove libusb database
  61 rm -rf usr/sbin/update-usbids
  62 rm -rf var/lib/usbutils/usb.ids
  63 rm -rf usr/share/misc/usb.ids
  64
  65 #######################################################################
  66 # Crush into a minimal production image to be deployed via some type of image
  67 # updating system.
  68 # IMPORTANT: The Debian system is not longer functional at this point,
  69 # for example, apt and dpkg will stop working
  70
  71 UNNEEDED_PACKAGES="apt libapt-pkg5.0 "\
  72 "ncurses-bin ncurses-base libncursesw5 libncurses5 "\
  73 "perl-base "\
  74 "debconf libdebconfclient0 "\
  75 "e2fsprogs e2fslibs libfdisk1 "\
  76 "insserv "\
  77 "udev "\
  78 "init-system-helpers "\
  79 "bash "\
  80 "cpio "\
  81 "passwd "\
  82 "libsemanage1 libsemanage-common "\
  83 "libsepol1 "\
  84 "gzip "\
  85 "gnupg "\
  86 "gpgv "\
  87 "hostname "\
  88 "adduser "\
  89 "debian-archive-keyring "\
  90 "libgl1 libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libegl-mesa0 libgles2 "\
  91 "libllvm7 "\
  92 "libx11-data libthai-data "\
  93 "systemd dbus "\
  94
  95 # Removing unneeded packages
  96 for PACKAGE in ${UNNEEDED_PACKAGES}
  97 do
  98         echo "Forcing removal of ${PACKAGE}"
  99         if ! dpkg --purge --force-remove-essential --force-depends "${PACKAGE}"
 100         then
 101                 echo "WARNING: ${PACKAGE} isn't installed"
 102         fi
 103 done
 104
 105 # Show what's left package-wise before dropping dpkg itself
 106 COLUMNS=300 dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n
 107
 108 # Drop dpkg
 109 dpkg --purge --force-remove-essential --force-depends  dpkg
 110
 111 # No apt or dpkg, no need for its configuration archives
 112 rm -rf etc/apt
 113 rm -rf etc/dpkg
 114
 115 # Drop directories not part of ostree
 116 # Note that /var needs to exist as ostree bind mounts the deployment /var over
 117 # it
 118 rm -rf var/* opt srv share
 119
 120 # ca-certificates are in /etc drop the source
 121 rm -rf usr/share/ca-certificates
 122
 123 # No bash, no need for completions
 124 rm -rf usr/share/bash-completion
 125
 126 # No zsh, no need for comletions
 127 rm -rf usr/share/zsh/vendor-completions
 128
 129 # drop gcc-6 python helpers
 130 rm -rf usr/share/gcc-6
 131
 132 # Drop sysvinit leftovers
 133 rm -rf etc/init.d
 134 rm -rf etc/rc[0-6S].d
 135
 136 # Drop upstart helpers
 137 rm -rf etc/init
 138
 139 # Various xtables helpers
 140 rm -rf usr/lib/xtables
 141
 142 # Drop all locales
 143 # TODO: only remaining locale is actually "C". Should we really remove it?
 144 rm -rf usr/lib/locale/*
 145
 146 # partition helpers
 147 rm usr/sbin/*fdisk
 148
 149 # local compiler
 150 rm usr/bin/localedef
 151
 152 # Systemd dns resolver
 153 find usr etc -name '*systemd-resolve*' -prune -exec rm -r {} \;
 154
 155 # Systemd network configuration
 156 find usr etc -name '*networkd*' -prune -exec rm -r {} \;
 157
 158 # systemd ntp client
 159 find usr etc -name '*timesyncd*' -prune -exec rm -r {} \;
 160
 161 # systemd hw database manager
 162 find usr etc -name '*systemd-hwdb*' -prune -exec rm -r {} \;
 163
 164 # No need for fuse
 165 find usr etc -name '*fuse*' -prune -exec rm -r {} \;
 166
 167 # lsb init function leftovers
 168 rm -rf usr/lib/lsb
 169
 170 # Only needed when adding libraries
 171 rm usr/sbin/ldconfig*
 172
 173 # Games, unused
 174 rmdir usr/games
 175
 176 # Remove pam module to authenticate against a DB
 177 # plus libdb-5.3.so that is only used by this pam module
 178 rm usr/lib/*/security/pam_userdb.so
 179 rm usr/lib/*/libdb-5.3.so
 180
 181 # remove NSS support for nis, nisplus and hesiod
 182 rm usr/lib/*/libnss_hesiod*
 183 rm usr/lib/*/libnss_nis*
 184
 185 rm bin/tar