scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-08 22:33:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e8b5be6e83099043a4aa51460154940af3ee7ce2
secureblue/scripts/build.sh
Arcitec e8b5be6e83 fix!: optimize container layers and reduce image size 
Every individual RUN, COPY and ADD action creates an extra container layer, so there was plenty of room for improvement in our Containerfile.

This optimization gets rid of 4 useless layers from our final container image, and shrinks the final OCI download size as follows:

- Removing the "mkdir /tmp/scripts" layer. It's not necessary to manually create the target directory for the container copy action.

- Removing the manual "chmod +x" for the scripts, and putting that step inside "build.sh" instead.

- Removing the manual copying of "build.sh", by instead placing it at "scripts/build.sh" so that it's automatically copied together with all the other scripts in one layer instead.

- Removing the separate "chmod +x build.sh && run build script" step by merging it with the "cleanup temp files and then finalize the container" step, so that we don't create a pointless extra filesystem layer just for the build.sh script execution.

These changes also reduce the size of the final image, because we're cleaning up the image in the exact same step that we run the "build.sh". If we didn't combine these steps, we'd still be keeping a useless extra layer with all the /tmp/ and /var/ junk files that were left over after the build.

Most seriously, the "/var/cache" folder contained copies of ALL RPM FILES that build.sh installed via "rpm-ostree install". This meant that we were generating a very big layer with a lot of junk data that shipped in the final image.

Our build now only generates 7 layers (instead of 11), and users will have a much smaller OCI download since we aren't shipping the cached RPM "build leftovers" or temp files via useless extra layers anymore.
2023-05-20 08:07:46 +00:00

110 lines
3.9 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
# Helper functions.
RECIPE_FILE="/usr/share/ublue-os/recipe.yml"
get_yaml_array() {
mapfile -t "${1}" < <(yq -- "${2}" "${RECIPE_FILE}")
}
get_yaml_string() {
yq -- "${1}" "${RECIPE_FILE}"
}
# Automatically determine which Fedora version we're building.
FEDORA_VERSION="$(cat /usr/lib/os-release | grep '^VERSION_ID=' | head -1 | sed 's,^VERSION_ID=,,')"
# Read configuration variables.
BASE_IMAGE="$(get_yaml_string '.base-image')"
YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
# Welcome.
echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
# Add custom repos.
get_yaml_array repos '.rpm.repos[]'
if [[ ${#repos[@]} -gt 0 ]]; then
echo "-- Adding repos defined in recipe.yml --"
for repo in "${repos[@]}"; do
repo="${repo//%FEDORA_VERSION%/${FEDORA_VERSION}}"
wget "${repo}" -P "/etc/yum.repos.d/"
done
echo "---"
fi
# Ensure that all script files are executable.
find /tmp/scripts -type f -exec chmod +x {} \;
# Run "pre" scripts.
run_scripts() {
script_mode="$1"
get_yaml_array buildscripts ".scripts.${script_mode}[]"
if [[ ${#buildscripts[@]} -gt 0 ]]; then
echo "-- Running [${script_mode}] scripts defined in recipe.yml --"
for script in "${buildscripts[@]}"; do
echo "Running [${script_mode}]: ${script}"
"/tmp/scripts/${script}" "${script_mode}"
done
echo "---"
fi
}
run_scripts "pre"
# Remove RPMs.
get_yaml_array remove_rpms '.rpm.remove[]'
if [[ ${#remove_rpms[@]} -gt 0 ]]; then
echo "-- Removing RPMs defined in recipe.yml --"
echo "Removing: ${remove_rpms[@]}"
rpm-ostree override remove "${remove_rpms[@]}"
echo "---"
fi
# Install RPMs.
get_yaml_array install_rpms '.rpm.install[]'
if [[ ${#install_rpms[@]} -gt 0 ]]; then
echo "-- Installing RPMs defined in recipe.yml --"
echo "Installing: ${install_rpms[@]}"
rpm-ostree install "${install_rpms[@]}"
echo "---"
fi
# Toggle yafti, which provides the "first boot" experience, https://github.com/ublue-os/yafti.
FIRSTBOOT_DATA="/usr/share/ublue-os/firstboot"
FIRSTBOOT_LINK="/usr/etc/profile.d/ublue-firstboot.sh"
if [[ "${YAFTI_ENABLED}" == "true" ]]; then
echo "-- firstboot: Installing and enabling \"yafti\" --"
pip install --prefix=/usr yafti
# Create symlink to our profile script, which creates the per-user "autorun yafti" links.
mkdir -p "$(dirname "${FIRSTBOOT_LINK}")"
ln -s "${FIRSTBOOT_DATA}/launcher/login-profile.sh" "${FIRSTBOOT_LINK}"
else
echo "-- firstboot: Removing all \"firstboot\" components --"
# Removes the script symlink that creates the per-user autostart symlinks.
# We must forcibly remove this here, in case it was added by an upstream image.
rm -f "${FIRSTBOOT_LINK}"
# Remove all of the launcher-scripts and yafti config, to de-clutter image and
# ensure it can't run by accident due to lingering symlinks or upstream image.
rm -rf "${FIRSTBOOT_DATA}"
fi
# Add a new yafti "package group" called Custom, for the packages defined in recipe.yml.
# Only adds the package group if yafti is enabled and Flatpaks are defined in the recipe.
if [[ "${YAFTI_ENABLED}" == "true" ]]; then
YAFTI_FILE="${FIRSTBOOT_DATA}/yafti.yml"
get_yaml_array flatpaks '.firstboot.flatpaks[]'
if [[ ${#flatpaks[@]} -gt 0 ]]; then
echo "-- yafti: Adding Flatpaks defined in recipe.yml --"
yq -i '.screens.applications.values.groups.Custom.description = "Flatpaks suggested by the image maintainer."' "${YAFTI_FILE}"
yq -i '.screens.applications.values.groups.Custom.default = true' "${YAFTI_FILE}"
for pkg in "${flatpaks[@]}"; do
echo "Adding to yafti: ${pkg}"
yq -i ".screens.applications.values.groups.Custom.packages += [{\"${pkg}\": \"${pkg}\"}]" "${YAFTI_FILE}"
done
echo "---"
fi
fi
# Run "post" scripts.
run_scripts "post"
Reference in New Issue View Git Blame Copy Permalink