It seems as though the `/usr/share/keyrings/debian-archive-keyring.gpg`
on Debian 13/trixie is actually a symlink to
`debian-archive-keyring.pgp` in the same directory. This means that the
`cp -a` in `mkimage` copies the symlink and not the actual keyring,
resulting in the following error:

```
E: specified keyring file (/<tmpdir>/debian-archive-keyring.gpg) not found
```

Using `cp -aL` ensures the file that is the symlink source actually gets
copied.

Signed-off-by: John Kristensen <john@jerrykan.com>

The `update-rc.d` command in the `init-system-helpers` package is
required by the `linux-util` postinst script, but `init-system-helpers`
doesn't seem to be installed by default in 11/bullseye.

The suite name for the updates repository has also changed in
11/bullseye.

/usr/share/doc contains a structure that might be like
```
foo/copyright
foo/other
bar -> foo
```
In this case we want to delete `foo/other`, but leave `bar` alone.
The previous code would delete `bar` as it is not a directory.
However, the structure of `/usr/share/doc` is such that the first
level is a per-package directory (or symlink) and the directory
contains the files. We therefore want to only consider files in the
package directories, so look a level further down the tree before
deleting.
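
The pruning rule described above, as an added shell example that is not part of the commit or the project's script: `prune_docs_naive` reproduces the earlier behaviour the message describes, and `prune_docs` only considers entries inside the package directories. The function names and the sample tree are constructed for illustration, and GNU `find` is assumed for `-mindepth`, `-empty` and `-delete`.

```shell
#!/bin/sh
# Added example: prune a /usr/share/doc-style tree, keeping copyright files
# and top-level package symlinks. All paths are constructed sample data.

# Earlier behaviour as described: every non-directory not named "copyright"
# is removed, which includes a top-level symlink such as bar -> foo.
prune_docs_naive() {
    find "$1" ! -type d ! -name copyright -delete
}

# Depth-aware version: only entries at depth 2 or below are candidates.
# find does not follow symlinks by default, so bar -> foo is neither
# removed nor descended into.
prune_docs() {
    find "$1" -mindepth 2 ! -type d ! -name copyright -delete
    # Remove subdirectories left empty by the first pass (e.g. foo/examples).
    find "$1" -mindepth 2 -type d -empty -delete
}

# Build the sample layout from the message in a fresh temporary directory.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/foo/examples"
    echo "licence text" > "$d/foo/copyright"
    echo "readme" > "$d/foo/other"
    echo "demo" > "$d/foo/examples/demo.txt"
    ln -s foo "$d/bar"
    echo "$d"
}

# Run both variants on identical trees and list what survives.
demo() {
    for fn in prune_docs_naive prune_docs; do
        root=$(make_sample) || return 1
        "$fn" "$root"
        echo "== $fn"
        (cd "$root" && find . -mindepth 1 | sort)
        rm -rf "$root"
    done
}

demo
```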

These depend on the build environment, but differences
don't show up inside the docker image as docker sets the
content of these files when starting a container.

We can put static values in the files to stop the image
layers differing without affecting the running containers
in any way.

This wasn't caught by the reproducibility check as the values
will be pretty static when built on the same host. (hostname
will be fixed, and resolv.conf will only change if the networking
configuration changes enough, and that is unlikely to happen)

The builds were reproducible provided they were done on the same day.
However if they were done on different days they had different dates
in /etc/shadow and so changed. This meant that the images were
updated every day, and sometimes the reproducibility check would
fail if the day ticked over between the builds.

Tweak the tests so that they use default-mysql-server
on newer dists as it replaced the mysql-server package.

Also add explicit import of the buster signing key
as the Travis agent doesn't have it available.

Thanks to Filippo Giunchedi (@filippog) for the initial
work on this.

Change the mkimage script so that the produced image is
reproducible. This involves:

- removing the ldconfig aux-cache as it changes on every build.
- set the mtimes of the files to a specific date so that the
  resulting tar file will have the same contents.
- The `strings` guard around the unsafe-io tweak seems to be
  non-deterministic. It was sometimes not adding the tweak
  for the same file. Remove it as we don't care about older
  than jessie.
- Importing the image by constructing a docker image with
  a specific timestamp and doing `docker load`.

Also change the buildall script to build each image twice and
confirm that the same tarball is produced, and that results
in the layers in the imported images matching.

Add a dockerdiff script that checks that two images are equivalent,
and tries to show the differences if not. This is useful when the
build script reports differences, as it can point to what the
differences are.

We were using a bashism in install_packages, but it was
a `/bin/sh` script. This meant there was a syntax error, but
it didn't kill the script so it would loop forever.

Add a test for the install_packages loop by installing something
that doesn't exist. This will trigger the loop, and should hit
the maximum loop count and error out. If it doesn't then the timeout
command will kill it and the test will fail. Using a timeout
isn't ideal, but better than looping forever.

Also clean up the test script a little bit and print a description
of each test before running it.

Sometimes apt will fail due to a transient network issue. Often that
will be fixed by retrying.

This is particularly useful as part of an automated build pipeline.

sysv-rc and util-linux are used in the postinst scripts
of some packages, and so those packages won't install
if they aren't available.

sysv-rc contains update-rc.d, so any package that installs
a service would fail to install. Those packages are common
to install in to containers.

util-linux contains the getopt command which some scripts
expect to find.

Some licences require that the binaries be shipped with a copy
of the license. Debian does this in the copyright files in
/usr/share/doc. We need to leave those files there to keep
the image distributable.