Revising keys for server, attempting to base server on bootc
This commit is contained in:
Ben Radey
@@ -10,25 +10,28 @@ WORKDIR /gocryptfs
|
|||||||
RUN ./build-without-openssl.bash
|
RUN ./build-without-openssl.bash
|
||||||
|
|
||||||
# ====== Stage 2: Server image ======
|
# ====== Stage 2: Server image ======
|
||||||
FROM quay.io/fedora/fedora-silverblue:43
|
FROM quay.io/fedora/fedora-bootc:43
|
||||||
|
|
||||||
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
|
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
|
||||||
|
|
||||||
# Install ZFS repository & build deps & zfs
|
COPY gpg-keys/* /keys/
|
||||||
RUN dnf5 install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
|
|
||||||
|
# Import keys, install ZFS repository & build deps & zfs
|
||||||
|
RUN rpm --import \
|
||||||
|
/keys/OpenZFS \
|
||||||
|
/keys/Smallstep \
|
||||||
|
/keys/zrepl-rpm-pkgs \
|
||||||
|
/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
|
||||||
|
rm -rf /keys && \
|
||||||
|
dnf5 install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
|
||||||
dnf5 install -y \
|
dnf5 install -y \
|
||||||
kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
|
kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
|
||||||
dnf5 install -y zfs && \
|
dnf5 install -y zfs && \
|
||||||
dkms autoinstall -k $(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}') && \
|
dkms autoinstall -k $(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}') && \
|
||||||
dnf5 clean all
|
dnf5 clean all
|
||||||
|
|
||||||
# Install zrepl repository
|
# Install smallstep & zrepl repository
|
||||||
COPY supermicro-x10drh/zrepl.asc /var/roothome/zrepl.asc
|
COPY supermicro-x10drh/*.repo /etc/yum.repos.d/
|
||||||
RUN rpm --import /var/roothome/zrepl.asc
|
|
||||||
COPY supermicro-x10drh/zrepl.repo /etc/yum.repos.d/zrepl.repo
|
|
||||||
|
|
||||||
# Install smallstep repository
|
|
||||||
COPY supermicro-x10drh/smallstep.repo /etc/yum.repos.d/smallstep.repo
|
|
||||||
|
|
||||||
RUN dnf5 install -y \
|
RUN dnf5 install -y \
|
||||||
ansible \
|
ansible \
|
||||||
@@ -67,6 +70,10 @@ RUN dnf5 install -y \
|
|||||||
RUN test -f /usr/lib/sysusers.d/libvirt.conf || echo -e 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf && \
|
RUN test -f /usr/lib/sysusers.d/libvirt.conf || echo -e 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf && \
|
||||||
test -f /usr/lib/sysusers.d/qat.conf || echo -e 'g qat 995' > /usr/lib/sysusers.d/qat.conf
|
test -f /usr/lib/sysusers.d/qat.conf || echo -e 'g qat 995' > /usr/lib/sysusers.d/qat.conf
|
||||||
|
|
||||||
# Cleanup image for linting & verify image is good
|
# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones from the base image).
|
||||||
RUN rm -rf /var /boot && mkdir /var /boot && \
|
# Any more than that means that dnf automatically added a new one, which is shady!
|
||||||
|
# Then: cleanup image for linting
|
||||||
|
# Finally: verify image is good
|
||||||
|
RUN [[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]] && \
|
||||||
|
rm -rf /var /boot && mkdir /var /boot && \
|
||||||
bootc container lint --fatal-warnings --skip baseimage-composefs
|
bootc container lint --fatal-warnings --skip baseimage-composefs
|
||||||
|
|||||||
@@ -0,0 +1,56 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBGLYiZQBEADFiO0tDOd+EOS2tLvLI+0fvX8xWPR+cohAnvMJFWciUt0ucN3c
|
||||||
|
XHkEwbTkZNzJJ3s2AIVzq+zhi8SF3t/y0VIiK4pba5OOp14HvzkxBPStPw6Q7KNG
|
||||||
|
x07QZxrQ5BwKW2IU1HNUm+bsj8pKjoYWFc2XAzvOR8I/247RyiNVHLD385oHRR6T
|
||||||
|
DQKv0ZLwEekokgqqtJwapjCm5nUmwxr4FmBQKzu7bHYS/hqv4q1z2d5YY23UQ9B0
|
||||||
|
gazILmenU/xgIHWkPl/7HHetq0zbFrgFao9TfRkaMHLubmX34N7xJD99wszy8ZR0
|
||||||
|
yf+b/16oQrNY3BRsD2ZMO5I3elRPYdaXvRvwuzYGVpULWdEEaDr2FaA+JnEJHZac
|
||||||
|
v9EdZhROROKIZI1BxPOeNxIlumAgSXTIvFIC2sRGWb7/a/WbI+N7bGXcMENn2s7d
|
||||||
|
+xiRHhAkdehqY6iWwLFX7jmueesL46Qzsaqn+547aHivuBxETPWuvLs+ANzmqBP4
|
||||||
|
T5NP2VVpux9in5VOP5JbE+kRZRH3HrTMQJBMIqFhUFYlkfFBbVDsgZLEFMBpNbZx
|
||||||
|
4+xcIp2Qe3ODv1+gL2ocOaYmPdMKDoLk/+qecDiZGChHJlUk2MWLEJ+yZ0ZN3RWw
|
||||||
|
hb+JB8xoJVTRQrOgToPHaVeRTSwRmwMTGICLIG3KRxZ6aKgBEfjqGyeKLwARAQAB
|
||||||
|
tB1PcGVuWkZTIDxyZWxlYXNlQG9wZW56ZnMub3JnPokCNwQTAQoAIQUCYtiJlAIb
|
||||||
|
AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRClmf1enbhBQTixD/9IxQ/StgUv
|
||||||
|
pf/qybWa38dEI2Iri+UvR6zy9Nja9SJ2rBrSF5umNNsuRxTD2qvbjNcvOt40sFoj
|
||||||
|
pM8aS8JO0Rv5ouMh/Kxbpn0fyzvXVpx3c/ulCHRC38Dnw9G/HijYwxGy+WbysbGF
|
||||||
|
HwxepI5MTdImbSJnteNx0q/2SPWCK+KdSTXcbKM113QDXM9b8mJFdOvRa0Mxfu0y
|
||||||
|
7qFz+yNmTDZ/tCNoWCCa4G3lmpDosCIjnDoHoethwVvf/M1THRYeXLT8SQEOXJDp
|
||||||
|
gT5K0ffzFbqnbio+3r4EDjCZFM+ZKfaRb5kSDdt+xYreW6Q35OIsoVZsEHeAy+J8
|
||||||
|
gmk2HGmHCZ8nzO2iUFkq4OQWtOubmYpSB49CDn8zEplhy72BNFL6MTBH9RsaLOBH
|
||||||
|
uJbmZFwrFRA6aq5c/NKY2PsgWlxKx3no2grScQC/VmGWu1YZ/rnkiPSf2l+PmFWo
|
||||||
|
EvJyElSj52NmpJv0KfggDNGm4j7Axo9uxRMetO0g0Ee1xS0d2ApcpgCd5DmRYcEt
|
||||||
|
bUoj/qDdtlTJSLJLClWswEjxYM54NmPE2/Fp8qv58iFJgQsrgaB9RK0VShA8+zK2
|
||||||
|
/lbv7aTlQ1SUBdryvMXb9W+xupjzBW1M4rJACZyJegQlnuBYmtlcYW2RarESWmEY
|
||||||
|
5vBCc5OBlsKFDLkmHITiFIvotDsDsDS+tokBHAQQAQoABgUCYtiNdgAKCRCp1aHA
|
||||||
|
8Uq2IM4EB/oCB0Wwysk08Xgl3nfpZccliG+QSL8Rj4FVV/eJUq+V8kxlkFDGeql/
|
||||||
|
f5Qhji0ma8jIJyB8gsi6g/3HVJK7ry5XwHWBPyTv6NR+PrfB2tGrbN7S4R+S5rd7
|
||||||
|
yfgRkvsP7+DjUQcMkzY8oXvy0YR84QcO2f+zcqZmY6trwn+p1S4HNjpG/28vZrix
|
||||||
|
Ytdogg8b9F1OFtfJiCQABC1XnT3R8mvIcwCjtkvwJY8L30CNkBZ6svOyVfRVsEG1
|
||||||
|
HQl1bPo8LTLpDQU52uC41J89i0heBxv9tIUTrbxJIPx5l9QvQYSJ8pKTRxyAFrlR
|
||||||
|
n5ANBdk+deEpazZWoZmbDVsPMYXnTwzGuQINBGLYiZQBEACyqsd/q4GWA8MJuk2h
|
||||||
|
q/qqKGBf6xU3GBPDm0CF0EWB1sTKx17Rl9cwe7wyDrB0iw4w4bcfujO/k7y6rNGQ
|
||||||
|
7PuBpG17dMsQM9H5DBPptO0e00jn5DBNcgSvgTSJpXIzC0VBrfPRDTpZmBP6GWuI
|
||||||
|
/Xqa8RahhpEZmXOqxfOi1qZsD8+gDAv2G595025/9nf/KfbYZTibVWurkzHx/URG
|
||||||
|
GASMnip3Y0q7Plo3CjEP28EvtyK3fA+OpCOuHYbhJVJGKsVszP/ZRppjjh2yS4hz
|
||||||
|
EB6u41Zv0h5/imBFxMyCF3Q44ZvxeMyEXRZG9Omh7swqu3HW/BspEnefxCvc+zp5
|
||||||
|
CW6Pjs5yVx4CKzb+Uo7fR7tnUwbKXvUnKJLWO+POFUn7sc3wtY8WpS9XSXIfwLHX
|
||||||
|
oiDqirGO3sKG/Mm9ydQL794zykjm6tM32A1VJT7Lz9eLAyo4BQl04X8na/O+kBbR
|
||||||
|
0LB7EEhpHokx5cD3NALfKa6S7ZK0/rsrH5n/7RsKnEunyoUjViOnSRbfuz19bV7b
|
||||||
|
A6SxrLkY+RRW7GVUHvPIYwOAlifCUQVFnezc9HEMMr5aM0D0PppKwDoJhisLttQN
|
||||||
|
FLp9pagcIAg7bxTtvRPJxPgXSeAbI0WOYpyD1dHy4YN1OpY4x0kONB+6rxAKEwUp
|
||||||
|
HzDmDSXXLYcFyXFDiNDPwWTaKwARAQABiQIeBBgBCgAJBQJi2ImUAhsMAAoJEKWZ
|
||||||
|
/V6duEFBeP8P9Ah4NUIX9AetziaKsG9nxMSc6O1C3BFr05ZRXT1ochHlJZEkI850
|
||||||
|
EdLZv5e6cxO4Xuobb0DsdmsMavd0v739SpBqzXh+xvr5Y7JmwTiMzTrcJumHEVbs
|
||||||
|
9bUxCIrB2ORgbR3ZrgCK2tjB8EtTQRAaDnh3UdQIY58KVpgVLtY1uOEuP3Vi76i+
|
||||||
|
RgPZtLSooPrIyL9uFD3bfn5Ebuml2mHlw/MEBTLCMh2gKqnYzYbB1C7OmqwM5RtM
|
||||||
|
SeVWFTctFHo/P9nkE8OSr29MCx7MKalYrS1rU6O8Cg2S7CIOQ/MHpepcs8Z7M1jn
|
||||||
|
suYWBkgzX/hnOwCNkoWQv/LRh9HTcRe4bYctsGKb35dUAArah0xB2BpQ+srw5IOf
|
||||||
|
C2spzYmFB2rx/wNSftEmAT7YwDlhFsS0/fGAPkW6Um2h3H0L2lLVG5XgBbfpY1my
|
||||||
|
o80d20LSVbvftDhAeR9/Dj3Plgve5tIdUZLNN6CXmAUJYlGkLdv03hQ69lIFkwPO
|
||||||
|
dn3ycQkk86Pnwt+DY2nUHsxFcEstZIASCr+htCv2YI/MYDWfDpO7j2TfCqspXV+7
|
||||||
|
FgeCqkEZ1d8uha1/3VQmGXKHOQwc2YZ42k+at8LzlgseGdez+OBh4rc2WM3csB34
|
||||||
|
yBGA1C8bQc8pIpWQ/eR8VGdmg1BYhrrSlyhepSjhBZ3UP3HjPL9WhoA=
|
||||||
|
=g37Q
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
@@ -0,0 +1,35 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mDMEY26u4hYJKwYBBAHaRw8BAQdA7LMqWx9TbSPUghA98U/9B8J/GYk8DENiYUod
|
||||||
|
fuHDALC0J1NtYWxsc3RlcCBPcHMgPHRlY2hhZG1pbkBzbWFsbHN0ZXAuY29tPoiO
|
||||||
|
BBMWCgA2FiEEeOgokNQNXTl9GTmfiJsZOR93REMFAmNuruICGwMECwkIBwQVCgkI
|
||||||
|
BRYCAwEAAh4FAheAAAoJEIibGTkfd0RDQSsBAOhuUfoizetfeAVoJUwn1Px1h+OD
|
||||||
|
dQNpzf8o2tF+fwm8AP428LeFCZG5LQQXk5SZFCcOvfQU6fpk1Zd8TlsaREDWDrkC
|
||||||
|
DQRjbq9xARAAux27pk6Zw+4PoOBw+s0jUbbPZwyo3jTzJgxv9pH96kofY13xAuD8
|
||||||
|
T2m5wh7/ZHmg1IBTXL3pwgxGs28RF4YjQgfwk2svvcBNpG221Tci1M6Yg8zwqNfy
|
||||||
|
Z2KSAEGfoazITOdcAj4IhAiR9oZ8GE6ODN3T77VEavsGy1q8OgVrRlQuz418LSsd
|
||||||
|
oVH75wPIDNrj0IRCHj8SI/1aZhDsZCbiIT9w7QQI1rtKqxZVUe5MtHSQmQb7lLvq
|
||||||
|
HBkfJHgr+qLMw/7w7PVSZ62aZ5UlnE+gtSAxjGEqPzexMiikMkZ3pmC0u+R5h9dE
|
||||||
|
wawHSYWcgRluIeeKJ5q/xxx1PtYaGCBqBrubBI1xEhgOBbdFmhZnfJYRSYXkxWtX
|
||||||
|
PIeZeHWoeteuMtlmEza91kU3ypcxLLGMbkAHpon92amj1lVre9yZOCRliLfoHTa3
|
||||||
|
HWgrjqjGCYk+4fxxjLxcm0GMXc/R0rPn2ISVhPM+3uic0EECya36IBCN6CR7cy7Z
|
||||||
|
MSzU/ycEuTBCpqoCMiyxpVsnrkIAoesHD/znoB4rv8FM6sJpE4nA7PSXdcdGOf/j
|
||||||
|
F2pJLgLAaLyoKflvYJ+g8mPJMwWw+FmUV7PgVIl/vajDiULD6T+B7DQfWszXSdqG
|
||||||
|
HQvHTv9zh1C4+hFRRiseY24o5577COgzwLK56j7Afzh1uBMyoO5wRKsAEQEAAYkC
|
||||||
|
rgQYFgoAIBYhBHjoKJDUDV05fRk5n4ibGTkfd0RDBQJjbq9xAhsCAkAJEIibGTkf
|
||||||
|
d0RDwXQgBBkBCgAdFiEExj6yRTZfoHtxBoBJHkOFnLhVIjwFAmNur3EACgkQHkOF
|
||||||
|
nLhVIjx/lhAAtj+HraJ5i8WzYFvmdYXq8klQIh7gC8cNPJP6+JML0rEEyrZOlA6t
|
||||||
|
rpFHpYLO2qAbH9anDceOAIiqL5TBZ406BhTVitU29S/XjL570r0JiXbfxokV31If
|
||||||
|
e2GyxMbPDmIH8JzyVCDRG1xI+pHPytJqa09C2YJSLXrN1jTRx66TlzRzD52JOB05
|
||||||
|
TcICEuJvl0nnBmvLLjLkI7JJ1qFiZSsv39ceoLPQxYf0/WkXzBAkS9ij52xNWhJP
|
||||||
|
RSX6/wlu1FcZ1uhTC8ZYkPhSf1wtimdNSef056FH3FokrLOdRTBz61nXv85rpJYy
|
||||||
|
xXnoVFJgUeUKXurO7Wkdvo620VqYOWgiF0AQpSk4yinCiYlj8QkUbX13C2p3tnKh
|
||||||
|
WtzS4/oRu9/fReaY3Lx6ILL204Tnn9Tgn+FEAL+P5pioUcUMrui5IUChMzlreKuT
|
||||||
|
mXBOu2gbq5kS0qfY61xfJrsI+ShpfHyW51QaH8tei3l4QeJlrExKFo4oyZOhbFOK
|
||||||
|
P3hBOkfPL0N7fYb9qj2zhBsdhVWUbFvUG4UofY6f9Wgch7IVzy57yNfxrDq7Ctul
|
||||||
|
wd2S6YgJ2qXppFedNlykehlIWpH3bpXQ9kUyhvwWCTqaNW/q1FzsF2V7LsK0vHsV
|
||||||
|
XgewEYGB+XCDZ/AznaiBQr5jS7ynDeC8vOL+FB7XRxATbc46W6QQ7gph1wEAi35H
|
||||||
|
YS9tkQp7dOKrIUW2DxzG9pKhXMhGTqtpjVNd8doA/0IpycvsqLpY7Jfxb2CT3s+C
|
||||||
|
Z6N4GhcQKQkHVsV4Nm4P
|
||||||
|
=YjzQ
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
Reference in New Issue
Block a user