From d5b80b6a03abfd6897b14a54716405ca7a67030d Mon Sep 17 00:00:00 2001
From: Tom Alexander <tom@fizz.buzz>
Date: Sat, 5 Feb 2022 14:24:32 -0500
Subject: [PATCH] Initial work for building alpine image.

We are downloading a base alpine filesystem and launching a jail inside of it. Still need to install docker, build an initfs, set up EFI, and actually dump it all into an image.
---
 scripts/build_image/build_alpine.bash | 175 ++++++++++++++++++++++++++
 1 file changed, 175 insertions(+)
 create mode 100755 scripts/build_image/build_alpine.bash

diff --git a/scripts/build_image/build_alpine.bash b/scripts/build_image/build_alpine.bash
new file mode 100755
index 0000000..d6c46f7
--- /dev/null
+++ b/scripts/build_image/build_alpine.bash
@@ -0,0 +1,175 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+############## Setup #########################
+
+function cleanup {
+    for f in "${folders[@]}"; do
+        >&2 echo "Deleting $f"
+        rm -rf "$f"
+    done
+}
+folders=()
+for sig in EXIT INT QUIT HUP TERM; do
+  trap "set +e; cleanup" "$sig"
+done
+
+function die {
+    local status_code="$1"
+    shift
+    >&2 echo "${@}"
+    exit "$status_code"
+}
+
+function log {
+    >&2 echo "${@}"
+}
+
+############## Config Settings ###############
+
+# These are below the Setup in case I end up creating things that need
+# to be cleaned up
+
+# Cache for local development to avoid stressing alpine servers
+: ${NETIZEN_CACHE:="/tmp"}
+: ${LOCAL_DEV:="false"}
+
+: ${ALPINE_TARBALL:="alpine-minirootfs-3.15.0-x86_64.tar.gz"}
+: ${ALPINE_SHA256:="ec7ec80a96500f13c189a6125f2dbe8600ef593b87fc4670fe959dc02db727a2"}
+: ${ALPINE_SIGNATURE:="-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEBILYQCL1LfHE581DKTrNCQfZSVoFAmGeGqEACgkQKTrNCQfZ
+SVp4Ww/+MzjBfj+33+0QxesuW/4ZGTShK6E+Hi7bXH04kparCEL77pdBnyYTfTjW
+Myt2BdPPze6upbsTJjDezpoKkza47ODD5MwsT22Utm4+zJUcHVAUiRKkm57lUuF0
+60DldhNj1K5sUrZgfPq+QIkJLsKZtUEoCx3lf1Ou0cRb+5P6nxnRNqqqpcwXaoJr
+mhoH/YCH6f+HydbXRcHX9hwdAlCj3LnOn2m6kwppdl6sWSp7yUXkjn1grKN7bnzy
+lzevA2aJJGc1S4qATYflaQcsWCcBJZ/Y1cAAl8OPLB+SYtmXbEJyluH5O7PsMGRg
+Ni0XQvqvYT8RosleRLuJKu7dc2626cwHRZj6CJhfpjvFvPvwvnHWSjRrXYmcERpj
+MWlyYbubF167mUb3qB2MlS58G6nsHmruejkLLe0+CJsNw7AGu2D/kB2MrJylLLvj
+CV3aFJoqrsAbaUrAl9kmgE2UPjOaUl1lld+y/tnDmN4o0FsBCPLc+Zve29qkNP8P
+AUeit46pKrAPEQpHFNE5bPZsZA6aR6SLRMPnVNQl57O8F+wAGe5gpvNeb24Q80PY
+CB/YX6tY0dlY352Vd1kveO73YZuLzyuP35yKreFUQEyWlGYEgivkI9AZLX+LGS0f
+QsATDB/JXW6pEivbW3r5v/iH0633JE2xMbI9rsP2nSrtXT5uMCw=
+=Wb5G
+-----END PGP SIGNATURE-----"}
+: ${ALPINE_KEY:="-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFSIEDwBEADbib88gv1dBgeEez1TIh6A5lAzRl02JrdtYkDoPr5lQGYv0qKP
+lWpd3jgGe8n90krGmT9W2nooRdyZjZ6UPbhYSJ+tub6VuKcrtwROXP2gNNqJA5j3
+vkXQ40725CVig7I3YCpzjsKRStwegZAelB8ZyC4zb15J7YvTVkd6qa/uuh8H21X2
+h/7IZJz50CMxyz8vkdyP2niIGZ4fPi0cVtsg8l4phbNJ5PwFOLMYl0b5geKMviyR
+MxxQ33iNa9X+RcWeR751IQfax6xNcbOrxNRzfzm77fY4KzBezcnqJFnrl/p8qgBq
+GHKmrrcjv2MF7dCWHGAPm1/vdPPjUpOcEOH4uGvX7P4w2qQ0WLBTDDO47/BiuY9A
+DIwEF1afNXiJke4fmjDYMKA+HrnhocvI48VIX5C5+C5aJOKwN2EOpdXSvmsysTSt
+gIc4ffcaYugfAIEn7ZdgcYmTlbIphHmOmOgt89J+6Kf9X6mVRmumI3cZWetf2FEV
+fS9v24C2c8NRw3LESoDT0iiWsCHcsixCYqqvjzJBJ0TSEIVCZepOOBp8lfMl4YEZ
+BVMzOx558LzbF2eR/XEsr3AX7Ga1jDu2N5WzIOa0YvJl1xcQxc0RZumaMlZ81dV/
+uu8G2+HTrJMZK933ov3pbxaZ38/CbCA90SBk5xqVqtTNAHpIkdGj90v2lwARAQAB
+tCVOYXRhbmFlbCBDb3BhIDxuY29wYUBhbHBpbmVsaW51eC5vcmc+iQI2BBMBCAAg
+BQJUiBA8AhsDBQsJCAcCBhUICQoLAgMWAgECHgECF4AACgkQKTrNCQfZSVrcNxAA
+mEzX9PQaczzlPAlDe3m1AN0lP6E/1pYWLBGs6qGh18cWxdjyOWsO47nA1P+cTGSS
+AYe4kIOIx9kp2SxObdKeZTuZCBdWfQu/cuRE12ugQQFERlpwVRNd6NYuT3WyZ7v8
+ZXRw4f33FIt4CSrW1/AyM/vrA+tWNo7bbwr/CFaIcL8kINPccdFOpWh14erONd/P
+Eb3gO81yXIA6c1Vl4mce2JS0hd6EFohxS5yMQJMRIS/Zg8ufT3yHJXIaSnG+KRP7
+WWLR0ZaLraCykYi/EW9mmQ49LxQqvKOgjpRW9aNgDA+arKl1umjplkAFI1GZ0/qA
+sgKm4agdvLGZiCZqDXcRWNolG5PeOUUpim1f59pGnupZ3Rbz4BF84U+1uL+yd0OR
+5Y98AxWFyq0dqKz/zFYwQkMVnl9yW0pkJmP7r6PKj0bhWksQX+RjYPosj3wxPZ7i
+SKMX7xZaqon/CHpH9/Xm8CabGcDITrS6h+h8x0FFT/MV/LKgc3q8E4mlXelew1Rt
+xK4hzXFpXKl0WcQg54fj1Wqy47FlkArG50di0utCBGlmVZQA8nqE5oYkFLppiFXz
+1SXCXojff/XZdNF2WdgV8aDKOYTK1WDPUSLmqY+ofOkQL49YqZ9M5FR8hMAbvL6e
+4CbxVXCkWJ6Q9Lg79AzS3pvOXCJ/CUDQs7B30v026Ba5Ag0EVIgQPAEQAMHuPAv/
+B0KP9SEA1PsX5+37k46lTP7lv7VFd7VaD1rAUM/ZyD2fWgrJprcCPEpdMfuszfOH
+jGVQ708VQ+vlD3vFoOZE+KgeKnzDG9FzYXXPmxkWzEEqI168ameF/LQhN12VF1mq
+5LbukiAKx2ytb1I8onvCvNJDvH1D/3BxSj7ThV9bP/bFufcOHFBMFwtyBmUaR5Wx
+96Bq+7DEbTrxhshoQgUqILEudUyhZa05/TrpUvC4f8qc0deaqJFO1zD6guZxRWZd
+SWJdcFzTadyg36P4eyFMxa1Ft7BlDKdKLAFlCGgR0jfOnKRmdRKGRNFTLQ68aBld
+N4wxBuMwe0tmRw9zYwWwD43Aq9E26YtuxVR1wb3zUmi+47QH4ANAzMioimE9Mj5S
+qYrgzQJ0IGwIjBt+HNzHvYX+kyMuVFK41k2Vo6oUOVHuQMu3UgLvSPMsyw69d+Iw
+K/rrsQwuutrvJ8Qcda3rea1HvWBVcY/uyoRsOsCS7itS6MK6KKTKaW8iskmEb2/h
+Q1ZB1QaWm2sQ8Xcmb3QZgtyBfZKuC95T/mAXPT0uET6bTpP5DdEi3wFs+qw/c9FZ
+SNDZ4hfNuS24d2u3Rh8LWt/U83ieAutNntOLGhvuZm1jLYt2KvzXE8cLt3V75/ZF
+O+xEV7rLuOtrHKWlzgJQzsDp1gM4Tz9ULeY7ABEBAAGJAh8EGAEIAAkFAlSIEDwC
+GwwACgkQKTrNCQfZSVrIgBAArhCdo3ItpuEKWcxx22oMwDm+0dmXmzqcPnB8y9Tf
+NcocToIXP47H1+XEenZdTYZJOrdqzrK6Y1PplwQv6hqFToypgbQTeknrZ8SCDyEK
+cU4id2r73THTzgNSiC4QAE214i5kKd6PMQn7XYVjsxvin3ZalS2x4m8UFal2C9nj
+o8HqoTsDOSRy0mzoqAqXmeAe3X9pYme/CUwA6R8hHEgX7jUhm/ArVW5wZboAinw5
+BmKBjWiIwT1vxfvwgbC0EA1O24G4zQqEJ2ILmcM3RvWwtFFWasQqV7qnKdpD8EIb
+oPa8Ocl7joDc5seK8BzsI7tXN4Yjw0aHCOlZ15fWHPYKgDFRQaRFffODPNbxQNiz
+Yru3pbEWDLIUoQtJyKl+o2+8m4aWCYNzJ1WkEQje9RaBpHNDcyen5yC73tCEJsvT
+ZuMI4Xqc4xgLt8woreKE57GRdg2fO8fO40X3R/J5YM6SqG7y2uwjVCHFBeO2Nkkr
+8nOno+Rbn2b03c9MapMT4ll8jJds4xwhhpIjzPLWd2ZcX/ZGqmsnKPiroe9p1VPo
+lN72Ohr9lS+OXfvOPV2N+Ar5rCObmhnYbXGgU/qyhk1qkRu+w2bBZOOQIdaCfh5A
+Hbn3ZGGGQskgWZDFP4xZ3DWXFSWMPuvEjbmUn2xrh9oYsjsOGy9tyBFFySU2vyZP
+Mkc=
+=FcYC
+-----END PGP PUBLIC KEY BLOCK-----"}
+
+############## Main Script ###################
+
+function precheck {
+    # Checks to run before building the image
+    if ! grep -q 'linux.ko' <<<"$(kldstat)"; then
+        die 1 "Need linux kernel module for building initramfs."
+    fi
+
+    for bin in gpg sha256; do
+        if ! command -V "$bin" &> /dev/null; then
+            die 1 "Need $bin installed."
+        fi
+    done
+}
+
+function make_chroot {
+    bsdtar -C "$chroot" -xpf "${download_directory}/${ALPINE_TARBALL}"
+
+    # Steal the DNS info from the host
+    (umask 022 && resolvconf -l > "${chroot}/etc/resolv.conf")
+
+    # Enter the jail
+    # install mkinitfs
+    sudo jail -c path="$chroot" ip4=inherit ip6=inherit host=inherit allow.raw_sockets=true command=/bin/sh
+
+    # Remove the resolv.conf file since it should get populated via dhcp
+    rm "${chroot}/etc/resolv.conf"
+}
+
+function download_alpine {
+    if [ "$LOCAL_DEV" == "true" ] && [ -e "${NETIZEN_CACHE}/${ALPINE_TARBALL}" ]; then
+        # Cache for local development to avoid stressing alpine servers
+        fetch -o "${download_directory}/" "file://${NETIZEN_CACHE}/${ALPINE_TARBALL}"
+    else
+        fetch -o "${download_directory}/" "https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/${ALPINE_TARBALL}"
+        if [ "$LOCAL_DEV" == "true" ]; then
+            cp "${download_directory}/${ALPINE_TARBALL}" /tmp/
+        fi
+    fi
+
+    # Validate
+    sha256 -c "$ALPINE_SHA256" "${download_directory}/${ALPINE_TARBALL}"
+
+    local keyring="$work_directory/keyring"
+    gpg --no-default-keyring --keyring "$keyring" --trust-model always --import <<<"$ALPINE_KEY"
+    gpg --no-default-keyring --keyring "$keyring" --trust-model always --verify <(cat <<<"$ALPINE_SIGNATURE") "${download_directory}/${ALPINE_TARBALL}"
+}
+
+function main {
+    precheck
+
+    work_directory=$(mktemp -d -t dib)
+    folders+=("$work_directory")
+
+    download_directory="${work_directory}/downloads"
+    mkdir "$download_directory"
+    download_alpine
+    
+    chroot="${work_directory}/chroot"
+    mkdir "$chroot"
+    log "Building chroot in $chroot"
+    make_chroot
+}
+
+main