Delete vm-builder folder, and make build-image.sh build the dangerzone image

Micah Lee 2021-11-22 14:23:17 -08:00
parent 42ce884419
commit 83759d1a33
No known key found for this signature in database
GPG key ID: 403C2657CD994F73
14 changed files with 20 additions and 410 deletions

9
.gitignore vendored

@ -134,9 +134,6 @@ deb_dist
.DS_Store .DS_Store
install/windows/Dangerzone.wxs install/windows/Dangerzone.wxs
test_docs/sample-safe.pdf test_docs/sample-safe.pdf
share/bin share/dangerzone-converter.tar
share/vm share/dangerzone-converter.tar.gz
share/container share/image-id.txt
vm-builder/vm
vm-builder/.vagrant
vm-builder/dangerzone.docker_image


@ -54,13 +54,6 @@ Create a .rpm:
## macOS ## macOS
Ensure you have the git submodules checked out:
```
git submodule init
git submodule update
```
Install Xcode from the App Store. Install Xcode from the App Store.
Install [Docker Desktop](https://www.docker.com/products/docker-desktop). Make sure to choose your correct CPU, either Intel Chip or Apple Chip. Install [Docker Desktop](https://www.docker.com/products/docker-desktop). Make sure to choose your correct CPU, either Intel Chip or Apple Chip.
@ -77,21 +70,13 @@ poetry install
Install [Homebrew](https://brew.sh/) dependencies: Install [Homebrew](https://brew.sh/) dependencies:
```sh ```sh
brew install create-dmg wget pkg-config brew install create-dmg
``` ```
Install opam dependencies (you can skip this step if you are using an Apple M1 chip Mac): Build the dangerzone container image:
```
brew install opam dune ocaml
opam init -y
opam install -y alcotest astring base64 bigarray-compat charrua-client-mirage charrua-core cmdliner cohttp-lwt cstruct cstruct-lwt datakit-server datakit-server-9p duration ezjsonm fd-send-recv fmt hvsock io-page io-page-unix ipaddr logs lwt lwt-dllist mirage-channel mirage-channel-lwt mirage-clock-lwt mirage-clock-unix mirage-flow-lwt mirage-kv-lwt mirage-profile mirage-protocols-lwt mirage-random mirage-stack-lwt mirage-time-lwt mirage-vnetif oUnit pcap-format ppx_cstruct ppx_sexp_conv protocol-9p re rresult sexplib sha tar tcpip uri uuidm uwt
```
Run this to compile hyperkit and vpnkit, and build a custom Alpine Linux ISO for Dangerzone, and copy it into the `share` folder:
```sh ```sh
./install/macos/make-vm.sh ./install/build-image.sh
``` ```
Run from source tree: Run from source tree:


@ -494,7 +494,7 @@ class GlobalCommon(object):
See if the podman container is installed. Linux only. See if the podman container is installed. Linux only.
""" """
# Get the image id # Get the image id
with open(self.get_resource_path("container/image_id.txt")) as f: with open(self.get_resource_path("image-id.txt")) as f:
image_id = f.read().strip() image_id = f.read().strip()
# See if this image is already installed # See if this image is already installed

13
install/build-image.sh Executable file

@ -0,0 +1,13 @@
#!/bin/sh
echo "Building dangerzone-converter image"
docker build dangerzone-converter --tag dangerzone.rocks/dangerzone
echo "Saving dangerzone-converter image"
docker save dangerzone.rocks/dangerzone -o share/dangerzone-converter.tar
echo "Compressing dangerzone-converter image"
gzip -f share/dangerzone-converter.tar
echo "Looking up the image id"
docker image ls dangerzone.rocks/dangerzone | grep "dangerzone.rocks/dangerzone" | tr -s ' ' | cut -d' ' -f3 > share/image-id.txt
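Review bot: Without `set -e` after the `#!/bin/sh` shebang, a failed `docker build` does not stop the script: `docker save` and `gzip` then run against whatever `dangerzone.rocks/dangerzone` image is already cached, and the last line still writes `share/image-id.txt`, so a stale tarball and image id can be produced with a zero exit status. Adding `set -e` (or `|| exit 1` on each docker step) makes the build fail loudly, which matters because the GlobalCommon change in this commit appears to read image-id.txt to decide whether the converter image is installed. The id lookup on the last line parses the human-readable table with `grep | tr | cut` and emits one line per tag of that repository; `docker image ls --format '{{.ID}}' dangerzone.rocks/dangerzone:latest > share/image-id.txt` returns the id directly and pins the tag the build step created. The relative `dangerzone-converter` and `share/` paths also assume the script is run from the repository root, as BUILD.md instructs; a `cd "$(dirname "$0")/.."` at the top would make that explicit.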


@ -1,39 +0,0 @@
#!/bin/sh
# Compile hyperkit
cd vendor/hyperkit/
make || { echo 'Failed to compile hyperkit' ; exit 1; }
cd ../..
# Compile vpnkit (on Intel chips, it's too hard to compile in Apple chips)
ARCH=$(/usr/bin/arch)
if [ "$ARCH" == "i386" ]; then
cd vendor/vpnkit/
make -f Makefile.darwin || { echo 'Failed to compile vpnkit' ; exit 1; }
cd ../..
fi
# Copy binaries to share
mkdir -p share/bin
cp vendor/hyperkit/build/hyperkit share/bin/hyperkit
if [ "$ARCH" == "i386" ]; then
cp vendor/vpnkit/_build/install/default/bin/vpnkit share/bin/vpnkit
elif [ "$ARCH" == "arm64" ]; then
# On Apple chips we copy the binary from Docker Desktop
cp /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit share/bin/vpnkit
fi
# Build the dangerzone-converter image
echo "Building dangerzone-converter image"
docker build dangerzone-converter --tag dangerzone.rocks/dangerzone
echo "Saving dangerzone-converter image"
docker save dangerzone.rocks/dangerzone -o vm-builder/dangerzone-converter.tar
echo "Compressing dangerzone-converter image"
gzip -f vm-builder/dangerzone-converter.tar
# Build the ISO
docker run -v $(pwd)/vm-builder:/vm-builder alpine:latest /vm-builder/build-iso.sh
# Copy the ISO to resources
mkdir -p share/vm
cp vm-builder/vm/* share/vm


@ -1,26 +0,0 @@
# Build the Dangerzone VM for running podman
## Build the ISO
You need vagrant: `brew install vagrant`
```sh
vagrant up
vagrant ssh -- /vagrant/build-iso.sh
vagrant destroy
```
This takes awhile to run. It:
- Builds a new `dangerzone-converter` docker image
- Builds an ISO, which includes a copy of this image
- Outputs files in the `vm` folder
## Run the VM
```sh
./run-vm.sh
```
# How the VM works


@ -1,47 +0,0 @@
#!/bin/sh
ALPINE_TAG=v3.14.3
# Install dependencies
apk add alpine-sdk build-base apk-tools alpine-conf busybox fakeroot xorriso squashfs-tools mtools dosfstools grub-efi p7zip abuild sudo
# Make keys for build
abuild-keygen -i -a -n
# Setup aports
cd ~/
wget https://gitlab.alpinelinux.org/alpine/aports/-/archive/master/aports-master.tar.gz
tar -xf ~/aports-master.tar.gz
mv ~/aports-master ~/aports
cp /vm-builder/mkimg.dz.sh ~/aports/scripts/
cp /vm-builder/genapkovl-dz.sh ~/aports/scripts/
chmod +x ~/aports/scripts/mkimg.dz.sh
chmod +x ~/aports/scripts/genapkovl-dz.sh
# Set up the vm dir
rm -r /vm-builder/vm
mkdir -p /vm-builder/vm
chmod 777 /vm-builder/vm
# Make the iso
cd ~/aports/scripts
./mkimage.sh --tag "$ALPINE_TAG" \
--outdir /vm-builder/vm \
--arch $(uname -m) \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.14/community \
--profile dz
mv /vm-builder/vm/alpine-dz-${ALPINE_TAG}-$(uname -m).iso /vm-builder/vm/dangerzone.iso
# Fix permissions
chmod 755 /vm-builder/vm
chmod 644 /vm-builder/vm/*
# Extract vmlinuz and initramfs
cd /vm-builder/vm
7z x dangerzone.iso boot/vmlinuz-virt
7z x dangerzone.iso boot/initramfs-virt
mv boot/* .
rm -r boot
mv vmlinuz-virt kernel
mv initramfs-virt initramfs.img


@ -1,6 +0,0 @@
alpine-base
podman
dropbear
autossh
python3
sudo


@ -1,37 +0,0 @@
#!/sbin/openrc-run
name="Dangerzone init script"
start() {
# Hostname
echo "dangerzone" > /etc/hostname
echo "127.0.0.1 dangerzone" >> /etc/hosts
hostname dangerzone
# Networking
cat > /etc/network/interfaces << EOF
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
hostname dangerzone
EOF
setup-interfaces -a
echo -e "\n" | setup-dns 4.4.4.4
rc-service networking restart
# Timezone
setup-timezone -z UTC
# Create user
/usr/sbin/adduser -D -u 1001 user
# Load the dangerzone container
sudo -u user podman load -i /etc/dangerzone-converter.tar.gz
# Allow podman containers to run
echo "user:100000:65536" >> /etc/subuid
echo "user:100000:65536" >> /etc/subgid
# SSH reverse tunnel to host
/etc/setup-ssh.py &
}


@ -1,74 +0,0 @@
#!/usr/bin/env python3
import os
import json
import subprocess
import shutil
def main():
if not os.path.exists("/dev/vda"):
print("Disk is not mounted, skipping")
return
# Read data
with open("/dev/vda", "rb") as f:
s = f.read()
info = json.loads(s[0 : s.find(b"\0")])
# Create root's SSH files
os.makedirs("/root/.ssh", exist_ok=True)
with open("/root/.ssh/id_ed25519", "w") as f:
f.write(info["id_ed25519"])
f.write("\n")
with open("/root/.ssh/id_ed25519.pub", "w") as f:
f.write(info["id_ed25519.pub"])
f.write("\n")
with open("/root/.ssh/config", "w") as f:
f.write("Host hostbox\n")
f.write(f" Hostname {info['ip']}\n")
f.write(f" Port {info['port']}\n")
f.write(f" User {info['user']}\n")
f.write(f" RemoteForward {info['tunnel_port']} 127.0.0.1:22\n")
f.write(" IdentityFile /root/.ssh/id_ed25519\n")
f.write(" ServerAliveInterval 30\n")
f.write(" ServerAliveCountMax 3\n")
f.write(" StrictHostKeyChecking no\n")
f.write("\n")
os.chmod("/root/.ssh", 0o700)
os.chmod("/root/.ssh/id_ed25519", 0o600)
os.chmod("/root/.ssh/id_ed25519.pub", 0o600)
os.chmod("/root/.ssh/config", 0o600)
# Create user's SSH files
os.makedirs("/home/user/.ssh", exist_ok=True)
with open("/home/user/.ssh/authorized_keys", "w") as f:
f.write(info["id_ed25519.pub"])
f.write("\n")
os.chmod("/home/user/.ssh", 0o700)
os.chmod("/home/user/.ssh/authorized_keys", 0o600)
shutil.chown("/home/user/.ssh", "user", "user")
shutil.chown("/home/user/.ssh/authorized_keys", "user", "user")
# Start SSH reverse port forward
subprocess.run(
[
"/usr/bin/autossh",
"-M",
"0",
"-f",
"-N",
"hostbox",
]
)
if __name__ == "__main__":
main()


@ -1,55 +0,0 @@
#!/bin/sh -e
HOSTNAME="$1"
if [ -z "$HOSTNAME" ]; then
echo "usage: $0 hostname"
exit 1
fi
cleanup() {
rm -rf "$tmp"
}
rc_add() {
mkdir -p "$tmp"/etc/runlevels/"$2"
ln -sf /etc/init.d/"$1" "$tmp"/etc/runlevels/"$2"/"$1"
}
tmp="$(mktemp -d)"
trap cleanup EXIT
# Copy /etc
cp -r /vm-builder/etc "$tmp"
chown -R root:root "$tmp"/etc
# Copy container image to /etc, temporarily
cp /vm-builder/dangerzone-converter.tar.gz "$tmp"/etc
# Start cgroups, required by podman
rc_add cgroups default
# Start dropbear (ssh server)
rc_add dropbear default
# Initialize the dangerzone VM
rc_add dangerzone default
# Other init scripts
rc_add devfs sysinit
rc_add dmesg sysinit
rc_add mdev sysinit
rc_add hwdrivers sysinit
rc_add modloop sysinit
rc_add hwclock boot
rc_add modules boot
rc_add sysctl boot
rc_add hostname boot
rc_add bootmisc boot
rc_add syslog boot
rc_add mount-ro shutdown
rc_add killprocs shutdown
rc_add savecache shutdown
tar -c -C "$tmp" etc | gzip -9n > $HOSTNAME.apkovl.tar.gz


@ -1,8 +0,0 @@
profile_dz() {
profile_virt
profile_abbrev="dz"
title="Dangerzone"
desc="Copied from virt but with extra apks and an apkovl"
apkovl="genapkovl-dz.sh"
apks="$apks podman dropbear autossh python3 sudo"
}


@ -1,81 +0,0 @@
#!/bin/bash
ROOT=$(pwd)/vm
HYPERKIT=$(pwd)/../share/bin/hyperkit
VPNKIT=$(pwd)/../share/bin/vpnkit
SSHD_PORT=4445
SSHD_TUNNEL_PORT=4446
tmp="$(mktemp -d)"
trap rm -rf "$tmp" EXIT
# make ssh keys
/usr/bin/ssh-keygen \
-t ed25519 \
-C dangerzone-host \
-N "" \
-f "$tmp/host_ed25519"
/usr/bin/ssh-keygen \
-t ed25519 \
-C dangerzone-client \
-N "" \
-f "$tmp/client_ed25519"
# run sshd
SSHD_PIDFILE=$ROOT/sshd.pid
/usr/sbin/sshd \
-4 \
-E $ROOT/sshd.log \
-o PidFile=$ROOT/sshd.pid \
-o HostKey=$tmp/host_ed25519 \
-o ListenAddress=127.0.0.1:$SSHD_PORT \
-o AllowUsers=$(whoami) \
-o PasswordAuthentication=no \
-o PubkeyAuthentication=yes \
-o Compression=yes \
-o ForceCommand=/usr/bin/whoami \
-o UseDNS=no \
-o AuthorizedKeysFile=$tmp/client_ed25519.pub &
echo $! > $SSHD_PIDFILE
trap 'test -f $SSHD_PIDFILE && kill `cat $SSHD_PIDFILE` && rm $SSHD_PIDFILE' EXIT
# create disk image
cd $ROOT
cat > info.json << EOF
{
"id_ed25519": "$(cat $tmp/client_ed25519 | awk '{printf "%s\\n", $0}')",
"id_ed25519.pub": "$(cat $tmp/client_ed25519.pub)",
"user": "$(whoami)",
"ip": "192.168.65.2",
"port": $SSHD_PORT,
"tunnel_port": $SSHD_TUNNEL_PORT
}
EOF
python3 -c 's=open("info.json").read(); open("disk.img", "wb").write(s.encode()+b"\x00"*(512*1024-len(s)))'
# run vpnkit
VPNKIT_SOCK=$ROOT/vpnkit.eth.sock
VPNKIT_PIDFILE=$ROOT/vpnkit.pid
$VPNKIT \
--ethernet=$VPNKIT_SOCK \
--gateway-ip 192.168.65.1 \
--host-ip 192.168.65.2 \
--lowest-ip 192.168.65.3 \
--highest-ip 192.168.65.254 &
echo $! > $VPNKIT_PIDFILE
trap 'test -f $VPNKIT_PIDFILE && kill `cat $VPNKIT_PIDFILE` && rm $VPNKIT_PIDFILE' EXIT
# run hyperkit
$HYPERKIT \
-F $ROOT/hyperkit.pid \
-A -u \
-m 4G \
-c 2 \
-s 0:0,hostbridge -s 31,lpc \
-l com1,stdio \
-s 1:0,ahci-cd,$ROOT/dangerzone.iso \
-s 2:0,virtio-vpnkit,path=$VPNKIT_SOCK \
-s 3:0,virtio-blk,$ROOT/disk.img \
-U 9efa82d7-ebd5-4287-b1cc-ac4160a39fa7 \
-f kexec,$ROOT/kernel,$ROOT/initramfs.img,"earlyprintk=serial console=ttyS0 modules=loop,squashfs,sd-mod"


@ -1,12 +0,0 @@
#!/bin/sh
VAGRANT_FILES=$(find /vagrant -type f | grep -v /vagrant/.vagrant | grep -v /vagrant/vm | grep -v /vagrant/windows.sh)
DANGERZONE_CONVERTER_FILES=$(find /opt/dangerzone-converter -type f)
for FILE in $VAGRANT_FILES; do dos2unix $FILE; done
for FILE in $DANGERZONE_CONVERTER_FILES; do dos2unix $FILE; done
/vagrant/build-iso.sh
for FILE in $VAGRANT_FILES; do unix2dos $FILE; done
for FILE in $DANGERZONE_CONVERTER_FILES; do unix2dos $FILE; done