Merge d7c01e755a into 53a952235c

FIXUP: Add comment for needs: prepare
FIXUP: Remove extraneous comments
2025-05-15 17:51:50 +02:00 · 2025-03-10 18:42:30 +02:00 · 2025-03-10 18:42:24 +02:00 · 2025-03-10 18:35:43 +02:00 · 2025-03-10 18:34:30 +02:00 · 2025-03-10 15:16:49 +02:00
5 changed files with 20 additions and 40 deletions
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -10,12 +10,7 @@ on:

 jobs:
  security-scan-container:
-    strategy:
-      matrix:
-        runs-on:
-          - ubuntu-24.04
-          - ubuntu-24.04-arm
-    runs-on: ${{ matrix.runs-on }}
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@ -56,12 +51,7 @@ jobs:
          severity-cutoff: critical

  security-scan-app:
-    strategy:
-      matrix:
-        runs-on:
-          - ubuntu-24.04
-          - ubuntu-24.04-arm
-    runs-on: ${{ matrix.runs-on }}
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/.github/workflows/scan_released.yml
+++ b/.github/workflows/scan_released.yml
@ -9,10 +9,11 @@ jobs:
    strategy:
      matrix:
        include:
-          - runs-on: ubuntu-24.04
+          - runs-on: ubuntu-latest
            arch: i686
-          - runs-on: ubuntu-24.04-arm
-            arch: arm64
+          # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
+          # - runs-on: macos-latest
+          #   arch: arm64
    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Checkout
@ -54,12 +55,7 @@ jobs:
          severity-cutoff: critical

  security-scan-app:
-    strategy:
-      matrix:
-        runs-on:
-          - ubuntu-24.04
-          - ubuntu-24.04-arm
-    runs-on: ${{ matrix.runs-on }}
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/2
+++ b/2
@ -185,7 +185,7 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
+# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
 # servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
    && rm /new_root/etc/resolv.conf
--- a/Dockerfile.in
+++ b/Dockerfile.in
@ -185,8 +185,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any
-# DNS servers added there during image build time.
+# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
+# servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
    && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
--- a/tests/isolation_provider/test_container.py
+++ b/tests/isolation_provider/test_container.py
@ -8,7 +8,6 @@ from pytest_subprocess import FakeProcess
 from dangerzone import container_utils, errors
 from dangerzone.isolation_provider.container import Container
 from dangerzone.isolation_provider.qubes import is_qubes_native_conversion
-from dangerzone.util import get_resource_path

 from .base import IsolationProviderTermination, IsolationProviderTest

@ -48,7 +47,7 @@ class TestContainer(IsolationProviderTest):
        provider.is_available()

    def test_install_raise_if_image_cant_be_installed(
-        self, provider: Container, fp: FakeProcess
+        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
    ) -> None:
        """When an image installation fails, an exception should be raised"""

@ -69,13 +68,11 @@ class TestContainer(IsolationProviderTest):
            occurrences=2,
        )

+        # Make podman load fail
+        mocker.patch("builtins.open", mocker.mock_open(read_data=""))
+
        fp.register_subprocess(
-            [
-                container_utils.get_runtime(),
-                "load",
-                "-i",
-                get_resource_path("container.tar"),
-            ],
+            [container_utils.get_runtime(), "load"],
            returncode=-1,
        )

@ -83,7 +80,7 @@ class TestContainer(IsolationProviderTest):
            provider.install()

    def test_install_raises_if_still_not_installed(
-        self, provider: Container, fp: FakeProcess
+        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
    ) -> None:
        """When an image keep being not installed, it should return False"""
        fp.register_subprocess(
@ -108,13 +105,10 @@ class TestContainer(IsolationProviderTest):
            occurrences=2,
        )

+        # Patch open and podman load so that it works
+        mocker.patch("builtins.open", mocker.mock_open(read_data=""))
        fp.register_subprocess(
-            [
-                container_utils.get_runtime(),
-                "load",
-                "-i",
-                get_resource_path("container.tar"),
-            ],
+            [container_utils.get_runtime(), "load"],
        )
        with pytest.raises(errors.ImageNotPresentException):
            provider.install()
@ -201,7 +195,7 @@ class TestContainer(IsolationProviderTest):
        reason="Linux specific",
    )
    def test_linux_skips_desktop_version_check_returns_true(
-        self, provider: Container
+        self, mocker: MockerFixture, provider: Container
    ) -> None:
        assert (True, "") == provider.check_docker_desktop_version()
Author	SHA1	Message	Date
Alex Pyrgiotis	34f8813075	Merge `d7c01e755a` into `53a952235c`	2025-03-10 18:42:30 +02:00
Alex Pyrgiotis	d7c01e755a	FIXUP: Add comment for needs: prepare Some checks are pending Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Tests / run-lint (push) Waiting to run Details Tests / build-container-image (push) Waiting to run Details Tests / Download and cache Tesseract data (push) Waiting to run Details Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Release multi-arch container image / build-push-image (push) Waiting to run Details	2025-03-10 18:42:24 +02:00
Alex Pyrgiotis	cede19ca90	FIXUP: Remove extraneous comments	2025-03-10 18:35:43 +02:00
Alex Pyrgiotis	f1702ab560	FIXUP: Specify platform by full name	2025-03-10 18:34:30 +02:00
Alex Pyrgiotis	bb66e9a2e9	FIXUP: Handle tarballs with ./ prefix	2025-03-10 15:16:49 +02:00
Alex Pyrgiotis	094d876dba	FIXUP: Rename repro-build to repro-build.py	2025-03-10 14:53:49 +02:00
Alex Pyrgiotis	5f4f82a7a4	FIXUP: Rename compressed_container_path envvar	2025-03-10 14:48:33 +02:00
Alex Pyrgiotis	c0ff351a2e	FIXUP: Use 'load -i'	2025-03-10 14:45:03 +02:00
Alex Pyrgiotis	8ca1357a41	FIXUP: Document removal of resolv.conf	2025-03-10 14:26:50 +02:00
Alex Pyrgiotis	ab0bee5688	FIXUP: Change digest with manifest_type	2025-03-10 14:09:30 +02:00
Alex Pyrgiotis	af8ba74294	FIXUP: Move buildkit image alongw with other envvars	2025-03-10 14:05:50 +02:00
Alex Pyrgiotis	93b8bb0444	FIXUP: Remove command that checks github token	2025-03-10 14:04:57 +02:00
Alex Pyrgiotis	2e2b6cf308	FIXUP: Make release image job reusable	2025-03-10 13:47:32 +02:00
Alex Pyrgiotis	ce9353814b	ci: Create a CI job that does the following 1. Create a multi-architecture container image for Dangerzone, instead of having two different tarballs (or no option at all) 2. Build the Dangerzone container image on our supported architectures (linux/amd64 and linux/arm64). It so happens that GitHub also offers ARM machine runners, which speeds up the build. 3. Combine the images from these two architectures into one, multi-arch image. 4. Generate provenance info for each manifest, and the root manifest list. 5. Check the image's reproduciblity. Also, remove an older CI action, that is now obsolete. Fixes #1035	2025-02-27 00:24:49 +02:00
Alex Pyrgiotis	52789275c2	Completely overhaul the `reproduce-image.py` script Make a major change to the `reproduce-image.py` script: drop `diffoci`, build the container image, and ensure it has the exact same hash as the source image. We can drop the `diffoci` script when comparing the two images, because we are now able build bit-for-bit reproducible images.	2025-02-27 00:24:49 +02:00
Alex Pyrgiotis	1a5f56324f	Fix a Podman regression regarding Buildkit images Loading an image built with Buildkit in Podman 3.4 messes up its name. The tag somehow becomes the name of the loaded image. We know that older Podman versions are not generally affected, since Podman v3.0.1 on Debian Bullseye works properly. Also, Podman v4.0 is not affected, so it makes sense to target only Podman v3.4 for a fix. The fix is simple, tag the image properly based on the expected tag from `share/image-id.txt` and delete the incorrect tag. Refs containers/podman/#16490	2025-02-27 00:24:49 +02:00
Alex Pyrgiotis	8c24fca028	Fix references to container.tar.gz Find all references to the `container.tar.gz` file, and replace them with references to `container.tar`. Moreover, remove the `--no-save` argument of `build-image.py` since we now always save the image. Finally, fix some stale references to Poetry, which are not necessary anymore.	2025-02-27 00:24:49 +02:00
Alex Pyrgiotis	dc10527a2a	Build container image using `repro-build` Invoke the `repro-build` script when building a container image, instead of the underlying Docker/Podman commands. The `repro-build` script handles the underlying complexity to call Docker/Podman in a manner that makes the image reproducible. Moreover, mirror some arguments from the `repro-build` script, so that consumers of `build-image.py` can pass them to it. Important: the resulting image will be in .tar format, not .tar.gz, starting from this commit. This means that our tests will be broken for the next few commits. Fixes #1074	2025-02-27 00:24:37 +02:00
Alex Pyrgiotis	a9de671615	Vendor `repro-build` script Vendor the `repro-build` script in our codebase, which will be used to build our container image in a reproducible manner. We prefer to copy it verbatim for the time-being, since its interface is not stable enough, and the repro-build repo is not reviewed after all. In the future, we want to store this script in a separate place, and pull it when necessary. Refs #1085	2025-02-26 23:37:46 +02:00
Alex Pyrgiotis	4cb51b835b	Remove sources of non-determinism from our image Make our container image more reproducible, by changing the following in our Dockerfile: 1. Touch `/etc/apt/sources.list` with a UTC timestamp. Else, builds on different countries (!?) may result to different Unix epochs for the same date, and therefore different modification time for the file. 2. Turn the third column of `/etc/shadow` (date of last password change) for the `dangerzone` user into a constant number. 3. Fix r-s file permissions in some copied files, due to inconsistent COPY behavior in containerized vs non-containerized Buildkit. This requires creating a full file hierarchy in a separate directory (see new_root/). 4. Set a specific modification time for the entrypoint script, because rewrite-timestamp=true does not overwrite it.	2025-02-26 23:20:36 +02:00
Alex Pyrgiotis	8275d5aa42	Bump container image parameters Bump all the values in Dockerfile.env, since there are new releases out for all of them.	2025-02-26 23:20:29 +02:00