Upload stages to releng-incoming.gentoo.org

Most architecture's build systems are hosted at OSUOSL. The place the
stages need to end up is ultimately masterreleases.gentoo.org, also at
OSUOSL. For some unknown reason, instead of rsync'ing from one system to
another in the same building, we were sending the stages first (slowly,
I might add) to nightheron in France, before sending them back to
OSUOSL.

robbat2 has added a releng-incoming.gentoo.org DNS record that currently
points to nightheron. This will allow us to switch the record in the
future and save the stages from needing to circumnavigate the globe
before reaching the mirrors.

Signed-off-by: Matt Turner <mattst88@gentoo.org>

tools/catalyst-auto

@@ -229,6 +229,22 @@ git_update() {
 	fi
 }
 
+# Stages are uploaded to <arch>@releng-incoming.gentoo.org and in order to
+# allow us to change what system this domain points to, we will retrieve the
+# SSH fingerprint from DNS. To do this securely, we need to ensure DNSSEC is
+# working.
+verify_dnssec() {
+	which dig >/dev/null || {
+		echo "net-dns/bind-tools is needed to verify DNSSEC is working"
+		exit 1
+	}
+
+	if ! dig +noall +comments dev.gentoo.org. IN SSHFP | egrep -q '^;; flags: [ a-z]+\<ad\>'; then
+		echo "DNSSEC does not appear to be working. Bailing out"
+		exit 1
+	fi
+}
+
 run_catalyst_commands() {
 	doneconfig=0
 	for config_file in "${config_files[@]}"; do
@@ -441,6 +457,9 @@ main() {
 	# Update the release git dir if possible.
 	git_update "$@"
 
+	# Verify DNSSEC works
+	verify_dnssec
+
 	# Try to isolate ourselves from the rest of the system.
 	containerize "$@"
 

tools/catalyst-auto-alpha.conf

@@ -33,7 +33,7 @@ update_symlinks() {
 
 upload() {
 	echo Uploading "$@"
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" alpha@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" alpha@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-amd64-experimental.conf

@@ -64,7 +64,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -75,8 +75,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null

tools/catalyst-auto-amd64.conf

@@ -65,7 +65,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -76,8 +76,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null

tools/catalyst-auto-arm64.conf

@@ -29,7 +29,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" arm@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" arm@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-armv4tl.conf

@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

tools/catalyst-auto-armv5tel.conf

@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

tools/catalyst-auto-armv6j.conf

@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

tools/catalyst-auto-armv6j_hardfp.conf

@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

tools/catalyst-auto-armv7a.conf

@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

tools/catalyst-auto-armv7a_hardfp.conf

@@ -30,5 +30,5 @@ update_symlinks() {
 
 
 post_build() {
-  rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org:
+  rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org:
 }

tools/catalyst-auto-hppa.conf

@@ -33,7 +33,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/buildsync.key' "$@" hppa@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/buildsync.key -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" hppa@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-ia64.conf

@@ -26,7 +26,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" ia64@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" ia64@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-s390.conf

@@ -26,7 +26,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" s390@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" s390@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-s390x.conf

@@ -26,7 +26,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" s390@nightheron.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" s390@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-sparc64.conf

@@ -28,7 +28,7 @@ update_symlinks() {
 }
 
 upload() {
-	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes' "$@" sparc@releng-incoming.gentoo.org:
+	rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" sparc@releng-incoming.gentoo.org:
 }
 
 post_build() {

tools/catalyst-auto-x86-experimental.conf

@@ -43,7 +43,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -54,8 +54,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null

tools/catalyst-auto-x86.conf

@@ -51,7 +51,7 @@ update_symlinks() {
 post_build() {
 	cmd=(
 		rsync
-		-e 'ssh -i /root/.ssh/id_rsa'
+		-e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no'
 		-a
 		--omit-dir-times
 		--delay-updates
@@ -62,8 +62,8 @@ post_build() {
 			DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened
 			;;
 		*)
-			DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}
-			DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
+			DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}
+			DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened
 			;;
 	esac
 	pushd ${BUILD_SRCDIR_BASE}/default >/dev/null