From e9ea15ab8baf47f34b508fe02f5135f3063e0dc5 Mon Sep 17 00:00:00 2001 From: Matt Turner Date: Sat, 25 Apr 2020 21:52:40 -0700 Subject: [PATCH] Upload stages to releng-incoming.gentoo.org Most architecture's build systems are hosted at OSUOSL. The place the stages need to end up is ultimately masterreleases.gentoo.org, also at OSUOSL. For some unknown reason, instead of rsync'ing from one system to another in the same building, we were sending the stages first (slowly, I might add) to nightheron in France, before sending them back to OSUOSL. robbat2 has added a releng-incoming.gentoo.org DNS record that currently points to nightheron. This will allow us to switch the record in the future and save the stages from needing to circumnavigate the globe before reaching the mirrors. Signed-off-by: Matt Turner --- tools/catalyst-auto | 19 +++++++++++++++++++ tools/catalyst-auto-alpha.conf | 2 +- tools/catalyst-auto-amd64-experimental.conf | 6 +++--- tools/catalyst-auto-amd64.conf | 6 +++--- tools/catalyst-auto-arm64.conf | 2 +- tools/catalyst-auto-armv4tl.conf | 2 +- tools/catalyst-auto-armv5tel.conf | 2 +- tools/catalyst-auto-armv6j.conf | 2 +- tools/catalyst-auto-armv6j_hardfp.conf | 2 +- tools/catalyst-auto-armv7a.conf | 2 +- tools/catalyst-auto-armv7a_hardfp.conf | 2 +- tools/catalyst-auto-hppa.conf | 2 +- tools/catalyst-auto-ia64.conf | 2 +- tools/catalyst-auto-s390.conf | 2 +- tools/catalyst-auto-s390x.conf | 2 +- tools/catalyst-auto-sparc64.conf | 2 +- tools/catalyst-auto-x86-experimental.conf | 6 +++--- tools/catalyst-auto-x86.conf | 6 +++--- 18 files changed, 44 insertions(+), 25 deletions(-) diff --git a/tools/catalyst-auto b/tools/catalyst-auto index de0afd69..509917c7 100755 --- a/tools/catalyst-auto +++ b/tools/catalyst-auto 
@@ -229,6 +229,22 @@ git_update() { fi } +# Stages are uploaded to @releng-incoming.gentoo.org and in order to +# allow us to change what system this domain points to, we will retrieve the +# SSH fingerprint from DNS. To do this securely, we need to ensure DNSSEC is +# working. +verify_dnssec() { + which dig >/dev/null || { + echo "net-dns/bind-tools is needed to verify DNSSEC is working" + exit 1 + } + + if ! dig +noall +comments dev.gentoo.org. IN SSHFP | egrep -q '^;; flags: [ a-z]+\'; then + echo "DNSSEC does not appear to be working. Bailing out" + exit 1 + fi +} + run_catalyst_commands() { doneconfig=0 for config_file in "${config_files[@]}"; do @@ -441,6 +457,9 @@ main() { # Update the release git dir if possible. git_update "$@" + # Verify DNSSEC works + verify_dnssec + # Try to isolate ourselves from the rest of the system. containerize "$@" diff --git a/tools/catalyst-auto-alpha.conf b/tools/catalyst-auto-alpha.conf index b218fa0e..c8090e97 100644 --- a/tools/catalyst-auto-alpha.conf +++ b/tools/catalyst-auto-alpha.conf @@ -33,7 +33,7 @@ update_symlinks() { upload() { echo Uploading "$@" - rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" alpha@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" alpha@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-amd64-experimental.conf b/tools/catalyst-auto-amd64-experimental.conf index 37e01bd1..5e444764 100644 --- a/tools/catalyst-auto-amd64-experimental.conf +++ b/tools/catalyst-auto-amd64-experimental.conf @@ -64,7 +64,7 @@ update_symlinks() { post_build() { cmd=( rsync - -e 'ssh -i /root/.ssh/id_rsa' + -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' -a --omit-dir-times --delay-updates 
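Review bot: verify_dnssec() checks less than its comment promises: it queries `dev.gentoo.org.` instead of the upload host `releng-incoming.gentoo.org.`, and it does so once with dig before a long build. ssh later resolves SSHFP through libc, where glibc 2.31 and newer clears the AD bit unless `options trust-ad` is set in resolv.conf, so the check can pass on a builder where ssh will treat the SSHFP answer as unauthenticated. I would point the query at the real target and add a comment such as `# Sanity check only: host-key enforcement is done by the ssh options in each upload function`. As rendered here the egrep pattern ends in `[ a-z]+\'`, which looks like extraction loss; presumably the original matches the `ad` flag — confirm against the repository.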
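Review bot: In upload(), `-o StrictHostKeyChecking=no` combined with `-o UserKnownHostsFile=/dev/null` makes ssh accept any host key it has not seen before. When the SSHFP record is missing, unsigned or does not match, OpenSSH only warns and the rsync still goes ahead, so `VerifyHostKeyDNS=yes` adds no enforcement. A DNSSEC-validated SSHFP match is accepted before known_hosts is consulted, so `-o StrictHostKeyChecking=yes` should keep the DNS-pinned path working while refusing everything else; confirm on one builder before rollout. The same option string is added in every other .conf hunk of this patch (amd64, amd64-experimental, arm64, armv4tl through armv7a_hardfp, hppa, ia64, s390, s390x, x86, x86-experimental). In sparc64, adding `StrictHostKeyChecking=no` is the hunk's only change.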
@@ -75,8 +75,8 @@ post_build() { DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened ;; *) - DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE} - DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened + DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE} + DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened ;; esac pushd ${BUILD_SRCDIR_BASE}/default >/dev/null diff --git a/tools/catalyst-auto-amd64.conf b/tools/catalyst-auto-amd64.conf index c2e0c8b1..31cb48b0 100644 --- a/tools/catalyst-auto-amd64.conf +++ b/tools/catalyst-auto-amd64.conf @@ -65,7 +65,7 @@ update_symlinks() { post_build() { cmd=( rsync - -e 'ssh -i /root/.ssh/id_rsa' + -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' -a --omit-dir-times --delay-updates @@ -76,8 +76,8 @@ post_build() { DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened ;; *) - DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE} - DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened + DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE} + DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened ;; esac pushd ${BUILD_SRCDIR_BASE}/default >/dev/null diff --git a/tools/catalyst-auto-arm64.conf b/tools/catalyst-auto-arm64.conf index 0d1506a4..15a4a0c4 100644 --- a/tools/catalyst-auto-arm64.conf +++ b/tools/catalyst-auto-arm64.conf @@ -29,7 +29,7 @@ update_symlinks() { } upload() { - rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" arm@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-armv4tl.conf b/tools/catalyst-auto-armv4tl.conf index fa20b5ca..0727b830 100644 --- a/tools/catalyst-auto-armv4tl.conf +++ b/tools/catalyst-auto-armv4tl.conf 
@@ -30,5 +30,5 @@ update_symlinks() { post_build() { - rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org: } diff --git a/tools/catalyst-auto-armv5tel.conf b/tools/catalyst-auto-armv5tel.conf index 79975984..9956a033 100644 --- a/tools/catalyst-auto-armv5tel.conf +++ b/tools/catalyst-auto-armv5tel.conf @@ -30,5 +30,5 @@ update_symlinks() { post_build() { - rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org: } diff --git a/tools/catalyst-auto-armv6j.conf b/tools/catalyst-auto-armv6j.conf index 0db433fa..97406f65 100644 --- a/tools/catalyst-auto-armv6j.conf +++ b/tools/catalyst-auto-armv6j.conf @@ -30,5 +30,5 @@ update_symlinks() { post_build() { - rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org: } diff --git a/tools/catalyst-auto-armv6j_hardfp.conf b/tools/catalyst-auto-armv6j_hardfp.conf index ca12d89d..6f26e2fa 100644 --- a/tools/catalyst-auto-armv6j_hardfp.conf +++ b/tools/catalyst-auto-armv6j_hardfp.conf 
@@ -30,5 +30,5 @@ update_symlinks() { post_build() { - rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org: } diff --git a/tools/catalyst-auto-armv7a.conf b/tools/catalyst-auto-armv7a.conf index 1b13c6b5..0e7a6126 100644 --- a/tools/catalyst-auto-armv7a.conf +++ b/tools/catalyst-auto-armv7a.conf @@ -30,5 +30,5 @@ update_symlinks() { post_build() { - rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org: } diff --git a/tools/catalyst-auto-armv7a_hardfp.conf b/tools/catalyst-auto-armv7a_hardfp.conf index c3037712..e9c893d2 100644 --- a/tools/catalyst-auto-armv7a_hardfp.conf +++ b/tools/catalyst-auto-armv7a_hardfp.conf @@ -30,5 +30,5 @@ update_symlinks() { post_build() { - rsync -e 'ssh -i /root/.ssh/id_rsa' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' ${BUILD_SRCDIR_BASE}/builds/default/stage3-${SUBARCH}-*${DATESTAMP}*.tar.bz2* arm@releng-incoming.gentoo.org: } diff --git a/tools/catalyst-auto-hppa.conf b/tools/catalyst-auto-hppa.conf index 5444cc4e..850cf411 100644 --- a/tools/catalyst-auto-hppa.conf +++ b/tools/catalyst-auto-hppa.conf 
@@ -33,7 +33,7 @@ update_symlinks() { } upload() { - rsync -e 'ssh -i /root/.ssh/buildsync.key' "$@" hppa@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/buildsync.key -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" hppa@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-ia64.conf b/tools/catalyst-auto-ia64.conf index b3328ed3..e441cfc8 100644 --- a/tools/catalyst-auto-ia64.conf +++ b/tools/catalyst-auto-ia64.conf @@ -26,7 +26,7 @@ update_symlinks() { } upload() { - rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" ia64@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" ia64@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-s390.conf b/tools/catalyst-auto-s390.conf index b48c7536..4986c053 100644 --- a/tools/catalyst-auto-s390.conf +++ b/tools/catalyst-auto-s390.conf @@ -26,7 +26,7 @@ update_symlinks() { } upload() { - rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" s390@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" s390@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-s390x.conf b/tools/catalyst-auto-s390x.conf index c9f3f7e9..ab10f702 100644 --- a/tools/catalyst-auto-s390x.conf +++ b/tools/catalyst-auto-s390x.conf @@ -26,7 +26,7 @@ update_symlinks() { } upload() { - rsync -e 'ssh -i /root/.ssh/id_rsa' "$@" s390@nightheron.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" s390@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-sparc64.conf b/tools/catalyst-auto-sparc64.conf index 4a9a2c21..5e83a6bc 100644 --- a/tools/catalyst-auto-sparc64.conf +++ b/tools/catalyst-auto-sparc64.conf 
@@ -28,7 +28,7 @@ update_symlinks() { } upload() { - rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes' "$@" sparc@releng-incoming.gentoo.org: + rsync -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' "$@" sparc@releng-incoming.gentoo.org: } post_build() { diff --git a/tools/catalyst-auto-x86-experimental.conf b/tools/catalyst-auto-x86-experimental.conf index 2373041e..673e00e9 100644 --- a/tools/catalyst-auto-x86-experimental.conf +++ b/tools/catalyst-auto-x86-experimental.conf @@ -43,7 +43,7 @@ update_symlinks() { post_build() { cmd=( rsync - -e 'ssh -i /root/.ssh/id_rsa' + -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' -a --omit-dir-times --delay-updates @@ -54,8 +54,8 @@ post_build() { DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened ;; *) - DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE} - DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened + DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE} + DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened ;; esac pushd ${BUILD_SRCDIR_BASE}/default >/dev/null diff --git a/tools/catalyst-auto-x86.conf b/tools/catalyst-auto-x86.conf index 52f07b12..0aa7990a 100644 --- a/tools/catalyst-auto-x86.conf +++ b/tools/catalyst-auto-x86.conf @@ -51,7 +51,7 @@ update_symlinks() { post_build() { cmd=( rsync - -e 'ssh -i /root/.ssh/id_rsa' + -e 'ssh -i /root/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=no' -a --omit-dir-times --delay-updates 
@@ -62,8 +62,8 @@ post_build() { DEST_HARDENED=${BUILD_DESTDIR_BASE}/hardened ;; *) - DEST_DEFAULT=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE} - DEST_HARDENED=${ARCH}@nightheron.gentoo.org:${BUILD_DESTDIR_BASE}/hardened + DEST_DEFAULT=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE} + DEST_HARDENED=${ARCH}@releng-incoming.gentoo.org:${BUILD_DESTDIR_BASE}/hardened ;; esac pushd ${BUILD_SRCDIR_BASE}/default >/dev/null