From be9fcf752593f00284904f84faea0b5c30e6632e Mon Sep 17 00:00:00 2001
From: Antonin Hildebrand
Date: Wed, 11 Nov 2020 16:53:42 +0100
Subject: [PATCH] build: review the build script [skip ci]

1. make it work on macOS hosts
2. add quoting to paths to prevent failures if user was foolish enough to put the repo on a path with spaces
3. use -o pipefail for robustness
4. use wget --no-config to prevent surprises from ~/.wgetrc
5. add --init to docker run for better signals
6. detect effective USER:GROUP like a grown up
7. break fs download url into multiple configurable parts
8. make the script independent on launch location
9. build: generate nix-shell scripts with HEREDOC
9.1. this is easier on eyes, one could review generated script in ./build
9.2. we don't have to escape quotes and chain commands with &&
9.4. added some extra quoting for user-specified values
---
 build-docker.sh | 117 ++++++++++++++++++++++++++++--------------------
 1 file changed, 69 insertions(+), 48 deletions(-)

diff --git a/build-docker.sh b/build-docker.sh
index b26d7097b..06a3bcb61 100755
--- a/build-docker.sh
+++ b/build-docker.sh
@@ -1,27 +1,31 @@ #!/usr/bin/env bash -set -e +set -e -o pipefail -CONTAINER_NAME=trezor-firmware-env.nix +cd "$(dirname "${BASH_SOURCE[0]}")" + +CONTAINER_NAME=${CONTAINER_NAME:-trezor-firmware-env.nix} +ALPINE_CDN=${ALPINE_CDN:-http://dl-cdn.alpinelinux.org/alpine} +ALPINE_RELEASE=${ALPINE_RELEASE:-3.12} +ALPINE_ARCH=${ALPINE_ARCH:-x86_64} +ALPINE_VERSION=${ALPINE_VERSION:-3.12.0} +CONTAINER_FS_URL=${CONTAINER_FS_URL:-"$ALPINE_CDN/v$ALPINE_RELEASE/releases/$ALPINE_ARCH/alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz"} TAG=${1:-master} -REPOSITORY=${2:-local} +REPOSITORY=${2:-/local} PRODUCTION=${PRODUCTION:-1} MEMORY_PROTECT=${MEMORY_PROTECT:-1} -if [ "$REPOSITORY" = "local" ]; then - REPOSITORY=file:///local/ -else - REPOSITORY=https://github.com/$REPOSITORY/trezor-firmware.git -fi - -wget -nc -P ci/ http://dl-cdn.alpinelinux.org/alpine/v3.12/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz +wget --no-config -nc -P ci/ "$CONTAINER_FS_URL" docker build -t "$CONTAINER_NAME" ci/ -USER=$(ls -lnd . | awk '{ print $3 }') -GROUP=$(ls -lnd . | awk '{ print $4 }') +# stat under macOS has slightly different cli interface +USER=$(stat -c "%u" . 2>/dev/null || stat -f "%u" .) +GROUP=$(stat -c "%g" . 2>/dev/null || stat -f "%g" .) + +mkdir -p build/core build/legacy +mkdir -p build/core-bitcoinonly build/legacy-bitcoinonly -mkdir -p $(pwd)/build/core $(pwd)/build/legacy -mkdir -p $(pwd)/build/core-bitcoinonly $(pwd)/build/legacy-bitcoinonly +DIR=$(pwd) # build core 
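Review bot: `CONTAINER_FS_URL` defaults to a plain `http://` URL and `wget --no-config -nc -P ci/ "$CONTAINER_FS_URL"` fetches the Alpine minirootfs without any integrity check, so the root filesystem of the build container, and with it every firmware build, comes from an unauthenticated download (and, because of `-nc`, from whatever file already sits in `ci/`). Defaulting to `ALPINE_CDN=${ALPINE_CDN:-https://dl-cdn.alpinelinux.org/alpine}` and pinning a digest, e.g. `CONTAINER_FS_SHA256=${CONTAINER_FS_SHA256:-<pinned sha256 of the tarball>}` followed by `printf '%s  ci/%s\n' "$CONTAINER_FS_SHA256" "${CONTAINER_FS_URL##*/}" | sha256sum -c -` right after the wget line, makes the check cover both a fresh and a cached tarball. On the macOS hosts this commit targets, the equivalent check is `shasum -a 256 -c -`. The pinned digest then has to move together with `ALPINE_VERSION`, which is the point: a version bump becomes a reviewed change rather than a silent re-download.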
@@ -30,26 +34,34 @@ for BITCOIN_ONLY in 0 1; do DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly} DIRSUFFIX=${DIRSUFFIX/0/} + SCRIPT_NAME=".build_core_$BITCOIN_ONLY.sh" + cat < "build/$SCRIPT_NAME" + # DO NOT MODIFY! + # this file was generated by ${BASH_SOURCE[0]} + # variant: core build BITCOIN_ONLY=$BITCOIN_ONLY + set -e -o pipefail + cd /tmp + git clone "$REPOSITORY" trezor-firmware + cd trezor-firmware/core + ln -s /build build + git checkout "$TAG" + git submodule update --init --recursive + poetry install + poetry run make clean vendor build_firmware + poetry run ../python/tools/firmware-fingerprint.py \ + -o build/firmware/firmware.bin.fingerprint \ + build/firmware/firmware.bin + chown -R $USER:$GROUP /build +EOF + docker run -it --rm \ - -v $(pwd):/local \ - -v $(pwd)/build/core"${DIRSUFFIX}":/build:z \ + -v "$DIR:/local" \ + -v "$DIR/build/core$DIRSUFFIX":/build:z \ --env BITCOIN_ONLY="$BITCOIN_ONLY" \ --env PRODUCTION="$PRODUCTION" \ + --init \ "$CONTAINER_NAME" \ - /nix/var/nix/profiles/default/bin/nix-shell --run "\ - cd /tmp && \ - git clone $REPOSITORY trezor-firmware && \ - cd trezor-firmware/core && \ - ln -s /build build && - git checkout $TAG && \ - git submodule update --init --recursive && \ - poetry install && \ - poetry run make clean vendor build_firmware && \ - poetry run ../python/tools/firmware-fingerprint.py \ - -o build/firmware/firmware.bin.fingerprint \ - build/firmware/firmware.bin && \ - chown -R $USER:$GROUP /build" - + /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME" done # build legacy 
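Review bot: The heredoc written to `build/$SCRIPT_NAME` expands `$REPOSITORY`, `$TAG` and `$USER:$GROUP` on the host, so the `"$REPOSITORY"` and `"$TAG"` quotes in the generated script wrap an already-substituted literal; a tag or repository argument containing `"`, `$` or a backslash is re-parsed by bash when the script runs inside the container, which the "extra quoting" in the commit message does not cover. Passing the two user-supplied values through `--env`, as `BITCOIN_ONLY` and `PRODUCTION` already are, and escaping their references in the heredoc keeps them out of the script text entirely (this relies on nix-shell not being run with `--pure`, which the existing env handling already assumes). The legacy heredoc in the next hunk has the same issue. In this rendering the line reads `cat < "build/$SCRIPT_NAME"`; presumably `<<EOF >` was lost in extraction and the heredoc is unquoted, which the rewrite below assumes. The enclosing `for BITCOIN_ONLY` loop starts before the hunk.
```shell
  cat <<EOF > "build/$SCRIPT_NAME"
  # DO NOT MODIFY!
  # this file was generated by ${BASH_SOURCE[0]}
  # variant: core build BITCOIN_ONLY=$BITCOIN_ONLY
  # REPOSITORY, TAG and BUILD_OWNER arrive via docker --env; the \$ keeps them unexpanded here
  set -e -o pipefail
  cd /tmp
  git clone "\$REPOSITORY" trezor-firmware
  # … unchanged: cd trezor-firmware/core, ln -s /build build …
  git checkout "\$TAG"
  # … unchanged: submodule update, poetry install, build, fingerprint …
  chown -R "\$BUILD_OWNER" /build
EOF
  docker run -it --rm \
    # … unchanged: -v mounts, BITCOIN_ONLY and PRODUCTION env …
    --env REPOSITORY="$REPOSITORY" \
    --env TAG="$TAG" \
    --env BUILD_OWNER="$USER:$GROUP" \
    # … unchanged: --init, "$CONTAINER_NAME", nix-shell --run …
```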
@@ -59,28 +71,37 @@ for BITCOIN_ONLY in 0 1; do DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly} DIRSUFFIX=${DIRSUFFIX/0/} + SCRIPT_NAME=".build_legacy_$BITCOIN_ONLY.sh" + cat < "build/$SCRIPT_NAME" + # DO NOT MODIFY! + # this file was generated by ${BASH_SOURCE[0]} + # variant: legacy build BITCOIN_ONLY=$BITCOIN_ONLY + set -e -o pipefail + cd /tmp + git clone "$REPOSITORY" trezor-firmware + cd trezor-firmware/legacy + ln -s /build build + git checkout "$TAG" + git submodule update --init --recursive + poetry install + poetry run script/cibuild + mkdir -p build/firmware + cp firmware/trezor.bin build/firmware/firmware.bin + cp firmware/trezor.elf build/firmware/firmware.elf + poetry run ../python/tools/firmware-fingerprint.py \ + -o build/firmware/firmware.bin.fingerprint \ + build/firmware/firmware.bin + chown -R $USER:$GROUP /build +EOF + docker run -it --rm \ - -v $(pwd):/local \ - -v $(pwd)/build/legacy"${DIRSUFFIX}":/build:z \ + -v "$DIR:/local" \ + -v "$DIR/build/legacy$DIRSUFFIX":/build:z \ --env BITCOIN_ONLY="$BITCOIN_ONLY" \ --env MEMORY_PROTECT="$MEMORY_PROTECT" \ + --init \ "$CONTAINER_NAME" \ - /nix/var/nix/profiles/default/bin/nix-shell --run "\ - cd /tmp && \ - git clone $REPOSITORY trezor-firmware && \ - cd trezor-firmware/legacy && \ - ln -s /build build && - git checkout $TAG && \ - git submodule update --init --recursive && \ - poetry install && \ - poetry run script/cibuild && \ - mkdir -p build/firmware && \ - cp firmware/trezor.bin build/firmware/firmware.bin && \ - cp firmware/trezor.elf build/firmware/firmware.elf && \ - poetry run ../python/tools/firmware-fingerprint.py \ - -o build/firmware/firmware.bin.fingerprint \ - build/firmware/firmware.bin && \ - chown -R $USER:$GROUP /build" + /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME" done
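Review bot: The legacy heredoc repeats the prologue (`set -e -o pipefail`, `cd /tmp`, clone, checkout, submodule update, `poetry install`) and the epilogue (fingerprint, `chown -R $USER:$GROUP /build`) of the core script verbatim; only `cd trezor-firmware/legacy`, `poetry run script/cibuild` and the two `cp` lines differ. A small function that writes the shared parts around a variant-specific block, called from both loops, would keep the two generated scripts from drifting apart on the next edit. The enclosing `for BITCOIN_ONLY` loop starts before the hunk.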