chore(signing): Switch fully from /usr/etc/ to /etc/

Fixes: #319 I only tested this in non-Universal Blue image. With & without rechunk. Before: ``` [11:39:42 g.i/h/rechunk:v1.0.1] => WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY [11:39:42 g.i/h/rechunk:v1.0.1] => EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS [11:39:42 g.i/h/rechunk:v1.0.1] => The following files from /usr/etc will be merged to /etc: [11:39:42 g.i/h/rechunk:v1.0.1] => ./usr/etc [11:39:42 g.i/h/rechunk:v1.0.1] => |-- containers [11:39:42 g.i/h/rechunk:v1.0.1] => | |-- policy.json [11:39:42 g.i/h/rechunk:v1.0.1] => | `-- registries.d [11:39:42 g.i/h/rechunk:v1.0.1] => | `-- gidro-os.yaml [11:39:42 g.i/h/rechunk:v1.0.1] => `-- pki [11:39:42 g.i/h/rechunk:v1.0.1] => `-- containers [11:39:42 g.i/h/rechunk:v1.0.1] => `-- gidro-os.pub [11:39:42 g.i/h/rechunk:v1.0.1] => [11:39:42 g.i/h/rechunk:v1.0.1] => 5 directories, 3 files ``` After: ``` [18:26:31 g.i/h/rechunk:v1.0.1] => WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY [18:26:31 g.i/h/rechunk:v1.0.1] => EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS [18:26:31 g.i/h/rechunk:v1.0.1] => The following files from /usr/etc will be merged to /etc: [18:26:31 g.i/h/rechunk:v1.0.1] => ./usr/etc [18:26:31 g.i/h/rechunk:v1.0.1] => `-- pki [18:26:31 g.i/h/rechunk:v1.0.1] => `-- containers [18:26:31 g.i/h/rechunk:v1.0.1] => `-- gidro-os.pub [18:26:31 g.i/h/rechunk:v1.0.1] => [18:26:31 g.i/h/rechunk:v1.0.1] => 3 directories, 1 file ``` Only thing remaining is to see if copying .pub keys to `/etc/` only will work, as it caused issues before. That would get rid of all files in `/usr/etc/`. https://github.com/blue-build/cli/blob/a8cac2adc90fa842e4565bc1825e588df4f5bcbd/template/templates/Containerfile.j2#L26
blue-build · Dec 7, 2024 · b9ce64f · b9ce64f
1 parent 4803093
commit b9ce64f
Showing 1 changed file with 19 additions and 24 deletions.
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
@@ -3,40 +3,35 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 
-# Don't migrate this module from utilizing `/usr/etc/` to `/etc/` yet, as Ublue needs to solve this issue
-# https://github.com/ublue-os/config/pull/311
-CONTAINER_DIR="/usr/etc/containers"
+CONTAINER_DIR="/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
 
-echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
-echo "Registry to write: $IMAGE_REGISTRY"
+echo "Setting up container signing in policy.json and cosign.yaml for ${IMAGE_NAME}"
+echo "Registry to write: ${IMAGE_REGISTRY}"
 
-if ! [ -d "$CONTAINER_DIR" ]; then
-    mkdir -p "$CONTAINER_DIR"
+if ! [ -d "${CONTAINER_DIR}" ]; then
+  mkdir -p "${CONTAINER_DIR}"
 fi
 
-if ! [ -d $CONTAINER_DIR/registries.d ]; then
-   mkdir -p "$CONTAINER_DIR/registries.d"
+if ! [ -d "${CONTAINER_DIR}/registries.d" ]; then
+  mkdir -p "${CONTAINER_DIR}/registries.d"
 fi
 
-if ! [ -d "/usr/etc/pki/containers" ]; then
-    mkdir -p "/usr/etc/pki/containers"
+if ! [ -d "/etc/pki/containers" ]; then
+  mkdir -p "/etc/pki/containers"
 fi
 
-if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
-    cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
+    cp "/usr/share/ublue-os/cosign.pub" "/etc/pki/containers/${IMAGE_NAME_FILE}.pub"
 fi
 
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
-    cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
-fi
-
-POLICY_FILE="$CONTAINER_DIR/policy.json"
+TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
+POLICY_FILE="${CONTAINER_DIR}/policy.json"
 
-jq --arg image_registry "$IMAGE_REGISTRY" \
-   --arg image_name "$IMAGE_NAME" \
-   --arg image_name_file "$IMAGE_NAME_FILE" \
+jq --arg image_registry "${IMAGE_REGISTRY}" \
+   --arg image_name "${IMAGE_NAME}" \
+   --arg image_name_file "${IMAGE_NAME_FILE}" \
    '.transports.docker |= 
     { ($image_registry + "/" + $image_name): [
         {
@@ -46,7 +41,7 @@ jq --arg image_registry "$IMAGE_REGISTRY" \
                 "type": "matchRepository"
             }
         }
-    ] } + .' "$POLICY_FILE" > /tmp/tmp-policy.json && mv /tmp/tmp-policy.json "$POLICY_FILE"
+    ] } + .' "${TEMPLATE_POLICY}" > "${POLICY_FILE}"
 
-mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
-sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
+mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
+sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY} g" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"