fdroidserver/buildserver/provision-apt-get-install

#!/bin/bash

echo $0
set -e
set -x

debian_mirror=$1
export DEBIAN_FRONTEND=noninteractive

printf 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";\n' \
       > /etc/apt/apt.conf.d/99no-install-recommends

printf 'APT::Acquire::Retries "20";\n' \
       > /etc/apt/apt.conf.d/99acquire-retries

cat <<EOF > /etc/apt/apt.conf.d/99no-auto-updates
APT::Periodic::Enable "0";
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
EOF

printf 'APT::Get::Assume-Yes "true";\n' \
       > /etc/apt/apt.conf.d/99assumeyes

cat <<EOF > /etc/apt/apt.conf.d/99quiet
Dpkg::Use-Pty "0";
quiet "1";
EOF

cat <<EOF > /etc/apt/apt.conf.d/99confdef
Dpkg::Options { "--force-confdef"; };
EOF

if echo $debian_mirror | grep '^https' 2>&1 > /dev/null; then
    apt-get update || apt-get update
    apt-get install ca-certificates
fi

cat << EOF > /etc/apt/sources.list
deb ${debian_mirror} bullseye main
deb https://security.debian.org/debian-security bullseye-security main
deb ${debian_mirror} bullseye-updates main
EOF
echo "deb ${debian_mirror} bullseye-backports main" > /etc/apt/sources.list.d/backports.list

apt-get update || apt-get update
apt-get upgrade --download-only
apt-get upgrade

# again after upgrade in case of keyring changes
apt-get update || apt-get update

packages="
 apksigner
 default-jdk-headless
 default-jre-headless
 dexdump
 fdroidserver
 git-svn
 gnupg
 mercurial
 patch
 rsync
 sdkmanager
 sudo
"

apt-get install $packages --download-only
apt-get install $packages
apt-get purge fdroidserver

highestjava=`update-java-alternatives --list | sort -n | tail -1 | cut -d ' ' -f 1`
update-java-alternatives --set $highestjava
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00			`#!/bin/bash`

buildserver: make provision scripts output name to log 2016-07-04 14:20:42 +02:00			`echo $0`
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00			`set -e`
			`set -x`

			`debian_mirror=$1`
buildserver: set quiet options to stop apt-get spamming build logs https://gitlab.com/fdroid/fdroidserver/issues/636#note_266483988 2020-01-14 23:14:45 +01:00			`export DEBIAN_FRONTEND=noninteractive`
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00
buildserver: download apt package first to increase reliability This does not have the careful result rechecking that chef has, when it installs each package in the list one at a time. So to help with failures caused by a package failing to download, first try downloading all the package, then run the install. The install pass will try to download any missing packages. Really, this should use ansible or perhaps chef again since those include lots of tricks around this stuff. 2016-09-06 14:33:13 +02:00			`printf 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";\n' \`
			`> /etc/apt/apt.conf.d/99no-install-recommends`

buildserver: retry apt-get downloads 20 times Try harder before failing the whole buildserver setup. 2016-09-15 11:12:49 +02:00			`printf 'APT::Acquire::Retries "20";\n' \`
			`> /etc/apt/apt.conf.d/99acquire-retries`

buildserver: disable all automatic apt-get updates Prevents errors due to: dpkg: error: dpkg status database is locked by another process closes #437 2018-12-08 16:57:01 +01:00			`cat <<EOF > /etc/apt/apt.conf.d/99no-auto-updates`
			`APT::Periodic::Enable "0";`
			`APT::Periodic::Update-Package-Lists "0";`
			`APT::Periodic::Unattended-Upgrade "0";`
			`EOF`
buildserver: force no auto updates of package lists or upgrades 2018-01-17 21:04:08 +01:00
provision-apt: add assumeyes config closes #600 2018-11-27 18:13:33 +01:00			`printf 'APT::Get::Assume-Yes "true";\n' \`
			`> /etc/apt/apt.conf.d/99assumeyes`
buildserver: set quiet options to stop apt-get spamming build logs https://gitlab.com/fdroid/fdroidserver/issues/636#note_266483988 2020-01-14 23:14:45 +01:00
			`cat <<EOF > /etc/apt/apt.conf.d/99quiet`
fix syntax error from ae86dc3d38f5da315a27aa0b9847676f8530557e fdroid/fdroidserver!713 [skip ci] 2020-02-11 12:48:34 +01:00			`Dpkg::Use-Pty "0";`
			`quiet "1";`
buildserver: set quiet options to stop apt-get spamming build logs https://gitlab.com/fdroid/fdroidserver/issues/636#note_266483988 2020-01-14 23:14:45 +01:00			`EOF`
provision-apt: add assumeyes config closes #600 2018-11-27 18:13:33 +01:00
[makebuildserver] run dpkg with --force-confdef There has been a whitespace change in the accessibility.properties configuration file as part of the openjdk-8-jre-headless 8u302-b08-1~deb9u1 version. As we modified the file, this broke makebuildserver, asking for confirmation. 2021-08-23 22:48:14 +02:00			`cat <<EOF > /etc/apt/apt.conf.d/99confdef`
			`Dpkg::Options { "--force-confdef"; };`
			`EOF`

buildserver: support HTTPS Debian mirrors The ever troublesome gpjenkins box needs to use HTTPS mirrors. Plus it improves the security of the buildserver, since there have been CVEs that HTTPS would protect against: https://www.debian.org/security/2016/dsa-3733 2017-03-16 14:48:08 +01:00			`if echo $debian_mirror \| grep '^https' 2>&1 > /dev/null; then`
provision-apt: add assumeyes config closes #600 2018-11-27 18:13:33 +01:00			`apt-get update \|\| apt-get update`
Drop obsolete apt-transport-https 2021-10-17 22:58:12 +02:00			`apt-get install ca-certificates`
buildserver: support HTTPS Debian mirrors The ever troublesome gpjenkins box needs to use HTTPS mirrors. Plus it improves the security of the buildserver, since there have been CVEs that HTTPS would protect against: https://www.debian.org/security/2016/dsa-3733 2017-03-16 14:48:08 +01:00			`fi`

simplify debian mirror setup 2018-11-27 14:07:19 +01:00			`cat << EOF > /etc/apt/sources.list`
Upgrade Buildserver VM Use Vagrant boxes built with cloud-team/debian-vagrant-images instead of fdroid/basebox, Use Debian Bullseye (11) instead of Debian Stretch (9) 2021-09-03 12:18:13 +02:00			`deb ${debian_mirror} bullseye main`
buildserver: use HTTPS for security.debian.org It is now officially supported: https://guardianproject.info/2021/12/08/debian-over-https/ 2022-09-05 18:45:17 +02:00			`deb https://security.debian.org/debian-security bullseye-security main`
Upgrade Buildserver VM Use Vagrant boxes built with cloud-team/debian-vagrant-images instead of fdroid/basebox, Use Debian Bullseye (11) instead of Debian Stretch (9) 2021-09-03 12:18:13 +02:00			`deb ${debian_mirror} bullseye-updates main`
simplify debian mirror setup 2018-11-27 14:07:19 +01:00			`EOF`
Upgrade Buildserver VM Use Vagrant boxes built with cloud-team/debian-vagrant-images instead of fdroid/basebox, Use Debian Bullseye (11) instead of Debian Stretch (9) 2021-09-03 12:18:13 +02:00			`echo "deb ${debian_mirror} bullseye-backports main" > /etc/apt/sources.list.d/backports.list`
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00
provision-apt: add assumeyes config closes #600 2018-11-27 18:13:33 +01:00			`apt-get update \|\| apt-get update`
			`apt-get upgrade --download-only`
			`apt-get upgrade`
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00
[buildserver] run update again after upgrade 2021-08-25 14:51:20 +02:00			`# again after upgrade in case of keyring changes`
			`apt-get update \|\| apt-get update`

buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00			`packages="`
buildserver: fix apksigner install Adding /bullseye-backports confuses things apparently. Without it, apt will look in bullseye-backports automatically, including for deps. But it will not look for deps in bullseye-backports if /bullseye-backports is used. !1205 2022-10-11 16:21:59 +02:00			`apksigner`
Install required packages for fdroidserver automatically 2021-09-03 13:48:36 +02:00			`default-jdk-headless`
			`default-jre-headless`
scanner: include dexdump in buildserver for APK analysis This scanner feature is not yet ready for the production buildserver but it is already useful in CI. 2022-05-19 15:43:55 +02:00			`dexdump`
Install required packages for fdroidserver automatically 2021-09-03 13:48:36 +02:00			`fdroidserver`
Pre-install git-svn and mercurial 2022-10-11 12:09:05 +02:00			`git-svn`
Install required packages for fdroidserver automatically 2021-09-03 13:48:36 +02:00			`gnupg`
Pre-install git-svn and mercurial 2022-10-11 12:09:05 +02:00			`mercurial`
Install patch and rsync (required by fdroidserver) 2021-10-17 21:47:21 +02:00			`patch`
			`rsync`
buildserver: install default SDK packages using fdroid/sdkmanager fdroid/sdkmanager provides a root of trust to verify all the packages it downloads, so it fully replaces what makebuildserver was doing. closes #927 2022-04-22 10:28:25 +02:00			`sdkmanager`
buildserver: explicitly include sudo as a dependency The basebox currently provides sudo, but that may not always be the case. This makes the sudo dependency explicit, so that this provisioning script can also be used in other settings, like GitLab CI. 2020-05-27 17:40:23 +02:00			`sudo`
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00			`"`
Install required packages for fdroidserver automatically 2021-09-03 13:48:36 +02:00
provision-apt: add assumeyes config closes #600 2018-11-27 18:13:33 +01:00			`apt-get install $packages --download-only`
			`apt-get install $packages`
Install required packages for fdroidserver automatically 2021-09-03 13:48:36 +02:00			`apt-get purge fdroidserver`
buildserver: move apt setup to a shell script This makes it so there is only a single `apt-get install` command run, instead of one command per-package like with the chef script. It also adds `apt-get upgrade` to make sure that the base box is fully up-to-date. 2016-07-04 13:52:19 +02:00
			highestjava=`update-java-alternatives --list \| sort -n \| tail -1 \| cut -d ' ' -f 1`
			`update-java-alternatives --set $highestjava`