diff --git a/static-build/nemu/Dockerfile b/static-build/nemu/Dockerfile
index f8c52f29e5..61ea52420b 100644
--- a/static-build/nemu/Dockerfile
+++ b/static-build/nemu/Dockerfile
@@ -12,7 +12,7 @@ ARG VIRTIOFSD
 ARG PREFIX
 WORKDIR /root/nemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 autoconf \
 automake \
diff --git a/static-build/nemu/build-static-nemu.sh b/static-build/nemu/build-static-nemu.sh
index 2e07da6ea4..bc1f7957ee 100755
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"
 if [ $# -ne 0 ];then
@@ -74,6 +76,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 sudo docker build \
+ --no-cache \
 --build-arg http_proxy="${http_proxy}" \
 --build-arg https_proxy="${https_proxy}" \
 --build-arg NEMU_REPO="${nemu_repo}" \
@@ -94,3 +97,7 @@ sudo docker run \
 mv "/tmp/nemu-static/${nemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"
diff --git a/static-build/qemu.blacklist b/static-build/qemu.blacklist
new file mode 100644
index 0000000000..5584596767
--- /dev/null
+++ b/static-build/qemu.blacklist
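Review bot: `apt-get upgrade -y` now shares a layer with `apt-get update`, but the `apt-get install -y` on the next line is still a separate `RUN`, so whenever the image is rebuilt without the script's `--no-cache` a cached update/upgrade layer can serve stale package lists to the install step; the install block itself continues past the end of this hunk. The conventional shape is one `RUN apt-get update && apt-get upgrade -y && apt-get install -y ...` ending in `rm -rf /var/lib/apt/lists/*`, which also keeps the package lists out of an intermediate layer. Because the upgrade is unpinned, two builds of the same commit may not produce the same toolchain, which deserves a one-line comment such as `# upgrade pulls current security fixes into the build image; output is not bit-reproducible across rebuilds`. The same applies to static-build/qemu/Dockerfile at @@ -6,7.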
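Review bot: `--no-cache` re-runs every layer, but it does not by itself refresh the locally cached base image, so the Dockerfile's `apt-get upgrade` runs on top of whichever base tag was pulled last; if the goal is to pick up current OS fixes, `--pull` belongs next to it: `--no-cache --pull \`. The flag also turns every invocation into a full toolchain reinstall, which is worth stating above the command, e.g. `# --no-cache so the Dockerfile's apt-get update/upgrade run on every build`. The `sudo docker build` command continues past the end of this hunk. The same applies to static-build/qemu/build-static-qemu.sh at @@ -39,6.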
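Review bot: `${qemu_black_list[*]}` on the `tar --delete` line is unquoted, so each pattern is subject to the shell's own pathname expansion in `${PWD}` before tar sees it: if something like `*/share/*/*.img` matches a real path under the working directory, that element is replaced by the local filename and the intended archive member is silently kept, and any element containing whitespace would be split. The expansion should be `"${qemu_black_list[@]}"` so every element reaches tar verbatim. With `set -o pipefail` in effect (visible in the earlier hunk header), a pattern that matches no member may make `tar --delete` exit non-zero and abort the script instead of leaving the archive unchanged, which is worth checking against a real tarball; a comment above the pipeline should also state that the blacklist entries are `tar --wildcards` member patterns. The same applies to static-build/qemu/build-static-qemu.sh at @@ -54,3.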
@@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)
diff --git a/static-build/qemu/Dockerfile b/static-build/qemu/Dockerfile
index 410a17e2c3..3d79f853d0 100644
--- a/static-build/qemu/Dockerfile
+++ b/static-build/qemu/Dockerfile
@@ -1,4 +1,4 @@
-from ubuntu:16.04
+from ubuntu:18.04
 ARG QEMU_REPO
 # commit/tag/branch
@@ -6,7 +6,7 @@ ARG QEMU_VERSION
 ARG PREFIX
 WORKDIR /root/qemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 autoconf \
 automake \
diff --git a/static-build/qemu/build-static-qemu.sh b/static-build/qemu/build-static-qemu.sh
index d2986897cd..7e46c837ec 100755
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
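Review bot: The array elements are unquoted glob patterns, and bash applies pathname expansion to unquoted words in an array assignment, so when this file is sourced from a working directory in which e.g. `*/share/*/*.img` or `*/libexec/` matches a real path, that element silently becomes the local filename rather than the intended tar pattern. Each entry should be single-quoted, e.g. `'*/bin/qemu-pr-helper'`, and the array could be declared `readonly` since nothing should modify it after sourcing. The header comment should also say that the file is sourced as bash by the build-static-*.sh scripts and that entries are `tar --wildcards` member patterns, because as written it reads like a plain data list rather than executed code.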
@@ -39,6 +41,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 sudo docker build \
+ --no-cache \
 --build-arg http_proxy="${http_proxy}" \
 --build-arg https_proxy="${https_proxy}" \
 --build-arg QEMU_REPO="${qemu_repo}" \
@@ -54,3 +57,7 @@ sudo docker run \
 mv "/tmp/qemu-static/${qemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"