Update compat layer NESSI/2023.06

scripts/get-pkgs-NESSI.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+function log() {
+    echo -e "$1" | tee -a ${GLSA_LOG}
+}
+
+function error() {
+    echo -e "$1" | tee -a ${GLSA_LOG}
+    exit 1
+}
+
+glsa_tmp_dir=$(mktemp -d $TMPDIR/glsa_check.XXX)
+mkdir -p ${glsa_tmp_dir}
+echo "glsa_tmp_dir: '${glsa_tmp_dir}'"
+GLSA_LOG=${glsa_tmp_dir}/glsa.log
+GLSA_CHECK_LOG=${glsa_tmp_dir}/glsa_check.log
+
+# Check if an EESSI version has been specified
+if [ "$#" -eq 0 ]; then
+    error "usage: $0 <EESSI version> [EESSI architecture]"
+fi
+
+version="$1"
+
+# Determine architecture
+if [ ! -z "$2" ]
+then
+    arch="$2"
+else
+    arch="$(uname -m)"
+fi
+
+# Check if the EESSI version number encoded in the filename
+# is a valid, i.e. matches the format YYYY.DD
+if ! echo "${version}" | egrep -q '^20[0-9][0-9]\.(0[0-9]|1[0-2])$'
+then
+    error "${version} is not a valid EESSI version."
+fi
+
+compat_dir="/cvmfs/pilot.nessi.no/versions/${version}/compat/linux/${arch}"
+export PATH="${compat_dir}/usr/bin:${compat_dir}/bin"
+
+echo "Determining installed packages..."
+QLIST="qlist -IRv"
+if [ -f ${compat_dir}/startprefix ]; then
+    ${compat_dir}/startprefix <<< ${QLIST} | sort > ${glsa_tmp_dir}/qlist_installed_packages.log
+fi
+
+echo "Searching for updates to ${compat_dir}..."
+echo " - PATH set to '${PATH}'"
+
+# Set the gentoo repo dir to a temporary directory to prevent it from having to compare
+# all the existing files (which also means that CVMFS has to retrieve them) with new ones.
+# Also use the mirror repo, which already contains all metadata.
+gentoo_dir=${GENTOO_OVERLAY_DIR:-${glsa_tmp_dir}/gentoo}
+
+if [ -f "${compat_dir}/etc/portage/repos.conf/gentoo.conf" ];
+then
+    sed -i "s|location  = .*|location = ${gentoo_dir}|" "${compat_dir}/etc/portage/repos.conf/gentoo.conf"
+    sed -i "s|sync-uri\s*= .*|sync-uri  = https://github.com/gentoo-mirror/gentoo.git|" "${compat_dir}/etc/portage/repos.conf/gentoo.conf"
+else
+    cat > "${compat_dir}/etc/portage/repos.conf/gentoo.conf" <<EOF
+[DEFAULT]
+main-repo = gentoo
+sync-git-pull-extra-opts = --quiet
+
+[gentoo]
+priority  = 1
+location  = ${gentoo_dir}
+sync-uri  = https://github.com/gentoo-mirror/gentoo.git
+sync-type = git
+auto-sync = Yes
+clone-depth = 1
+EOF
+fi
+
+echo "Remove existing sync'ed repo data..."
+rm -f ${compat_dir}/etc/portage/repo.postsync.d/sync_gentoo_*
+
+echo "Update the gentoo overlay by downloading a tarball of the git repo to ${gentoo_dir} ..."
+mkdir -p "${gentoo_dir}"
+wget -q "https://github.com/gentoo-mirror/gentoo/archive/refs/heads/stable.tar.gz"
+tar -xzf "stable.tar.gz" --strip-components=1 -C "${gentoo_dir}"
+
+echo "Run glsa-check (see log files in '${glsa_tmp_dir}')..."
+glsa-check -n -p affected > ${GLSA_CHECK_LOG}
+echo "Checking if there are any packages without an upgrade path (processing '${GLSA_CHECK_LOG}')"
+cat ${GLSA_CHECK_LOG} | grep -A2 "No upgrade path exists for these packages"
+
+updates=$(cat ${GLSA_CHECK_LOG} | grep vulnerable | awk '{print "="$1}' | paste -s -d ' ')
+if [ ! -z "${updates}" ];
+then
+    log "Security vulnerabilities found in EESSI version ${version} for ${arch}!"
+    log "Run the following command to solve them:"
+    log '```'
+    log "emerge --ask --oneshot --verbose ${updates}"
+    log '```'
+    exitcode=1
+else
+    log "No security vulnerabilities found in EESSI version ${version} for ${arch}!"
+    exitcode=0
+fi
+echo "For details see log file '${GLSA_CHECK_LOG}'"
+
+exit ${exitcode}

scripts/update-pkgs-NESSI-2023.06-2024-01-24.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -e
+
+mytmpdir=$(mktemp -d --tmpdir=/tmp)
+
+if [ -z "$EPREFIX" ]; then
+    # this assumes we're running in a Gentoo Prefix environment
+    EPREFIX=$(dirname $(dirname $SHELL))
+fi
+echo "EPREFIX=${EPREFIX}"
+
+# collect list of installed packages before updating packages
+list_installed_pkgs_pre_update=${mytmpdir}/installed-pkgs-pre-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_pre_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_pre_update}
+
+# update checkout of gentoo repository to sufficiently recent commit
+# this is required because we pin to a specific commit when bootstrapping the compat layer
+# see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml;
+
+# https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d2cb88c7568aa483b465e1988756e64857b41b1 (2024-01-24)
+gentoo_commit='3d2cb88c7568aa483b465e1988756e64857b41b1'
+echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..."
+cd $EPREFIX/var/db/repos/gentoo
+time git fetch origin
+echo "Checking out ${gentoo_commit} in ${PWD}..."
+time git checkout ${gentoo_commit}
+cd -
+
+# update libarchive due to https://glsa.gentoo.org/glsa/202309-14
+emerge --update --oneshot --verbose '=app-arch/libarchive-3.7.2'  # was app-arch/libarchive-3.6.2-r1
+
+# update glibc due to https://glsa.gentoo.org/glsa/202310-03
+emerge --update --oneshot --verbose '=sys-libs/glibc-2.37-r7'  # was sys-libs/glibc-2.37-r3
+
+# update binutils due to https://glsa.gentoo.org/glsa/202310-12
+emerge --update --oneshot --verbose '=net-misc/curl-8.4.0'  # was net-misc/curl-8.1.2
+
+# update openssl due to https://glsa.gentoo.org/glsa/202401-18
+emerge --update --oneshot --verbose '=sys-libs/zlib-1.3-r2'  # was sys-libs/zlib-1.2.13-r1
+
+# collect list of installed packages after updating packages
+list_installed_pkgs_post_update=${mytmpdir}/installed-pkgs-post-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_post_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_post_update}
+
+echo
+echo "diff in installed packages:"
+diff -u ${list_installed_pkgs_pre_update} ${list_installed_pkgs_post_update}
+
+rm -rf ${mytmpdir}