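#!/bin/bash
#
# Populate and then strip a Debian root filesystem used for driver testing.
#
# Steps, in order:
#   1. install the runtime packages (plus a few per-architecture ones),
#   2. install ci-fairy from a pinned ci-templates commit,
#   3. configure a password-less root account and a trivial /init,
#   4. delete docs, locales, logs and finally apt/dpkg themselves.
#
# Environment:
#   DEBIAN_ARCH  (read) "arm64" or "amd64" selects extra packages; any other
#                value installs no architecture-specific packages.
#
# NOTE(review): presumably run as root from the root directory of the target
# filesystem (e.g. inside a chroot) -- confirm against the caller. Many of the
# cleanup steps below use paths relative to the current directory.

set -ex

# Quoted so that an empty or unset DEBIAN_ARCH is a clean "no match" instead
# of a `[` syntax error.
if [ "$DEBIAN_ARCH" = arm64 ]; then
    ARCH_PACKAGES="firmware-qcom-media"
elif [ "$DEBIAN_ARCH" = amd64 ]; then
    ARCH_PACKAGES="firmware-amd-graphics
                   libelf1
                   libllvm11
                   libva2
                   libva-drm2
                  "
fi

# Build-time only: needed to pip-install ci-fairy, purged again right after.
INSTALL_CI_FAIRY_PACKAGES="git
                           python3-dev
                           python3-pip
                           python3-setuptools
                           python3-wheel
                          "

# The two package-list variables are expanded unquoted on purpose: they hold
# whitespace-separated package names that must split into separate arguments.
apt-get -y install --no-install-recommends \
    $ARCH_PACKAGES \
    $INSTALL_CI_FAIRY_PACKAGES \
    ca-certificates \
    firmware-realtek \
    initramfs-tools \
    libasan6 \
    libexpat1 \
    libpng16-16 \
    libpython3.9 \
    libsensors5 \
    libvulkan1 \
    libwaffle-1-0 \
    libx11-6 \
    libx11-xcb1 \
    libxcb-dri2-0 \
    libxcb-dri3-0 \
    libxcb-glx0 \
    libxcb-present0 \
    libxcb-randr0 \
    libxcb-shm0 \
    libxcb-sync1 \
    libxcb-xfixes0 \
    libxdamage1 \
    libxext6 \
    libxfixes3 \
    libxkbcommon0 \
    libxrender1 \
    libxshmfence1 \
    libxxf86vm1 \
    netcat-openbsd \
    python3 \
    python3-lxml \
    python3-mako \
    python3-numpy \
    python3-packaging \
    python3-pil \
    python3-renderdoc \
    python3-requests \
    python3-simplejson \
    python3-yaml \
    sntp \
    strace \
    waffle-utils \
    wget \
    xinit \
    xserver-xorg-core \
    xz-utils

# Needed for ci-fairy, this revision is able to upload files to
# MinIO and doesn't depend on git
#
# The revision is pinned to a full commit id so the installed code cannot
# change silently. It is fetched over https rather than plain http: pip runs
# the package's build code as the current user during install, so the
# transport should be authenticated as well (ca-certificates is installed by
# the apt-get step above).
pip3 install git+https://gitlab.freedesktop.org/freedesktop/ci-templates@0f1abc24c043e63894085a6bd12f14263e8b29eb

apt-get purge -y \
    $INSTALL_CI_FAIRY_PACKAGES

# Delete root's password and make /bin/sh the login shell.
# NOTE(review): together with the /init below this yields an image where
# anyone reaching a console or login prompt is root without credentials.
# Presumably intended for an isolated test lab only -- confirm the image is
# never deployed on a reachable network.
passwd root -d
chsh -s /bin/sh

# Minimal init: set a recognisable prompt and hand over to a shell.
# The delimiter is quoted so the heredoc body is always written literally.
cat > /init <<'EOF'
#!/bin/sh
export PS1=lava-shell:
exec sh
EOF
chmod +x /init

#######################################################################
# Strip the image to a small minimal system without removing the debian
# toolchain.

# xz compress firmware so it doesn't waste RAM at runtime on ramdisk systems
find /lib/firmware -type f -print0 | \
    xargs -0r -P4 -n4 xz -T1 -C crc32

# Replace /etc/localtime with a standalone copy of the UTC zone data.
# NOTE(review): the original comment also mentioned removing the tzdata
# package, but no step in this script does that.
rm -rf /etc/localtime
cp /usr/share/zoneinfo/Etc/UTC /etc/localtime

UNNEEDED_PACKAGES="
        libfdisk1
        "

export DEBIAN_FRONTEND=noninteractive

# Removing unused packages. A failed removal is reported and skipped rather
# than aborting the build (the `if !` keeps `set -e` from triggering).
for PACKAGE in ${UNNEEDED_PACKAGES}
do
    echo "${PACKAGE}"
    if ! apt-get remove --purge --yes "${PACKAGE}"
    then
        echo "WARNING: ${PACKAGE} isn't installed"
    fi
done

# Best effort: an autoremove failure must not fail the image build.
apt-get autoremove --yes || true

# Dropping logs
rm -rf /var/log/*

# Dropping documentation, localization, i18n files, etc
rm -rf /usr/share/doc/*
rm -rf /usr/share/locale/*
rm -rf /usr/share/X11/locale/*
rm -rf /usr/share/man
rm -rf /usr/share/i18n/*
rm -rf /usr/share/info/*
rm -rf /usr/share/lintian/*
rm -rf /usr/share/common-licenses/*
rm -rf /usr/share/mime/*

# Dropping reportbug scripts
rm -rf /usr/share/bug

# Drop udev hwdb not required on a stripped system
rm -rf /lib/udev/hwdb.bin /lib/udev/hwdb.d/*

# NOTE(review): from here on most paths are relative (usr/..., etc/...,
# var/...), so they resolve against the working directory the script was
# started from. They only strip this image if that directory is the root of
# the filesystem; started anywhere else, `rm -rf var/* opt srv share` and
# friends would act on that other directory instead. Confirm how the script
# is invoked before reusing it.

# Drop all gconv conversions && binaries
rm -rf usr/bin/iconv
rm -rf usr/sbin/iconvconfig
rm -rf usr/lib/*/gconv/

# Remove libusb database
rm -rf usr/sbin/update-usbids
rm -rf var/lib/usbutils/usb.ids
rm -rf usr/share/misc/usb.ids

#######################################################################
# Crush into a minimal production image to be deployed via some type of image
# updating system.
# IMPORTANT: The Debian system is no longer functional at this point,
# for example, apt and dpkg will stop working

UNNEEDED_PACKAGES="apt libapt-pkg6.0 "\
"ncurses-bin ncurses-base libncursesw6 libncurses6 "\
"perl-base "\
"debconf libdebconfclient0 "\
"e2fsprogs e2fslibs libfdisk1 "\
"insserv "\
"udev "\
"init-system-helpers "\
"bash "\
"cpio "\
"xz-utils "\
"passwd "\
"libsemanage1 libsemanage-common "\
"libsepol1 "\
"gpgv "\
"hostname "\
"adduser "\
"debian-archive-keyring "\
"libegl1-mesa-dev "\
"libegl-mesa0 "\
"libgl1-mesa-dev "\
"libgl1-mesa-dri "\
"libglapi-mesa "\
"libgles2-mesa-dev "\
"libglx-mesa0 "\
"mesa-common-dev "

# Removing unneeded packages. dpkg is told to ignore dependency and
# "essential" protections, so the package database is inconsistent afterwards;
# that is accepted because dpkg itself is purged a few steps further down.
# The list includes gpgv, debian-archive-keyring and apt, so the finished
# image has no way to fetch or verify package updates -- any fix has to ship
# as a rebuilt image.
for PACKAGE in ${UNNEEDED_PACKAGES}
do
    echo "Forcing removal of ${PACKAGE}"
    if ! dpkg --purge --force-remove-essential --force-depends "${PACKAGE}"
    then
        echo "WARNING: ${PACKAGE} isn't installed"
    fi
done

# Show what's left package-wise before dropping dpkg itself
COLUMNS=300 dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n

# Drop dpkg
dpkg --purge --force-remove-essential --force-depends dpkg

# No apt or dpkg, no need for its configuration archives
rm -rf etc/apt
rm -rf etc/dpkg

# Drop directories not part of ostree
# Note that /var needs to exist as ostree bind mounts the deployment /var over
# it
rm -rf var/* opt srv share

# ca-certificates are in /etc drop the source
rm -rf usr/share/ca-certificates

# No bash, no need for completions
rm -rf usr/share/bash-completion

# No zsh, no need for completions
rm -rf usr/share/zsh/vendor-completions

# drop gcc python helpers
rm -rf usr/share/gcc

# Drop sysvinit leftovers
rm -rf etc/init.d
rm -rf etc/rc[0-6S].d

# Drop upstart helpers
rm -rf etc/init

# Various xtables helpers
rm -rf usr/lib/xtables

# Drop all locales
# TODO: only remaining locale is actually "C". Should we really remove it?
rm -rf usr/lib/locale/*

# partition helpers
rm -rf usr/sbin/*fdisk

# locale compiler
rm -rf usr/bin/localedef

# Systemd dns resolver
find usr etc -name '*systemd-resolve*' -prune -exec rm -r {} \;

# Systemd network configuration
find usr etc -name '*networkd*' -prune -exec rm -r {} \;

# systemd ntp client
find usr etc -name '*timesyncd*' -prune -exec rm -r {} \;

# systemd hw database manager
find usr etc -name '*systemd-hwdb*' -prune -exec rm -r {} \;

# No need for fuse
find usr etc -name '*fuse*' -prune -exec rm -r {} \;

# lsb init function leftovers
rm -rf usr/lib/lsb

# Only needed when adding libraries
rm -rf usr/sbin/ldconfig*

# Games, unused
# (plain rmdir: under `set -e` the build stops if the directory is missing or
# not empty)
rmdir usr/games

# Remove pam module to authenticate against a DB
# plus libdb-5.3.so that is only used by this pam module
rm -rf usr/lib/*/security/pam_userdb.so
rm -rf usr/lib/*/libdb-5.3.so

# remove NSS support for nis, nisplus and hesiod
rm -rf usr/lib/*/libnss_hesiod*
rm -rf usr/lib/*/libnss_nis*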