rootfs.tar.gz: Automate construction from Gentoo's amd64 stage3

.gitignore

@@ -6,6 +6,7 @@
 # Folders
 _obj
 _test
+rootfs
 
 # Architecture specific extensions/prefixes
 *.[568vq]

Makefile

@@ -8,5 +8,30 @@ all:
 install:
 	cp ocitools /usr/local/bin/ocitools
 
+rootfs.tar.gz: rootfs/bin/echo
+	tar -czf $@ -C rootfs .
+
+rootfs/bin/busybox: downloads/stage3-amd64-current.tar.bz2 rootfs-files
+	gpg --verify $<.DIGESTS.asc
+	(cd downloads && \
+		grep -A1 '^# SHA512 HASH' stage3-amd64-current.tar.bz2.DIGESTS.asc | \
+		grep -v '^--' | \
+		sha512sum -c)
+	sudo rm -rf rootfs
+	sudo mkdir rootfs
+	sudo tar -xvf downloads/stage3-amd64-current.tar.bz2 -C rootfs \
+		--no-recursion --wildcards $$(< rootfs-files)
+	sudo touch $@
+
+rootfs/bin/echo: rootfs/bin/busybox
+	sudo sh -c 'for COMMAND in $$($< --list); do \
+		ln -rs $< "rootfs/bin/$${COMMAND}"; \
+	done'
+
+downloads/stage3-amd64-current.tar.bz2: get-stage3.sh
+	./$<
+	touch downloads/stage3-amd64-*.tar.bz2
+
 clean:
-	rm ocitools runtimetest
+	rm -f ocitools runtimetest downloads/*
+	sudo rm -rf rootfs

README.md

@@ -75,3 +75,41 @@ VALIDATING RUNTIME: runc
 Runtime runc passed validation
 
 ```
+
+Building `rootfs.tar.gz`
+------------------------
+
+The root filesystem tarball is based on [Gentoo][]'s [amd64
+stage3][stage3-amd64] (which we check for a valid GnuPG
+signature][gentoo-signatures]), copying a [minimal
+subset](rootfs-files) to the root filesytem, and adding symlinks for
+all BusyBox commands.  To rebuild the tarball based on a newer stage3,
+just run:
+
+```
+$ touch get-stage3.sh
+$ make rootfs.tar.gz
+```
+
+### Getting Gentoo's Release Engineering public key
+
+If `make rootfs.tar.gz` gives an error like:
+
+```
+gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
+gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
+gpg: Can't check signature: public key not found
+```
+
+you will need to [add the missing public key to your
+keystore][gentoo-signatures].  One way to do that is by [asking a
+keyserver][recv-keys]:
+
+```
+$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2D182910
+```
+
+[Gentoo]: https://www.gentoo.org/
+[stage3-amd64]: http://distfiles.gentoo.org/releases/amd64/autobuilds/
+[gentoo-signatures]: https://www.gentoo.org/downloads/signatures/
+[recv-keys]: https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html

downloads/.gitignore

@@ -0,0 +1 @@
+*

get-stage3.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# Download the current Gentoo stage3
+#
+# Copyright (C) 2014-2015 W. Trevor King <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MIRROR="${MIRROR:-http://distfiles.gentoo.org/}"
+BASE_ARCH_URL="${BASE_ARCH_URL:-${MIRROR}releases/amd64/autobuilds/}"
+LATEST=$(wget -O - "${BASE_ARCH_URL}latest-stage3.txt")
+DATE=$(echo "${LATEST}" | sed -n 's|/stage3-amd64-[0-9]*[.]tar[.]bz2.*||p')
+ARCH_URL="${ARCH_URL:-${BASE_ARCH_URL}${DATE}/}"
+STAGE3="${STAGE3:-stage3-amd64-${DATE}.tar.bz2}"
+STAGE3_CONTENTS="${STAGE3_CONTENTS:-${STAGE3}.CONTENTS}"
+STAGE3_DIGESTS="${STAGE3_DIGESTS:-${STAGE3}.DIGESTS.asc}"
+
+die()
+{
+	echo "$1"
+	exit 1
+}
+
+for FILE in "${STAGE3}" "${STAGE3_CONTENTS}" "${STAGE3_DIGESTS}"; do
+	if [ ! -f "downloads/${FILE}" ]; then
+		wget -O "downloads/${FILE}" "${ARCH_URL}${FILE}"
+		if [ "$?" -ne 0 ]; then
+			rm -f "downloads/${FILE}" &&
+			die "failed to download ${ARCH_URL}${FILE}"
+		fi
+	fi
+
+	CURRENT="${FILE/${DATE}/current}"
+	(
+		cd downloads &&
+		rm -f "${CURRENT}" &&
+		ln -s "${FILE}" "${CURRENT}" ||
+		die "failed to link ${CURRENT} -> ${FILE}"
+	)
+done
+

rootfs-files

@@ -0,0 +1,3 @@
+./bin/busybox
+./etc/group
+./etc/passwd