-
Notifications
You must be signed in to change notification settings - Fork 18
/
CONFIG_BUILD
79 lines (69 loc) · 4.52 KB
/
CONFIG_BUILD
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# Copyright (C) 2011-2012 Tresys Technology, LLC
# Copyright (C) 2013 Cubic Corporation
#
# Authors: Spencer Shimko <[email protected]>
# Spencer Shimko <[email protected]>
#
# List of RPMs that are pre-rolled. These will be linked into our custom yum repo during the build process.
# Once referenced here you can start using them in the kickstart.
# NOTE: You could perform the same task by putting the packages in a directory, creating a yum repo, then adding the path
# to CONFIG_REPOS.
# PRE_ROLLED_PACKAGES := "/home/joeuser/lha-1.14i-19.2.2.el6.rf.x86_64.rpm"
# The ISO_VERSION field doesn't alter functionality at all. The variable name and value will appear in /root/clip-info.txt.
# This provides a way to figure out what version of your repo was used to generate the ISO once it is installed. E.g.
# Tester: "My install is busted."
# Developer: "What version do you have installed?"
# Tester: "I don't know. How do I figure that out?"
# Developer: "Run '# cat /root/clip-info.txt' and send me the output."
ISO_VERSION := $(strip $(shell test -d .git && git log -1|head -1|awk '{ print substr ($$2, 0, 7); }'))
ifeq ($(strip $(ISO_VERSION)),)
ISO_VERSION := 0.1
endif
# These values can be used to tweak the build to facilitate development and debugging.
# The CONFIG_BUILD_PRODUCTION flag sets all other build configuration to production values.
# CONFIG_BUILD_ENFORCING_MODE is used to put the system in permissive mode or enforcing mode after install.
# CONFIG_BUILD_UNCONFINED_TOOR allows the toor user to run the unconfined (read->all powerful) toor_r:toor_t role.
# Normally the toor user is confined in the sysadm_r:sysadm_t role.
# CONFIG_BUILD_FIPS_MODE is used to put the system in fips mode
# ENABLE_NETWORKING is used to enable or disable networking. 'y' corresponds to enabled networking. 'n' will remove
# all networking related RPMs.
# CONFIG_REMOVE_SCAP is used to enable a boot-time SCAP review of the system. 'y' corresponds to remove SCAP and
# dependent RPMs after checks are run during kickstart. 'n' corresponds to leave SCAP
# and dependent RPMs after install and run a SCAP test during first boot. Please note
# that the 'rpm' command will be left on the running system if SCAP is not removed.
# Note: these variables and values will be inserted into /root/clip-info.txt for inspection at run-time.
CONFIG_BUILD_PRODUCTION := n
ifeq ($(CONFIG_BUILD_PRODUCTION),y)
CONFIG_BUILD_ENFORCING_MODE := y
CONFIG_BUILD_UNCONFINED_TOOR := n
CONFIG_BUILD_AIDE := n
CONFIG_BUILD_FIPS_MODE := y
ENABLE_NETWORKING := n
CONFIG_REMOVE_SCAP := y
else
CONFIG_BUILD_ENFORCING_MODE := n
CONFIG_BUILD_UNCONFINED_TOOR := y
CONFIG_BUILD_AIDE := n
CONFIG_BUILD_FIPS_MODE := y
ENABLE_NETWORKING := y
CONFIG_REMOVE_SCAP := n
endif
################################################
### STOP USER CONFIG
################################################
# The values below probably won't have to change.
# This variable can be leveraged by sub-makes (eg in the packages/foo/Makefile).
# if files at this top-level should trigger a rebuild.
ADDTL_DEPS := $(CURDIR)/CONFIG_REPOS $(CURDIR)/CONFIG_BUILD
# Translate the CONFIG_BUILD_* flags into BASH vars that we insert into things like a kickstart %post
CONFIG_BUILD_BASH_VARS := export CONFIG_BUILD_PRODUCTION=$(strip $(CONFIG_BUILD_PRODUCTION)) CONFIG_BUILD_ENFORCING_MODE=$(strip $(CONFIG_BUILD_ENFORCING_MODE)) CONFIG_BUILD_UNCONFINED_TOOR=$(strip $(CONFIG_BUILD_UNCONFINED_TOOR)) ISO_VERSION=$(strip $(ISO_VERSION)) ENABLE_NETWORKING=$(strip $(ENABLE_NETWORKING)) CONFIG_BUILD_AIDE=$(strip $(CONFIG_BUILD_AIDE)) CONFIG_BUILD_FIPS_MODE=$(strip $(CONFIG_BUILD_FIPS_MODE)) CONFIG_REMOVE_SCAP=$(strip $(CONFIG_REMOVE_SCAP))
# Typically we are rolling builds on the target arch. Changing this may have dire consequences.
# (read -> hasn't be tested at all and may result in broken builds and ultimately the end of the universe as we know it).
TARGET_ARCH := $(shell uname -i)
# If you want to reuse the same chroot for all RPMs, set CLEAN_MOCK to n
# This should decrease the build time since we won't have to install common
# packages in the chroot for each RPM
CLEAN_MOCK ?= y
# Quiet down the build output a bit.
QUIET ?= n
export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR CONFIG_BUILD_PRODUCTION ISO_VERSION ENABLE_NETWORKING CONFIG_BUILD_AIDE CONFIG_BUILD_FIPS_MODE CONFIG_REMOVE_SCAP