LAB/HarborGuard_HarborGuard
1
0
Fork 0
mirror of https://github.com/HarborGuard/HarborGuard.git synced 2026-03-23 00:02:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
HarborGuard_HarborGuard/scripts/buildah-patch-dev.sh
brandon 86036642e7 Fix patch commands to actually update packages 
The previous implementation reported success but packages weren't actually
being updated. The issues were:
1. Commands were failing silently with || chaining
2. Version-specific installations weren't working on old Debian releases
3. No proper error reporting for failed package installations

Changes:

PatchExecutorTarUnshare.ts:
- Simplified APT command generation
- Use dist-upgrade and upgrade for better package updates
- Group packages to avoid duplicate processing
- Remove complex version-specific logic that doesn't work on old repos

Bash Scripts (buildah-patch-dev.sh and buildah-patch-container.sh):
- Add proper error detection and reporting
- Count failed commands and report them
- Show exit codes for failed commands
- Mark package installation failures as critical errors
- Return PATCH_STATUS:PARTIAL if any commands fail

This ensures:
- Packages are actually upgraded to fix vulnerabilities
- Failures are properly detected and reported
- No false success reports when patches don't apply
- Better visibility into what's actually happening

The simplified approach uses dist-upgrade/upgrade which will update
packages to their latest available versions in the repository, which
should include the security fixes.
2025-09-29 23:19:54 -04:00

121 lines
3.6 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# Buildah patch script for development environment
# Uses buildah unshare to work in rootless mode
set -e
TAR_PATH=$1
COMMANDS_FILE=$2
OUTPUT_TAR=$3
DRY_RUN=${4:-false}
if [ -z "$TAR_PATH" ] || [ -z "$COMMANDS_FILE" ] || [ -z "$OUTPUT_TAR" ]; then
echo "Usage: $0 TAR_PATH COMMANDS_FILE OUTPUT_TAR [DRY_RUN]"
exit 1
fi
# Read commands from file
if [ ! -f "$COMMANDS_FILE" ]; then
echo "Error: Commands file not found: $COMMANDS_FILE"
exit 1
fi
PATCH_COMMANDS=$(cat "$COMMANDS_FILE")
echo "=== Starting patch operation (development mode with buildah unshare) ==="
# Run the entire operation inside buildah unshare
buildah unshare << EOF
set -e
echo "Inside buildah unshare environment"
# Import tar as container using VFS driver for development
echo "Importing image from tar: $TAR_PATH"
container=\$(buildah --storage-driver vfs from docker-archive:$TAR_PATH)
echo "Created container: \$container"
# Mount the container
echo "Mounting container filesystem..."
mountpoint=\$(buildah --storage-driver vfs mount \$container)
echo "Mounted at: \$mountpoint"
# Execute patches
if [ "$DRY_RUN" = "false" ]; then
echo "Executing patch commands..."
# Copy the commands file to a temp location accessible inside unshare
cp "$COMMANDS_FILE" /tmp/patch-commands-\$\$.sh
# Debug: Show patch context
echo "=== DEBUG: Patch Context ==="
echo " Container: \$container"
echo " Mountpoint: \$mountpoint"
echo " Commands file: /tmp/patch-commands-\$\$.sh"
echo " Number of commands: \$(wc -l < /tmp/patch-commands-\$\$.sh)"
echo "============================="
# Execute each command from the file
cmd_count=0
failed_count=0
while IFS= read -r cmd || [ -n "\$cmd" ]; do
if [ -n "\$cmd" ]; then
cmd_count=\$((cmd_count + 1))
# Replace mountpoint placeholder
actual_cmd="\${cmd//\\\$mountpoint/\$mountpoint}"
echo "[\$cmd_count] Executing: \$actual_cmd"
# Execute and capture both stdout and stderr
if eval "\$actual_cmd" 2>&1; then
echo "[\$cmd_count] Success"
else
echo "[\$cmd_count] Failed with exit code: \$?"
failed_count=\$((failed_count + 1))
# For package install commands, this is critical
if [[ "\$actual_cmd" == *"apt-get install"* ]] || [[ "\$actual_cmd" == *"apk add"* ]] || [[ "\$actual_cmd" == *"yum install"* ]]; then
echo "[\$cmd_count] ERROR: Package installation failed - this is a critical error"
fi
fi
fi
done < /tmp/patch-commands-\$\$.sh
echo "=== DEBUG: Execution complete ==="
echo " Total commands executed: \$cmd_count"
echo " Failed commands: \$failed_count"
echo "================================="
rm -f /tmp/patch-commands-\$\$.sh
# Report success only if no critical failures
if [ \$failed_count -gt 0 ]; then
echo "WARNING: \$failed_count commands failed during patching"
echo "PATCH_STATUS:PARTIAL"
else
echo "PATCH_STATUS:SUCCESS"
fi
else
echo "DRY RUN - Would execute:"
while IFS= read -r cmd || [ -n "\$cmd" ]; do
echo "\${cmd//\\\$mountpoint/\$mountpoint}"
done < "$COMMANDS_FILE"
echo "PATCH_STATUS:DRY_RUN"
fi
# Unmount
echo "Unmounting container..."
buildah --storage-driver vfs unmount \$container
# Commit changes
echo "Committing patched container..."
buildah --storage-driver vfs commit --format docker \$container patched-image
# Export to tar
echo "Exporting to tar: $OUTPUT_TAR"
buildah --storage-driver vfs push patched-image docker-archive:$OUTPUT_TAR
# Cleanup
echo "Cleaning up..."
buildah --storage-driver vfs rm \$container
buildah --storage-driver vfs rmi patched-image 2>/dev/null || true
echo "=== Patch operation completed ==="
EOF
Reference in New Issue View Git Blame Copy Permalink