Merge pull request #2 from palainp/update

Update the CI system

.github/workflows/docker.yml

@@ -23,7 +23,7 @@ jobs:
 
       - run: ./build-with.sh docker
 
-      - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+      - run: sh -exc 'if [ "$(sha256sum ./dist/qubes-miragevpn.xen)" = "$(cat ./qubes-miragevpn.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v3

.github/workflows/podman.yml

@@ -23,7 +23,7 @@ jobs:
 
       - run: ./build-with.sh podman
 
-      - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+      - run: sh -exc 'if [ "$(sha256sum ./dist/qubes-miragevpn.xen)" = "$(cat ./qubes-miragevpn.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v3

Dockerfile

@@ -11,22 +11,24 @@ RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian
 # taken from https://snapshot.debian.org/archive/debian-security/
 RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20240419T111010Z bookworm-security main\n" >> /etc/apt/sources.list
 
-RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
-RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.5/opam-2.1.5-i686-linux && chmod 755 /usr/bin/opam
+RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 xz-utils make gcc g++ libc-dev
+RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.6/opam-2.1.6-i686-linux && chmod 755 /usr/bin/opam
 # taken from https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh
 RUN test `sha512sum /usr/bin/opam | cut -d' ' -f1` = \
-"38802b3079eeceb27aab3465bfd0f9f05a710dccf9487eb35fa2c02fbaf9a0659e1447aa19dd36df9cd01f760229de28c523c08c1c86a3aa3f5e25dbe7b551dd" || exit
+"2b308e7a848252d831a1e046b70156cd901e8a5d95405fc03244fc69ce08222675871d3bcc35352b4448f15787f68a16491c574a6f9d5d8c9bcab81eb6d71ef8" || exit
 
 ENV OPAMROOT=/tmp
 ENV OPAMCONFIRMLEVEL=unsafe-yes
 # Pin last known-good version for reproducible builds.
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
 # taken from https://github.com/ocaml/opam-repository
-RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#f9f113a6bb242a13702859873fa0fcef9146eb6a
+RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#2926702fdd0fe7cab6ee1fa26ccecd28c3c3dd95
 RUN opam switch create myswitch 4.14.2
 RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
-RUN opam pin https://github.com/robur-coop/miragevpn.git#cd7d999321e13993862af649977689aa96a7e114
+RUN opam exec -- opam install -y tls
+RUN opam pin add -y https://github.com/robur-coop/miragevpn.git#0a502cafd0824888c194039fae32a9e1e65cd356
+RUN opam pin add -y https://github.com/mirage/mirage-qubes.git#6d4745eb111c84d68efc8bb14e03d4c5c761df3b
 RUN mkdir /tmp/orb-build
 ADD config.ml /tmp/orb-build/config.ml
 WORKDIR /tmp/orb-build

build-with.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -eu
 
-if [[ $# -ne 1 ]] ; then
+if [ $# -ne 1 ] ; then
 	echo "Usage: build-with.sh { docker | podman }"
 	exit 1
 fi
@@ -19,6 +19,6 @@ echo Building $builder image with dependencies..
 $builder build -t qubes-miragevpn .
 echo Building MirageVPN...
 $builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-miragevpn
-echo "SHA2 of build:   $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 0cbb202c1b93e10ad115c9e988f9384005656c0855ec9deaf05a5e9ac9972984"
+echo "SHA2 of build:   $(sha256sum ./dist/qubes-miragevpn.xen)"
+echo "SHA2 last known: $(cat qubes-miragevpn.sha256)"
 echo "(hashes should match for released versions)"

dao.ml

@@ -139,4 +139,4 @@ let print_network_config config =
         Ipaddr.V4.pp config.ip Ipaddr.V4.pp (fst config.dns) Ipaddr.V4.pp
         (snd config.dns))
 
-let set_iptables_error db = Qubes.DB.write db "/qubes-iptables-error"
+let _set_iptables_error db = Qubes.DB.write db "/qubes-iptables-error"

qubes-miragevpn.sha256

@@ -0,0 +1 @@
+c38251c9c0e72e891b0bffeba3ab4a14244360df3eaea4b87af778e299f1d2b7  ./dist/qubes-miragevpn.xen

unikernel.ml

@@ -1,5 +1,3 @@
-open Qubes
-
 let ( let* ) = Lwt.bind
 let ( % ) f g = fun x -> f (g x)
 
@@ -150,9 +148,8 @@ struct
       | exn -> Lwt.fail exn
     in
     Finaliser.add ~finaliser:(fun () -> Lwt.cancel listener) finalisers;
-    let rec transmit =
+    let transmit =
       let rec fn () =
-        let open Lwt.Syntax in
         Lwt_stream.get (fst ic) >>= function
         | Some packet -> (snd t.ic) (Some (vif, packet)); fn ()
         | None -> Lwt.return_unit in
@@ -214,7 +211,7 @@ struct
           msg Cstruct.hexdump_pp cs);
         Lwt.return fragments
       | Ok (hdr, payload) ->
-        let fragments, packet = Fragments.process fragments now hdr payload in
+        let fragments, _packet = Fragments.process fragments now hdr payload in
         let packet = Nat.of_ipv4 hdr payload in
         let packet = Option.map (Mirage_nat_lru.translate table) packet in
         let packet = Option.map Result.to_option packet in

vif.ml

@@ -50,7 +50,7 @@ type t =
   ; ip : Client_ip.t
   ; domid : int }
 
-let make backend { Dao.Client_vif.domid; device_id } ~gateway ipaddr =
+let make backend { Dao.Client_vif.domid; _ } ~gateway ipaddr =
   let open Lwt.Syntax in
   let* ethernet = Client_ethernet.connect backend in
   let ((my_mac, your_mac) as mac) =