From a5474e2e814966e3b5b36ed13363c632837fe787 Mon Sep 17 00:00:00 2001 From: ShifZhan <252984256+MioYuuIH@users.noreply.github.com> Date: Fri, 10 Apr 2026 13:32:38 +0800 Subject: [PATCH 1/5] fix(installer): verify downloads before use --- auplc-installer | 31 +++++++++++++++++++++++++--- scripts/test/test_auplc_installer.sh | 28 +++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 scripts/test/test_auplc_installer.sh diff --git a/auplc-installer b/auplc-installer index 2df860e..ab9b0f6 100755 --- a/auplc-installer +++ b/auplc-installer @@ -29,7 +29,12 @@ set -euo pipefail # Pinned tool versions (used by pack and offline install) K3S_VERSION="v1.32.3+k3s1" HELM_VERSION="v3.17.2" +HELM_LINUX_AMD64_SHA256="90c28792a1eb5fb0b50028e39ebf826531ebfcf73f599050dbd79bab2f277241" K9S_VERSION="v0.32.7" +K9S_LINUX_AMD64_DEB_SHA256="3f12b34557d9ed9eada465b6fad57dbe9367786f68cfd4604a6771a9f08446b8" +K3S_INSTALLER_SHA256="46177d4c99440b4c0311b67233823a8e8a2fc09693f6c89af1a7161e152fbfad" +ROCM_DEVICE_PLUGIN_COMMIT="master" +ROCM_DEVICE_PLUGIN_SHA256="b751e467feecf6118bed1de8ba80b9abff01c1f52a6b0b8f31aca3609e6e9dbd" K3S_IMAGES_DIR="/var/lib/rancher/k3s/agent/images" K3S_REGISTRIES_FILE="/etc/rancher/k3s/registries.yaml" @@ -266,6 +271,19 @@ function generate_values_overlay() { # Tool Installation (Helm, K9s) # ============================================================ +function verify_sha256() { + local file="$1" + local expected="$2" + local actual + actual=$(sha256sum "$file" | awk '{print $1}') + if [[ "$actual" != "$expected" ]]; then + echo "Checksum mismatch for $file" >&2 + echo "Expected: $expected" >&2 + echo "Actual: $actual" >&2 + exit 1 + fi +} + function install_tools() { echo "Checking/Installing tools (may require sudo)..." 
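Review bot: The four new `*_SHA256` constants in the `@@ -29,7 +29,12 @@` hunk are each bound to one exact artefact (a tool version plus the hard-coded linux-amd64 build), but nothing beside them records which download they cover or how to recompute them, so the next version bump can leave a stale digest that only fails at install time. Add a one-line comment above each version/digest pair, e.g. `# SHA-256 of helm-${HELM_VERSION}-linux-amd64.tar.gz; recompute when HELM_VERSION changes`, and the equivalent for the k9s .deb and the ROCm manifest, so the two values are always bumped together.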
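Review bot: In `verify_sha256` (the `@@ -266,6 +271,19 @@` hunk) a mismatch exits the installer but leaves the rejected download at its fixed /tmp path, and `sha256sum "$file"` is called without `--`; since this function is the one place that knows the file is bad, it should discard it before exiting. Change the hash line to `actual=$(sha256sum -- "$file" | awk '{print $1}')` and add `rm -f -- "$file"` immediately before `exit 1`, and give the function a header comment stating its contract, e.g. `# Arguments: $1 file path, $2 expected hex digest. Exits 1 (after deleting $1) on mismatch.` The function is complete within the hunk; install_tools, which follows it, continues outside the hunk.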
@@ -285,6 +303,7 @@ function install_tools() { if ! command -v helm &> /dev/null; then echo "Installing Helm..." wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz -O /tmp/helm-linux-amd64.tar.gz + verify_sha256 /tmp/helm-linux-amd64.tar.gz "$HELM_LINUX_AMD64_SHA256" tar -zxvf /tmp/helm-linux-amd64.tar.gz -C /tmp sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm rm /tmp/helm-linux-amd64.tar.gz @@ -294,6 +313,7 @@ function install_tools() { if ! command -v k9s &> /dev/null; then echo "Installing K9s..." wget "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_linux_amd64.deb" -O /tmp/k9s_linux_amd64.deb + verify_sha256 /tmp/k9s_linux_amd64.deb "$K9S_LINUX_AMD64_DEB_SHA256" sudo apt install /tmp/k9s_linux_amd64.deb -y rm /tmp/k9s_linux_amd64.deb fi @@ -398,8 +418,10 @@ function install_k3s_single_node() { configure_registry_mirrors - curl -sfL https://get.k3s.io | sudo K3S_KUBECONFIG_MODE="644" \ - INSTALL_K3S_EXEC="${k3s_exec}" sh - + wget https://get.k3s.io -O /tmp/get-k3s.sh + verify_sha256 /tmp/get-k3s.sh "$K3S_INSTALLER_SHA256" + sudo K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="${k3s_exec}" sh /tmp/get-k3s.sh + rm -f /tmp/get-k3s.sh fi echo "Configuring kubeconfig for user: $(whoami)" 
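Review bot: The `@@ -398,8 +418,10 @@` hunk introduces a new fixed-name temporary file, /tmp/get-k3s.sh, that is downloaded, verified and then executed under sudo, and the `rm -f` runs only when the install script succeeds; the `@@ -523,7 +545,10 @@` hunk on the next line does the same with /tmp/k8s-ds-amdgpu-dp.yaml. On a shared host a pre-existing file or symlink of that name owned by another local user can make `wget -O` fail or write through to a file that user still controls, which weakens the check this hunk is adding. Use `mktemp` for both new files so the name is unpredictable and owned by the running user, and keep the cleanup next to the last use. install_k3s_single_node starts and ends outside the hunk.
```shell
local k3s_script
k3s_script=$(mktemp /tmp/get-k3s.XXXXXX)
wget https://get.k3s.io -O "$k3s_script"
verify_sha256 "$k3s_script" "$K3S_INSTALLER_SHA256"
sudo K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="${k3s_exec}" sh "$k3s_script"
rm -f -- "$k3s_script"
```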
@@ -523,7 +545,10 @@ function deploy_rocm_gpu_device_plugin() { kubectl patch ds amdgpu-device-plugin-daemonset -n kube-system --type=json \ -p '[{"op":"replace","path":"/spec/template/spec/containers/0/imagePullPolicy","value":"IfNotPresent"}]' else - kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml + wget "https://raw.githubusercontent.com/ROCm/k8s-device-plugin/${ROCM_DEVICE_PLUGIN_COMMIT}/k8s-ds-amdgpu-dp.yaml" -O /tmp/k8s-ds-amdgpu-dp.yaml + verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml "$ROCM_DEVICE_PLUGIN_SHA256" + kubectl create -f /tmp/k8s-ds-amdgpu-dp.yaml + rm -f /tmp/k8s-ds-amdgpu-dp.yaml fi if ! kubectl wait --for=jsonpath='{.status.numberReady}'=1 --namespace=kube-system ds/amdgpu-device-plugin-daemonset --timeout=300s | grep "condition met"; then diff --git a/scripts/test/test_auplc_installer.sh b/scripts/test/test_auplc_installer.sh new file mode 100644 index 0000000..d931519 --- /dev/null +++ b/scripts/test/test_auplc_installer.sh 
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash +set -euo pipefail + +ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" +INSTALLER="$ROOT/auplc-installer" + +grep -q 'verify_sha256()' "$INSTALLER" +grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER" +grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER" +grep -q 'K3S_INSTALLER_SHA256=' "$INSTALLER" +grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER" + +if grep -q 'curl -sfL https://get.k3s.io |' "$INSTALLER"; then + echo 'FAIL: k3s still uses pipe-to-shell' + exit 1 +fi + +if grep -q 'kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml' "$INSTALLER"; then + echo 'FAIL: ROCm plugin still applies remote URL directly' + exit 1 +fi + +grep -q 'verify_sha256 /tmp/helm-linux-amd64.tar.gz' "$INSTALLER" +grep -q 'verify_sha256 /tmp/k9s_linux_amd64.deb' "$INSTALLER" +grep -q 'verify_sha256 /tmp/get-k3s.sh' "$INSTALLER" +grep -q 'verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml' "$INSTALLER" + +echo 'Installer integrity checks present.' From 4fd02a671c2e8368ecd452e371373bd7e613460a Mon Sep 17 00:00:00 2001 From: ShifZhan <252984256+MioYuuIH@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:28:18 +0800 Subject: [PATCH 2/5] fix(installer): pin k3s install version --- auplc-installer | 5 ++++- scripts/test/test_auplc_installer.sh | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/auplc-installer b/auplc-installer index ab9b0f6..c6cc604 100755 --- a/auplc-installer +++ b/auplc-installer @@ -420,7 +420,10 @@ function install_k3s_single_node() { wget https://get.k3s.io -O /tmp/get-k3s.sh verify_sha256 /tmp/get-k3s.sh "$K3S_INSTALLER_SHA256" - sudo K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="${k3s_exec}" sh /tmp/get-k3s.sh + sudo INSTALL_K3S_VERSION="${K3S_VERSION}" \ + K3S_KUBECONFIG_MODE="644" \ + INSTALL_K3S_EXEC="${k3s_exec}" \ + sh /tmp/get-k3s.sh rm -f /tmp/get-k3s.sh fi 
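Review bot: The `grep -q` checks on lines 7–11 and 23–26 of the new test are regular-expression searches for what are really fixed strings, so the unescaped `.` in `/tmp/helm-linux-amd64.tar.gz` and in the ROCm URL matches any character, and under `set -euo pipefail` a failing `grep -q` aborts the script with no output, unlike the two explicit FAIL branches. Use `grep -Fq --` for every fixed-string pattern (the later `style(tests)` hunk in this series does so for only the INSTALL_K3S_VERSION line, and the test hunks in patches 2–4 add more greps of the same shape) and route the checks through two small helpers that report which check failed. The test also only proves the checks are present in the source, not that the pinned digests match anything, which is worth saying in a comment at the top of the file.
```shell
# Presence checks: fail loudly, naming the missing string.
expect_present() {
  grep -Fq -- "$1" "$INSTALLER" || { echo "FAIL: missing '$1' in installer" >&2; exit 1; }
}
expect_absent() {
  if grep -Fq -- "$1" "$INSTALLER"; then echo "FAIL: $2" >&2; exit 1; fi
}

expect_present 'verify_sha256()'
expect_present 'HELM_LINUX_AMD64_SHA256='
# … unchanged: remaining constant checks, one expect_present each …
expect_absent 'curl -sfL https://get.k3s.io |' 'k3s still uses pipe-to-shell'
expect_absent 'kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml' 'ROCm plugin still applies remote URL directly'
expect_present 'verify_sha256 /tmp/helm-linux-amd64.tar.gz'
# … unchanged: remaining verify_sha256 call-site checks, one expect_present each …
```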
diff --git a/scripts/test/test_auplc_installer.sh b/scripts/test/test_auplc_installer.sh index d931519..5873dff 100644 --- a/scripts/test/test_auplc_installer.sh +++ b/scripts/test/test_auplc_installer.sh @@ -9,6 +9,7 @@ grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER" grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER" grep -q 'K3S_INSTALLER_SHA256=' "$INSTALLER" grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER" +grep -q 'INSTALL_K3S_VERSION="${K3S_VERSION}"' "$INSTALLER" if grep -q 'curl -sfL https://get.k3s.io |' "$INSTALLER"; then echo 'FAIL: k3s still uses pipe-to-shell' From d796df0db1042abc3223697cc22b911c6f288c37 Mon Sep 17 00:00:00 2001 From: ShifZhan <252984256+MioYuuIH@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:33:14 +0800 Subject: [PATCH 3/5] fix(installer): pin rocm device plugin commit --- auplc-installer | 2 +- scripts/test/test_auplc_installer.sh | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/auplc-installer b/auplc-installer index c6cc604..35413c8 100755 --- a/auplc-installer +++ b/auplc-installer @@ -33,7 +33,7 @@ HELM_LINUX_AMD64_SHA256="90c28792a1eb5fb0b50028e39ebf826531ebfcf73f599050dbd79ba K9S_VERSION="v0.32.7" K9S_LINUX_AMD64_DEB_SHA256="3f12b34557d9ed9eada465b6fad57dbe9367786f68cfd4604a6771a9f08446b8" K3S_INSTALLER_SHA256="46177d4c99440b4c0311b67233823a8e8a2fc09693f6c89af1a7161e152fbfad" -ROCM_DEVICE_PLUGIN_COMMIT="master" +ROCM_DEVICE_PLUGIN_COMMIT="dea1db13f05159e64d8114bca4c31f48c3cfcac6" ROCM_DEVICE_PLUGIN_SHA256="b751e467feecf6118bed1de8ba80b9abff01c1f52a6b0b8f31aca3609e6e9dbd" K3S_IMAGES_DIR="/var/lib/rancher/k3s/agent/images" diff --git a/scripts/test/test_auplc_installer.sh b/scripts/test/test_auplc_installer.sh index 5873dff..d59b215 100644 --- a/scripts/test/test_auplc_installer.sh +++ b/scripts/test/test_auplc_installer.sh 
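Review bot: In the `@@ -33,7 +33,7 @@` hunk ROCM_DEVICE_PLUGIN_SHA256 keeps the value introduced while the commit was `master`, so the pin is only consistent if dea1db13f05159e64d8114bca4c31f48c3cfcac6 is the revision that digest was computed from, and nothing in the file records that relationship. Add a comment above the pair, e.g. `# SHA-256 of k8s-ds-amdgpu-dp.yaml at ROCM_DEVICE_PLUGIN_COMMIT; recompute both together when bumping`, so a future bump of one value cannot silently orphan the other.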
@@ -9,8 +9,14 @@ grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER" grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER" grep -q 'K3S_INSTALLER_SHA256=' "$INSTALLER" grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER" +grep -q 'ROCM_DEVICE_PLUGIN_COMMIT=' "$INSTALLER" grep -q 'INSTALL_K3S_VERSION="${K3S_VERSION}"' "$INSTALLER" +if grep -q 'ROCM_DEVICE_PLUGIN_COMMIT="master"' "$INSTALLER"; then + echo 'FAIL: ROCm device plugin still tracks master instead of a pinned commit' + exit 1 +fi + if grep -q 'curl -sfL https://get.k3s.io |' "$INSTALLER"; then echo 'FAIL: k3s still uses pipe-to-shell' exit 1 From 127451f340397a228bafd3130d411f170eb0549e Mon Sep 17 00:00:00 2001 From: ShifZhan <252984256+MioYuuIH@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:46:49 +0800 Subject: [PATCH 4/5] refactor(installer): stop hashing dynamic k3s script --- auplc-installer | 2 -- scripts/test/test_auplc_installer.sh | 4 +--- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/auplc-installer b/auplc-installer index 35413c8..0c38e36 100755 --- a/auplc-installer +++ b/auplc-installer @@ -32,7 +32,6 @@ HELM_VERSION="v3.17.2" HELM_LINUX_AMD64_SHA256="90c28792a1eb5fb0b50028e39ebf826531ebfcf73f599050dbd79bab2f277241" K9S_VERSION="v0.32.7" K9S_LINUX_AMD64_DEB_SHA256="3f12b34557d9ed9eada465b6fad57dbe9367786f68cfd4604a6771a9f08446b8" -K3S_INSTALLER_SHA256="46177d4c99440b4c0311b67233823a8e8a2fc09693f6c89af1a7161e152fbfad" ROCM_DEVICE_PLUGIN_COMMIT="dea1db13f05159e64d8114bca4c31f48c3cfcac6" ROCM_DEVICE_PLUGIN_SHA256="b751e467feecf6118bed1de8ba80b9abff01c1f52a6b0b8f31aca3609e6e9dbd" @@ -419,7 +418,6 @@ function install_k3s_single_node() { configure_registry_mirrors wget https://get.k3s.io -O /tmp/get-k3s.sh - verify_sha256 /tmp/get-k3s.sh "$K3S_INSTALLER_SHA256" sudo INSTALL_K3S_VERSION="${K3S_VERSION}" \ K3S_KUBECONFIG_MODE="644" \ INSTALL_K3S_EXEC="${k3s_exec}" \ diff --git a/scripts/test/test_auplc_installer.sh b/scripts/test/test_auplc_installer.sh index d59b215..061cc57 100644 
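Review bot: After the `@@ -419,7 +418,6 @@` hunk /tmp/get-k3s.sh is run under sudo with no integrity check beyond the TLS connection to get.k3s.io, while the surrounding helm, k9s and ROCm downloads stay pinned; the commit message explains that the script is dynamic, but the code no longer does. At minimum change the download to `wget --https-only https://get.k3s.io -O /tmp/get-k3s.sh` so a redirect cannot downgrade to plain HTTP, and add a comment such as `# get.k3s.io is regenerated upstream, so it is not hash-pinned; the k3s binary itself is pinned via INSTALL_K3S_VERSION`. If the project wants an integrity pin here as well, the k3s source repository appears to carry the same install script at its release tags (worth confirming), so a copy fetched at the K3S_VERSION tag, or vendored into this repo, could be hashed like the other artefacts. install_k3s_single_node starts and ends outside the hunk.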
--- a/scripts/test/test_auplc_installer.sh +++ b/scripts/test/test_auplc_installer.sh @@ -7,10 +7,9 @@ INSTALLER="$ROOT/auplc-installer" grep -q 'verify_sha256()' "$INSTALLER" grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER" grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER" -grep -q 'K3S_INSTALLER_SHA256=' "$INSTALLER" grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER" grep -q 'ROCM_DEVICE_PLUGIN_COMMIT=' "$INSTALLER" -grep -q 'INSTALL_K3S_VERSION="${K3S_VERSION}"' "$INSTALLER" +grep -q 'INSTALL_K3S_VERSION="\${K3S_VERSION}"' "$INSTALLER" if grep -q 'ROCM_DEVICE_PLUGIN_COMMIT="master"' "$INSTALLER"; then echo 'FAIL: ROCm device plugin still tracks master instead of a pinned commit' @@ -29,7 +28,6 @@ fi grep -q 'verify_sha256 /tmp/helm-linux-amd64.tar.gz' "$INSTALLER" grep -q 'verify_sha256 /tmp/k9s_linux_amd64.deb' "$INSTALLER" -grep -q 'verify_sha256 /tmp/get-k3s.sh' "$INSTALLER" grep -q 'verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml' "$INSTALLER" echo 'Installer integrity checks present.' From 5d340ce9a0fcfe4ab53b14196934f44a259b3af4 Mon Sep 17 00:00:00 2001 From: ShifZhan <252984256+MioYuuIH@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:53:22 +0800 Subject: [PATCH 5/5] style(tests): fix installer shellcheck --- scripts/test/test_auplc_installer.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/test/test_auplc_installer.sh b/scripts/test/test_auplc_installer.sh index 061cc57..1a56f6f 100644 --- a/scripts/test/test_auplc_installer.sh +++ b/scripts/test/test_auplc_installer.sh 
@@ -9,7 +9,7 @@ grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER" grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER" grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER" grep -q 'ROCM_DEVICE_PLUGIN_COMMIT=' "$INSTALLER" -grep -q 'INSTALL_K3S_VERSION="\${K3S_VERSION}"' "$INSTALLER" +grep -Fq "INSTALL_K3S_VERSION=\"\${K3S_VERSION}\"" "$INSTALLER" if grep -q 'ROCM_DEVICE_PLUGIN_COMMIT="master"' "$INSTALLER"; then echo 'FAIL: ROCm device plugin still tracks master instead of a pinned commit'