Skip to content

verify installer downloads before use #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
KerwinTsaiii merged 5 commits into from
Apr 10, 2026
Merged

verify installer downloads before use #63

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a5474e2
fix(installer): verify downloads before use
MioYuuIH Apr 10, 2026
4fd02a6
fix(installer): pin k3s install version
MioYuuIH Apr 10, 2026
d796df0
fix(installer): pin rocm device plugin commit
MioYuuIH Apr 10, 2026
127451f
refactor(installer): stop hashing dynamic k3s script
MioYuuIH Apr 10, 2026
5d340ce
style(tests): fix installer shellcheck
MioYuuIH Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 29 additions & 3 deletions auplc-installer
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,11 @@ set -euo pipefail
# Pinned tool versions (used by pack and offline install)
K3S_VERSION="v1.32.3+k3s1"
HELM_VERSION="v3.17.2"
HELM_LINUX_AMD64_SHA256="90c28792a1eb5fb0b50028e39ebf826531ebfcf73f599050dbd79bab2f277241"
K9S_VERSION="v0.32.7"
K9S_LINUX_AMD64_DEB_SHA256="3f12b34557d9ed9eada465b6fad57dbe9367786f68cfd4604a6771a9f08446b8"
ROCM_DEVICE_PLUGIN_COMMIT="dea1db13f05159e64d8114bca4c31f48c3cfcac6"
ROCM_DEVICE_PLUGIN_SHA256="b751e467feecf6118bed1de8ba80b9abff01c1f52a6b0b8f31aca3609e6e9dbd"

K3S_IMAGES_DIR="/var/lib/rancher/k3s/agent/images"
K3S_REGISTRIES_FILE="/etc/rancher/k3s/registries.yaml"
Expand Down Expand Up @@ -266,6 +270,19 @@ function generate_values_overlay() {
# Tool Installation (Helm, K9s)
# ============================================================

function verify_sha256() {
local file="$1"
local expected="$2"
local actual
actual=$(sha256sum "$file" | awk '{print $1}')
if [[ "$actual" != "$expected" ]]; then
echo "Checksum mismatch for $file" >&2
echo "Expected: $expected" >&2
echo "Actual: $actual" >&2
exit 1
fi
}

function install_tools() {
echo "Checking/Installing tools (may require sudo)..."

Expand All @@ -285,6 +302,7 @@ function install_tools() {
if ! command -v helm &> /dev/null; then
echo "Installing Helm..."
wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz -O /tmp/helm-linux-amd64.tar.gz
verify_sha256 /tmp/helm-linux-amd64.tar.gz "$HELM_LINUX_AMD64_SHA256"
tar -zxvf /tmp/helm-linux-amd64.tar.gz -C /tmp
sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
rm /tmp/helm-linux-amd64.tar.gz
Expand All @@ -294,6 +312,7 @@ function install_tools() {
if ! command -v k9s &> /dev/null; then
echo "Installing K9s..."
wget "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_linux_amd64.deb" -O /tmp/k9s_linux_amd64.deb
verify_sha256 /tmp/k9s_linux_amd64.deb "$K9S_LINUX_AMD64_DEB_SHA256"
sudo apt install /tmp/k9s_linux_amd64.deb -y
rm /tmp/k9s_linux_amd64.deb
fi
Expand Down Expand Up @@ -398,8 +417,12 @@ function install_k3s_single_node() {

configure_registry_mirrors

curl -sfL https://get.k3s.io | sudo K3S_KUBECONFIG_MODE="644" \
INSTALL_K3S_EXEC="${k3s_exec}" sh -
wget https://get.k3s.io -O /tmp/get-k3s.sh
sudo INSTALL_K3S_VERSION="${K3S_VERSION}" \
K3S_KUBECONFIG_MODE="644" \
INSTALL_K3S_EXEC="${k3s_exec}" \
sh /tmp/get-k3s.sh
rm -f /tmp/get-k3s.sh
fi

echo "Configuring kubeconfig for user: $(whoami)"
Expand Down Expand Up @@ -523,7 +546,10 @@ function deploy_rocm_gpu_device_plugin() {
kubectl patch ds amdgpu-device-plugin-daemonset -n kube-system --type=json \
-p '[{"op":"replace","path":"/spec/template/spec/containers/0/imagePullPolicy","value":"IfNotPresent"}]'
else
kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml
wget "https://raw.githubusercontent.com/ROCm/k8s-device-plugin/${ROCM_DEVICE_PLUGIN_COMMIT}/k8s-ds-amdgpu-dp.yaml" -O /tmp/k8s-ds-amdgpu-dp.yaml
verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml "$ROCM_DEVICE_PLUGIN_SHA256"
kubectl create -f /tmp/k8s-ds-amdgpu-dp.yaml
rm -f /tmp/k8s-ds-amdgpu-dp.yaml
fi

if ! kubectl wait --for=jsonpath='{.status.numberReady}'=1 --namespace=kube-system ds/amdgpu-device-plugin-daemonset --timeout=300s | grep "condition met"; then
Expand Down
33 changes: 33 additions & 0 deletions scripts/test/test_auplc_installer.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
set -euo pipefail

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
INSTALLER="$ROOT/auplc-installer"

grep -q 'verify_sha256()' "$INSTALLER"
grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER"
grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER"
grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER"
grep -q 'ROCM_DEVICE_PLUGIN_COMMIT=' "$INSTALLER"
grep -Fq "INSTALL_K3S_VERSION=\"\${K3S_VERSION}\"" "$INSTALLER"

if grep -q 'ROCM_DEVICE_PLUGIN_COMMIT="master"' "$INSTALLER"; then
echo 'FAIL: ROCm device plugin still tracks master instead of a pinned commit'
exit 1
fi

if grep -q 'curl -sfL https://get.k3s.io |' "$INSTALLER"; then
echo 'FAIL: k3s still uses pipe-to-shell'
exit 1
fi

if grep -q 'kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml' "$INSTALLER"; then
echo 'FAIL: ROCm plugin still applies remote URL directly'
exit 1
fi

grep -q 'verify_sha256 /tmp/helm-linux-amd64.tar.gz' "$INSTALLER"
grep -q 'verify_sha256 /tmp/k9s_linux_amd64.deb' "$INSTALLER"
grep -q 'verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml' "$INSTALLER"

echo 'Installer integrity checks present.'
Loading