From 75eef5f065cf88cab07fc787abbf16e1af71926f Mon Sep 17 00:00:00 2001
From: Dennis Kempin <denniskempin@google.com>
Date: Wed, 7 Jul 2021 14:08:25 -0700
Subject: [PATCH] Docker: Do not curl | bash

Instead, download the rustup-init binary directly and verify it's sha
before executing.
Also update debian image used in the bundled VM. The previous image
file was no longer available.

TEST=Rebuilt docker images
BUG=b:192355221

Change-Id: I8a2d8091b9cecdf40ecbdd4bb6cef7ca161421d9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3011343
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Dennis Kempin <denniskempin@google.com>
---
 ci/crosvm_base/Dockerfile    | 6 ++++--
 ci/crosvm_test_vm/Dockerfile | 2 +-
 ci/image_tag                 | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ci/crosvm_base/Dockerfile b/ci/crosvm_base/Dockerfile
index 690957dcf3..fefeec2fed 100644
--- a/ci/crosvm_base/Dockerfile
+++ b/ci/crosvm_base/Dockerfile
@@ -52,8 +52,10 @@ VOLUME /workspace/logs
 
 # Install the current crosvm rust toolchain via rustup.
 COPY rust-toolchain ./
-RUN curl https://sh.rustup.rs -sSf | sh -s -- \
-    -y \
+RUN curl https://static.rust-lang.org/rustup/archive/1.24.3/x86_64-unknown-linux-gnu/rustup-init -sSf -o rustup-init \
+    && echo "3dc5ef50861ee18657f9db2eeb7392f9c2a6c95c90ab41e45ab4ca71476b4338 rustup-init" | sha256sum --check \
+    && chmod +x rustup-init \
+    && ./rustup-init -y \
     --profile minimal \
     -c rustfmt,clippy \
     --default-toolchain $(cat rust-toolchain)
diff --git a/ci/crosvm_test_vm/Dockerfile b/ci/crosvm_test_vm/Dockerfile
index aa19f17480..aa341739e5 100644
--- a/ci/crosvm_test_vm/Dockerfile
+++ b/ci/crosvm_test_vm/Dockerfile
@@ -24,7 +24,7 @@ RUN apt-get update && apt-get install --yes \
 WORKDIR /workspace/vm
 
 RUN curl -sSfL -o rootfs.qcow2 \
-    "http://cloud.debian.org/images/cloud/bullseye/daily/20210208-542/debian-11-generic-${VM_ARCH}-daily-20210208-542.qcow2"
+    "http://cloud.debian.org/images/cloud/bullseye/daily/20210702-691/debian-11-generic-${VM_ARCH}-daily-20210702-691.qcow2"
 
 # Package `cloud_init_data.yaml` to be loaded during `first_boot.expect`
 COPY build/cloud_init_data.yaml ./
diff --git a/ci/image_tag b/ci/image_tag
index 5aed675d3a..fa0363b794 100644
--- a/ci/image_tag
+++ b/ci/image_tag
@@ -1 +1 @@
-r0007
+r0008