Add stage4 SaltStack states and Catalyst files

README.md

@@ -1,8 +1,14 @@
-# gentoo-build-iso
+# gentoo-build-dist
 
-Build latest version of admin ISO.
+Build latest version of admin ISO and stage4.
 
 ### Differences from official admin ISO:
 
 - `SaltStack`, `Stratis storage` packages included.
 - `sshd`, `stratisd`, `dbus` services added to default runlevel.
+
+### Stage4 differences from official stage3:
+- `dev-libs/openssl` replaced with `dev-libs/libressl`;
+- Removed `dev-lang/python:2.7`
+- Included some commonly used packages like: `SaltStack`, `Stratis storage`.
+

admincd-amd64-iso.sls

@@ -1,27 +1,7 @@
-{% set catalyst = pillar['catalyst'] %}
-{% set stage3_line_path = salt['cp']['get_file_str'](catalyst.mirror_url+'/releases/amd64/autobuilds/latest-stage3-amd64'+catalyst.stage3_suffix+'-hardened.txt').split('\n')|max %}
-{% set stage3_local_path = stage3_line_path.split(' ')|first|string %}
-{% set stage3_tarball_name = stage3_local_path.split('/')|last|string %}
-{% set stage3_stamp = stage3_tarball_name.split('-')|last|truncate(8, True, '') %}
+{% import slspath+"/env.jinja" as env %}
 
 include:
-  - {{slspath}}.pkg
-
-/var/tmp/catalyst/snapshots/portage-latest.tar.xz:
-  file.managed:
-    - source: {{ catalyst.mirror_url }}/snapshots/portage-latest.tar.xz
-    - source_hash: {{ catalyst.mirror_url }}/releases/snapshots/current/portage-latest.tar.xz.md5sum
-    - makedirs: True
-    - require:
-      - pkg: dev-util/catalyst
-
-/var/tmp/catalyst/builds/hardened/{{ stage3_tarball_name }}:
-  file.managed:
-    - source: {{ catalyst.mirror_url }}/releases/amd64/autobuilds/{{ stage3_local_path }}
-    - source_hash: {{ catalyst.mirror_url }}/releases/amd64/autobuilds/{{ stage3_local_path }}.DIGESTS
-    - makedirs: True
-    - require:
-      - pkg: dev-util/catalyst
+    - {{slspath}}.envsetup
 
 {% for stage_number in ['1','2'] %}
 /var/tmp/catalyst/salt/specs/admincd-amd64{{ catalyst.stage3_suffix }}-stage{{ stage_number }}.spec:
@@ -37,30 +17,12 @@ include:
     - makedirs: True
 {% endfor %}
 
-/var/tmp/catalyst/salt/config/catalystrc:
-  file.managed:
-    - source: salt://{{ slspath }}/files/config/catalystrc
-    - template: jinja
-
-/var/tmp/catalyst/salt/config/catalyst.conf:
-  file.managed:
-    - source: salt://{{ slspath }}/files/config/catalyst.conf
-
-/var/tmp/catalyst/salt/overlay:
-  file.recurse:
-    - source: salt://{{ slspath }}/files/overlay
-    - makedirs: True
-    - clean: True
-
-/var/tmp/catalyst/salt/kconfig:
-  file.recurse:
-    - source: salt://{{ slspath }}/files/kconfig
 
 catalyst -f /var/tmp/catalyst/salt/specs/admincd-amd64{{ catalyst.stage3_suffix }}-stage1.spec -c /var/tmp/catalyst/salt/config/catalyst.conf:
   cmd.run:
     - require:
       - file: /var/tmp/catalyst/salt/specs/admincd-amd64{{ catalyst.stage3_suffix }}-stage1.spec
-      - file: /var/tmp/catalyst/salt/portage/isos
+      - file: /var/tmp/catalyst/salt/portage
       - pkg: dev-util/catalyst
       - pkg: stage1-pkgs
 
@@ -70,8 +32,3 @@ catalyst -f /var/tmp/catalyst/salt/specs/admincd-amd64{{ catalyst.stage3_suffix
       - pkg: stage2-pkgs
       - cmd: catalyst -f /var/tmp/catalyst/salt/specs/admincd-amd64{{ catalyst.stage3_suffix }}-stage1.spec -c /var/tmp/catalyst/salt/config/catalyst.conf
 
-/var/tmp/catalyst/salt/portage/isos:
-  file.recurse:
-    - source: salt://{{ slspath }}/files/portage/isos
-    - makedirs: True
-    - clean: True

env.jinja

@@ -0,0 +1,5 @@
+{% set catalyst = pillar['catalyst'] %}
+{% set stage3_line_path = salt['cp']['get_file_str'](catalyst.mirror_url+'/releases/amd64/autobuilds/latest-stage3-amd64'+catalyst.stage3_suffix+'.txt').split('\n')|max %}
+{% set stage3_local_path = stage3_line_path.split(' ')|first|string %}
+{% set stage3_tarball_name = stage3_local_path.split('/')|last|string %}
+{% set stage3_stamp = stage3_tarball_name.split('-')|last|truncate(8, True, '') %}

envsetup.sls

@@ -0,0 +1,56 @@
+{% import slspath+"/env.jinja" as env %}
+
+include:
+  - {{slspath}}.pkg
+
+/var/tmp/catalyst/snapshots/portage-latest.tar.xz:
+  file.managed:
+    - source: {{ env.catalyst.mirror_url }}/snapshots/portage-latest.tar.xz
+    - source_hash: {{ env.catalyst.mirror_url }}/releases/snapshots/current/portage-latest.tar.xz.md5sum
+    - makedirs: True
+    - require:
+      - pkg: dev-util/catalyst
+
+/var/tmp/catalyst/builds/hardened/{{ env.stage3_tarball_name }}:
+  file.managed:
+    - source: {{ env.catalyst.mirror_url }}/releases/amd64/autobuilds/{{ env.stage3_local_path }}
+    - source_hash: {{ env.catalyst.mirror_url }}/releases/amd64/autobuilds/{{ env.stage3_local_path }}.DIGESTS
+    - makedirs: True
+    - require:
+      - pkg: dev-util/catalyst
+
+/var/tmp/catalyst/salt/config/catalystrc:
+  file.managed:
+    - source: salt://{{ slspath }}/files/config/catalystrc
+    - template: jinja
+
+/var/tmp/catalyst/salt/config/catalyst.conf:
+  file.managed:
+    - source: salt://{{ slspath }}/files/config/catalyst.conf
+
+/var/tmp/catalyst/salt/overlay:
+  git.latest:
+    - name: {{ env.catalyst.overlay_url }}
+    - target: /var/tmp/catalyst/salt/overlay
+    - depth: 1
+    - rev: master
+    - force_clone: True
+    - force_fetch: True
+    - force_reset: True
+    - force_checkout: True
+
+/var/tmp/catalyst/salt/kconfig:
+  file.recurse:
+    - source: salt://{{ slspath }}/files/kconfig
+
+/var/tmp/catalyst/salt/portage:
+  file.recurse:
+    - source: salt://{{ slspath }}/files/portage
+    - makedirs: True
+    - clean: True
+
+/var/tmp/catalyst/salt/scripts:
+  file.recurse:
+    - source: salt://{{ slspath }}/files/scripts
+    - makedirs: True
+    - clean: True

files/config/catalystrc

@@ -5,3 +5,4 @@
 export MAKEOPTS="-j{{ grains['num_cpus'] }}"
 export EMERGE_DEFAULT_OPTS=" -v --jobs={{ grains['num_cpus'] }} "
 export ACCEPT_LICENSE='*'
+export I_KNOW_WHAT_I_AM_DOING=yes

files/portage/stages/glibc_libressl/package.accept_keywords/SALT

@@ -0,0 +1,10 @@
+x11-terms/kitty-terminfo ~amd64
+sys-fs/stratis-cli ~amd64
+sys-fs/stratisd ~amd64
+app-admin/salt ~amd64
+dev-python/dbus-client-gen
+dev-python/dbus-python-client-gen
+dev-python/dbus-signature-pyparsing
+dev-python/into-dbus-python
+dev-python/justbases
+dev-python/justbytes

files/portage/stages/glibc_libressl/package.mask/SALT

@@ -0,0 +1,2 @@
+dev-libs/openssl
+dev-lang/python:2.7

files/portage/stages/glibc_libressl/package.use/SALT

@@ -0,0 +1,4 @@
+net-libs/zeromq drafts
+app-admin/salt -openssl
+sys-process/audit python
+sys-boot/grub grub_platforms_efi-64 grub_platforms_multiboot grub_platforms_pc 

files/portage/stages/libressl_migration/package.mask/SALT

@@ -0,0 +1,2 @@
+dev-libs/openssl
+dev-lang/python:2.7

files/portage/stages/libressl_migration/package.use/SALT

@@ -0,0 +1,3 @@
+net-libs/zeromq drafts
+app-admin/salt -openssl
+sys-process/audit python

files/portage/stages/releng/libpcre

@@ -0,0 +1,5 @@
+# required by sys-libs/libselinux-2.7
+dev-libs/libpcre static-libs
+
+# required by dev-vcs/git
+dev-libs/libpcre2 jit

files/portage/stages/releng/no-filecaps

@@ -0,0 +1,7 @@
+# For stage building, we cannot be sure the final unpack destination will have
+# xattr/fcaps support.  To be safe, we build stages without filecaps, but allow
+# filecaps to be turned back on @ next full world upgrade.  The ebuilds using
+# fcaps eclass will have more logic to safely fall back in case of missing
+# support.
+
+*/* -filecaps

files/scripts/cloud-prep.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Set timezone
+echo 'UTC' > /etc/timezone
+
+# Set locale
+echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen
+echo 'en_US ISO-8859-1' >> /etc/locale.gen
+locale-gen -q
+eselect locale set en_US.utf8
+
+# Some rootfs stuff
+grep -v rootfs /proc/mounts > /etc/mtab
+
+# This is set in rackspaces prep, might help us
+echo 'net.ipv4.conf.eth0.arp_notify = 1' >> /etc/sysctl.conf
+echo 'vm.swappiness = 0' >> /etc/sysctl.conf
+
+# Let's configure our grub
+# Access on both regular tty and serial console
+mkdir /boot/grub
+cat >>/etc/default/grub <<EOF
+GRUB_TERMINAL='serial console'
+GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
+EOF
+grub-mkconfig -o /boot/grub/grub.cfg
+sed -r -i 's/loop[0-9]+p1/LABEL\=cloudimg-rootfs/g' /boot/grub/grub.cfg
+sed -i 's/root=.*\ ro/root=LABEL\=cloudimg-rootfs\ ro/' /boot/grub/grub.cfg
+
+# And the fstab
+echo 'LABEL=cloudimg-rootfs / ext4 defaults 0 0' > /etc/fstab
+
+# allow the console log
+sed -i 's/#s0/s0/g' /etc/inittab
+
+# let ipv6 use normal slaac
+sed -i 's/slaac/#slaac/g' /etc/dhcpcd.conf
+# don't let dhcpcd set domain name or hostname
+sed -i 's/domain_name\,\ domain_search\,\ host_name/domain_search/g' /etc/dhcpcd.conf
+
+# need to do this here because it clobbers an openrc owned file
+cat > /etc/conf.d/hostname << "EOL"
+# Set to the hostname of this machine
+if [ -f /etc/hostname ];then
+  hostname=$(cat /etc/hostname 2> /dev/null | cut -d"." -f1 2> /dev/null)
+else
+  hostname="localhost"
+fi
+EOL
+chmod 0644 /etc/conf.d/hostname
+chown root:root /etc/conf.d/hostname
+
+# set a nice default for /etc/resolv.conf
+cat > /etc/resolv.conf << EOL
+nameserver 8.8.8.8
+nameserver 2001:4860:4860::8888
+EOL
+
+# let's upgrade (security fixes and otherwise)
+USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n @preserved-rebuild
+etc-update --automode -5
+
+# Clean up portage
+emerge --verbose=n --depclean
+if [[ -a /usr/bin/eix ]]; then
+  eix-update
+fi
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+sed -i '/^USE=\"\${USE}\ \ build\"$/d' /etc/portage/make.conf
+echo 'PORTAGE_GPG_DIR="/var/lib/gentoo/gkeys/keyrings/gentoo/release"' >> /etc/portage/make.conf
+
+# clean up system
+passwd -d root
+passwd -l root
+for i in $(find /var/log -type f); do truncate -s 0 $i; done
+# remove foreign manpages
+find /usr/share/man/ -mindepth 1  -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# fine if this fails, aka non-hardened
+if [[ -x /usr/sbin/migrate-pax ]]; then
+  echo 'migraging pax'
+  /usr/sbin/migrate-pax -m
+fi

files/scripts/libressl-migration.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+sed -i 's@^USE="@USE="-python_targets_python2_7 libressl curl_ssl_libressl -curl_ssl_openssl -openssl @g' /etc/portage/make.conf
+
+mkdir -p /etc/portage/repos.conf
+eselect repository enable libressl && \
+emaint sync -a
+
+emerge -uNDkbv --with-bdeps=y @world > /dev/null && \
+emerge -C dev-libs/openssl dev-lang/python:2.7 dev-python/subprocess32 && \
+emerge @preserved-rebuild  && revdep-rebuild -i && emerge -c

files/scripts/livecd.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# This is where we will put any release-specific fsscript code
+
+if [[ -e /etc/conf.d/clock ]]
+then
+	sed -i -e 's/#TIMEZONE="Factory"/TIMEZONE="UTC"/' /etc/conf.d/clock
+fi
+
+case `uname -m` in
+	alpha)
+		echo >> /etc/sysctl.conf
+		echo "# Disable UAC on Alpha" >> /etc/sysctl.conf
+		echo "kernel.uac.noprint = 1" >> /etc/sysctl.conf
+	;;
+	i?86|x86_64)
+		sed -i 's/DRIVER fbdev/DRIVER vesa/' /usr/share/hwdata/Cards
+	;;
+esac
+
+# Enforce a unicode font by default
+sed -e 's/CONSOLEFONT="default8x16"/CONSOLEFONT="lat1-16"/' \
+	-e '/^#CONSOLETRANSLATION="8859-1_to_uni"/ s/^#//' \
+	-i /etc/conf.d/consolefont
+
+# This is necessary because /home/gentoo in the squashfs ends up getting owned
+# by whoever the owner of the overlay files were on the build box. This causes
+# weird stuff to happen like X failing to start because it doesn't have the
+# ability to write the .Xauthority file
+if [[ -d /home/gentoo ]]
+then
+	chown -R gentoo:users /home/gentoo
+fi
+
+echo "#####################################################" > /etc/fstab
+echo "## ATTENTION: THIS IS THE FSTAB ON THE LIVECD      ##" >> /etc/fstab
+echo "## PLEASE EDIT THE FSTAB at /mnt/gentoo/etc/fstab  ##" >> /etc/fstab
+echo "#####################################################" >> /etc/fstab
+
+# fstab tweaks
+echo "tmpfs	/		tmpfs	defaults	0 0" >> /etc/fstab
+echo "tmpfs	/usr/portage	tmpfs	defaults	0 0" >> /etc/fstab
+#echo "tmpfs	/boot		tmpfs	defaults	0 0" >> /etc/fstab
+
+# pull /boot from the CD
+cd /boot && ls -1 | grep -v boot > /usr/livecd/bootfiles.txt
+mv -f System.map* /usr/livecd
+rm -rf /boot/*
+cat << 'EOF' >> /etc/conf.d/local.start
+if [ -n "$(ls /mnt/cdrom)" ]
+then
+	rm /boot
+	mkdir /boot
+	mount -t tmpfs tmpfs /boot
+	INITRAMFS=`ls -1 /mnt/cdrom/{boot,isolinux}/*.igz 2>/dev/null | head -n 1`
+	KERNEL=${INITRAMFS/.igz/}
+	initramfs=`grep initr /usr/livecd/bootfiles.txt | head -n 1`
+	kernel=`grep '^kernel-' /usr/livecd/bootfiles.txt | head -n 1`
+	cp -f ${INITRAMFS} /boot/${initramfs}
+	cp -f ${KERNEL} /boot/${kernel}
+	cp -f /usr/livecd/System.map* /boot
+fi
+EOF
+
+#[ -x /usr/bin/ktelnet ] && ln -sf /usr/bin/ktelnet /usr/bin/telnet
+#[ -x /usr/bin/kftp ] && ln -sf /usr/bin/kftp /usr/bin/ftp
+
+# Remove DefaultColorDepth
+[ -e /etc/X11/xorg.conf.in ] && sed -i -e '/DefaultColorDepth/d' /etc/X11/xorg.conf.in
+
+# This is here so that the retval of the line above (which may be non-0
+# even if everything is ok) is not the retval of the script which would
+# make catalyst unhappy.
+exit 0                                                                          

files/specs/admincd-stage2.spec

@@ -25,9 +25,10 @@ boot/kernel/gentoo/config: /var/tmp/catalyst/salt/kconfig/admincd-4.14.83.config
 #	sys-fs/zfs
 #	sys-fs/zfs-kmod
 
-livecd/rcadd: sshd|default
-livecd/rcadd: dbus|default
-livecd/rcadd: stratisd|default
+livecd/rcadd: 
+	sshd|default
+	dbus|default
+	stratisd|default
 
 livecd/unmerge:
 	app-admin/eselect

files/specs/hardened/stage4-libressl-selinux-nomultilib-final.spec

@@ -0,0 +1,119 @@
+subarch: amd64
+target: stage4
+version_stamp: {{ stage3_stamp }}
+rel_type: hardened
+profile: default/linux/amd64/17.1/no-multilib/hardened/selinux
+snapshot: {{ snapshot_stamp }}
+compression_mode: pixz_x
+decompressor_search_order: tar pixz xz lbzip2 bzip2 gzip
+source_subpath: hardened-glibc-libressl-selinux-transitional/stage4-amd64-{{ stage3_stamp }}
+portage_confdir: /var/tmp/catalyst/salt/portage/stages/glibc_libressl
+portage_overlay: /var/tmp/catalyst/salt/overlay
+
+stage4/use:
+	argon2
+	audit
+	caps
+	cgroups
+	cracklib
+	ecdsa
+	efi
+	filecaps
+	json
+	gnupg
+	iproute2
+	leaps_timezone
+	logrotate
+	lz4
+	lzma
+	lzo
+	netlink
+	nettle
+	numa
+	seccomp
+	smp
+	threads
+	udev
+	xattr
+	xfs
+	-X
+	-tcpd
+	-bindist
+	bzip2
+	idm
+	ipv6
+	urandom
+	http2
+	-openssl
+	libressl
+	curl_ssl_libressl
+	-curl_ssl_openssl
+	-static-libs
+	-static
+	-python_targets_python2_7
+	system-llvm
+	keyring
+	portage
+	modern-top
+
+stage4/packages:
+	net-misc/dhcp
+	net-misc/iputils
+	sys-boot/grub
+	sys-apps/gptfdisk
+	sys-apps/iproute2
+	sys-devel/bc
+	sys-power/acpid
+	app-crypt/gentoo-keys
+	app-admin/salt
+	sys-fs/stratis-cli
+	sys-fs/stratisd
+	app-editors/vim
+	x11-terms/kitty-terminfo
+	sys-fs/lvm2
+
+stage4/rcadd:
+	acpid|default
+	net.lo|default
+	netmount|default
+	sshd|default
+        dbus|default
+        stratisd|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: gentoo-sources
+boot/kernel/gentoo/config: /var/tmp/catalyst/salt/kconfig/cloud-amd64-hardened.config
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules
+
+# all of the cleanup...
+stage4/unmerge:
+	sys-devel/bc
+	sys-kernel/genkernel
+	sys-kernel/gentoo-sources
+
+stage4/empty:
+	/root/.ccache
+	/tmp
+	/usr/portage/distfiles
+	/usr/src
+	/var/cache/edb/dep
+	/var/cache/genkernel
+	/var/cache/portage/distfiles
+	/var/empty
+	/var/run
+	/var/state
+	/var/tmp
+
+stage4/rm:
+	/var/db/repos/*
+	/etc/*-
+	/etc/*.old
+	/etc/ssh/ssh_host_*
+	/root/.*history
+	/root/.lesshst
+	/root/.ssh/known_hosts
+	/root/.viminfo
+	# Remove any generated stuff by genkernel
+	/usr/share/genkernel
+	# This is 3MB of crap for each copy
+	/usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz

files/specs/hardened/stage4-libressl-selinux-nomultilib-transitional.spec

@@ -0,0 +1,89 @@
+subarch: amd64
+target: stage4
+version_stamp: {{ stage3_stamp }}
+rel_type: hardened-glibc-libressl-selinux-transitional
+profile: default/linux/amd64/17.1/no-multilib/hardened/selinux
+snapshot: {{ snapshot_stamp }}
+compression_mode: pixz_x
+decompressor_search_order: tar pixz xz lbzip2 bzip2 gzip
+source_subpath: hardened/{{ stage3 }}
+portage_confdir: /var/tmp/catalyst/salt/portage/stages/libressl_migration
+portage_overlay: /var/tmp/catalyst/salt/overlay
+
+stage4/use:
+	argon2
+	audit
+	caps
+	cgroups
+	cracklib
+	ecdsa
+	efi
+	filecaps
+	json
+	gnupg
+	iproute2
+	leaps_timezone
+	logrotate
+	lz4
+	lzma
+	lzo
+	netlink
+	nettle
+	numa
+	seccomp
+	smp
+	threads
+	udev
+	xattr
+	xfs
+	-X
+	-tcpd
+	-bindist
+	bzip2
+	idm
+	ipv6
+	urandom
+	http2
+	-static-libs
+	-static
+	system-llvm
+	keyring
+	portage
+	modern-top
+	-perl
+
+stage4/packages:
+	sys-apps/iproute2
+	app-eselect/eselect-repository
+	app-portage/gentoolkit
+	app-portage/portage-utils
+	app-portage/eix
+	dev-vcs/git
+
+stage4/fsscript: /var/tmp/catalyst/salt/scripts/libressl-migration.sh
+
+stage4/empty:
+	/root/.ccache
+	/tmp
+	/usr/portage/distfiles
+	/usr/src
+	/var/cache/edb/dep
+	/var/cache/genkernel
+	/var/cache/portage/distfiles
+	/var/empty
+	/var/run
+	/var/state
+	/var/tmp
+
+stage4/rm:
+	/etc/*-
+	/etc/*.old
+	/etc/ssh/ssh_host_*
+	/root/.*history
+	/root/.lesshst
+	/root/.ssh/known_hosts
+	/root/.viminfo
+	# Remove any generated stuff by genkernel
+	/usr/share/genkernel
+	# This is 3MB of crap for each copy
+	/usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz

stage4-amd64-libressl-hardened-selinux+nomultilib.sls

@@ -0,0 +1,33 @@
+{% import slspath+"/env.jinja" as env %}
+
+include:
+  - {{slspath}}.envsetup
+
+{% for stage_type in ['libressl-selinux-nomultilib-transitional','libressl-selinux-nomultilib-final'] %}
+/var/tmp/catalyst/salt/specs/hardened/stage4-{{ stage_type }}.spec:
+  file.managed:
+    - source: salt://{{ slspath }}/files/specs/hardened/stage4-{{ stage_type }}.spec
+    - template: jinja
+    - defaults:
+        stage3_stamp: {{ env.stage3_stamp }}
+        snapshot_stamp: latest
+        profile: {{ env.catalyst.profile }}
+        stage3: {{ env.stage3_tarball_name }}
+        stage3_suffix: {{ env.catalyst.stage3_suffix }}
+    - makedirs: True
+{% endfor %}
+
+
+catalyst -f /var/tmp/catalyst/salt/specs/hardened/stage4-libressl-selinux-nomultilib-transitional.spec -c /var/tmp/catalyst/salt/config/catalyst.conf:
+  cmd.run:
+      - require:
+          - file: /var/tmp/catalyst/salt/specs/hardened/stage4-libressl-selinux-nomultilib-transitional.spec
+          - file: /var/tmp/catalyst/salt/portage
+          - file: /var/tmp/catalyst/salt/scripts
+          - git: /var/tmp/catalyst/salt/overlay
+          - pkg: dev-util/catalyst
+
+catalyst -f /var/tmp/catalyst/salt/specs/hardened/stage4-libressl-selinux-nomultilib-final.spec -c /var/tmp/catalyst/salt/config/catalyst.conf:
+  cmd.run: 
+      - require:
+          - cmd: catalyst -f /var/tmp/catalyst/salt/specs/hardened/stage4-libressl-selinux-nomultilib-transitional.spec -c /var/tmp/catalyst/salt/config/catalyst.conf