mmdebstrap

Author	SHA1	Message	Date
Benjamin Drung	0378c101bb	Pass extended attributes (excluding system) to tar2sqfs /bin/ping (from iputils-ping) uses the security capabilities to allow users to use the program: ``` $ getcap /bin/ping /bin/ping cap_net_raw=ep ``` Debian testing/unstable images (variant important) contain security and system attributes: ``` $ mmdebstrap --variant=important bullseye root.tar $ tar --xattrs --xattrs-include='' -vv -tf root.tar \| grep -B 1 '^ ' -rwxr-xr-x 0/0 77432 2021-02-02 18:49 ./bin/ping x: 20 security.capability -- drwxr-sr-x* 0/102 0 2021-05-07 15:10 ./var/log/journal/ x: 44 system.posix_acl_access x: 44 system.posix_acl_default ``` When generating a squashfs image with mmdebstrap 0.7.5-2, these security capabilities are lost. Example for building a squashfs image in a minimal Debian unstable schroot: ``` $ apt install -y mmdebstrap squashfs-tools-ng $ mmdebstrap --variant=important buster root.squashfs $ rdsquashfs -x /bin/ping root.squashfs $ ``` tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended attributes from the namespace `user`, `trusted`, and `security` (see `include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three namespaces plus the namespace `system`. Passing extended attributes from the `system` namespace to tar2sqfs will produce an error: ``` ERROR: squashfs does not support xattr prefix of system.posix_acl_default ``` So pass the extended attributes to tar2sqfs, but exclude the `system` namespace. Then ping will keep its security attributes: ``` $ rdsquashfs -x /bin/ping root.squashfs security.capability=0x0100000200200000000000000000000000000000 ``` Closes: #988100 Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>	2021-05-17 21:43:10 +02:00
Johannes Schauer Marin Rodrigues	88a031477a	add --skip=cleanup/apt/lists and --skip=cleanup/apt/cache	2021-05-09 20:44:02 +02:00
Vagrant Cascadian	c51fb24c7b	Use all cores when compressing with zstd.	2021-05-09 17:32:04 +02:00
Johannes Schauer Marin Rodrigues	236b84a486	tarfilter: add --pax-exclude and --pax-include to strip extended attributes because tar2sqfs only supports user., trusted. and security.*	2021-05-07 09:39:40 +02:00
Johannes Schauer Marin Rodrigues	bd5d3c3dab	tarfilter: remove leftover debugging statement	2021-05-07 09:20:36 +02:00
Johannes Schauer Marin Rodrigues	ebfac91738	also choose null format if stdout is /dev/null and check whether major and minor number of /dev/null are as expected to avoid false positives	2021-05-04 15:01:53 +02:00
Konstantin Demin	ccd4b5c163	gpg: handle ASCII-armored keyrings as well gpg command "--list-keys" requires input files to be passed with option "--keyring" and each file must match type "public keyring v4" while gpg command "--show-keys" doesn't require extra options and handles also ASCII-armored public keyrings as well. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>	2021-04-25 22:33:37 +03:00
Helmut Grohne	2767b051bc	implement --format=null	2021-03-25 07:04:14 +01:00
Johannes Schauer Marin Rodrigues	4c17f36072	better document the TMPDIR env var	2021-03-08 19:33:51 +01:00
Johannes Schauer Marin Rodrigues	4cd69d444a	coverage.sh: let cover output to stderr to prevent wrong message output order	2021-03-08 19:33:24 +01:00
Johannes Schauer Marin Rodrigues	4cd547286c	coverage.sh: sysvinit-utils also works with chrootless	2021-03-08 19:32:53 +01:00
Johannes Schauer Marin Rodrigues	65070e23da	coverage.sh: add more docs for chrootless essential test	2021-03-08 19:32:19 +01:00
Johannes Schauer Marin Rodrigues	5a3d1ab5c4	Rework /dev, /sys, /proc mounting - assume all entries in @devfiles to be in /dev - allow for /dev, /sys and /proc not to exist in the target and print warning - allow for /dev entries as well as /sys and /proc not to exist on the outside - simplify umount by storing special options in @umountopts - remove superfluous checks for root and unshare mode - make sure /dev entries are less than 100 chars in size for tar	2021-03-08 08:04:35 +01:00
Johannes Schauer Marin Rodrigues	d52eaa4814	instead of checking for defined-ness and then comparing with the empty string, we can just use 'length' which returns undef if its argument is undef	2021-03-08 07:54:04 +01:00
Johannes Schauer Marin Rodrigues	270fd09b43	update copyright information	2021-03-08 07:52:14 +01:00
Johannes Schauer Marin Rodrigues	d5c8a85ace	document problems with chrootless mode in man page	2021-02-23 12:50:18 +01:00
Johannes Schauer Marin Rodrigues	ecbc10794c	warn if --dpkgopt is used in chrootless mode because of #808203	2021-02-23 12:49:46 +01:00
Johannes Schauer Marin Rodrigues	49f464e7da	create /etc/dpkg/dpkg.cfg.d/ if --dpkgopt is used	2021-02-23 12:49:26 +01:00
Johannes Schauer Marin Rodrigues	bbf12c221d	tarfilter: fixup last commit by formatting with black	2021-02-22 13:45:55 +01:00
Benjamin Drung	043ab3bbf0	tarfilter: Compile prefix pattern only once According to Debian bug #978742, mmtarfilter has a slow performance with many path exclusions. The execution can be speed up if the regular expression is only compiled once instead of every time in the hot loop. Signed-off-by: Benjamin Drung <benjamin.drung@cloud.ionos.com>	2021-02-22 13:15:16 +01:00
Johannes Schauer Marin Rodrigues	5fd1ca62d9	coverage.sh: don't attempt deleting non-existant directory	2021-02-19 14:40:20 +01:00
Johannes Schauer Marin Rodrigues	067daaf4c2	also run unshare with --propagation unchanged in root mode	2021-02-19 12:53:14 +01:00
Josh Triplett	f8fc7d9bbf	Fix typo in hook directory example	2021-02-06 18:58:30 +01:00
Johannes Schauer Marin Rodrigues	976cc9c1c4	release 0.7.5	2021-02-06 14:46:37 +01:00
Johannes Schauer Marin Rodrigues	276363c2a1	coverage.sh: remove chroot directories	2021-02-06 14:46:37 +01:00
Johannes Schauer Marin Rodrigues	0009e62b3e	coverage.sh: do not run cap_sys_admin test under lxc	2021-02-06 14:46:37 +01:00
Johannes Schauer Marin Rodrigues	73cd7cd2e8	run unshare --mount with --propagation unchanged to prevent 'cannot change root filesystem propagation' when running mmdebstrap from inside a chroot	2021-02-06 10:11:53 +01:00
Trent W. Buck	f976dabb51	add examples/twb	2021-02-06 10:10:17 +01:00
Johannes Schauer Marin Rodrigues	39167dbc30	expose hook name to hooks via MMDEBSTRAP_HOOK environment variable	2021-02-06 09:18:05 +01:00
Johannes Schauer Marin Rodrigues	8a4f4d90ab	remove example showing mmdebstrap as debootstrap replacement for sbuild-createchroot as it doesn't work in unshare mode	2021-02-04 17:47:40 +01:00
Johannes Schauer Marin Rodrigues	e1e0df7799	skip emulation check for extract variant	2021-02-04 17:47:10 +01:00
Johannes Schauer Marin Rodrigues	c740b01dc8	unset TMPDIR in hooks because there is no value that works inside as well as outside the chroot	2021-02-04 17:46:39 +01:00
Johannes Schauer Marin Rodrigues	0595c5c220	add new suite name trixie	2021-02-04 17:43:33 +01:00
Johannes Schauer Marin Rodrigues	7a43ff89dc	improve dpkg and apt version parsing	2021-02-04 17:42:40 +01:00
Johannes Schauer Marin Rodrigues	aaa7c14275	hooks/setup00-merged-usr.sh: add rationale	2021-02-04 17:40:35 +01:00
Johannes Schauer Marin Rodrigues	4e658549f0	coverage.sh: clean up some additional files	2021-02-04 17:39:50 +01:00
Johannes 'josch' Schauer	d9633d05fe	release 0.7.4	2021-01-16 00:33:40 +01:00
Johannes 'josch' Schauer	7bd733fb8b	In root mode, check whether it's possible to mount - even if the user is root, they might not have permission to mount - check for CAP_SYS_ADMIN and unshare --mount before proceeding - allow one to disable the check with --skip=check/canmount - this is useful in container environments like docker	2021-01-13 18:40:29 +01:00
Johannes 'josch' Schauer	205f5c2692	document how to use mmdebstrap to create a docker chroot	2021-01-13 18:08:04 +01:00
Johannes 'josch' Schauer	4693034138	allow unshare as root user - this is useful when you are already root and want the benefits of unsharing the mount namespace to prevent messing up your system - if the unshare mode is used as root, the user namespace is not unshared anymore and newuidmap, setuid and friends are not called anymore - if the unshare mode is used as non-root test if the user namespace can be unshared, otherwise test if the mount namespace can be unshared	2021-01-13 16:15:59 +01:00
Johannes 'josch' Schauer	0f6741d01a	coverage.sh: allow to run on stable	2021-01-11 13:28:18 +01:00
Johannes 'josch' Schauer	ea6bbc1d9c	#898446 got closed and the default of kernel.unprivileged_userns_clone changed to 1	2021-01-09 19:44:39 +01:00
Johannes 'josch' Schauer	62bcf3261e	do not run an additional env command inside the chroot	2021-01-09 19:44:00 +01:00
Johannes 'josch' Schauer	7ff3f53fb9	apt 2.1.16 fixed immediate configure	2021-01-09 19:43:15 +01:00
Johannes 'josch' Schauer	ac21074243	set MMDEBSTRAP_APT_CONFIG, MMDEBSTRAP_MODE and MMDEBSTRAP_HOOKSOCK for hook scripts	2021-01-09 19:41:59 +01:00
Josh Triplett	5a7dbc10c7	Optimize mmtarfilter to handle many path exclusions mmtarfilter uses fnmatch to handle path exclusions and inclusions. Python's fnmatch handles shell patterns by translating them to regular expressions, with a 256-entry LRU cache. With more than 256 path exclusions or inclusions, this LRU cache no longer works, and every invocation of fnmatch on every file in every package will re-translate and re-compile a regular expression, resulting in much worse performance. Translate all the shell patterns to regular expressions once. For an mmdebstrap invocation with around 500 path filters, this speeds up mmdebstrap by more than a minute.	2021-01-06 14:58:10 +01:00
Johannes 'josch' Schauer	9484107392	set PATH if it's unset or empty	2021-01-06 11:49:29 +01:00
Johannes 'josch' Schauer	8c42daad92	README.md: update benchmark numbers with new debootstrap	2021-01-06 11:49:14 +01:00
Johannes 'josch' Schauer	2d03a81997	coverage.sh: reenabling tests because bugs got fixed - systemd didn't get fixed but somehow the order matches again (bug #963788) - python is installable again (bug #968217) - apt immediate configure was not fixed but src:glibc changed to not trigger the bug anymore (bugs #973305, #973325 and #972552)	2021-01-06 11:33:37 +01:00
Johannes 'josch' Schauer	0dc8321094	coverage.sh: the output of getcap differs depending on the version	2021-01-06 11:19:15 +01:00

1 2 3 4 5 ...

613 commits