Commit graph

508 commits

Author SHA1 Message Date
cc3150ef04
Rework download stage to allow file:// mirrors
- factor out package downloading function
 - replace -oApt::Get::Download-Only=true by -oDebug::pkgDpkgPm=1
 - remove guessing of package names in /var/cache/apt/archives/
 - drop edsp parsing with proxysolver/mmdebstrap-dump-solution to obtain
   downloaded filenames in favour of -oDpkg::Pre-Install-Pkgs::=cat
 - /var/cache/apt/archives/ is now allowed to contain packages
 - drop --skip=download/empty
 - file:// mirrors are now supported if their path is available inside
   the chroot
2022-05-26 07:36:21 +02:00
dc8b09ed50
fix pod formatting typo 2022-05-24 04:15:25 +02:00
21b23ebb9f
set MMDEBSTRAP_VERBOSITY in hooks 2022-05-24 04:14:08 +02:00
0664792cd5
manually push option arguments to array instead of using s@
By mixing s@ for --$foo-hook options and manual pushing in --hook-dir,
it can happen that options get lost. Consider the following test:

use Getopt::Long;
my $arr = [];
GetOptions(
    'A=s@' => \$arr,
    'B=s' => sub { push @{$arr}, $_[1]; }
);
foreach my $hook (@{$arr}) { print "hook: $hook\n"; }

This works fine:

    perl test.pl --A=a1 --B=b1 --A=a2 --B=b2
    hook: a1
    hook: b1
    hook: a2
    hook: b2

This misses b1:

    perl test.pl --B=b1 --A=a2 --B=b2
    hook: a2
    hook: b2
2022-05-24 04:09:41 +02:00
26af846d0a
fix that cached debs were not returned if there was nothing to download 2022-05-23 23:30:29 +02:00
5c5f7de898
more documentation for TMPDIR 2022-05-22 02:57:42 +02:00
29b23bbcbc
document how to build on top of an existing tarball 2022-05-22 02:57:01 +02:00
d10f320f5d
document how to build an sbuild unshare chroot mode tarball 2022-05-22 02:56:21 +02:00
ce23e702e2
fixup comparison with debootstrap 2022-05-22 02:54:41 +02:00
09f1dd2ee6
Improve documentation of reproducibility of /etc/resolv.conf and /etc/hostname
Closes: #26
2022-05-11 10:47:25 +02:00
57e0ecb20f
release 0.8.6 2022-03-25 14:27:25 +01:00
70b081d299
allow running root mode inside unshare mode 2022-03-25 14:25:54 +01:00
64ba5f8229
release 0.8.5 2022-03-07 23:44:45 +01:00
409ce1cfee
improve man page further 2022-03-07 23:41:58 +01:00
7044baf6b1
run busybox from an absolute path to allow running it even when /proc is not mounted as busybox uses /proc/self/exe to figure out its own path 2022-03-07 11:27:10 +01:00
489e51a2eb
Run File::Find::find with no_chdir=>1
Without no_chdir=>1 the unshared child process in unshare mode needs
read permissions for the directory from which mmdebstrap is executed.
With this change, the current working directory does not need to be
world-readable anymore.

Closes: #1005857
Reported-by: Trent W. Buck <trentbuck@gmail.com>
2022-02-16 10:53:05 +01:00
5fa2457fd5 mmdebstrap: Add mbr.bin installation to autopkgtest-build-qemu instructions
The generated image will not be bootable if `mbr.bin` is not installed
into the MBR.

These lines are copied from the "Debian desktop on USB stick" example.
2022-02-13 20:00:35 +01:00
8e6f183b3f mmdebstrap: Install mbr.bin in /boot and keep after installation 2022-02-13 19:56:39 +01:00
97e6981ddc mmdebstrap: Read extlinux's MBR from /usr/lib/EXTLINUX
`/usr/lib/SYSLINUX` is not available if only `extlinux` is installed.
2022-02-13 19:55:29 +01:00
22c0ba45a0 mmdebstrap: Use ext4 instead of ext2 in examples 2022-02-13 17:44:25 +01:00
829df60242 mmdebstrap: Align autopkgtest-build-qemu and USB stick examples
Write the same `guestfish` instructions in the same way in both the
`autopkgtest-build-qemu` and the "Debian desktopn on a USB stick" example.
2022-02-13 17:42:26 +01:00
070a9cecb7
release 0.8.4 2022-02-11 23:04:31 +01:00
38a81e75bb
remove information about kernel.unprivileged_userns_clone from the man page 2022-02-11 23:02:31 +01:00
ce8a9f8764
also remove /var/lib/dbus/machine-id 2022-02-11 23:01:56 +01:00
e865ce850f
document another advantage of running apt outside the chroot 2022-02-11 23:01:36 +01:00
2b60a932a9
don't install essential packages in run_install() 2022-02-11 23:01:08 +01:00
632a918780
release 0.8.3 2022-01-08 08:37:00 +01:00
6ba6d10c4f
document that 'upload' doesn't retain permissions and ownership 2022-01-08 08:33:41 +01:00
4f811b7117
print errer message if mmdebstrap failed to run 2022-01-08 08:32:09 +01:00
ff2910a746
send SIGHUP to children if tar failed 2022-01-08 08:31:50 +01:00
0da6f103a1
hardcode 'stable' to use stable-security mirror 2022-01-08 08:31:26 +01:00
388c7980d3
don't copy in qemu-user-static if we don't need to 2022-01-08 08:29:48 +01:00
8bc6a4daa9
set PATH in main instead of run_setup 2022-01-08 07:44:05 +01:00
0383efc554
don't overwrite existing files in setup 2022-01-07 23:15:07 +01:00
1b0f7f1138
make $@ local, so we don't print "Can't locate Undefined subroutine &Devel::Cover::get_coverage called" in other parts where we evaluate $@ 2022-01-07 23:15:07 +01:00
88619e4d9c
test codename apt pattern as well, requires apt >= 2.3.14
closes: #21
2022-01-07 12:46:42 +01:00
5d8943b739
release 0.8.2 2021-12-14 21:07:04 +01:00
7501708aaf
perltidy 20200110 -> 20210717 2021-12-14 21:07:04 +01:00
e4e10b670c
allow custom daemon startup prevention
don't bother with /sbin/start-stop-daemon and /usr/sbin/policy-rc.d
if they're not a regular files (e.g. symlinks)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2021-12-06 00:28:34 +03:00
c4a43ea0f9
make $@ local, so we don't print "Can't locate Dpkg/Vendor/Debian.pm" in other parts where we evaluate $@ 2021-11-29 21:15:59 +01:00
60d69f6f78
Use apt patters to select priority variants
- requires apt >= 2.3.10
 - we can drop having to run apt-get indextargets and parse Packages
   files ourselves
 - we can drop the layer violation that computed the package set in
   run_download() and passed the package set around in setup() to
   run_install()
 - packages are selected by suite unless the suite is the empty string
2021-11-09 07:31:56 +01:00
3b41fe6805
document mmdebstrap as docker/podman replacement 2021-11-07 10:00:48 +01:00
Raul Tambre
c61e81a244 Relax dpkg version regex
For non-release builds the version will include the number of commits since last release and the commit hash with dashes, e.g. 1.20.8-46-g0881.
For downstream distros it seems it may include their identification strings, e.g. 1.20.9ubuntu2.

Make the regex match everything after the version number to avoid incorrectly erroring on such versions.

Fixes #18
2021-11-06 23:04:27 +02:00
7a062661e5
release 0.8.1 2021-10-07 13:35:39 +02:00
1d2a7ef71a
enforce dpkg >= 1.20.0 and remove dead code 2021-10-07 10:51:20 +02:00
4f278deadf
use rm and find instead of remove_tree()
* remove_tree() requires the CWD to be accessible or fails with
   cannot chdir to $CWD from $DIR_TO_DELETE: Permission denied, aborting.
 * CWD is not always accessible -- example: run mmdebstrap from a
   directory only accessible by the current user (like a tempdir) in
   unshare mode
 * find from findutils *also* requires CWD to be accessible but it's
   easier to temporarily change CWD in a subprocess because using
   there is no utility in perl core that changes CWD temporarily and
   cleans up after itself
 * we need to use find from findutils instead of rm in unshare mode
   because the root directory itself might not be removable by the
   unshared user so we only want to remove its subdirectories
2021-10-07 07:07:45 +02:00
c2d988b475
enforce apt >= 2.3.7 and remove dead code (closes: #14) 2021-10-06 23:30:09 +02:00
28cb757742
do not run xz and zstd with --threads=0
There are now systems with 160 cores (debci runs on two Ampere Altra
ARMv8 Neoverse-N1), which makes xz fail with: "xz: (stdin): Cannot
allocate memory"
2021-09-24 22:09:24 +02:00
12ec2c50aa
also create cmethopt and available in chrootless mode
- this allows bit-by-bit identical output of chrootless mode compared
   to other modes
2021-09-22 15:22:35 +02:00
1a4491b4d3
release 0.8.0 2021-09-21 14:20:58 +02:00
2c945e4c87
improve fakechroot LD_LIBRARY_PATH
- use /etc/ld.so.conf from the chroot instead of the host
 - parse /etc/ld.so.conf instead of blindly accessing /etc/ld.so.conf.d
 - add libraries from the chroot instead of the host
2021-09-21 14:17:31 +02:00
ddb642a1dc
update apt MR urls 2021-09-19 19:38:52 +02:00
dceb881bd0
drop DPkg::Install::Recursive::force=true (requires apt >= 2.3.7) 2021-09-19 19:37:06 +02:00
6d59d51a4a
add ldconfig.fakechroot and translate symlinks for bit-by-bit identical buildd variant 2021-09-16 16:23:46 +02:00
6a22e05d59
document that zstd is also called with --threads=0 2021-09-16 16:12:35 +02:00
c7390f648b
be more permissive in the FAKECHROOT_DETECT version format 2021-09-16 16:12:20 +02:00
631b103ca7
check for symlink first to compute disk usage because -f und -s otherwise follow symlinks 2021-09-16 16:11:34 +02:00
101229aa04
add a newline to /etc/machine-id as systemd does the same 2021-09-16 16:08:07 +02:00
5b0bb46421
add gpgvnoexpkeysig 2021-09-15 16:10:22 +02:00
6851cd7cb4
move hooks/setup00-merged-usr.sh -> hooks/merged-usr/setup00.sh, expand docs 2021-09-03 12:04:40 +02:00
6a8fbae9d8
make fakechroot mode bit-by-bit identical to the others 2021-08-29 10:25:34 +02:00
7d472ca116
document on how to use mmdebstrap with podman 2021-08-27 11:53:32 +02:00
047619967e
also check whether CAP_SYS_ADMIN is in the bounding set 2021-08-27 11:53:11 +02:00
5a5f57b404
Automatically skip using mount if that's not possible
- instead of throwing an error, just print a warning
 - can now run as root without cap_sys_admin
 - can now run without mount installed
 - --skip=check/canmount is not needed anymore
2021-08-26 15:40:27 +02:00
1a18160fe8
document that apt-transport-https, ca-certificates and apt-transport-tor are no longer installed automatically 2021-08-26 11:17:13 +02:00
91d8be5f9c
Do not use gpg --trust-model=always
- gpg will not create a trustdb when running with --update-trustdb with
   --trust-model=always:
       gpg: no need for a trustdb update with 'always' trust model
 - subsequent gpg calls will fail because there is no trustdb in GPGHOME
2021-08-26 07:58:27 +02:00
850eeb24d5
more code comments 2021-08-25 05:21:57 +02:00
8b12375de3
add more references to #808203 2021-08-25 05:15:44 +02:00
c627606110
document copy:// vs. file:// 2021-08-23 10:41:44 +02:00
60dba1c19e
fixup read_subuid_subgid
- use $REAL_USER_ID from English instead of $<
 - use getgrgid $REAL_GROUP_ID to get the group name instead of assuming
   the group name to be equal to the user name
 - also check whether /etc/subgid exists and is readable
2021-08-19 13:02:44 +02:00
Joe Groocock
15029c1c3b
improve error message for missing /etc/subuid entry (closes: #9) 2021-08-19 11:18:53 +02:00
3c37d692a0
write 'uninitialized' to /etc/machine-id to support systemd ConditionFirstBoot (closes: #10) 2021-08-19 07:18:21 +02:00
5283d74dfe
Remove files inside the auxfiles directory
This is fixing the error:
  cannot rmdir /var/lib/apt/lists/auxfiles: Directory not empty at ./mmdebstrap/mmdebstrap line 3084.
which happens when using apt-transport-mirror.
2021-08-19 07:18:21 +02:00
ea82b267c9
only run test_unshare_userns() if not root user 2021-08-18 22:06:16 +02:00
dfbf9cdcef
several fixes to chrootless mode 2021-08-17 23:39:20 +02:00
f868073b6e
add --skip=setup, --skip=update and --skip=cleanup 2021-08-17 11:11:00 +02:00
98f1f0abde
use apt pattern to select essential set 2021-08-17 10:30:06 +02:00
3e488dd1dd
use apt from the outside by setting DPkg::Chroot-Directory 2021-08-16 22:33:39 +02:00
c63ad87310
changes for release of Debian 11 Buster 2021-08-16 13:11:42 +02:00
594ea3c72e
improve busybox and --hook-dir examples in man page -- thanks Jochen Sprickerhof! 2021-05-31 16:33:34 +02:00
3f79c18a0d
since apt 2.1.16 we can use --error-on=any and do not anymore need to error out on all W: lines (closes: #6) 2021-05-31 11:17:45 +02:00
Benjamin Drung
0378c101bb
Pass extended attributes (excluding system) to tar2sqfs
/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:

```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```

Debian testing/unstable images (variant important) contain security and
system attributes:

```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0           77432 2021-02-02 18:49 ./bin/ping
  x: 20 security.capability
--
drwxr-sr-x* 0/102             0 2021-05-07 15:10 ./var/log/journal/
  x: 44 system.posix_acl_access
  x: 44 system.posix_acl_default
```

When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:

```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```

tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.

Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:

```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```

So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:

```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```

Closes: #988100
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
2021-05-17 21:43:10 +02:00
88a031477a
add --skip=cleanup/apt/lists and --skip=cleanup/apt/cache 2021-05-09 20:44:02 +02:00
Vagrant Cascadian
c51fb24c7b
Use all cores when compressing with zstd. 2021-05-09 17:32:04 +02:00
236b84a486
tarfilter: add --pax-exclude and --pax-include to strip extended attributes because tar2sqfs only supports user.*, trusted.* and security.* 2021-05-07 09:39:40 +02:00
ebfac91738
also choose null format if stdout is /dev/null and check whether major and minor number of /dev/null are as expected to avoid false positives 2021-05-04 15:01:53 +02:00
ccd4b5c163
gpg: handle ASCII-armored keyrings as well
gpg command "--list-keys" requires input files to be passed with
option "--keyring" and each file must match type "public keyring v4"
while gpg command "--show-keys" doesn't require extra options and
handles also ASCII-armored public keyrings as well.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2021-04-25 22:33:37 +03:00
Helmut Grohne
2767b051bc
implement --format=null 2021-03-25 07:04:14 +01:00
4c17f36072
better document the TMPDIR env var 2021-03-08 19:33:51 +01:00
5a3d1ab5c4
Rework /dev, /sys, /proc mounting
- assume all entries in @devfiles to be in /dev
 - allow for /dev, /sys and /proc not to exist in the target and print warning
 - allow for /dev entries as well as /sys and /proc not to exist on the outside
 - simplify umount by storing special options in @umountopts
 - remove superfluous checks for root and unshare mode
 - make sure /dev entries are less than 100 chars in size for tar
2021-03-08 08:04:35 +01:00
d52eaa4814
instead of checking for defined-ness and then comparing with the empty string, we can just use 'length' which returns undef if its argument is undef 2021-03-08 07:54:04 +01:00
270fd09b43
update copyright information 2021-03-08 07:52:14 +01:00
d5c8a85ace
document problems with chrootless mode in man page 2021-02-23 12:50:18 +01:00
ecbc10794c
warn if --dpkgopt is used in chrootless mode because of #808203 2021-02-23 12:49:46 +01:00
49f464e7da
create /etc/dpkg/dpkg.cfg.d/ if --dpkgopt is used 2021-02-23 12:49:26 +01:00
067daaf4c2
also run unshare with --propagation unchanged in root mode 2021-02-19 12:53:14 +01:00
Josh Triplett
f8fc7d9bbf
Fix typo in hook directory example 2021-02-06 18:58:30 +01:00
976cc9c1c4
release 0.7.5 2021-02-06 14:46:37 +01:00
73cd7cd2e8
run unshare --mount with --propagation unchanged to prevent 'cannot change root filesystem propagation' when running mmdebstrap from inside a chroot 2021-02-06 10:11:53 +01:00
39167dbc30
expose hook name to hooks via MMDEBSTRAP_HOOK environment variable 2021-02-06 09:18:05 +01:00