Johannes Schauer Marin Rodrigues
60dba1c19e
fixup read_subuid_subgid
- use $REAL_USER_ID from English instead of $<
- use getgrgid $REAL_GROUP_ID to get the group name instead of assuming
the group name to be equal to the user name
- also check whether /etc/subgid exists and is readable
3 years ago
Joe Groocock
15029c1c3b
improve error message for missing /etc/subuid entry (closes: #9)
3 years ago
Johannes Schauer Marin Rodrigues
3c37d692a0
write 'uninitialized' to /etc/machine-id to support systemd ConditionFirstBoot (closes: #10)
3 years ago
Nicolas Vigier
5283d74dfe
Remove files inside the auxfiles directory
This is fixing the error:
cannot rmdir /var/lib/apt/lists/auxfiles: Directory not empty at ./mmdebstrap/mmdebstrap line 3084.
which happens when using apt-transport-mirror.
3 years ago
Johannes Schauer Marin Rodrigues
ea82b267c9
only run test_unshare_userns() if not root user
3 years ago
Johannes Schauer Marin Rodrigues
dfbf9cdcef
several fixes to chrootless mode
3 years ago
Johannes Schauer Marin Rodrigues
f868073b6e
add --skip=setup, --skip=update and --skip=cleanup
3 years ago
Johannes Schauer Marin Rodrigues
98f1f0abde
use apt pattern to select essential set
3 years ago
Johannes Schauer Marin Rodrigues
3e488dd1dd
use apt from the outside by setting DPkg::Chroot-Directory
3 years ago
Johannes Schauer Marin Rodrigues
c63ad87310
changes for release of Debian 11 Buster
3 years ago
Johannes Schauer Marin Rodrigues
594ea3c72e
improve busybox and --hook-dir examples in man page -- thanks Jochen Sprickerhof!
3 years ago
Johannes Schauer Marin Rodrigues
3f79c18a0d
since apt 2.1.16 we can use --error-on=any and do not anymore need to error out on all W: lines (closes: #6)
3 years ago
Benjamin Drung
0378c101bb
Pass extended attributes (excluding system) to tar2sqfs
/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:
```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```
Debian testing/unstable images (variant important) contain security and
system attributes:
```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0 77432 2021-02-02 18:49 ./bin/ping
x: 20 security.capability
--
drwxr-sr-x* 0/102 0 2021-05-07 15:10 ./var/log/journal/
x: 44 system.posix_acl_access
x: 44 system.posix_acl_default
```
When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:
```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```
tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.
Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:
```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```
So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:
```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```
Closes: #988100
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
3 years ago
Johannes Schauer Marin Rodrigues
88a031477a
add --skip=cleanup/apt/lists and --skip=cleanup/apt/cache
3 years ago
Vagrant Cascadian
c51fb24c7b
Use all cores when compressing with zstd.
3 years ago
Johannes Schauer Marin Rodrigues
236b84a486
tarfilter: add --pax-exclude and --pax-include to strip extended attributes because tar2sqfs only supports user.*, trusted.* and security.*
3 years ago
Johannes Schauer Marin Rodrigues
ebfac91738
also choose null format if stdout is /dev/null and check whether major and minor number of /dev/null are as expected to avoid false positives
3 years ago
Konstantin Demin
ccd4b5c163
gpg: handle ASCII-armored keyrings as well
gpg command "--list-keys" requires input files to be passed with
option "--keyring" and each file must match type "public keyring v4",
while gpg command "--show-keys" doesn't require extra options and
also handles ASCII-armored public keyrings.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
3 years ago
Helmut Grohne
2767b051bc
implement --format=null
3 years ago
Johannes Schauer Marin Rodrigues
4c17f36072
better document the TMPDIR env var
3 years ago
Johannes Schauer Marin Rodrigues
5a3d1ab5c4
Rework /dev, /sys, /proc mounting
- assume all entries in @devfiles to be in /dev
- allow for /dev, /sys and /proc not to exist in the target and print warning
- allow for /dev entries as well as /sys and /proc not to exist on the outside
- simplify umount by storing special options in @umountopts
- remove superfluous checks for root and unshare mode
- make sure /dev entries are less than 100 chars in size for tar
3 years ago
Johannes Schauer Marin Rodrigues
d52eaa4814
instead of checking for defined-ness and then comparing with the empty string, we can just use 'length' which returns undef if its argument is undef
3 years ago
Johannes Schauer Marin Rodrigues
270fd09b43
update copyright information
3 years ago
Johannes Schauer Marin Rodrigues
d5c8a85ace
document problems with chrootless mode in man page
3 years ago
Johannes Schauer Marin Rodrigues
ecbc10794c
warn if --dpkgopt is used in chrootless mode because of #808203
3 years ago
Johannes Schauer Marin Rodrigues
49f464e7da
create /etc/dpkg/dpkg.cfg.d/ if --dpkgopt is used
3 years ago
Johannes Schauer Marin Rodrigues
067daaf4c2
also run unshare with --propagation unchanged in root mode
3 years ago
Josh Triplett
f8fc7d9bbf
Fix typo in hook directory example
3 years ago
Johannes Schauer Marin Rodrigues
976cc9c1c4
release 0.7.5
3 years ago
Johannes Schauer Marin Rodrigues
73cd7cd2e8
run unshare --mount with --propagation unchanged to prevent 'cannot change root filesystem propagation' when running mmdebstrap from inside a chroot
3 years ago
Johannes Schauer Marin Rodrigues
39167dbc30
expose hook name to hooks via MMDEBSTRAP_HOOK environment variable
3 years ago
Johannes Schauer Marin Rodrigues
8a4f4d90ab
remove example showing mmdebstrap as debootstrap replacement for sbuild-createchroot as it doesn't work in unshare mode
3 years ago
Johannes Schauer Marin Rodrigues
e1e0df7799
skip emulation check for extract variant
3 years ago
Johannes Schauer Marin Rodrigues
c740b01dc8
unset TMPDIR in hooks because there is no value that works inside as well as outside the chroot
3 years ago
Johannes Schauer Marin Rodrigues
0595c5c220
add new suite name trixie
3 years ago
Johannes Schauer Marin Rodrigues
7a43ff89dc
improve dpkg and apt version parsing
3 years ago
Johannes 'josch' Schauer
d9633d05fe
release 0.7.4
3 years ago
Johannes 'josch' Schauer
7bd733fb8b
In root mode, check whether it's possible to mount
- even if the user is root, they might not have permission to mount
- check for CAP_SYS_ADMIN and unshare --mount before proceeding
- allow one to disable the check with --skip=check/canmount
- this is useful in container environments like docker
3 years ago
Johannes 'josch' Schauer
205f5c2692
document how to use mmdebstrap to create a docker chroot
3 years ago
Johannes 'josch' Schauer
4693034138
allow unshare as root user
- this is useful when you are already root and want the benefits of
unsharing the mount namespace to prevent messing up your system
- if the unshare mode is used as root, the user namespace is not unshared
anymore and newuidmap, setuid and friends are not called anymore
- if the unshare mode is used as non-root test if the user namespace can be
unshared, otherwise test if the mount namespace can be unshared
3 years ago
Johannes 'josch' Schauer
ea6bbc1d9c
#898446 got closed and the default of kernel.unprivileged_userns_clone changed to 1
3 years ago
Johannes 'josch' Schauer
62bcf3261e
do not run an additional env command inside the chroot
3 years ago
Johannes 'josch' Schauer
7ff3f53fb9
apt 2.1.16 fixed immediate configure
3 years ago
Johannes 'josch' Schauer
ac21074243
set MMDEBSTRAP_APT_CONFIG, MMDEBSTRAP_MODE and MMDEBSTRAP_HOOKSOCK for hook scripts
3 years ago
Johannes 'josch' Schauer
9484107392
set PATH if it's unset or empty
3 years ago
Johannes 'josch' Schauer
2d03a81997
coverage.sh: reenabling tests because bugs got fixed
- systemd didn't get fixed but somehow the order matches again (bug #963788)
- python is installable again (bug #968217)
- apt immediate configure was not fixed but src:glibc changed to not
trigger the bug anymore (bugs #973305, #973325 and #972552)
3 years ago
Johannes 'josch' Schauer
0b2a0c5a55
release 0.7.3
4 years ago
Johannes 'josch' Schauer
43ca8a5211
it is wrong to match the suite for the package set selection if more than one apt index is given (because the suite name might be equal); instead, check whether there are more than zero matching and more than zero non-matching suites
4 years ago
Johannes 'josch' Schauer
2c232e0661
don't ignore packages added via --include if multiple apt indices are used
4 years ago
Johannes 'josch' Schauer
85328c5c7e
mmdebstrap: check for defined-ness before integer comparison
4 years ago
Johannes 'josch' Schauer
165cc82f97
preserve permissions of /etc/resolv.conf and /etc/hostname and resolve symlinks as debootstrap does it
4 years ago
Johannes 'josch' Schauer
beb0b8c177
name solver mmdebstrap-dump-solution in official apt path
4 years ago
Johannes 'josch' Schauer
f76bcb5750
release 0.7.2
4 years ago
Johannes 'josch' Schauer
732fde54f8
documentation improvements, add OPERATION section
4 years ago
Johannes 'josch' Schauer
da449be3fe
fix missing I in front of <>
4 years ago
Johannes 'josch' Schauer
2e19a8bda4
remove nonsense code comment
4 years ago
Johannes 'josch' Schauer
96f45ec2e7
info messages start with lower case character
4 years ago
Johannes 'josch' Schauer
b7e257871d
use Debian::DistroInfo if available
4 years ago
Johannes 'josch' Schauer
b2ea7b230f
remove no-op if statement
4 years ago
Johannes 'josch' Schauer
1e7e002eb1
print explicit info message about installing essential packages
4 years ago
Johannes 'josch' Schauer
ad56754a2a
pkgs_to_install might contain duplicates when multiple suites are used -- avoid that by using a hash instead of an array
4 years ago
Johannes 'josch' Schauer
0c990abc48
coverage.sh: only consider non-POD parts for maximum line length check
4 years ago
Johannes 'josch' Schauer
534798dbd2
add example for how to use a cache directory
4 years ago
Johannes 'josch' Schauer
12b26a8817
use /usr/share/distro-info/debian.csv to figure out the security mirror for bullseye and beyond
4 years ago
Johannes 'josch' Schauer
9d32dee3f5
if a suite name was specified, use the matching apt index to figure out the package set to install
4 years ago
Johannes 'josch' Schauer
21a26b5dac
pass verbosity to hook-listener
4 years ago
Johannes 'josch' Schauer
e71487af5e
improve hook-helper and hook-listener debug output
4 years ago
Johannes 'josch' Schauer
bf87e83bdb
make it possible to seed /var/cache/apt/archives with deb packages
4 years ago
Johannes 'josch' Schauer
50d8d5edae
check whether dpkg, apt and others are installed (closes: #18)
4 years ago
Johannes 'josch' Schauer
0a985948cf
create temporary test ext2 image in TMPDIR and not in CWD
4 years ago
Johannes 'josch' Schauer
1000a033e8
release 0.7.1
4 years ago
Johannes 'josch' Schauer
259a188e06
fix typo: 3030 -> 2020 (thanks Trent W. Buck!)
4 years ago
Johannes 'josch' Schauer
65e40c8c34
redirect stderr of dpkg --version to /dev/null to prevent error output if dpkg is too old (thanks Trent W. Buck!)
4 years ago
Johannes 'josch' Schauer
58925dc493
add two more debug messages
4 years ago
Johannes 'josch' Schauer
400b51ad7b
release 0.7.0
4 years ago
Johannes 'josch' Schauer
3713735240
document non-functional --variant=standard due to bug #968217
4 years ago
Johannes 'josch' Schauer
7c752fa8a0
print elapsed time after successful run
4 years ago
Johannes 'josch' Schauer
74725ac451
coverage.sh: test eatmydata and merged-usr hooks
4 years ago
Johannes 'josch' Schauer
465c056434
no longer needs to install twice when --dpkgopt=path-exclude is given by filtering the tarball with new tarfilter utility
4 years ago
Johannes 'josch' Schauer
8f09c3e02f
unless in chrootless mode, omitting stuff in /var/lib/dpkg does not depend on the dpkg version outside, but on the version inside the chroot (and we don't know that one yet)
4 years ago
Johannes 'josch' Schauer
dd64e8220d
use distro-info-data and debootstrap to help with suite name and keyring discovery
4 years ago
Johannes 'josch' Schauer
87d383d754
replace -t STDERR with a common function that explains the 'no critic' annotation
4 years ago
Johannes 'josch' Schauer
307cbf5a41
prefix certain progress bars with what is being done (closes: #16)
4 years ago
Johannes 'josch' Schauer
df18304449
add a new pipe to communicate the number of blocks to the parent instead of abusing the hookhelper/listener
4 years ago
Johannes 'josch' Schauer
a5ea38cbad
fix docs: there are four hooks, not three
4 years ago
Johannes 'josch' Schauer
0451d5f004
do not suggest using --dpkgopt=force-unsafe-io because it barely brings any speedups, see Debian bug #613428
4 years ago
Johannes 'josch' Schauer
614ef0e43d
make it clear that --aptopt and --dpkgopt add their content permanently
4 years ago
Johannes 'josch' Schauer
23fb2055e4
fix error message to specify the right command
4 years ago
Johannes 'josch' Schauer
501e29fdeb
fix closedir calls
4 years ago
Johannes 'josch' Schauer
12f41ad33f
fix syntax for perltidy
4 years ago
Johannes 'josch' Schauer
075645289f
add --hook-directory option and a directory with hooks
4 years ago
Johannes 'josch' Schauer
e2a759967f
put hook listener into its own function and expose it to the CLI via --hook-listener
4 years ago
Johannes 'josch' Schauer
c2c270390b
implement dpkg-realpath in perl so that we don't need to run tar inside the chroot anymore for modes other than fakechroot and proot
4 years ago
Johannes 'josch' Schauer
dc67c1f4be
if we got dpkg >= 1.20.0, then we don't have to create certain files and directories ourselves
4 years ago
Johannes 'josch' Schauer
904274b9f4
adjust genext2fs (>= 1.5.0) interface
4 years ago
Johannes 'josch' Schauer
112c0a5a6d
add documentation about --{setup,extract,essential,customize}-hooks and --skip option, making them an official interface
4 years ago
Johannes 'josch' Schauer
40b6155967
add another --dpkgopt example
4 years ago
Johannes 'josch' Schauer
4d041140d5
instead of 'du' we use File::Find to avoid different results on different filesystems, see https://bugs.debian.org/650077 for a discussion
4 years ago
Johannes 'josch' Schauer
655857e525
don't use apt sandboxing in fakechroot or proot modes
4 years ago
Johannes 'josch' Schauer
af13116336
do not hide errors even with --quiet
This change also fixes the problem that when --quiet is given, an error
will never lead to a non-zero exit status because the error function
returns before it runs die()
4 years ago