rockdrilla/mmdebstrap
1
0
Fork 0
forked from josch/mmdebstrap
Code Issues Pull requests Projects Releases Wiki Activity
680 commits 2 branches 0 tags 17 MiB
Commit graph

421 commits

Author SHA1 Message Date
Johannes Schauer Marin Rodrigues
7501708aaf
perltidy 20200110 -> 20210717 2021-12-14 21:07:04 +01:00
Konstantin Demin
e4e10b670c
allow custom daemon startup prevention 
don't bother with /sbin/start-stop-daemon and /usr/sbin/policy-rc.d
if they're not a regular files (e.g. symlinks)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
 2021-12-06 00:28:34 +03:00
Johannes Schauer Marin Rodrigues
c4a43ea0f9
make $@ local, so we don't print "Can't locate Dpkg/Vendor/Debian.pm" in other parts where we evaluate $@ 2021-11-29 21:15:59 +01:00
Johannes Schauer Marin Rodrigues
60d69f6f78
Use apt patters to select priority variants 
- requires apt >= 2.3.10
 - we can drop having to run apt-get indextargets and parse Packages
   files ourselves
 - we can drop the layer violation that computed the package set in
   run_download() and passed the package set around in setup() to
   run_install()
 - packages are selected by suite unless the suite is the empty string
 2021-11-09 07:31:56 +01:00
Johannes Schauer Marin Rodrigues
3b41fe6805
document mmdebstrap as docker/podman replacement 2021-11-07 10:00:48 +01:00
Raul Tambre
c61e81a244 Relax dpkg version regex 
For non-release builds the version will include the number of commits since last release and the commit hash with dashes, e.g. 1.20.8-46-g0881.
For downstream distros it seems it may include their identification strings, e.g. 1.20.9ubuntu2.

Make the regex match everything after the version number to avoid incorrectly erroring on such versions.

Fixes #18
 2021-11-06 23:04:27 +02:00
Johannes Schauer Marin Rodrigues
7a062661e5
release 0.8.1 2021-10-07 13:35:39 +02:00
Johannes Schauer Marin Rodrigues
1d2a7ef71a
enforce dpkg >= 1.20.0 and remove dead code 2021-10-07 10:51:20 +02:00
Johannes Schauer Marin Rodrigues
4f278deadf
use rm and find instead of remove_tree() 
* remove_tree() requires the CWD to be accessible or fails with
   cannot chdir to $CWD from $DIR_TO_DELETE: Permission denied, aborting.
 * CWD is not always accessible -- example: run mmdebstrap from a
   directory only accessible by the current user (like a tempdir) in
   unshare mode
 * find from findutils *also* requires CWD to be accessible but it's
   easier to temporarily change CWD in a subprocess because using
   there is no utility in perl core that changes CWD temporarily and
   cleans up after itself
 * we need to use find from findutils instead of rm in unshare mode
   because the root directory itself might not be removable by the
   unshared user so we only want to remove its subdirectories
 2021-10-07 07:07:45 +02:00
Johannes Schauer Marin Rodrigues
c2d988b475
enforce apt >= 2.3.7 and remove dead code (closes: #14) 2021-10-06 23:30:09 +02:00
Johannes Schauer Marin Rodrigues
28cb757742
do not run xz and zstd with --threads=0 
There are now systems with 160 cores (debci runs on two Ampere Altra
ARMv8 Neoverse-N1), which makes xz fail with: "xz: (stdin): Cannot
allocate memory"
 2021-09-24 22:09:24 +02:00
Johannes Schauer Marin Rodrigues
12ec2c50aa
also create cmethopt and available in chrootless mode 
- this allows bit-by-bit identical output of chrootless mode compared
   to other modes
 2021-09-22 15:22:35 +02:00
Johannes Schauer Marin Rodrigues
1a4491b4d3
release 0.8.0 2021-09-21 14:20:58 +02:00
Johannes Schauer Marin Rodrigues
2c945e4c87
improve fakechroot LD_LIBRARY_PATH 
- use /etc/ld.so.conf from the chroot instead of the host
 - parse /etc/ld.so.conf instead of blindly accessing /etc/ld.so.conf.d
 - add libraries from the chroot instead of the host
 2021-09-21 14:17:31 +02:00
Johannes Schauer Marin Rodrigues
ddb642a1dc
update apt MR urls 2021-09-19 19:38:52 +02:00
Johannes Schauer Marin Rodrigues
dceb881bd0
drop DPkg::Install::Recursive::force=true (requires apt >= 2.3.7) 2021-09-19 19:37:06 +02:00
Johannes Schauer Marin Rodrigues
6d59d51a4a
add ldconfig.fakechroot and translate symlinks for bit-by-bit identical buildd variant 2021-09-16 16:23:46 +02:00
Johannes Schauer Marin Rodrigues
6a22e05d59
document that zstd is also called with --threads=0 2021-09-16 16:12:35 +02:00
Johannes Schauer Marin Rodrigues
c7390f648b
be more permissive in the FAKECHROOT_DETECT version format 2021-09-16 16:12:20 +02:00
Johannes Schauer Marin Rodrigues
631b103ca7
check for symlink first to compute disk usage because -f und -s otherwise follow symlinks 2021-09-16 16:11:34 +02:00
Johannes Schauer Marin Rodrigues
101229aa04
add a newline to /etc/machine-id as systemd does the same 2021-09-16 16:08:07 +02:00
Johannes Schauer Marin Rodrigues
5b0bb46421
add gpgvnoexpkeysig 2021-09-15 16:10:22 +02:00
Johannes Schauer Marin Rodrigues
6851cd7cb4
move hooks/setup00-merged-usr.sh -> hooks/merged-usr/setup00.sh, expand docs 2021-09-03 12:04:40 +02:00
Johannes Schauer Marin Rodrigues
6a8fbae9d8
make fakechroot mode bit-by-bit identical to the others 2021-08-29 10:25:34 +02:00
Johannes Schauer Marin Rodrigues
7d472ca116
document on how to use mmdebstrap with podman 2021-08-27 11:53:32 +02:00
Johannes Schauer Marin Rodrigues
047619967e
also check whether CAP_SYS_ADMIN is in the bounding set 2021-08-27 11:53:11 +02:00
Johannes Schauer Marin Rodrigues
5a5f57b404
Automatically skip using mount if that's not possible 
- instead of throwing an error, just print a warning
 - can now run as root without cap_sys_admin
 - can now run without mount installed
 - --skip=check/canmount is not needed anymore
 2021-08-26 15:40:27 +02:00
Johannes Schauer Marin Rodrigues
1a18160fe8
document that apt-transport-https, ca-certificates and apt-transport-tor are no longer installed automatically 2021-08-26 11:17:13 +02:00
Johannes Schauer Marin Rodrigues
91d8be5f9c
Do not use gpg --trust-model=always 
- gpg will not create a trustdb when running with --update-trustdb with
   --trust-model=always:
       gpg: no need for a trustdb update with 'always' trust model
 - subsequent gpg calls will fail because there is no trustdb in GPGHOME
 2021-08-26 07:58:27 +02:00
Johannes Schauer Marin Rodrigues
850eeb24d5
more code comments 2021-08-25 05:21:57 +02:00
Johannes Schauer Marin Rodrigues
8b12375de3
add more references to #808203 2021-08-25 05:15:44 +02:00
Johannes Schauer Marin Rodrigues
c627606110
document copy:// vs. file:// 2021-08-23 10:41:44 +02:00
Johannes Schauer Marin Rodrigues
60dba1c19e
fixup read_subuid_subgid 
- use $REAL_USER_ID from English instead of $<
 - use getgrgid $REAL_GROUP_ID to get the group name instead of assuming
   the group name to be equal to the user name
 - also check whether /etc/subgid exists and is readable
 2021-08-19 13:02:44 +02:00
Joe Groocock
15029c1c3b
improve error message for missing /etc/subuid entry (closes: #9) 2021-08-19 11:18:53 +02:00
Johannes Schauer Marin Rodrigues
3c37d692a0
write 'uninitialized' to /etc/machine-id to support systemd ConditionFirstBoot (closes: #10) 2021-08-19 07:18:21 +02:00
Nicolas Vigier
5283d74dfe
Remove files inside the auxfiles directory 
This is fixing the error:
  cannot rmdir /var/lib/apt/lists/auxfiles: Directory not empty at ./mmdebstrap/mmdebstrap line 3084.
which happens when using apt-transport-mirror.
 2021-08-19 07:18:21 +02:00
Johannes Schauer Marin Rodrigues
ea82b267c9
only run test_unshare_userns() if not root user 2021-08-18 22:06:16 +02:00
Johannes Schauer Marin Rodrigues
dfbf9cdcef
several fixes to chrootless mode 2021-08-17 23:39:20 +02:00
Johannes Schauer Marin Rodrigues
f868073b6e
add --skip=setup, --skip=update and --skip=cleanup 2021-08-17 11:11:00 +02:00
Johannes Schauer Marin Rodrigues
98f1f0abde
use apt pattern to select essential set 2021-08-17 10:30:06 +02:00
Johannes Schauer Marin Rodrigues
3e488dd1dd
use apt from the outside by setting DPkg::Chroot-Directory 2021-08-16 22:33:39 +02:00
Johannes Schauer Marin Rodrigues
c63ad87310
changes for release of Debian 11 Buster 2021-08-16 13:11:42 +02:00
Johannes Schauer Marin Rodrigues
594ea3c72e
improve busybox and --hook-dir examples in man page -- thanks Jochen Sprickerhof! 2021-05-31 16:33:34 +02:00
Johannes Schauer Marin Rodrigues
3f79c18a0d
since apt 2.1.16 we can use --error-on=any and do not anymore need to error out on all W: lines (closes: #6) 2021-05-31 11:17:45 +02:00
Benjamin Drung
0378c101bb
Pass extended attributes (excluding system) to tar2sqfs 
/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:

```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```

Debian testing/unstable images (variant important) contain security and
system attributes:

```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0           77432 2021-02-02 18:49 ./bin/ping
  x: 20 security.capability
--
drwxr-sr-x* 0/102             0 2021-05-07 15:10 ./var/log/journal/
  x: 44 system.posix_acl_access
  x: 44 system.posix_acl_default
```

When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:

```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```

tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.

Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:

```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```

So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:

```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```

Closes: #988100
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
 2021-05-17 21:43:10 +02:00
Johannes Schauer Marin Rodrigues
88a031477a
add --skip=cleanup/apt/lists and --skip=cleanup/apt/cache 2021-05-09 20:44:02 +02:00
Vagrant Cascadian
c51fb24c7b
Use all cores when compressing with zstd. 2021-05-09 17:32:04 +02:00
Johannes Schauer Marin Rodrigues
236b84a486
tarfilter: add --pax-exclude and --pax-include to strip extended attributes because tar2sqfs only supports user.*, trusted.* and security.* 2021-05-07 09:39:40 +02:00
Johannes Schauer Marin Rodrigues
ebfac91738
also choose null format if stdout is /dev/null and check whether major and minor number of /dev/null are as expected to avoid false positives 2021-05-04 15:01:53 +02:00
Konstantin Demin
ccd4b5c163
gpg: handle ASCII-armored keyrings as well 
gpg command "--list-keys" requires input files to be passed with
option "--keyring" and each file must match type "public keyring v4"
while gpg command "--show-keys" doesn't require extra options and
handles also ASCII-armored public keyrings as well.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
 2021-04-25 22:33:37 +03:00