Compare commits

...

11 commits

4 changed files with 178 additions and 58 deletions

View file

@ -1,3 +1,10 @@
0.8.3 (2022-01-08)
------------------
- allow codenames with apt patterns (requires apt >= 2.3.14)
- don't overwrite existing files in setup code
- don't copy in qemu-user-static binary if it's not needed
0.8.2 (2021-12-14)
------------------

View file

@ -127,7 +127,7 @@ if [ ! -e shared/hooks/eatmydata/customize.sh ] || [ hooks/eatmydata/customize.s
fi
fi
starttime=
total=177
total=182
skipped=0
runtests=0
i=1
@ -533,6 +533,34 @@ else
runtests=$((runtests+1))
fi
# make sure that using codenames works https://bugs.debian.org/cgi-bin/1003191
for dist in oldstable stable testing unstable; do
print_header "mode=$defaultmode,variant=apt: test $dist using codename"
cat << END > shared/test.sh
#!/bin/sh
set -eu
export LC_ALL=C.UTF-8
/usr/lib/apt/apt-helper download-file "$mirror/dists/$dist/Release" Release
codename=\$(awk '/^Codename: / { print \$2; }' Release)
rm Release
$CMD --mode=$defaultmode --variant=apt \$codename /tmp/debian-chroot.tar $mirror
if [ "$dist" = "$DEFAULT_DIST" ]; then
tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
fi
rm /tmp/debian-chroot.tar
END
if [ "$HAVE_QEMU" = "yes" ]; then
./run_qemu.sh
runtests=$((runtests+1))
elif [ "$defaultmode" = "root" ]; then
./run_null.sh SUDO
runtests=$((runtests+1))
else
./run_null.sh
runtests=$((runtests+1))
fi
done
print_header "mode=unshare,variant=apt: fail without /etc/subuid"
cat << END > shared/test.sh
#!/bin/sh
@ -1988,6 +2016,35 @@ else
skipped=$((skipped+1))
fi
print_header "mode=root,variant=apt: test ascii armored keys"
cat << END > shared/test.sh
#!/bin/sh
set -eu
export LC_ALL=C.UTF-8
if [ ! -e /mmdebstrap-testenv ]; then
echo "this test modifies the system and should only be run inside a container" >&2
exit 1
fi
for f in /usr/share/keyrings/*.gpg; do
name=\$(basename "\$f" .gpg)
gpg --enarmor < /usr/share/keyrings/\$name.gpg \
| sed 's/ PGP ARMORED FILE/ PGP PUBLIC KEY BLOCK/;/^Comment: /d' \
> /etc/apt/trusted.gpg.d/\$name.asc
done
rm /etc/apt/trusted.gpg.d/*.gpg
rm /usr/share/keyrings/*.gpg
$CMD --mode=root --variant=apt $DEFAULT_DIST /tmp/debian-chroot.tar $mirror
tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
rm -r /tmp/debian-chroot.tar
END
if [ "$HAVE_QEMU" = "yes" ]; then
./run_qemu.sh
runtests=$((runtests+1))
else
echo "HAVE_QEMU != yes -- Skipping test..." >&2
skipped=$((skipped+1))
fi
print_header "mode=root,variant=apt: test signed-by with host keys"
cat << END > shared/test.sh
#!/bin/sh

View file

@ -80,6 +80,9 @@ deletecache() {
rm "$dir/debian$i"
done
rm "$dir/mmdebstrapcache"
# remove all symlinks
find "$dir" -type l -delete
# now the rest should only be empty directories
if [ -e "$dir" ]; then
find "$dir" -depth -print0 | xargs -0 --no-run-if-empty rmdir
@ -270,11 +273,14 @@ END
curl --location "$mirror/dists/$dist/Release" > "$newmirrordir/dists/$dist/Release"
curl --location "$mirror/dists/$dist/Release.gpg" > "$newmirrordir/dists/$dist/Release.gpg"
curl --location "$mirror/dists/$dist/main/binary-$nativearch/Packages.xz" > "$newmirrordir/dists/$dist/main/binary-$nativearch/Packages.xz"
codename=$(awk '/^Codename: / { print $2; }' < "$newmirrordir/dists/$dist/Release")
[ -L "$newmirrordir/dists/$codename" ] || ln -s "$dist" "$newmirrordir/dists/$codename"
case "$dist" in oldstable|stable)
mkdir -p "$newmirrordir/dists/$dist-updates/main/binary-$nativearch/"
curl --location "$mirror/dists/$dist-updates/Release" > "$newmirrordir/dists/$dist-updates/Release"
curl --location "$mirror/dists/$dist-updates/Release.gpg" > "$newmirrordir/dists/$dist-updates/Release.gpg"
curl --location "$mirror/dists/$dist-updates/main/binary-$nativearch/Packages.xz" > "$newmirrordir/dists/$dist-updates/main/binary-$nativearch/Packages.xz"
[ -L "$newmirrordir/dists/$codename-updates" ] || ln -s "$dist-updates" "$newmirrordir/dists/$codename-updates"
;;
esac
case "$dist" in
@ -289,6 +295,7 @@ END
curl --location "$security_mirror/dists/$dist-security/Release" > "$newcachedir/debian-security/dists/$dist-security/Release"
curl --location "$security_mirror/dists/$dist-security/Release.gpg" > "$newcachedir/debian-security/dists/$dist-security/Release.gpg"
curl --location "$security_mirror/dists/$dist-security/main/binary-$nativearch/Packages.xz" > "$newcachedir/debian-security/dists/$dist-security/main/binary-$nativearch/Packages.xz"
[ -L "$newcachedir/debian-security/dists/$codename-security" ] || ln -s "$dist-security" "$newcachedir/debian-security/dists/$codename-security"
;;
esac

View file

@ -23,7 +23,7 @@
use strict;
use warnings;
our $VERSION = '0.8.2';
our $VERSION = '0.8.3';
use English;
use Getopt::Long;
@ -102,7 +102,13 @@ my @devfiles = (
# 3 -> debug output
my $verbosity_level = 1;
my $is_covering = !!(eval { Devel::Cover::get_coverage() });
my $is_covering = 0;
{
# make $@ local, so we don't print "Undefined subroutine called"
# in other parts where we evaluate $@
local $@ = '';
$is_covering = !!(eval { Devel::Cover::get_coverage() });
}
# the reason why Perl::Critic warns about this is, that it suspects that the
# programmer wants to implement a test whether the terminal is interactive or
@ -1657,7 +1663,7 @@ sub run_setup() {
# from inside the chroot.
# The config filename is chosen such that any settings in it will be
# overridden by what the user specified with --aptopt.
{
if (!-e "$options->{root}/etc/apt/apt.conf.d/00mmdebstrap") {
open my $fh, '>', "$options->{root}/etc/apt/apt.conf.d/00mmdebstrap"
or error "cannot open /etc/apt/apt.conf.d/00mmdebstrap: $!";
print $fh "Apt::Install-Recommends false;\n";
@ -1666,7 +1672,7 @@ sub run_setup() {
}
# apt-get update requires this
{
if (!-e "$options->{root}/var/lib/dpkg/status") {
open my $fh, '>', "$options->{root}/var/lib/dpkg/status"
or error "failed to open(): $!";
close $fh;
@ -1678,9 +1684,11 @@ sub run_setup() {
# architecture outside the chroot.
chomp(my $hostarch = `dpkg --print-architecture`);
if (
scalar @{ $options->{foreignarchs} } > 0
or ( $options->{mode} eq 'chrootless'
and $hostarch ne $options->{nativearch})
(!-e "$options->{root}/var/lib/dpkg/arch")
and (
scalar @{ $options->{foreignarchs} } > 0
or ( $options->{mode} eq 'chrootless'
and $hostarch ne $options->{nativearch}))
) {
open my $fh, '>', "$options->{root}/var/lib/dpkg/arch"
or error "cannot open /var/lib/dpkg/arch: $!";
@ -1691,7 +1699,8 @@ sub run_setup() {
close $fh;
}
if (scalar @{ $options->{aptopts} } > 0) {
if (scalar @{ $options->{aptopts} } > 0
and (!-e "$options->{root}/etc/apt/apt.conf.d/99mmdebstrap")) {
open my $fh, '>', "$options->{root}/etc/apt/apt.conf.d/99mmdebstrap"
or error "cannot open /etc/apt/apt.conf.d/99mmdebstrap: $!";
foreach my $opt (@{ $options->{aptopts} }) {
@ -1717,7 +1726,8 @@ sub run_setup() {
}
}
if (scalar @{ $options->{dpkgopts} } > 0) {
if (scalar @{ $options->{dpkgopts} } > 0
and (!-e "$options->{root}/etc/dpkg/dpkg.cfg.d/99mmdebstrap")) {
# FIXME: in chrootless mode, dpkg will only read the configuration
# from the host -- see #808203
if ($options->{mode} eq 'chrootless') {
@ -1747,7 +1757,7 @@ sub run_setup() {
}
}
{
if (!-e "$options->{root}/etc/fstab") {
open my $fh, '>', "$options->{root}/etc/fstab"
or error "cannot open fstab: $!";
print $fh "# UNCONFIGURED FSTAB FOR BASE SYSTEM\n";
@ -1787,9 +1797,11 @@ sub run_setup() {
$fname .= 'main.sources';
}
}
open my $fh, '>', "$fname" or error "cannot open $fname: $!";
print $fh $firstentry->{content};
close $fh;
if (!-e $fname) {
open my $fh, '>', "$fname" or error "cannot open $fname: $!";
print $fh $firstentry->{content};
close $fh;
}
# everything else goes into /etc/apt/sources.list.d/
for (my $i = 1 ; $i < scalar @{ $options->{sourceslists} } ; $i++) {
my $entry = $options->{sourceslists}->[$i];
@ -1816,15 +1828,17 @@ sub run_setup() {
error "invalid type: $entry->{type}";
}
}
open my $fh, '>', "$fname" or error "cannot open $fname: $!";
print $fh $entry->{content};
close $fh;
if (!-e $fname) {
open my $fh, '>', "$fname" or error "cannot open $fname: $!";
print $fh $entry->{content};
close $fh;
}
}
}
# allow network access from within
foreach my $file ("/etc/resolv.conf", "/etc/hostname") {
if (-e $file) {
if (-e $file && !-e "$options->{root}/$file") {
# this will create a new file with 644 permissions and copy
# contents only even if $file was a symlink
copy($file, "$options->{root}/$file")
@ -1945,15 +1959,6 @@ sub run_setup() {
}
}
# setting PATH for chroot, ldconfig, start-stop-daemon...
if (length $ENV{PATH}) {
## no critic (Variables::RequireLocalizedPunctuationVars)
$ENV{PATH} = "$ENV{PATH}:/usr/sbin:/usr/bin:/sbin:/bin";
} else {
## no critic (Variables::RequireLocalizedPunctuationVars)
$ENV{PATH} = "/usr/sbin:/usr/bin:/sbin:/bin";
}
return;
}
@ -2150,7 +2155,10 @@ sub run_download() {
'?narrow('
. (
length($options->{suite})
? '?archive(' . $options->{suite} . '),'
? '?or(?archive(^'
. $options->{suite}
. '$),?codename(^'
. $options->{suite} . '$)),'
: ''
)
. '?architecture('
@ -2506,19 +2514,41 @@ sub run_prepare {
$ENV{QEMU_LD_PREFIX} = $options->{root};
}
} elsif (any { $_ eq $options->{mode} } ('root', 'unshare')) {
# other modes require a static qemu-user binary
my $qemubin = "/usr/bin/qemu-$options->{qemu}-static";
if (!-e $qemubin) {
error "cannot find $qemubin";
my $require_qemu_static = 1;
# make $@ local, so we don't print an eventual error
# in other parts where we evaluate $@
local $@ = '';
eval {
# Check for the F flag which makes the kernel open the binfmt
# binary at configuration time instead of lazily at startup
# time. If the flag is set, then the qemu-static binary is not
# required inside the chroot.
open my $fh, '<',
"/proc/sys/fs/binfmt_misc/qemu-$options->{qemu}";
while (my $line = <$fh>) {
chomp($line);
if ($line =~ /^flags: [A-Z]*F[A-Z]*$/) {
$require_qemu_static = 0;
last;
}
}
close $fh;
};
if ($require_qemu_static) {
# other modes require a static qemu-user binary
my $qemubin = "/usr/bin/qemu-$options->{qemu}-static";
if (!-e $qemubin) {
error "cannot find $qemubin";
}
copy $qemubin, "$options->{root}/$qemubin"
or error "cannot copy $qemubin: $!";
# File::Copy does not retain permissions but on some
# platforms (like Travis CI) the binfmt interpreter must
# have the executable bit set or otherwise execve will
# fail with EACCES
chmod 0755, "$options->{root}/$qemubin"
or error "cannot chmod $qemubin: $!";
}
copy $qemubin, "$options->{root}/$qemubin"
or error "cannot copy $qemubin: $!";
# File::Copy does not retain permissions but on some
# platforms (like Travis CI) the binfmt interpreter must
# have the executable bit set or otherwise execve will
# fail with EACCES
chmod 0755, "$options->{root}/$qemubin"
or error "cannot chmod $qemubin: $!";
} else {
error "unknown mode: $options->{mode}";
}
@ -2704,7 +2734,10 @@ sub run_install() {
"?narrow("
. (
length($options->{suite})
? '?archive(' . $options->{suite} . '),'
? '?or(?archive(^'
. $options->{suite}
. '$),?codename(^'
. $options->{suite} . '$)),'
: ''
)
. "?architecture($options->{nativearch}),"
@ -2864,8 +2897,11 @@ sub run_cleanup() {
or error "failed to unlink $ENV{APT_CONFIG}: $!";
}
if (defined $options->{qemu}
and any { $_ eq $options->{mode} } ('root', 'unshare')) {
if (any { $_ eq 'cleanup/mmdebstrap/qemu' } @{ $options->{skip} }) {
info "skipping cleanup/mmdebstrap/qume as requested";
} elsif (defined $options->{qemu}
and any { $_ eq $options->{mode} } ('root', 'unshare')
and -e "$options->{root}/usr/bin/qemu-$options->{qemu}-static") {
unlink "$options->{root}/usr/bin/qemu-$options->{qemu}-static"
or error
"cannot unlink /usr/bin/qemu-$options->{qemu}-static: $!";
@ -3915,19 +3951,25 @@ sub get_sourceslist_by_suite {
# the security mirror changes, starting with bullseye
# https://lists.debian.org/87r26wqr2a.fsf@43-1.org
my $bullseye_or_later = 0;
my $distro_info = '/usr/share/distro-info/debian.csv';
if (
any { $_ eq $suite }
('stable', 'bullseye', 'bookworm', 'trixie')
) {
$bullseye_or_later = 1;
}
my $distro_info = '/usr/share/distro-info/debian.csv';
# make $@ local, so we don't print "Can't locate Debian/DistroInfo.pm"
# in other parts where we evaluate $@
local $@ = '';
eval { require Debian::DistroInfo; };
if (!$@) {
# libdistro-info-perl is installed
debug "libdistro-info-perl is installed";
my $debinfo = DebianDistroInfo->new();
if ($debinfo->version($suite, 0) >= 11) {
$bullseye_or_later = 1;
}
} elsif (-f $distro_info) {
# distro-info-data is installed
debug "distro-info-data is installed";
open my $fh, '<', $distro_info
or error "cannot open $distro_info: $!";
my $i = 0;
@ -3974,13 +4016,7 @@ sub get_sourceslist_by_suite {
$bullseye_or_later = 1;
}
} else {
# neither libdistro-info-perl nor distro-info-data is installed
if (
any { $_ eq $suite }
('stable', 'bullseye', 'bookworm', 'trixie')
) {
$bullseye_or_later = 1;
}
debug "neither libdistro-info-perl nor distro-info-data installed";
}
if ($bullseye_or_later) {
# starting from bullseye use
@ -4314,7 +4350,11 @@ sub main() {
error "invalid format. Choose from " . (join ', ', @valid_formats);
}
if (!defined $ENV{PATH} || $ENV{PATH} eq "") {
# setting PATH for chroot, ldconfig, start-stop-daemon...
if (length $ENV{PATH}) {
## no critic (Variables::RequireLocalizedPunctuationVars)
$ENV{PATH} = "$ENV{PATH}:/usr/sbin:/usr/bin:/sbin:/bin";
} else {
## no critic (Variables::RequireLocalizedPunctuationVars)
$ENV{PATH} = "/usr/sbin:/usr/bin:/sbin:/bin";
}
@ -4374,8 +4414,8 @@ sub main() {
and $content =~ /^apt ([0-9]+\.[0-9]+\.[0-9]+) \([a-z0-9-]+\)$/m) {
$aptversion = version->new($1);
}
if ($aptversion < "2.3.10") {
error "need apt >= 2.3.10 but have $aptversion";
if ($aptversion < "2.3.14") {
error "need apt >= 2.3.14 but have $aptversion";
}
}
@ -5723,7 +5763,12 @@ sub main() {
if ($@) {
# we cannot die here because that would leave the other thread
# running without a parent
# We send SIGHUP to all our processes (including eventually
# running tar and this process itself) to reliably tear down
# all running child processes. The main process is not affected
# because we are ignoring SIGHUP.
warning "creating tarball failed: $@";
kill HUP => -getpgrp();
$exitstatus = 1;
}
} else {
@ -5804,9 +5849,11 @@ sub main() {
if ($exitstatus == 0) {
my $duration = Time::HiRes::time - $before;
info "success in " . (sprintf "%.04f", $duration) . " seconds";
exit 0;
}
exit $exitstatus;
error "mmdebstrap failed to run";
return 1;
}
main();
@ -6546,7 +6593,9 @@ chroot as I<fileinside>. In contrast to B<copy-in>, this command only
handles files and not directories. To copy a directory recursively into the
chroot, use B<copy-in> or B<tar-in>. Its advantage is, that by being able to
specify the full path on the inside, including the filename, the file on the
inside can have a different name from the file on the outside.
inside can have a different name from the file on the outside. In contrast to
B<copy-in> and B<tar-in>, permission and ownership information will not be
retained.
=back