Compare commits


14 commits

fe87c3a1b8
README.md: add Gioele Barabucci 2022-02-14 07:57:52 +01:00
5fa2457fd5 mmdebstrap: Add mbr.bin installation to autopkgtest-build-qemu instructions
The generated image will not be bootable if `mbr.bin` is not installed
into the MBR.

These lines are copied from the "Debian desktop on USB stick" example.
2022-02-13 20:00:35 +01:00
8e6f183b3f mmdebstrap: Install mbr.bin in /boot and keep after installation 2022-02-13 19:56:39 +01:00
97e6981ddc mmdebstrap: Read extlinux's MBR from /usr/lib/EXTLINUX
`/usr/lib/SYSLINUX` is not available if only `extlinux` is installed.
2022-02-13 19:55:29 +01:00
22c0ba45a0 mmdebstrap: Use ext4 instead of ext2 in examples 2022-02-13 17:44:25 +01:00
829df60242 mmdebstrap: Align autopkgtest-build-qemu and USB stick examples
Write the same `guestfish` instructions in the same way in both the
`autopkgtest-build-qemu` and the "Debian desktop on a USB stick" example.
2022-02-13 17:42:26 +01:00
070a9cecb7
release 0.8.4 2022-02-11 23:04:31 +01:00
38a81e75bb
remove information about kernel.unprivileged_userns_clone from the man page 2022-02-11 23:02:31 +01:00
ce8a9f8764
also remove /var/lib/dbus/machine-id 2022-02-11 23:01:56 +01:00
e865ce850f
document another advantage of running apt outside the chroot 2022-02-11 23:01:36 +01:00
2b60a932a9
don't install essential packages in run_install() 2022-02-11 23:01:08 +01:00
3962f36441
coverage.sh: since fontconfig was fixed, document the remaining reproducibility issues 2022-02-11 22:58:37 +01:00
88b9eaaad9
passwd since 1:4.11.1+dfsg1-1 creates an empty /var/mail/_apt 2022-02-11 22:57:59 +01:00
e3a7b7d013
tarfilter: add --strip-components option 2022-02-11 22:56:38 +01:00
5 changed files with 73 additions and 26 deletions


@ -1,3 +1,10 @@
0.8.4 (2022-02-11)
------------------
- tarfilter: add --strip-components option
- don't install essential packages in run_install()
- remove /var/lib/dbus/machine-id
0.8.3 (2022-01-08)
------------------


@ -154,3 +154,4 @@ Contributors
- Konstantin Demin
- Trent W. Buck
- Vagrant Cascadian
- Gioele Barabucci


@ -180,6 +180,7 @@ export SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH
# compared to the one chosen in debootstrap because of different installation
# order in comparison to the systemd users
# https://bugs.debian.org/969631
# we cannot use useradd because passwd is not Essential:yes
$CMD --variant=$variant --mode=$defaultmode \
--essential-hook='if [ $variant = - ]; then echo _apt:*:100:65534::/nonexistent:/usr/sbin/nologin >> "\$1"/etc/passwd; fi' \
$dist /tmp/debian-$dist-mm.tar $mirror
@ -321,6 +322,18 @@ else
echo no difference for /etc/shadow- on $dist $variant >&2
fi
# Because of unreproducible uids (#969631) we created the _apt user ourselves
# and because passwd is not Essential:yes we didn't use useradd. But passwd
# since 1:4.11.1+dfsg1-1 will create empty mail files, so we create it too.
# https://bugs.debian.org/1004710
if [ $variant = - ]; then
if [ -e /tmp/debian-$dist-debootstrap/var/mail/_apt ]; then
touch /tmp/debian-$dist-mm/var/mail/_apt
chmod 660 /tmp/debian-$dist-mm/var/mail/_apt
chown 100:8 /tmp/debian-$dist-mm/var/mail/_apt
fi
fi
# check if the file content differs
diff --unified --no-dereference --recursive /tmp/debian-$dist-debootstrap /tmp/debian-$dist-mm
@ -742,9 +755,8 @@ fi
for variant in essential apt minbase buildd important standard; do
for format in tar squashfs ext2; do
print_header "mode=root/unshare/fakechroot,variant=$variant: check for bit-by-bit identical $format output"
# fontconfig doesn't install reproducibly because differences
# in /var/cache/fontconfig/. See
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864082
# pyc files and man index.db are not reproducible
# See #1004557 and #1004558
if [ "$variant" = "standard" ]; then
echo "skipping test because of #864082" >&2
skipped=$((skipped+1))
@ -846,6 +858,7 @@ cmp /tmp/debian-chroot.tar /tmp/debian-chroot-shiftedback.tar
# manually adjust uid/gid and compare "tar -t" output
tar --numeric-owner -tvf /tmp/debian-chroot.tar \
| sed 's# 100/0 # 100100/100000 #' \
| sed 's# 100/8 # 100100/100008 #' \
| sed 's# 0/0 # 100000/100000 #' \
| sed 's# 0/5 # 100000/100005 #' \
| sed 's# 0/8 # 100000/100008 #' \
@ -2973,9 +2986,8 @@ fi
# into /var/cache/apt/archives/partial
for variant in extract custom essential apt minbase buildd important standard; do
print_header "mode=$defaultmode,variant=$variant: compare output with pre-seeded /var/cache/apt/archives"
# fontconfig doesn't install reproducibly because differences
# in /var/cache/fontconfig/. See
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864082
# pyc files and man index.db are not reproducible
# See #1004557 and #1004558
if [ "$variant" = "standard" ]; then
echo "skipping test because of #864082" >&2
skipped=$((skipped+1))
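Review bot: In both hunks that replace the fontconfig comment, the new comment attributes the skip to #1004557 and #1004558, but the `echo "skipping test because of #864082" >&2` two lines below still names the fontconfig bug that the commit message says is fixed, so the log line and the comment now disagree. Change it to `echo "skipping test because of #1004557 and #1004558" >&2` in both the tar/squashfs/ext2 loop and the pre-seeded-archives loop. Both loop bodies continue past the hunk.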


@ -23,7 +23,7 @@
use strict;
use warnings;
our $VERSION = '0.8.3';
our $VERSION = '0.8.4';
use English;
use Getopt::Long;
@ -2722,13 +2722,18 @@ sub run_install() {
any { $_ eq $options->{variant} }
('required', 'important', 'standard', 'buildd')
) {
# Many of the priority:required packages are also essential:yes. We
# make sure not to select those here to avoid useless "xxx is already
# the newest version" messages.
my $priority;
if (any { $_ eq $options->{variant} } ('required', 'buildd')) {
$priority = '?priority(required)';
$priority = '?and(?priority(required),?not(?essential))';
} elsif ($options->{variant} eq 'important') {
$priority = '?or(?priority(required),?priority(important))';
$priority = '?and(?or(?priority(required),?priority(important)),'
. '?not(?essential))';
} elsif ($options->{variant} eq 'standard') {
$priority = '?or(~prequired,~pimportant,~pstandard)';
$priority = '?and(?or(~prequired,~pimportant,~pstandard),'
. '?not(?essential))';
}
$pkgs_to_install{
"?narrow("
@ -2780,6 +2785,9 @@ sub run_install() {
#
# - we can make use of file:// and copy://
#
# - we can use EDSP solvers without installing apt-utils or other
# solvers inside the chroot
#
# The DPkg::Install::Recursive::force=true workaround can be
# dropped after this issue is fixed:
# https://salsa.debian.org/apt-team/apt/-/merge_requests/189
@ -2915,7 +2923,8 @@ sub run_cleanup() {
foreach my $fname (
'/var/log/dpkg.log', '/var/log/apt/history.log',
'/var/log/apt/term.log', '/var/log/alternatives.log',
'/var/cache/ldconfig/aux-cache', '/var/log/apt/eipp.log.xz'
'/var/cache/ldconfig/aux-cache', '/var/log/apt/eipp.log.xz',
'/var/lib/dbus/machine-id'
) {
my $path = "$options->{root}$fname";
if (!-e $path) {
@ -6288,11 +6297,7 @@ needs to be able to mount and thus requires C<SYS_CAP_ADMIN>.
This mode uses Linux user namespaces to allow unprivileged use of chroot and
creation of files that appear to be owned by the superuser inside the unshared
namespace. A tarball created in this mode should be bit-by-bit identical to a
tarball created with the B<root> mode. In Debian, this mode requires the sysctl
C<kernel.unprivileged_userns_clone> being set to C<1>. The default used to be
C<0> but was changed to C<1> with linux 5.10.1 or Debian 11 (Bullseye).
B<SETTING THIS OPTION TO 1 HAS SECURITY IMPLICATIONS>. Refer to
L<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446>
tarball created with the B<root> mode.
A directory chroot created with this mode will end up with wrong ownership
information. For correct ownership information, the directory must be accessed
@ -6716,7 +6721,7 @@ Performs cleanup tasks, unless B<--skip=cleanup> is used:
=item * Remove all files that were put into the chroot for setup purposes, like F</etc/apt/apt.conf.d/00mmdebstrap>, the temporary apt config and the qemu-user-static binary. This can be disabled using B<--skip=cleanup/mmdebstrap>.
=item * Remove all files that make the result unreproducible, like apt and dpkg logs and caches or F</etc/machine-id>. This can be disabled using B<--skip=cleanup/reproducible>
=item * Remove all files that make the result unreproducible, like apt and dpkg logs and caches or F</etc/machine-id> and F</var/lib/dbus/machine-id>. This can be disabled using B<--skip=cleanup/reproducible>
=item * Remove everything in F</tmp> inside the chroot. This can be disabled using B<--skip=cleanup/tmp>.
@ -6812,12 +6817,14 @@ Create a bootable USB Stick that boots into a full Debian desktop:
END
# You can use $(sudo blockdev --getsize64 /dev/sdXXX) to get the right
# image size for the target medium in bytes
$ guestfish -N debian-unstable.img=disk:8G -- part-disk /dev/sda mbr : \
part-set-bootable /dev/sda 1 true : mkfs ext2 /dev/sda1 : \
set-label /dev/sda1 rootfs : mount /dev/sda1 / : \
$ guestfish -N debian-unstable.img=disk:8G -- \
part-disk /dev/sda mbr : \
part-set-bootable /dev/sda 1 true : \
set-label /dev/sda1 rootfs : \
mkfs ext4 /dev/sda1 : mount /dev/sda1 / : \
tar-in debian-unstable.tar / xattrs:true : \
upload /usr/lib/SYSLINUX/mbr.bin /mbr.bin : \
copy-file-to-device /mbr.bin /dev/sda size:440 : rm /mbr.bin : \
upload /usr/lib/EXTLINUX/mbr.bin /boot/mbr.bin : \
copy-file-to-device /boot/mbr.bin /dev/sda size:440 : \
extlinux / : copy-in extlinux.conf / : sync : umount / : shutdown
$ qemu-system-x86_64 -m 1G -enable-kvm debian-unstable.img
$ sudo dd if=debian-unstable.img of=/dev/sdXXX status=progress
@ -6852,10 +6859,11 @@ Use as replacement for autopkgtest-build-qemu and vmdb2:
$ guestfish -N debian-unstable.img=disk:8G -- \
part-disk /dev/sda mbr : \
part-set-bootable /dev/sda 1 true : \
mkfs ext2 /dev/sda1 : mount /dev/sda1 / : \
mkfs ext4 /dev/sda1 : mount /dev/sda1 / : \
tar-in debian-unstable.tar / xattrs:true : \
extlinux / : copy-in extlinux.conf / : \
sync : umount / : shutdown
upload /usr/lib/EXTLINUX/mbr.bin /boot/mbr.bin : \
copy-file-to-device /boot/mbr.bin /dev/sda size:440 : \
extlinux / : copy-in extlinux.conf / : sync : umount / : shutdown
$ qemu-img convert -O qcow2 debian-unstable.img debian-unstable.qcow2
As a debootstrap wrapper to run it without superuser privileges but using Linux
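Review bot: In the rewritten USB-stick example, `set-label /dev/sda1 rootfs` now runs before `mkfs ext4 /dev/sda1`, whereas the removed lines labelled the partition after formatting it; guestfish's set-label writes a filesystem label, so on a still-unformatted partition it should fail, and even if it did not, the mkfs that follows would discard the label. Restore the old order, e.g. `mkfs ext4 /dev/sda1 : set-label /dev/sda1 rootfs : \` followed by `mount /dev/sda1 / : \`, or fold the label into the format step (`mkfs ext4 /dev/sda1 label:rootfs`). The autopkgtest-build-qemu example that this commit aligns with has no set-label step at all, so the two examples still differ there.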


@ -64,6 +64,10 @@ Both types of options use Unix shell-style wildcards:
? matches any single character
[seq] matches any character in seq
[!seq] matches any character not in seq
Thirdly, strip leading directory components off of tar members. Just as with
GNU tar --strip-components, tar members that have less or equal components in
their path are not passed through.
"""
)
parser.add_argument(
@ -90,8 +94,18 @@ Both types of options use Unix shell-style wildcards:
action=PaxFilterAction,
help="Re-include a pax header after a previous exclusion.",
)
parser.add_argument(
"--strip-components",
metavar="number",
type=int,
help="Strip NUMBER leading components from file names",
)
args = parser.parse_args()
if not hasattr(args, "pathfilter") and not hasattr(args, "paxfilter"):
if (
not hasattr(args, "pathfilter")
and not hasattr(args, "paxfilter")
and not hasattr(args, "strip_components")
):
from shutil import copyfileobj
copyfileobj(sys.stdin.buffer, sys.stdout.buffer)
@ -141,6 +155,11 @@ Both types of options use Unix shell-style wildcards:
for member in in_tar:
if path_filter_should_skip(member):
continue
if args.strip_components:
comps = member.name.split("/")
if len(comps) <= args.strip_components:
continue
member.name = "/".join(comps[args.strip_components :])
member.pax_headers = {
k: v
for k, v in member.pax_headers.items()
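Review bot: The new `not hasattr(args, "strip_components")` clause in the pass-through condition is unlikely ever to be true: unless the parser was built with `argument_default=argparse.SUPPRESS` (its constructor is outside the hunk), argparse always sets `args.strip_components` (to `None` when the option is absent), so the cheap `copyfileobj` short-cut is never taken once this option exists; conversely, if SUPPRESS is in effect, the later `if args.strip_components:` raises AttributeError whenever a path or pax filter is given without `--strip-components`. Testing the value instead of attribute presence covers both cases: `and not getattr(args, "strip_components", None)`. Separately, only `member.name` is rewritten; a hard-link member's `linkname` still refers to the unstripped path, so such links would presumably no longer resolve on extraction, whereas GNU tar's --strip-components, which the help text claims to mirror, also adjusts the link target as far as I recall. The enclosing `for member in in_tar` loop continues past the hunk.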