Commit graph

909 commits

Author SHA1 Message Date
2bd6929fbc
make_mirror.sh: bullseye-updates doesn't ship Packages.gz anymore, so we use xz everywhere instead 2021-09-21 21:11:46 +02:00
1a4491b4d3
release 0.8.0 2021-09-21 14:20:58 +02:00
28707c79d2
coverage.sh: disable chrootless test broken by #983425 2021-09-21 14:20:31 +02:00
7ff7609a4c
coverage.sh: add fakechroot to test name 2021-09-21 14:19:31 +02:00
2c945e4c87
improve fakechroot LD_LIBRARY_PATH
- use /etc/ld.so.conf from the chroot instead of the host
 - parse /etc/ld.so.conf instead of blindly accessing /etc/ld.so.conf.d
 - add libraries from the chroot instead of the host
2021-09-21 14:17:31 +02:00
f5f6343622
coverage.sh: remove redundant tests 2021-09-21 14:15:31 +02:00
ddb642a1dc
update apt MR urls 2021-09-19 19:38:52 +02:00
dceb881bd0
drop DPkg::Install::Recursive::force=true (requires apt >= 2.3.7) 2021-09-19 19:37:06 +02:00
39a266bce2
add my name to several scripts 2021-09-16 16:24:16 +02:00
6d59d51a4a
add ldconfig.fakechroot and translate symlinks for bit-by-bit identical buildd variant 2021-09-16 16:23:46 +02:00
b3e08897c3
examples/twb: format with black 2021-09-16 16:20:15 +02:00
6a22e05d59
document that zstd is also called with --threads=0 2021-09-16 16:12:35 +02:00
c7390f648b
be more permissive in the FAKECHROOT_DETECT version format 2021-09-16 16:12:20 +02:00
631b103ca7
check for symlink first to compute disk usage because -f und -s otherwise follow symlinks 2021-09-16 16:11:34 +02:00
b41c3ee8cc
README.md: add another reason for debootstrap to exist 2021-09-16 16:08:47 +02:00
101229aa04
add a newline to /etc/machine-id as systemd does the same 2021-09-16 16:08:07 +02:00
5b0bb46421
add gpgvnoexpkeysig 2021-09-15 16:10:22 +02:00
6851cd7cb4
move hooks/setup00-merged-usr.sh -> hooks/merged-usr/setup00.sh, expand docs 2021-09-03 12:04:40 +02:00
6a8fbae9d8
make fakechroot mode bit-by-bit identical to the others 2021-08-29 10:25:34 +02:00
7d472ca116
document on how to use mmdebstrap with podman 2021-08-27 11:53:32 +02:00
047619967e
also check whether CAP_SYS_ADMIN is in the bounding set 2021-08-27 11:53:11 +02:00
5a5f57b404
Automatically skip using mount if that's not possible
- instead of throwing an error, just print a warning
 - can now run as root without cap_sys_admin
 - can now run without mount installed
 - --skip=check/canmount is not needed anymore
2021-08-26 15:40:27 +02:00
7ab770267c
README.md: document chroots without apt as a feature 2021-08-26 11:24:18 +02:00
1a18160fe8
document that apt-transport-https, ca-certificates and apt-transport-tor are no longer installed automatically 2021-08-26 11:17:13 +02:00
e53d246a3b
also test minbase buildd important standard with --dry-run/--simulate 2021-08-26 08:34:30 +02:00
91d8be5f9c
Do not use gpg --trust-model=always
- gpg will not create a trustdb when running with --update-trustdb with
   --trust-model=always:
       gpg: no need for a trustdb update with 'always' trust model
 - subsequent gpg calls will fail because there is no trustdb in GPGHOME
2021-08-26 07:58:27 +02:00
850eeb24d5
more code comments 2021-08-25 05:21:57 +02:00
8b12375de3
add more references to #808203 2021-08-25 05:15:44 +02:00
c627606110
document copy:// vs. file:// 2021-08-23 10:41:44 +02:00
dddccd5e55
tarfilter: expand description text 2021-08-23 10:33:31 +02:00
60dba1c19e
fixup read_subuid_subgid
- use $REAL_USER_ID from English instead of $<
 - use getgrgid $REAL_GROUP_ID to get the group name instead of assuming
   the group name to be equal to the user name
 - also check whether /etc/subgid exists and is readable
2021-08-19 13:02:44 +02:00
Joe Groocock
15029c1c3b
improve error message for missing /etc/subuid entry (closes: #9) 2021-08-19 11:18:53 +02:00
3c37d692a0
write 'uninitialized' to /etc/machine-id to support systemd ConditionFirstBoot (closes: #10) 2021-08-19 07:18:21 +02:00
5283d74dfe
Remove files inside the auxfiles directory
This is fixing the error:
  cannot rmdir /var/lib/apt/lists/auxfiles: Directory not empty at ./mmdebstrap/mmdebstrap line 3084.
which happens when using apt-transport-mirror.
2021-08-19 07:18:21 +02:00
ea82b267c9
only run test_unshare_userns() if not root user 2021-08-18 22:06:16 +02:00
dfbf9cdcef
several fixes to chrootless mode 2021-08-17 23:39:20 +02:00
f868073b6e
add --skip=setup, --skip=update and --skip=cleanup 2021-08-17 11:11:00 +02:00
d62c5b7a91
README.md: add more docs 2021-08-17 11:07:48 +02:00
b354502b7c
README.md: add missing contributors 2021-08-17 11:06:55 +02:00
98f1f0abde
use apt pattern to select essential set 2021-08-17 10:30:06 +02:00
aae47da9ab
coverage.sh: fix test that was wrongly installing outside the chroot and download-only 2021-08-16 23:14:18 +02:00
3e488dd1dd
use apt from the outside by setting DPkg::Chroot-Directory 2021-08-16 22:33:39 +02:00
3e61382763
README.md: fix my name 2021-08-16 13:12:55 +02:00
c63ad87310
changes for release of Debian 11 Buster 2021-08-16 13:11:42 +02:00
594ea3c72e
improve busybox and --hook-dir examples in man page -- thanks Jochen Sprickerhof! 2021-05-31 16:33:34 +02:00
3f79c18a0d
since apt 2.1.16 we can use --error-on=any and do not anymore need to error out on all W: lines (closes: #6) 2021-05-31 11:17:45 +02:00
Benjamin Drung
0378c101bb
Pass extended attributes (excluding system) to tar2sqfs
/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:

```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```

Debian testing/unstable images (variant important) contain security and
system attributes:

```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0           77432 2021-02-02 18:49 ./bin/ping
  x: 20 security.capability
--
drwxr-sr-x* 0/102             0 2021-05-07 15:10 ./var/log/journal/
  x: 44 system.posix_acl_access
  x: 44 system.posix_acl_default
```

When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:

```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```

tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.

Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:

```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```

So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:

```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```

Closes: #988100
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
2021-05-17 21:43:10 +02:00
88a031477a
add --skip=cleanup/apt/lists and --skip=cleanup/apt/cache 2021-05-09 20:44:02 +02:00
Vagrant Cascadian
c51fb24c7b
Use all cores when compressing with zstd. 2021-05-09 17:32:04 +02:00
236b84a486
tarfilter: add --pax-exclude and --pax-include to strip extended attributes because tar2sqfs only supports user.*, trusted.* and security.* 2021-05-07 09:39:40 +02:00