From 509c00ea23e676d97072786f1fbe97dc23fa898b Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Mon, 15 Jan 2018 12:36:45 -0500
Subject: makechrootpkg: Do not copy the user keyring into the chroot.
Since commit 75fdff1811a0487f82c75b2e260da905102b4eea we no longer run integrity checks inside the chroot anyway, so this is no longer needed and will never be used.
---
 makechrootpkg.in | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 57231d5..f709955 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -181,12 +181,7 @@ prepare_chroot() {
 printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
 printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"
- $install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest}
-
- for x in .gnupg/pubring.{kbx,gpg}; do
- [[ -r $USER_HOME/$x ]] || continue
- $install -m 644 "$USER_HOME/$x" "$copydir/build/$x"
- done
+ $install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
 sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
--
cgit v1.2.3-70-g09d2
From 7fcf847bc37fb014d38dcb5c37ea3abc75e1889a Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Wed, 16 May 2018 10:37:55 -0400
Subject: Do not assume the makechrootpkg user's groupname is the same as the username
chown support "$user:$group" but also "$user:" which infers $group rather than leaving it as root. This looks up the group name in cases where the default group is e.g. "users" and users do not get their own unique groups.
---
 makechrootpkg.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index f709955..37e97e7 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -245,7 +245,7 @@ download_sources() {
 local builddir
 builddir="$(mktemp -d)"
- chown "$makepkg_user:$makepkg_user" "$builddir"
+ chown "$makepkg_user:" "$builddir"
 # Ensure sources are downloaded
 sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \
--
cgit v1.2.3-70-g09d2
From ad54ac08ae475134f1ef6242cf4a831aa4ab770a Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Wed, 15 Feb 2017 15:56:42 -0500
Subject: makechrootpkg: _chrootbuild: Split into _chroot{prepare,build}
---
 makechrootpkg.in | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 37e97e7..8480c56 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -198,6 +198,12 @@ EOF
 # This is a little gross, but this way the script is recreated every time in the
 # working copy
+ {
+ printf '#!/bin/bash\n'
+ declare -f _chrootprepare
+ printf '_chrootprepare "$@"\n'
+ } > "$copydir/chrootprepare"
+ chmod +x "$copydir/chrootprepare"
 {
 printf '#!/bin/bash\n'
 declare -f _chrootbuild
@@ -214,6 +220,20 @@ EOF
 # These functions aren't run in makechrootpkg,
 # so no global variables
+_chrootprepare() {
+ # No coredumps
+ ulimit -c 0
+
+ # shellcheck source=/dev/null
+ . /etc/profile
+
+ # Beware, there are some stupid arbitrary rules on how you can
+ # use "$" in arguments to commands with "sudo -i". ${foo} or
+ # ${1} is OK, but $foo or $1 isn't.
+ # https://bugzilla.sudo.ws/show_bug.cgi?id=765
+ sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@" --nobuild' -bash "$@"
+}
+
 _chrootbuild() {
 # No coredumps
 ulimit -c 0
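Review bot: The new `_chrootprepare` repeats `ulimit -c 0`, `. /etc/profile` and the four-line sudo-quoting comment verbatim from `_chrootbuild` in the same hunk, and the -198 hunk repeats the `{ printf; declare -f; printf; } > …; chmod +x` script-generation block a second time. Because `declare -f` is what ships these functions into the chroot, a shared helper would itself have to be emitted into both scripts, so the cheaper fix is to mark the coupling: `# Mirrors the preamble of _chrootbuild; keep the two in sync.` above `ulimit -c 0`. The function also lacks a header saying what it does; `# Runs makepkg --nobuild as builduser (fetch, extract, prepare()); the build itself happens in _chrootbuild.` would do. The -198 script block could be folded into a `for fn in _chrootprepare _chrootbuild` loop writing `"$copydir/${fn#_}"`, which removes the second copy entirely.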
@@ -225,7 +245,7 @@ _chrootbuild() {
 # use "$" in arguments to commands with "sudo -i". ${foo} or
 # ${1} is OK, but $foo or $1 isn't.
 # https://bugzilla.sudo.ws/show_bug.cgi?id=765
- sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
+ sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@" --noextract --noprepare' -bash "$@"
 }
 _chrootnamcap() {
@@ -409,6 +429,11 @@ main() {
 prepare_chroot "$copydir" "$USER_HOME" "$keepbuilddir" "$run_namcap"
 if arch-nspawn "$copydir" \
+ --bind="$PWD:/startdir" \
+ --bind="$SRCDEST:/srcdest" \
+ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+ /chrootprepare "${makepkg_args[@]}" &&
+ arch-nspawn "$copydir" \
 --bind="$PWD:/startdir" \
 --bind="$SRCDEST:/srcdest" \
 "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
--
cgit v1.2.3-70-g09d2
From 35796c0490efcb7316b96d032e7330598beb9433 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Wed, 15 Feb 2017 14:40:06 -0500
Subject: makechrootpkg, arch-nspawn: Force-enable local '/repo/' repository
The change in arch-nspawn is subtle: This was the source of "infamous" "it fails every other time" bug that took me over a year to solve. By having a repository of local packages (rather than simply running `pacman -U`), we are inviting pacman to cache them in `/var/cache/pacman/pkg`. Besides being needless disk writes, this actually causes a real issue. If the package gets rebuilt, pacman will balk, as the file no longer matches the cached signature. So, how do we prevent pacman from caching these local packages? Simple: include the directory they are already in in the pacman.conf:CacheDir list. This will prevent pacman from copying the files to one of the other cache directories.
---
 arch-nspawn.in | 1 +
 makechrootpkg.in | 13 +++++++++++++
 2 files changed, 14 insertions(+)
(limited to 'makechrootpkg.in')
diff --git a/arch-nspawn.in b/arch-nspawn.in
index 7f432a6..96b3e38 100644
--- a/arch-nspawn.in
+++ b/arch-nspawn.in
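Review bot: The added `--noextract --noprepare` flags make `_chrootbuild` depend on `/chrootprepare` having already populated `/build` in the same chroot copy, and nothing in the function records that; in my reading of makepkg, `--noextract` also means "use the existing $srcdir tree", so source download and checksum verification are skipped here and rest entirely on the earlier `--nobuild` run. Add a comment above the sudo line, e.g. `# Sources were fetched, verified, extracted and prepare()'d by /chrootprepare in this chroot; only build here.` The start of `_chrootbuild` is outside the hunk.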
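Review bot: The bind-mount argument list (`--bind="$PWD:/startdir"`, `--bind="$SRCDEST:/srcdest"`, `"${bindmounts_ro[@]}" "${bindmounts_rw[@]}"`) is now written out twice in `main`, once per `arch-nspawn` call, and the two copies must stay identical or the prepare and build steps see different filesystems. Hoist them into one array before the `if`: `local nspawn_args=(--bind="$PWD:/startdir" --bind="$SRCDEST:/srcdest" "${bindmounts_ro[@]}" "${bindmounts_rw[@]}")`, then `arch-nspawn "$copydir" "${nspawn_args[@]}" /chrootprepare "${makepkg_args[@]}" &&` and the same form for the build call. The `if` condition and the remainder of `main` continue past the end of the hunk.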
@@ -106,6 +106,7 @@ elif [[ $(cat "$working_dir/.arch-chroot") != "$CHROOT_VERSION" ]]; then
 fi
 build_mount_args
+cache_dirs+=('/repo/')
 copy_hostconf
 eval "$(grep -a '^CARCH=' "$working_dir/etc/makepkg.conf")"
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 8480c56..a302e4d 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -196,6 +196,19 @@ builduser ALL = NOPASSWD: /usr/bin/pacman
 EOF
 chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
+ if ! grep -q '^\[repo\]' "$copydir/etc/pacman.conf"; then
+ local line
+ line=$(grep -n '^\[' "$copydir/etc/pacman.conf" |grep -Fv ':[options]'|sed 's/:.*//;1q')
+ local ins='[repo]
+SigLevel = Optional TrustAll
+Server = file:///repo
+'
+ sed -i "${line}i${ins//$'\n'/\\n}" "$copydir/etc/pacman.conf"
+ fi
+ # Avoid having to use `pacman -Sy` to update [repo], as
+ # networking might be disabled inside of the chroot.
+ cp "$copydir/repo/repo.db" "$copydir/var/lib/pacman/sync/repo.db"
+
 # This is a little gross, but this way the script is recreated every time in the
 # working copy
 {
--
cgit v1.2.3-70-g09d2
From 14dcf83982cc143d7269237fe469b2c01dc5599f Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Thu, 20 Apr 2017 13:49:19 -0400
Subject: makechrootpkg: Also build --allsource packages
It also sets SRCEXT="-$pkgarch$SRCEXT", so that two runs of makechrootpkg on different architectures don't overwrite eachothers source packages.
---
 makechrootpkg.in | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index a302e4d..4cfc6b4 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
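Review bot: `cache_dirs+=('/repo/')` is added unconditionally to top-level arch-nspawn code with no comment, while the reason — stop pacman copying packages out of the bind-mounted local repo into /var/cache/pacman/pkg, where a rebuilt file no longer matches the cached copy — lives only in the commit message and will be lost to the next reader. Put it on the line: `# List /repo/ as a CacheDir so pacman uses local packages in place instead of caching copies that go stale when a package is rebuilt.` Because this runs for every arch-nspawn invocation, it also applies to chroots that have no /repo/ at all; I believe pacman tolerates a missing CacheDir, but that is worth confirming and stating in the same comment.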
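Review bot: `line` is empty when the chroot's pacman.conf has no section other than `[options]`, and `sed -i "i…"` with an empty address then inserts the `[repo]` block before every line of the file. Guard it: `if [[ -n $line ]]; then sed -i "${line}i${ins//$'\n'/\\n}" "$copydir/etc/pacman.conf"; else printf '%s' "$ins" >>"$copydir/etc/pacman.conf"; fi`. `SigLevel = Optional TrustAll` also deserves a why-comment, since it turns off signature checking for one repository: `# Packages makechrootpkg just built into /repo are unsigned; trust only this file:// repo, not the mirrors.` The unconditional `cp` of `/repo/repo.db` fails when the repo database has not been created yet; whether that aborts the run depends on the script's `set -e` state, which is outside the hunk, so a guard or an explicit error would make the failure mode deliberate.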
@@ -254,10 +254,25 @@ _chrootbuild() {
 # shellcheck source=/dev/null
 . /etc/profile
+ local srcext
+ srcext="$(
+ # shellcheck source=makepkg-x86_64.conf
+ . /etc/makepkg.conf || exit
+ # shellcheck source=PKGBUILD.proto
+ . /startdir/PKGBUILD || exit
+ if [ "$arch" = any ]; then
+ pkgarch=any
+ else
+ pkgarch=$CARCH
+ fi
+ printf '%s\n' "-$pkgarch$SRCEXT"
+ )" || return
+
 # Beware, there are some stupid arbitrary rules on how you can
 # use "$" in arguments to commands with "sudo -i". ${foo} or
 # ${1} is OK, but $foo or $1 isn't.
 # https://bugzilla.sudo.ws/show_bug.cgi?id=765
+ sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; SRCEXT="${1}" makepkg "${@:2}" --allsource' -bash "$srcext" "$@" || return
 sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@" --noextract --noprepare' -bash "$@"
 }
--
cgit v1.2.3-70-g09d2
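Review bot: The new `srcext="$( … )"` subshell sources `/etc/makepkg.conf` and `/startdir/PKGBUILD` directly inside `_chrootbuild`, which, as far as the visible code shows, runs as the container's root (the generated `/chrootbuild` is what arch-nspawn executes before the `sudo -iu builduser` drop on the lines below), so any top-level shell in a PKGBUILD is now evaluated with root privileges in the chroot, whereas makepkg itself only ever evaluates the PKGBUILD as builduser. Derive `pkgarch` under the same unprivileged account the two sudo lines already use. `[ "$arch" = any ]` also compares only the first element of the `arch` array, which is enough to detect `arch=(any)` but should be said in a comment. `_chrootbuild` begins outside the hunk.
```shell
    local srcext
    # Evaluate makepkg.conf and the PKGBUILD as builduser, never as root:
    # a PKGBUILD may run arbitrary shell at its top level.
    srcext="$(sudo -u builduser bash -c '
        . /etc/makepkg.conf || exit
        . /startdir/PKGBUILD || exit
        # $arch is an array; its first element is "any" only for arch=(any)
        if [ "$arch" = any ]; then
            pkgarch=any
        else
            pkgarch=$CARCH
        fi
        printf "%s\n" "-$pkgarch$SRCEXT"
    ')" || return
    # … unchanged: sudo-quoting comment, makepkg --allsource and makepkg --noextract --noprepare calls …
```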