Commit ca819a23 authored by Jan Alexander Steffens (heftig)'s avatar Jan Alexander Steffens (heftig)
Browse files

makechrootpkg: Simplify chroot preparation (v2) 

Copy both UID and primary GID of the invoker to the builduser. Mount
srcdest and startdir read-write.

v2: Fixed GnuPG keyring owner and moved running namcap from a heredoc
    to a function.
parent eb88a303

makechrootpkg.in

+43 −101
Original line number Original line Diff line number Diff line
@@ -148,67 +148,38 @@ install_packages() { 
prepare_chroot() {

prepare_chroot() {

	$repack || rm -rf "$copydir/build"

	$repack || rm -rf "$copydir/build"





	mkdir -p "$copydir/build"

	local builduser_uid="${SUDO_UID:-$UID}"

	if ! grep -q 'BUILDDIR="/build"' "$copydir/etc/makepkg.conf"; then

	local builduser_gid="$(id -g "$builduser_uid")"

		echo 'BUILDDIR="/build"' >> "$copydir/etc/makepkg.conf"

	local install="install -o $builduser_uid -g $builduser_gid"

	fi

	local x



	# Read .makepkg.conf and gnupg pubring

	if [[ -r $USER_HOME/.gnupg/pubring.kbx ]]; then

		install -D "$USER_HOME/.gnupg/pubring.kbx" "$copydir/build/.gnupg/pubring.kbx"

	fi

	if [[ -r $USER_HOME/.gnupg/pubring.gpg ]]; then

		install -D "$USER_HOME/.gnupg/pubring.gpg" "$copydir/build/.gnupg/pubring.gpg"

	fi



	mkdir -p "$copydir/pkgdest"

	if ! grep -q 'PKGDEST="/pkgdest"' "$copydir/etc/makepkg.conf"; then

		echo 'PKGDEST="/pkgdest"' >> "$copydir/etc/makepkg.conf"

	fi



	mkdir -p "$copydir/srcpkgdest"

	if ! grep -q 'SRCPKGDEST="/srcpkgdest"' "$copydir/etc/makepkg.conf"; then

		echo 'SRCPKGDEST="/srcpkgdest"' >> "$copydir/etc/makepkg.conf"

	fi



	mkdir -p "$copydir/logdest"

	if ! grep -q 'LOGDEST="/logdest"' "$copydir/etc/makepkg.conf"; then

		echo 'LOGDEST="/logdest"' >> "$copydir/etc/makepkg.conf"

	fi



	# These two get bind-mounted read-only

	# XXX: makepkg dislikes having these dirs read-only, so separate them

	mkdir -p "$copydir/startdir" "$copydir/startdir_host"

	mkdir -p "$copydir/srcdest" "$copydir/srcdest_host"

	if ! grep -q 'SRCDEST="/srcdest"' "$copydir/etc/makepkg.conf"; then

		echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"

	fi



	builduser_uid=${SUDO_UID:-$UID}





	# We can't use useradd without chrooting, otherwise it invokes PAM modules

	# We can't use useradd without chrooting, otherwise it invokes PAM modules

	# which we might not be able to load (i.e. when building i686 packages on

	# which we might not be able to load (i.e. when building i686 packages on

	# an x86_64 host).

	# an x86_64 host).

	printf 'builduser:x:%d:100:builduser:/build:/bin/bash\n' "$builduser_uid" >>"$copydir/etc/passwd"

	sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,group}

	chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}

	printf >>"$copydir/etc/group"  'builduser:x:%d:\n' $builduser_gid

	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' $builduser_uid $builduser_gid





	if [[ -n $MAKEFLAGS ]]; then

	$install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest}

		sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"

		echo "MAKEFLAGS='${MAKEFLAGS}'" >> "$copydir/etc/makepkg.conf"

	fi





	if [[ -n $PACKAGER ]]; then

	for x in .gnupg/pubring.{kbx,gpg}; do

		sed -i '/^PACKAGER=/d' "$copydir/etc/makepkg.conf"

		[[ -r $USER_HOME/$x ]] || continue

		echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"

		$install -m 644 "$USER_HOME/$x" "$copydir/build/$x"

	fi

	done



	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"

	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \

		"MAKEFLAGS='$MAKEFLAGS'" "PACKAGER='$PACKAGER'"

	do

		grep -q "^$x" "$copydir/etc/makepkg.conf" && continue

		echo "$x" >>"$copydir/etc/makepkg.conf"

	done





	if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then

	cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF

		cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF

Defaults env_keep += "HOME"

Defaults env_keep += "HOME"

builduser ALL = NOPASSWD: /usr/bin/pacman

builduser ALL = NOPASSWD: /usr/bin/pacman

EOF

EOF

		chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"

	chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"

	fi





	# This is a little gross, but this way the script is recreated every time in the

	# This is a little gross, but this way the script is recreated every time in the

	# working copy

	# working copy
@@ -220,18 +191,30 @@ EOF 
		printf ' || exit\n'

		printf ' || exit\n'





		if $run_namcap; then

		if $run_namcap; then

			cat <<'EOF'

			declare -f _chrootnamcap

pacman -S --needed --noconfirm namcap

			printf '_chrootnamcap || exit\n'

for pkgfile in /startdir/PKGBUILD /pkgdest/*; do

	echo "Checking ${pkgfile##*/}"

	sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"

done

EOF

		fi

		fi

	} >"$copydir/chrootbuild"

	} >"$copydir/chrootbuild"

	chmod +x "$copydir/chrootbuild"

	chmod +x "$copydir/chrootbuild"

}

}





# These functions aren't run in makechrootpkg,

# so no global variables

_chrootbuild() {

	. /etc/profile

	export HOME=/build

	cd /startdir

	sudo -u builduser makepkg "$@"

}



_chrootnamcap() {

	pacman -S --needed --noconfirm namcap

	for pkgfile in /startdir/PKGBUILD /pkgdest/*; do

		echo "Checking ${pkgfile##*/}"

		sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"

	done

}



download_sources() {

download_sources() {

	local builddir="$(mktemp -d)"

	local builddir="$(mktemp -d)"

	chmod 1777 "$builddir"

	chmod 1777 "$builddir"
@@ -251,47 +234,6 @@ download_sources() { 
	rm -rf $builddir

	rm -rf $builddir

}

}





_chrootbuild() {

	# This function isn't run in makechrootpkg,

	# so no global variables



	. /etc/profile

	export HOME=/build

	shopt -s nullglob



	# XXX: Workaround makepkg disliking read-only dirs

	ln -sft /srcdest /srcdest_host/*

	ln -sft /startdir /startdir_host/*



	# XXX: Keep bzr and svn sources writable

	# Since makepkg 4.1.1 they get checked out via cp -a, copying the symlink

	for dir in /srcdest /startdir; do

		for vcs in bzr svn; do

			cd "$dir"

			for vcsdir in */.$vcs; do

				rm "${vcsdir%/.$vcs}"

				cp -a "${dir}_host/${vcsdir%/.$vcs}" .

				chown -R builduser "${vcsdir%/.$vcs}"

			done

		done

	done



	cd /startdir



	# XXX: Keep PKGBUILD writable for pkgver()

	rm PKGBUILD*

	cp /startdir_host/PKGBUILD* .

	chown builduser PKGBUILD*



	# Safety check

	if [[ ! -w PKGBUILD ]]; then

		echo "Can't write to PKGBUILD!"

		exit 1

	fi



	sudo -u builduser makepkg "$@"

}



move_products() {

move_products() {

	for pkgfile in "$copydir"/pkgdest/*; do

	for pkgfile in "$copydir"/pkgdest/*; do

		chown "$src_owner" "$pkgfile"

		chown "$src_owner" "$pkgfile"
@@ -389,8 +331,8 @@ download_sources 
prepare_chroot

prepare_chroot





if arch-nspawn "$copydir" \

if arch-nspawn "$copydir" \

	--bind-ro="$PWD:/startdir_host" \

	--bind="$PWD:/startdir" \

	--bind-ro="$SRCDEST:/srcdest_host" \

	--bind="$SRCDEST:/srcdest" \

	"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \

	"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \

	/chrootbuild

	/chrootbuild

then

then