From 3cff47783075f757b817ddf0c21fdb7e633a0508 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Thu, 16 Nov 2023 01:03:53 -0500
Subject: [PATCH] New and updated dist scripts, dist package, and build-environment configuration
- makepkg.conf for building dist-package in build chroot
- runtime.sh to package a lightweight runtime image for pacwrap-agent
- Link to flatpak-xdg-utils binaries to /usr/local/bin in pacwrap-base-dist package.
---
 dist/config/makepkg.conf | 160 ++++++++++++++++++
 dist/pacwrap-base-dist/PKGBUILD | 28 +--
 .../dist_src/0-pacwrap-dist.hook | 2 +-
 .../dist_src/42-trust-permission.hook | 2 +-
 dist/pacwrap-base-dist/dist_src/pacwrap-dist | 31 +++-
 dist/tools/clean.sh | 53 +++++-
 dist/tools/package.sh | 24 ++-
 dist/tools/repo.sh | 25 ++-
 dist/tools/runtime.sh | 72 ++++++++
 9 files changed, 367 insertions(+), 30 deletions(-)
 create mode 100644 dist/config/makepkg.conf
 create mode 100755 dist/tools/runtime.sh
diff --git a/dist/config/makepkg.conf b/dist/config/makepkg.conf
new file mode 100644
index 0000000..4ef2fd2
--- /dev/null
+++ b/dist/config/makepkg.conf
@@ -0,0 +1,160 @@
+#!/hint/bash
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+# Format: 'protocol::agent'
+DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
+ 'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+ 'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+ 'rsync::/usr/bin/rsync --no-motd -z %u %o'
+ 'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+# Format: 'protocol::package'
+VCSCLIENTS=('bzr::breezy'
+ 'fossil::fossil'
+ 'git::git'
+ 'hg::mercurial'
+ 'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="x86_64"
+CHOST="x86_64-pc-linux-gnu"
+
+#-- Compiler and Linker Flags
+#CPPFLAGS=""
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+ -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
+ -fstack-clash-protection -fcf-protection"
+CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+LTOFLAGS="-flto=auto"
+#RUSTFLAGS="-C opt-level=2"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g"
+DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
+#DEBUG_RUSTFLAGS="-C debuginfo=2"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
+# A negated environment option will do the opposite of the comments below.
+#
+#-- distcc: Use the Distributed C/C++/ObjC compiler
+#-- color: Colorize output messages
+#-- ccache: Use ccache to cache compilation
+#-- check: Run the check() function if present in the PKGBUILD
+#-- sign: Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+# These are default values for the options=() settings
+#########################################################################
+#
+# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto)
+# A negated option will do the opposite of the comments below.
+#
+#-- strip: Strip symbols from binaries/libraries
+#-- docs: Save doc directories specified by DOC_DIRS
+#-- libtool: Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs: Leave empty directories in packages
+#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge: Remove files specified by PURGE_TARGETS
+#-- debug: Add debugging flags as specified in DEBUG_* variables
+#-- lto: Add compile flags for building with link time optimization
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
+INTEGRITY_CHECK=(sha256)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+#-- Directory to store source code in for debug packages
+DBGSRCDIR="/usr/src/debug"
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe "
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSZST=(zstd -c -z -q -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+COMPRESSLZ4=(lz4 -q)
+COMPRESSLZ=(lzip -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+PKGEXT='.pkg.tar.zst'
+SRCEXT='.src.tar.gz'
+
+#########################################################################
+# OTHER
+#########################################################################
+#
+#-- Command used to run pacman as root, instead of trying sudo and su
+#PACMAN_AUTH=()
+PACKAGER='Xavier R.M. '
diff --git a/dist/pacwrap-base-dist/PKGBUILD b/dist/pacwrap-base-dist/PKGBUILD
index 2609d46..9109665 100644
--- a/dist/pacwrap-base-dist/PKGBUILD
+++ b/dist/pacwrap-base-dist/PKGBUILD
@@ -1,20 +1,20 @@
 # Maintainer: Xavier R.M. (sapphirus at azorium dot net)
 pkgname=('pacwrap-base-dist')
-pkgver=0.4.3
+pkgver=0.5.0
 pkgrel=1
-pkgdesc=""
+pkgdesc="Distribution package to configure Arch Linux for use with pacwrap."
 arch=('any')
 url="https://pacwrap.sapphirus.org/"
 license=('GPLv3-only')
 conflicts=('pacwrap-base-dist')
-depends=('fakeroot' 'fakechroot')
+depends=('fakeroot' 'fakechroot' 'flatpak-xdg-utils')
 source=("${pkgname}-${pkgver}-${pkgrel}.tar.zst::${pkgname}-${pkgver}-${pkgrel}.tar.zst")
-sha512sums=('53226312533e2935caf23d9102e277e441f0165f394752a022c27dd2ede6fffad9a2e1a0005468d7fd94e0da0a51c10675f43bc4292c4864ece9c88dbd539f69')
+sha512sums=('96e4cfde8f56eaff18d5b807564f3fa8b2a1b72d115210c7f3de44a8651dfecb3a6b862fcf3b622e0ecc4bd28fb7726fb9a0dee163e3871895a1975830e88dea')
 package() {
- cd "${srcdir}"
+ cd "${srcdir}"
 local pacman_hooks=('20-systemd-sysusers'
 '30-systemd-tmpfiles'
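Review bot: `BUILDENV=(!distcc color !ccache check !sign)` together with `#GPGKEY=""` left commented means makepkg emits no detached signature for the dist package, and nothing else in this patch signs the package or the repository database that repo.sh generates. If containers consume dist-repo through pacman, that presumably forces a relaxed `SigLevel` for this repository, which turns the repo directory into an unauthenticated trust point; confirm the intended SigLevel and document it beside the repo tooling. Once a release key exists, set `GPGKEY` here and flip `!sign` to `sign` (or sign in repo.sh) so `.sig` files travel with the packages. Minor: the live `PACKAGER='Xavier R.M. '` sits under OTHER while the `#PACKAGER=` placeholder above stays commented; moving it into the PACKAGE OUTPUT section keeps the file readable.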
@@ -22,14 +22,18 @@ package() {
 '30-systemd-sysctl'
 '30-systemd-catalog'
 '30-systemd-update'
- '30-systemd-udev-reload'
+ '30-systemd-udev-reload'
 '30-systemd-hwdb'
- 'dbus-reload')
+ 'dbus-reload')
- mkdir -p "$pkgdir/etc/pacman.d/hooks/"
+ mkdir -p "${pkgdir}/etc/pacman.d/hooks/" "${pkgdir}/usr/local/bin/"
 for pacman_hook in ${pacman_hooks[@]}; do
- ln -s /dev/null "$pkgdir/etc/pacman.d/hooks/$pacman_hook.hook"; done
- install -Dm 644 "dist_src/0-pacwrap-dist.hook" "${pkgdir}/usr/share/libalpm/hooks/0-pacwrap-dist.hook"
- install -Dm 644 "dist_src/42-trust-permission.hook" "${pkgdir}/usr/share/libalpm/hooks/42-trust-permission.hook"
- install -Dm 755 "dist_src/pacwrap-dist" "${pkgdir}/usr/bin/pacwrap-dist"
+ ln -s /dev/null "${pkgdir}/etc/pacman.d/hooks/${pacman_hook}.hook"; done
+
+ ln -s ../../../usr/lib/flatpak-xdg-utils/xdg-open "${pkgdir}/usr/local/bin/"
+ ln -s ../../../usr/lib/flatpak-xdg-utils/xdg-email "${pkgdir}/usr/local/bin/"
+
+ install -Dm 644 "dist_src/0-pacwrap-dist.hook" "${pkgdir}/usr/share/libalpm/hooks/0-pacwrap-dist.hook"
+ install -Dm 644 "dist_src/42-trust-permission.hook" "${pkgdir}/usr/share/libalpm/hooks/42-trust-permission.hook"
+ install -Dm 755 "dist_src/pacwrap-dist" "${pkgdir}/usr/share/libalpm/scripts/pacwrap-dist"
 }
diff --git a/dist/pacwrap-base-dist/dist_src/0-pacwrap-dist.hook b/dist/pacwrap-base-dist/dist_src/0-pacwrap-dist.hook
index d3b1078..b86a7ea 100644
--- a/dist/pacwrap-base-dist/dist_src/0-pacwrap-dist.hook
+++ b/dist/pacwrap-base-dist/dist_src/0-pacwrap-dist.hook
@@ -7,4 +7,4 @@ Target = pacwrap-base-dist
 [Action]
 Description = Configuring base container..
 When = PostTransaction
-Exec = /usr/bin/pacwrap-dist
+Exec = /usr/share/libalpm/scripts/pacwrap-dist config
diff --git a/dist/pacwrap-base-dist/dist_src/42-trust-permission.hook b/dist/pacwrap-base-dist/dist_src/42-trust-permission.hook
index aa2b524..afb48a6 100644
--- a/dist/pacwrap-base-dist/dist_src/42-trust-permission.hook
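Review bot: The two new `ln -s` lines make the package own `/usr/local/bin/xdg-open` and `/usr/local/bin/xdg-email`, but Arch packaging reserves `/usr/local` for the local administrator; the intent is presumably to shadow `/usr/bin/xdg-open` with the portal-based wrapper via PATH order so container applications hand URLs to the host. If that shadowing is deliberate it needs a comment above the links, e.g. `# Shadow xdg-open/xdg-email with the flatpak-xdg-utils portal wrappers; /usr/local/bin precedes /usr/bin in PATH`, otherwise `/usr/bin` with a `conflicts`/`provides` on xdg-utils is the conventional place. The link targets resolve correctly from /usr/local/bin, though `../../lib/flatpak-xdg-utils/xdg-open` is the shorter equivalent. The context line `for pacman_hook in ${pacman_hooks[@]}` predates this change, but since `${pkgdir}` is now consistently braced it would be worth quoting `"${pacman_hooks[@]}"` in the same pass.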
+++ b/dist/pacwrap-base-dist/dist_src/42-trust-permission.hook
@@ -8,4 +8,4 @@ Target = usr/share/ca-certificates/trust-source/*
 [Action]
 Description = Permissing certificate store...
 When = PostTransaction
-Exec = /usr/bin/chmod -R 755 /usr/share/ca-certificates /etc/ca-certificates
+Exec = /usr/share/libalpm/scripts/pacwrap-dist cert-store
diff --git a/dist/pacwrap-base-dist/dist_src/pacwrap-dist b/dist/pacwrap-base-dist/dist_src/pacwrap-dist
index ecb7766..54987d3 100755
--- a/dist/pacwrap-base-dist/dist_src/pacwrap-dist
+++ b/dist/pacwrap-base-dist/dist_src/pacwrap-dist
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Pacwrap - distribution script
+# pacwrap - distribution script
 #
 # Copyright (C) 2023 Xavier R.M.
 # sapphirus(at)azorium(dot)net
@@ -23,8 +23,12 @@ user() {
 return
 fi
+ local uid=$(id -u)
+ local gid=$(id -g)
+
 echo "Creating dummy user.."
- echo 'user:x:1000:1000::/:/usr/bin/nologin' >> /etc/passwd
+ echo "user:x:$uid:$gid::/:/usr/bin/nologin" >> /etc/passwd
+ echo "user:x:$gid:" >> /etc/group
 }
 locale() {
@@ -34,7 +38,7 @@ locale() {
 echo "Initializing locales.."
- if [[ $LANG == "en_US.UTF-8" ]] || [[ -z $LANG ]]; then
+ if [[ $LANG == "en_US.UTF-8" ]] || [[ -z "$LANG" ]]; then
 echo -e "\nen_US.UTF-8" >> "$INSTANCE_ROOT/etc/locale.gen"
 else
 echo -e "\nen_US.UTF-8 UTF-8\n$LANG ${LANG#*.}" >> "$INSTANCE_ROOT/etc/locale.gen"
@@ -44,15 +48,24 @@ locale() {
 locale-gen
 }
-cleanup() {
- rm /usr/share/libalpm/hooks/0-pacwrap-dist.hook /usr/bin/pacwrap-dist
-}
-
 dist() {
 locale
 user
- cleanup
 echo "Distribution configuration completed."
 }
-dist
+cert_store() {
+ chmod -R 755 /usr/share/ca-certificates /etc/ca-certificates
+
+ if [[ $? == 0 ]]; then
+ echo "Applied permissions to certificate stores successfully."
+ else
+ echo "Error occurred whilst applying permissions to certificate stores."
+ fi
+}
+
+case $1 in
+ cert-store) cert_store;;
+ config) dist;;
+ *) echo "error: Hook parameter '$1' not found.";;
+esac
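Review bot: `local uid=$(id -u)` and `local gid=$(id -g)` record whichever identity runs the alpm hook; if the container transaction runs under fakeroot, as the package's `fakeroot`/`fakechroot` dependencies suggest, `id -u` reports 0 and the appended line becomes `user:x:0:0::/:/usr/bin/nologin`, a second uid-0 account inside the container. The new `echo "user:x:$gid:" >> /etc/group` likewise appends without checking whether that gid or the name `user` is already present in /etc/group. Take the intended host IDs from whatever pacwrap passes into the hook environment rather than from `id`, and refuse the degenerate case: `(( uid == 0 )) && { echo "error: refusing to create dummy user with uid 0" >&2; exit 1; }`. `local x=$(cmd)` also hides the command's exit status; declare and assign on separate lines. The guard at the top of user() lies before this hunk.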
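Review bot: `chmod -R 755 /usr/share/ca-certificates /etc/ca-certificates` in cert_store() marks every certificate and configuration file executable, not just the directories; the readable-store intent is `chmod -R a+rX /usr/share/ca-certificates /etc/ca-certificates`, where capital X adds execute only to directories and files that are already executable. The failure branch prints to stdout and the function still returns 0, so pacman records the hook as successful; write the message to stderr and `exit 1`, and test the command directly with `if chmod …; then` instead of inspecting `$?` afterwards. The `*)` arm of the new `case` has the same problem: an unknown hook parameter is reported on stdout with exit status 0.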
diff --git a/dist/tools/clean.sh b/dist/tools/clean.sh
index ce28543..872e6ff 100755
--- a/dist/tools/clean.sh
+++ b/dist/tools/clean.sh
@@ -1,2 +1,51 @@
-rm ./dist/dist-repo/*
-rm ./dist/pacwrap-base-dist/*.tar.zst
+#!/bin/bash
+#
+# pacwrap - clean.sh
+#
+# Copyright (C) 2023 Xavier R.M.
+# sapphirus(at)azorium(dot)net
+#
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, with only version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+BOLD=$(tput bold)
+GREEN=$(tput setaf 2)
+RED=$(tput setaf 1)
+RESET=$(tput sgr0)
+DIST_RUNTIME="./dist/runtime"
+DIST_BASE="./dist/pacwrap-base-dist"
+DIST_REPO="./dist/dist-repo"
+
+runtime() {
+ if [[ -d "$DIST_RUNTIME" ]]; then
+ rm -r "$DIST_RUNTIME"
+ echo "$BOLD$GREEN Cleaned$RESET container runtime"
+ fi
+}
+
+repo() {
+ if [[ -d "$DIST_REPO" ]] && [[ -d "$DIST_BASE" ]]; then
+ rm $DIST_REPO/* $DIST_BASE/*.tar.zst
+ echo "$BOLD$GREEN Cleaned$RESET repositories"
+ fi
+}
+
+invalid() {
+ echo $BOLD$RED"error:$RESET Invalid parameter '$1'"
+}
+
+for var in "$@"; do case $var in
+ repo) repo;;
+ runtime) runtime;;
+ *) invalid $var;;
+esac; done
diff --git a/dist/tools/package.sh b/dist/tools/package.sh
index aa2112d..f09a695 100755
--- a/dist/tools/package.sh
+++ b/dist/tools/package.sh
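Review bot: `rm $DIST_REPO/* $DIST_BASE/*.tar.zst` expands unquoted, and both paths are relative to the caller's working directory, so running the script from anywhere other than the repository root either removes nothing or operates on a different `./dist` tree; anchor the script first with `cd "$(dirname "$0")/../.." || exit 1` and add `set -euo pipefail` under the shebang so a failed `rm` does not still print the green `Cleaned` line. Quote the expansions and end option parsing, `rm -f -- "$DIST_REPO"/* "$DIST_BASE"/*.tar.zst`, call the error helper as `invalid "$var"`, and send its message to stderr. The `repo)` branch also does nothing, silently, when either directory is missing, which makes a typo in a path indistinguishable from an already-clean tree; at least report it.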
@@ -1,8 +1,28 @@
 #!/bin/bash
+#
+# pacwrap - package.sh
+#
+# Copyright (C) 2023 Xavier R.M.
+# sapphirus(at)azorium(dot)net
+#
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, with only version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
 cd ./dist/$1/
 tar acvf $1-$2-$3.tar.zst dist_src
 SUM=($(sha512sum $1-$2-$3.tar.zst))
 cp PKGBUILD PKGBUILD.tmp
 sed -e "s/sha512sums=(.*)/sha512sums=('${SUM[0]}')/g;s/pkgver=.*/pkgver=$2/g;s/pkgrel=.*/pkgrel=$3/g" < "PKGBUILD.tmp" > "PKGBUILD"
-makepkg -sf
-rm -r src pkg PKGBUILD.tmp
+makepkg -scf --config ../config/makepkg.conf
+cp $1-$2-$3-any.pkg.tar.zst ../dist-repo/
+rm PKGBUILD.tmp
diff --git a/dist/tools/repo.sh b/dist/tools/repo.sh
index 655695d..7c0944b 100755
--- a/dist/tools/repo.sh
+++ b/dist/tools/repo.sh
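Review bot: `cd ./dist/$1/` is unchecked, so a mistyped package name leaves the script running `tar`, the `sed` rewrite and `makepkg -scf` in the repository root; make it `cd "./dist/$1/" || exit 1` (or put `set -e` under the shebang), since the `cp … ../dist-repo/` and `rm PKGBUILD.tmp` lines added here inherit the same risk. `$2` and `$3` are interpolated straight into the sed program, so a version containing `/`, `&` or `\` corrupts PKGBUILD instead of failing; validate them first, e.g. `[[ $2 =~ ^[0-9A-Za-z._+]+$ && $3 =~ ^[0-9]+$ ]] || exit 1`. Note also that the sha512 written into sha512sums is computed from the tarball created two lines earlier, so it only guards transfer integrity, not provenance; the new header should say so and state the expected arguments, e.g. `# usage: package.sh <pkgname> <pkgver> <pkgrel>  (run from the repository root)`.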
@@ -1,7 +1,26 @@
+#!/bin/bash
+#
+# pacwrap - repo.sh
+#
+# Copyright (C) 2023 Xavier R.M.
+# sapphirus(at)azorium(dot)net
+#
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, with only version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
 echo "Preparing repo.."
-./dist/tools/clean.sh
+./dist/tools/clean.sh repo
 echo "Packaging.."
 ./dist/tools/package.sh pacwrap-base-dist $1 $2
 echo "Building repo.."
-cp ./dist/*/*.pkg.tar.zst ./dist/dist-repo/
-repose pacwrap -zfr ./dist/dist-repo/
+repose pacwrap -vzfr ./dist/dist-repo/
diff --git a/dist/tools/runtime.sh b/dist/tools/runtime.sh
new file mode 100755
index 0000000..44a02a1
--- /dev/null
+++ b/dist/tools/runtime.sh
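Review bot: Nothing stops the pipeline on failure: if `./dist/tools/package.sh pacwrap-base-dist $1 $2` fails after `clean.sh repo` has emptied dist-repo, `repose pacwrap -vzfr ./dist/dist-repo/` still runs and regenerates the database from whatever is left, publishing an empty or stale repository. Add `set -euo pipefail` below the shebang (or `|| exit 1` on the package step), quote the arguments, and check them before use: `(( $# == 2 )) || { echo "usage: $0 <pkgver> <pkgrel>" >&2; exit 2; }`. The script also assumes it is invoked from the repository root; the new header is the place to state the usage and that assumption.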
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# pacwrap - runtime.sh
+#
+# This script packages the most minimal userspace environment possible
+# allowing pacwrap's agent binary to execute in an otherwise empty container.
+#
+# Copyright (C) 2023 Xavier R.M.
+# sapphirus(at)azorium(dot)net
+#
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, with only version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+BOLD=$(tput bold)
+RED=$(tput setaf 1)
+GREEN=$(tput setaf 2)
+RESET=$(tput sgr0)
+LIB_DIR="/lib"
+BIN_DIR="/bin"
+DEST_DIR="./dist/runtime"
+
+# Validate parameters
+
+if [[ -z $1 ]]; then
+ echo $BOLD$RED"error:$RESET target not specified.";
+ exit 1
+fi
+
+case $1 in
+ release);;
+ debug);;
+ *) echo $BOLD$RED"error:$RESET target $1 is invalid.";
+ exit 1;;
+esac
+
+# Cleanup and prepare container runtime
+
+./dist/tools/clean.sh runtime 0> /dev/null
+mkdir -p $DEST_DIR$LIB_DIR $DEST_DIR$BIN_DIR
+
+# Validate preparation environment
+
+if [[ ! -d "$DEST_DIR$LIB_DIR" ]] || [[ ! -d $DEST_DIR$BIN_DIR ]]; then
+ echo $BOLD$RED"error:$RESET '$DEST_DIR': directory not found.";
+ exit 1
+fi
+
+# Populate libraries for container runtime
+
+ldd ./target/$1/pacwrap-agent | sed -e "s/.*=> //g;s/ (.*)//g;s/\t.*//g" | xargs cp -Lt $DEST_DIR$LIB_DIR
+ldd /usr/bin/gpg | sed -e "s/.*=> //g;s/ (.*)//g;s/\t.*//g" | xargs cp -Lt $DEST_DIR$LIB_DIR
+ldd /usr/bin/bash | sed -e "s/.*=> //g;s/ (.*)//g;s/\t.*//g" | xargs cp -Lt $DEST_DIR$LIB_DIR
+cp -L /usr/lib/libfakeroot/libfakeroot.so $DEST_DIR$LIB_DIR
+cp -L /usr/lib/libfakeroot/fakechroot/libfakechroot.so $DEST_DIR$LIB_DIR
+
+# Populate binaries for container runtime
+
+ln -s ../lib64/ld-linux-x86-64.so.2 $DEST_DIR$BIN_DIR/ld.so
+cp ./target/$1/pacwrap-agent $DEST_DIR$BIN_DIR/agent
+cp /usr/bin/gpg $DEST_DIR$BIN_DIR/gpg
+
+echo "$GREEN$BOLD Packaged$RESET container runtime [$1]"
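Review bot: `./dist/tools/clean.sh runtime 0> /dev/null` redirects standard input, not output, so the `Cleaned` line is still printed; the intent is presumably `> /dev/null`. Nothing verifies that `./target/$1/pacwrap-agent` exists before it is handed to `ldd` and `cp`, and the script has no `set -e`, so a missing build still ends on the green `Packaged` line with a half-populated runtime; check for the binary and fail fast as below. `ln -s ../lib64/ld-linux-x86-64.so.2` points into a `lib64` directory the script never creates (`LIB_DIR="/lib"`), so `bin/ld.so` dangles unless the container provides a `lib64` → `lib` alias; either point it at `../lib/` or add a comment stating that assumption. The `$DEST_DIR$LIB_DIR` / `$DEST_DIR$BIN_DIR` arguments should also be quoted, even though the constant paths used here do not currently split.

```shell
# … unchanged: colour variables, LIB_DIR/BIN_DIR/DEST_DIR …
set -eo pipefail   # placed after tput so a missing TERM does not abort the build
# … unchanged: target validation …

AGENT="./target/$1/pacwrap-agent"
if [[ ! -x "$AGENT" ]]; then
    echo "${BOLD}${RED}error:${RESET} '$AGENT': agent binary not found; build the $1 target first." >&2
    exit 1
fi

./dist/tools/clean.sh runtime > /dev/null
# … unchanged: mkdir, directory check, library and binary population …
```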