Enable signature checking within build environment
* bind /sys and /dev/pts from host * drop support for devtmpfs as it is no longer needed * add /run and /dev/rtc0 * clone own ipc, uts and mount namespaces for chroot * set localtime, timezone and locale within chroot environment * copy /etc/pacman.d/gnupg from host
This commit is contained in:
parent
41b39c3e78
commit
c7cda47342
|
@ -258,15 +258,11 @@ nobody ALL = NOPASSWD: /usr/bin/pacman
|
|||
EOF
|
||||
chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
|
||||
|
||||
# Set this system wide as makepkg will source /etc/profile before calling build()
|
||||
echo 'LANG=C' > "$copydir/etc/locale.conf"
|
||||
|
||||
# This is a little gross, but this way the script is recreated every time in the
|
||||
# working copy
|
||||
cat >"$copydir/chrootbuild" <<EOF
|
||||
#!/bin/bash
|
||||
. /etc/profile
|
||||
export LANG=C
|
||||
export HOME=/build
|
||||
|
||||
cd /build
|
||||
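Review bot: If, as the `-258,15 +258,11` line counts and the commit description suggest, the `echo 'LANG=C' > "$copydir/etc/locale.conf"` write is what this hunk removes, makechrootpkg now relies on the chroot having been created by a mkarchroot that writes `/etc/locale.conf` itself; a chroot built with the previous mkarchroot has no such file, so the `. /etc/profile` in chrootbuild leaves LANG unset for those builds. If that compatibility matters, keep a guarded write, `[[ -f "$copydir/etc/locale.conf" ]] || echo 'LANG=C' > "$copydir/etc/locale.conf"`. The chrootbuild heredoc keeps an unquoted `<<EOF` delimiter, which is only correct because every line in it is meant to be expanded on the host; a short comment above `cat >"$copydir/chrootbuild" <<EOF` saying so would save the next reader that check. The surrounding code continues outside the hunk.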
|
|
|
@ -30,7 +30,6 @@ usage() {
|
|||
echo ' -M <file> Location of a makepkg config file'
|
||||
echo ' -n Do not copy config files into the chroot'
|
||||
echo ' -c <dir> Set pacman cache. Default: /var/cache/pacman/pkg'
|
||||
echo ' -d Use devtmpfs instead of minimal /dev (tmpfs)'
|
||||
echo ' -h This message'
|
||||
exit 1
|
||||
}
|
||||
|
@ -87,38 +86,40 @@ fi
|
|||
# {{{ functions
|
||||
chroot_mount() {
|
||||
[[ -e "${working_dir}/sys" ]] || mkdir "${working_dir}/sys"
|
||||
mount -t sysfs sysfs "${working_dir}/sys"
|
||||
mount -o bind /sys "${working_dir}/sys"
|
||||
mount -o remount,ro,bind "${working_dir}/sys"
|
||||
|
||||
[[ -e "${working_dir}/proc" ]] || mkdir "${working_dir}/proc"
|
||||
mount -t proc proc "${working_dir}/proc"
|
||||
mount -t proc proc -o nosuid,noexec,nodev "${working_dir}/proc"
|
||||
mount -o bind /proc/sys "${working_dir}/proc/sys"
|
||||
mount -o remount,ro,bind "${working_dir}/proc/sys"
|
||||
|
||||
[[ -e "${working_dir}/dev" ]] || mkdir "${working_dir}/dev"
|
||||
if [[ ${USE_DEVTMPFS} = "y" ]]; then
|
||||
mount -t devtmpfs dev "${working_dir}/dev" -o mode=0755,nosuid
|
||||
else
|
||||
mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid
|
||||
mknod -m 666 "${working_dir}/dev/null" c 1 3
|
||||
mknod -m 666 "${working_dir}/dev/zero" c 1 5
|
||||
mknod -m 600 "${working_dir}/dev/console" c 5 1
|
||||
mknod -m 644 "${working_dir}/dev/random" c 1 8
|
||||
mknod -m 644 "${working_dir}/dev/urandom" c 1 9
|
||||
mknod -m 666 "${working_dir}/dev/tty" c 5 0
|
||||
mknod -m 666 "${working_dir}/dev/ptmx" c 5 2
|
||||
mknod -m 666 "${working_dir}/dev/tty0" c 4 0
|
||||
mknod -m 666 "${working_dir}/dev/full" c 1 7
|
||||
ln -s /proc/kcore "${working_dir}/dev/core"
|
||||
ln -s /proc/self/fd "${working_dir}/dev/fd"
|
||||
ln -s /proc/self/fd/0 "${working_dir}/dev/stdin"
|
||||
ln -s /proc/self/fd/1 "${working_dir}/dev/stdout"
|
||||
ln -s /proc/self/fd/2 "${working_dir}/dev/stderr"
|
||||
fi
|
||||
mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid,strictatime
|
||||
mknod -m 666 "${working_dir}/dev/null" c 1 3
|
||||
mknod -m 666 "${working_dir}/dev/zero" c 1 5
|
||||
mknod -m 600 "${working_dir}/dev/console" c 5 1
|
||||
mknod -m 644 "${working_dir}/dev/random" c 1 8
|
||||
mknod -m 644 "${working_dir}/dev/urandom" c 1 9
|
||||
mknod -m 666 "${working_dir}/dev/tty" c 5 0
|
||||
mknod -m 666 "${working_dir}/dev/ptmx" c 5 2
|
||||
mknod -m 666 "${working_dir}/dev/tty0" c 4 0
|
||||
mknod -m 666 "${working_dir}/dev/full" c 1 7
|
||||
mknod -m 666 "${working_dir}/dev/rtc0" c 254 0
|
||||
ln -s /proc/kcore "${working_dir}/dev/core"
|
||||
ln -s /proc/self/fd "${working_dir}/dev/fd"
|
||||
ln -s /proc/self/fd/0 "${working_dir}/dev/stdin"
|
||||
ln -s /proc/self/fd/1 "${working_dir}/dev/stdout"
|
||||
ln -s /proc/self/fd/2 "${working_dir}/dev/stderr"
|
||||
|
||||
[[ -e "${working_dir}/dev/shm" ]] || mkdir "${working_dir}/dev/shm"
|
||||
mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M
|
||||
|
||||
[[ -e "${working_dir}/dev/pts" ]] || mkdir "${working_dir}/dev/pts"
|
||||
mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666
|
||||
mount -o bind "${working_dir}/dev/pts/ptmx" "${working_dir}/dev/ptmx"
|
||||
mount -o bind /dev/pts "${working_dir}/dev/pts"
|
||||
|
||||
[[ -e "${working_dir}/run" ]] || mkdir "${working_dir}/run"
|
||||
mount -t tmpfs tmpfs "${working_dir}/run" -o nodev,nosuid,strictatime,size=64M
|
||||
|
||||
[[ -e $cache_dir ]] || mkdir -p "${cache_dir}"
|
||||
[[ -e "${working_dir}/${cache_dir}" ]] || mkdir -p "${working_dir}/${cache_dir}"
|
||||
|
@ -135,6 +136,7 @@ chroot_mount() {
|
|||
|
||||
copy_hostconf () {
|
||||
cp /etc/resolv.conf "${working_dir}/etc/resolv.conf"
|
||||
cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"
|
||||
echo "Server = ${host_mirror}" > ${working_dir}/etc/pacman.d/mirrorlist
|
||||
|
||||
if [[ -n $pac_conf && $NOCOPY = 'n' ]]; then
|
||||
|
@ -147,12 +149,13 @@ copy_hostconf () {
|
|||
}
|
||||
|
||||
chroot_umount () {
|
||||
umount "${working_dir}/proc/sys"
|
||||
umount "${working_dir}/proc"
|
||||
umount "${working_dir}/sys"
|
||||
umount "${working_dir}/dev/ptmx"
|
||||
umount "${working_dir}/dev/pts"
|
||||
umount "${working_dir}/dev/shm"
|
||||
umount "${working_dir}/dev"
|
||||
umount "${working_dir}/run"
|
||||
umount "${working_dir}/${cache_dir}"
|
||||
[[ -n $host_mirror_path ]] && umount "${working_dir}/${host_mirror_path}"
|
||||
}
|
||||
|
@ -184,7 +187,7 @@ if [[ -n $RUN ]]; then
|
|||
chroot_mount
|
||||
copy_hostconf
|
||||
|
||||
eval chroot "${working_dir}" ${RUN}
|
||||
eval unshare -mui -- chroot "${working_dir}" ${RUN}
|
||||
|
||||
# }}}
|
||||
else
|
||||
|
@ -226,6 +229,9 @@ else
|
|||
sed -i 's@^#\(en_US\|de_DE\)\(\.UTF-8\)@\1\2@' "${working_dir}/etc/locale.gen"
|
||||
chroot "${working_dir}" /usr/sbin/locale-gen
|
||||
fi
|
||||
echo 'UTC' > "${working_dir}/etc/timezone"
|
||||
ln -s /usr/share/zoneinfo/UTC "${working_dir}/etc/localtime"
|
||||
echo 'LANG=C' > "${working_dir}/etc/locale.conf"
|
||||
|
||||
copy_hostconf
|
||||
|
||||
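Review bot: `cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"` in copy_hostconf copies the whole host keyring directory, which normally also holds the private part of the local master key created by `pacman-key --init`, into a build chroot that only needs the public keys and trust database to verify signatures; `-a` preserves whatever modes the host directory has, and when the target directory already exists from an earlier run the copy merges into it rather than replacing it, so keys removed on the host would persist in the chroot. Consider copying only the public material (e.g. `pubring.gpg`, `trustdb.gpg`, `gpg.conf`) into a freshly created directory, or at least a comment stating that the full keyring is copied on purpose. Separately, `ln -s /usr/share/zoneinfo/UTC "${working_dir}/etc/localtime"` in the `@ -226,6 +229,9 @@` hunk fails without effect if `/etc/localtime` already exists in the chroot, and no status is checked; `ln -sf` makes the step idempotent. In the `@ -184,7 +187,7 @@` hunk, `eval unshare -mui -- chroot "${working_dir}" ${RUN}` keeps the pre-existing `eval` on an unquoted `${RUN}`, so shell metacharacters in the run arguments are interpreted on the host before the new namespaces are entered; if RUN is assembled from the script's arguments, holding it in an array and passing `"${RUN[@]}"` without `eval` avoids that. copy_hostconf continues outside its hunk.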
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,18 +69,23 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
#[testing]
|
||||
#SigLevel = PackageRequired
|
||||
#Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
#[community-testing]
|
||||
#SigLevel = PackageRequired
|
||||
#Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
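Review bot: Removing `SigLevel = Never` from `[options]` in the `@ -45,9 +45,6 @@` hunk leaves no global SigLevel, so any repository without its own line falls back to pacman's compiled-in default, which has differed between releases; only the repositories that got an explicit `SigLevel = PackageRequired` here are pinned to the intended policy. An explicit baseline in `[options]`, e.g. `SigLevel = PackageRequired` to match the per-repository lines, makes the policy independent of the installed pacman version. A one-line comment in place of the removed one, `# Signature checking is enforced per repository below`, would also explain why the global line is gone. The same applies to the `@ -45,9 +45,6 @@` hunks of the other pacman config sections on this page.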
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,21 +69,27 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
[gnome-unstable]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,21 +69,27 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
[kde-unstable]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,40 +69,50 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
[staging]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-staging]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# If you want to run 32 bit applications on your x86_64 system,
|
||||
# enable the multilib repository here.
|
||||
# enable the multilib repositories as required here.
|
||||
[multilib-staging]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[multilib-testing]
|
||||
#SigLevel = Optional TrustAll
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[multilib]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
# tips on creating your own repositories.
|
||||
#[custom]
|
||||
#SigLevel = Optional TrustAll
|
||||
#Server = file:///home/custompkgs
|
||||
|
||||
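Review bot: The page does not show which side the `#SigLevel = Optional TrustAll` line under `[multilib-testing]` is on; if it survives on the new side next to the added `SigLevel = PackageRequired`, it reads as a stale remnant, and a commented-out weaker policy (TrustAll accepts signatures from any key) sitting directly beside the enforced one invites someone to flip them back. Delete it, or if it is meant as a documented opt-out, say so in the comment, e.g. `# SigLevel = Optional TrustAll  (only for locally built, unsigned packages)`. The same line appears under `[multilib-testing]` in the `@ -72,31 +69,38 @@` section, under `[multilib]` in the `@ -72,28 +69,39 @@` section, and in the `@ -72,29 +69,36 @@` section above the `[community]` header, where it would be parsed as part of `[community-testing]` if uncommented.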
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,31 +69,38 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
[testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# If you want to run 32 bit applications on your x86_64 system,
|
||||
# enable the multilib repository here.
|
||||
# enable the multilib repositories as required here.
|
||||
[multilib-testing]
|
||||
#SigLevel = Optional TrustAll
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[multilib]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
# tips on creating your own repositories.
|
||||
#[custom]
|
||||
#SigLevel = Optional TrustAll
|
||||
#Server = file:///home/custompkgs
|
||||
|
||||
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,28 +69,39 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
#[testing]
|
||||
#SigLevel = PackageRequired
|
||||
#Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
#[community-testing]
|
||||
#SigLevel = PackageRequired
|
||||
#Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# If you want to run 32 bit applications on your x86_64 system,
|
||||
# enable the multilib repository here.
|
||||
# enable the multilib repositories as required here.
|
||||
|
||||
#[multilib-testing]
|
||||
#SigLevel = PackageRequired
|
||||
#Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[multilib]
|
||||
#SigLevel = Optional TrustAll
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
# tips on creating your own repositories.
|
||||
#[custom]
|
||||
#SigLevel = Optional TrustAll
|
||||
#Server = file:///home/custompkgs
|
||||
|
||||
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,29 +69,36 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
[staging]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-staging]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
#SigLevel = Optional TrustAll
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
# tips on creating your own repositories.
|
||||
#[custom]
|
||||
#SigLevel = Optional TrustAll
|
||||
#Server = file:///home/custompkgs
|
||||
|
||||
|
|
|
@ -45,9 +45,6 @@ Architecture = auto
|
|||
# keyring can then be populated with the keys of all official Arch Linux
|
||||
# packagers with `pacman-key --populate archlinux`.
|
||||
|
||||
# Signature checking does not work within our chroot
|
||||
SigLevel = Never
|
||||
|
||||
#
|
||||
# REPOSITORIES
|
||||
# - can be defined here or included from another file
|
||||
|
@ -72,18 +69,23 @@ SigLevel = Never
|
|||
# after the header, and they will be used before the default mirrors.
|
||||
|
||||
[testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[core]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[extra]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community-testing]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
[community]
|
||||
SigLevel = PackageRequired
|
||||
Include = /etc/pacman.d/mirrorlist
|
||||
|
||||
# An example of a custom package repository. See the pacman manpage for
|
||||
|
|