Replace devtools functionality#1155
Conversation
|
The changes look good. To allow for a transition period, perhaps make it |
|
With the last commit I think I've made the whole I agree with renaming it into aur chroot standalone (I'll do it as a last step to simplify reviewing the diffs). I'd like your input on:
|
|
|
Aside deciding how to deal with AUR_PACMAN_AUTH I think the PR is approaching its final shape. Example: instead of $AUR_PACMAN_AUTH systemd-nspawn -D "$directory"/root pacman-key --init
$AUR_PACMAN_AUTH systemd-nspawn -D "$directory"/root pacman-key --populate
# XXX: use localedef to generate locales directly (without nspawn)
$AUR_PACMAN_AUTH systemd-nspawn -D "$directory"/root locale-genwe could have $AUR_PACMAN_AUTH systemd-nspawn -D "$directory"/root /aur-chroot-helper setupIt could also simplify the namcap implementation uglyness I did to keep it in one line :D Thoughts? |
|
That sounds reasonable. In line with the other naming, I'd call it |
|
I went for a slightly different solution inspired once again by makechrootpkg: I don't think there's anything left, I plan to restore the old chroot and rename this one into chroot--standalone pending your approval. |
|
|
|
|
||
| # allow makepkg_user to install packages (e.g. --syncdeps) | ||
| tee "$directory/root/etc/sudoers.d/makepkg_user" \ | ||
| < <(printf '%q ALL = NOPASSWD: /usr/bin/pacman' "$makepkg_user") \ |
There was a problem hiding this comment.
%q is a form of encoding that produces strings according to bash rather than sudo. The User grammar for sudo doesn't allow single quotes but uses similar mechanism for escaping problem characters:
Consider the sudoers manual:
User_List ::= User |
User ',' User_List
User ::= '!'* user name |
'!'* #user-ID |
'!'* %group |
'!'* %#group-ID |
'!'* +netgroup |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
'!'* User_Alias
[...]
A user name, user-ID, group, group-ID, netgroup, nonunix_group or
nonunix_gid may be enclosed in double quotes to avoid the need for es‐
caping special characters. Alternately, special characters may be spec‐
ified in escaped hex mode, e.g., \x20 for space. When using double
quotes, any prefix characters must be included inside the quotes.
[...]
Quotes around group names are optional. Unquoted strings must use a
backslash (‘\’) to escape spaces and special characters. See “Other
special characters and reserved words” for a list of characters that
need to be escaped.
Here quotes are " which %q won't use, but it might use \. So I would be careful about mixing encoding schemes and making sure they accord to one another.
(N.B. sudoers doesn't seem to say how to handle " inside a quoted string, whether \" or closing, escaping and re-opening is needed ("\""))
There was a problem hiding this comment.
thanks for taking the time to explain this!
|
Could you rebase this to one commit for |
chrooti
force-pushed
the
standalone-aur-chroot
branch
from
a74512b to
3ce08a3
Compare
|
I made one extra for aur-sync, hopefully it's alright. |
|
@AladW sorry for pinging but I see you have answered issues and opened a PR... are you still interested in merging this? |
|
I'm still interested, I just got some deadlines that prevent me from looking into more complex PRs. Will give it a look in the next week or two. |
| } | ||
|
|
||
| auth_cmd() { | ||
| ${AUR_PACMAN_AUTH:-sudo --preserve-env} "$@" |
There was a problem hiding this comment.
I think a blanket --preserve-env is too coarse, e.g. the pacman commands to update the database do not require this (and this change would thus break existing sudoers rules.) I'd stick to ${AUR_PACMAN_AUTH:-sudo} and leave the --preserve-env stuff to aur-chroot.
There was a problem hiding this comment.
I'm not follwoing: aur build is the one calling aur chroot and has some prior infrastructure to call various commands with an auth_cmd. Once I call it with sudo without --preserve-env I can't do anything to get the envvars back.
I see a few ways of doing what you suggest:
- not calling aur chroot with sudo and having a separate logic to sudo only the relevant commands. This is what I did in my first implementation, and you suggested to change it. I'm fine with changing it again, however.
- adding a separate
auth_cmd_chrootfunction and the respective envvar insideaur build
Any third option I haven't thought about?
There was a problem hiding this comment.
The discussion you linked mentions check_root in aur-chroot to reexec, but it seems that's no longer part of the script?
| --pkgver) | ||
| run_pkgver=1; makepkg_args+=(--noextract) | ||
| chroot_build_args+=(--margs '--holdver') ;; | ||
| run_pkgver=1; makepkg_args+=(--noextract) ;; |
There was a problem hiding this comment.
This change and those in lines 150, 166 will break the semantics of the existing aur-chroot, which does not allow specifying arbitrary makepkg arguments with --.
This was done to preserve the meaning of -- for end-of-options, e.g. to specify additional packages the user wants to install: see #807.
aur-chroot--standalone also uses --margs, though, but does not pass on makepkg_args to the actual makepkg command.
There was a problem hiding this comment.
I thought you didn't particularly like the --margs interface with the comma as separator and it felt like a good moment for breaking changes, more so because there is still --create/--update to add more packages to the environment.
Just put a thumbs up and I'll do what you asked, no biggie.
There was a problem hiding this comment.
The challenge is when combining --build with --create / --update. Then the additional arguments could be both makepkg arguments, and package names. With the end-of-options approach, to pass on additional packages to be installed in the chroot you'd need an additional flag like --extra-packages. Since that approach gives some special meaning for -- when --margs doesn't, I think --margs is preferable overall.
| chroot_args+=(--temp) ;; | ||
| # makepkg options (common) | ||
| -A|--ignorearch|--ignore-arch) | ||
| chroot_build_args+=(--ignorearch) |
| -L|--log) | ||
| makepkg_args+=(--log) ;; | ||
| --nocheck|--no-check) | ||
| chroot_build_args+=(--nocheck) |
| # Therefore they do not need to be updated a second time with makepkg | ||
| # --verifysource in makechrootpkg. | ||
| if (( chroot )) && (( run_pkgver )); then | ||
| makepkg_args+=(--holdver) |
There was a problem hiding this comment.
--margs '--holdver', see L129. Alternatively aur-chroot could include a --holdver flag.
| # # XXX: allow setting machine-id from host (and provide default) to enable .nspawn file usage | ||
| systemd-firstboot --root="$directory"/root --copy-locale --copy-timezone --setup-machine-id | ||
|
|
||
| pacman -Sy "${base_packages[@]}" \ |
There was a problem hiding this comment.
I would put the pacman -Sy arguments on one line here
| ) | ||
|
|
||
| # create makepkg_user | ||
| systemd-sysusers --root "$directory"/root --replace=/usr/lib/sysusers.d/build.conf - \ |
There was a problem hiding this comment.
Maybe it makes sense to use a second helper for the --build step, or overwrite (>) the contents. As it stands, the commands added for the --create and --update steps would be run a second time when both --build and --create / --update are specified.
|
|
||
| # create makepkg_user | ||
| systemd-sysusers --root "$directory"/root --replace=/usr/lib/sysusers.d/build.conf - \ | ||
| < <(printf 'u %s %s "makepkg user" /build /bin/bash\n' "$makepkg_user" "$AUR_CHROOT_UID") |
There was a problem hiding this comment.
AUR_CHROOT_UID seems like a good idea, but as written this relies on it being set by the caller, i.e. aur-build. When running aur-chroot on its own, the value is empty. I don't know if this is handled implicitly by systemd-sysusers, or if some explicit value should be set.
There was a problem hiding this comment.
as long as we call aur chroot with sudo externally this needs to be passed, and I think the safest approach is just to raise if this variable doesn't exist. What do you think?
There was a problem hiding this comment.
Let's return to this then after solving #1155 (review)
| < <(printf 'u %s %s "makepkg user" /build /bin/bash\n' "$makepkg_user" "$AUR_CHROOT_UID") | ||
|
|
||
| # allow makepkg_user to install packages (e.g. --syncdeps) | ||
| tee "$directory/root/etc/sudoers.d/makepkg_user" \ |
There was a problem hiding this comment.
cat also expands shell arguments:
cat <<EOF >"$directory/root/etc/sudoers.d/makepkg_user"
$makepkg_user ALL = NOPASSWD: /usr/bin/pacman
EOFThere was a problem hiding this comment.
I just disliked the weird indentation and it seemed a useless use of cat, but it's a matter of taste. I'll change it.
| 1> /dev/null | ||
| chmod 440 "$directory/root/etc/sudoers.d/makepkg_user" | ||
|
|
||
| printf 'makepkg %s || exit\n' "${*@Q}" >> "$directory"/root/aur-chroot--helper |
There was a problem hiding this comment.
${makepkg_args[@]} instead of ${*@Q}
|
My responses are still delayed, sorry about that. I still hope to see this in v20. |
|
Superseded by #1179. |
3 participants
This is an attempt at solving (part of) #909.
This PR takes inspiration from the branch linked in the issue and a few arch projects to replace devtools with pure systemd-nspawn.
A few things: