[Piuparts-devel] Bug#767485: [PATCH] Support new scripts directive 'post_chroot_unpack'

Michael Prokop mika at debian.org
Fri Oct 31 12:13:26 UTC 2014

The chroot gets updated via 'apt-get update;  apt-get -yf
dist-upgrade' after the tarball was extracted. This is necessary
to make sure the chroot is up2date before it gets snapshotted
(see #356678).  If the underlying chroot of the tarball was
(de)bootstrapped from a repository with a custom key (therefore
requiring either --keyring=... or (worse) --no-check-gpg to
debootstrap) it usually still doesn't include this key though.
Therefore 'apt-get update' will complain about it and the following
dist-upgrade actually does nothing:

| After purging files have been modified: /usr/share/doc/perl/changelog.Debian.gz owned by: perl-base

| 0m0.0s DEBUG: Unpacking /var/cache/pbuilder/base-wheezy-amd64.tgz into /tmp/tmpx5wqQb
| 0m0.0s DEBUG: Starting command: ['tar', '-C', '/tmp/tmpx5wqQb', '-zxf', '/var/cache/pbuilder/base-wheezy-amd64.tgz']
| 0m2.0s DEBUG: Command ok: ['tar', '-C', '/tmp/tmpx5wqQb', '-zxf', '/var/cache/pbuilder/base-wheezy-amd64.tgz']
| 0m2.0s DEBUG: Starting command: ['chroot', '/tmp/tmpx5wqQb', 'mount', '-t', 'proc', 'proc', '/proc']
| 0m2.0s DEBUG: Command ok: ['chroot', '/tmp/tmpx5wqQb', 'mount', '-t', 'proc', 'proc', '/proc']
| 0m2.0s DEBUG: sources.list:
|   deb http://debian.example.com/debian wheezy main
|   deb http://debian.example.com/debian wheezy contrib
|   deb http://debian.example.com/debian wheezy non-free
| 0m2.0s DEBUG: Created policy-rc.d and chmodded it.
| 0m2.0s DEBUG: Starting command: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', 'update']
| 0m7.3s DUMP:
|   Get:1 http://debian.example.com wheezy Release.gpg [198 B]
|   Get:2 http://debian.example.com wheezy Release [5918 B]
|   Err http://debian.example.com wheezy Release
|   Fetched 6116 B in 0s (245 kB/s)
|   Reading package lists...
|   W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debian.example.com wheezy Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 123456789424242F
|   W: Failed to fetch http://debian.example.com/debian/dists/wheezy/Release
|   W: Some index files failed to download. They have been ignored, or old ones used instead.
| 0m7.3s DEBUG: Command ok: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', 'update']
| 0m7.3s DEBUG: Starting command: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', '-yf', 'dist-upgrade']
| 0m7.7s DUMP:
|   Reading package lists...
|   Building dependency tree...
|   0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
| 0m7.7s DEBUG: Command ok: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', '-yf', 'dist-upgrade']
| 0m7.7s DEBUG: Copying scriptsdir /tmp/piuparts-tests/scripts/ to /tmp/tmpx5wqQb/tmp/scripts/

As a result you might have different checksums reported in the
piuparts run. For example, if your chroot tarball uses perl-base of
Debian 7.6 but Debian 7.7 ships an updated perl-base package
nowadays you'll get:

| After purging files have been modified: /usr/share/doc/perl/changelog.Debian.gz owned by: perl-base

To make sure the dist-upgrade step doesn't fail we need a way to
install a custom key for apt usage *after* the unpacking of the
chroot but *before* the actual dist-upgrade. This is what the
post_chroot_unpack stage provides.

Thanks: Sipwise GmbH for sponsoring my development time
 README.txt                                                    |  3 +++
 .../scripts-unused-examples/post_chroot_unpack_key_setup.sh   |  9 +++++++++
 piuparts.py                                                   | 11 ++++++++---
 3 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 custom-scripts/scripts-unused-examples/post_chroot_unpack_key_setup.sh

diff --git a/README.txt b/README.txt
index 37faf2e..9c7e4d8 100644
--- a/README.txt
+++ b/README.txt
@@ -213,6 +213,9 @@ PIUPARTS_DISTRIBUTION.
 The following prefixes for scripts are recognized:
+'post_chroot_unpack' - after the chroot has been unpacked/debootrapped.
+Before the chroot gets updated/dist-upgraded initially.
 'post_setup_' - after the *setup* of the chroot is finished.
 Before metadata of the chroot is recorded for later comparison.
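
Review bot: 'debootrapped' in the first added README line should read 'debootstrapped'. The entry would also be more useful if it said why the stage exists: these scripts run before the initial dist-upgrade so that apt keys or sources can be adjusted first, which is the use case the commit message describes but the two added lines do not mention.
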
diff --git a/custom-scripts/scripts-unused-examples/post_chroot_unpack_key_setup.sh b/custom-scripts/scripts-unused-examples/post_chroot_unpack_key_setup.sh
new file mode 100644
index 0000000..06f1f96
--- /dev/null
+++ b/custom-scripts/scripts-unused-examples/post_chroot_unpack_key_setup.sh
@@ -0,0 +1,9 @@
+# we rely on wget being available, make sure to use "--include=wget" in your deboostrap cmdline
+echo "Setting up https://example.com/internal_key.asc for apt-get usage."
+wget -O - 'https://example.com/internal_key.asc' | apt-key add -
+echo "Running apt-get update to have a verified and working Debian repository available."
+apt-get update
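
Review bot: the 'wget -O - ... | apt-key add -' line trusts whatever the URL returns and does not notice a failed download. The visible lines contain no 'set -e' and no check of wget's exit status, so if the fetch fails the script still continues to 'apt-get update', which, as the log in the commit message shows, only warns about NO_PUBKEY and is reported as ok. Suggest downloading to a file, checking the exit status, and comparing the key's fingerprint with an expected value before adding it, or shipping the key file next to the script. Also, 'deboostrap' in the first comment should be 'debootstrap'.
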
diff --git a/piuparts.py b/piuparts.py
index de349ff..5053044 100644
--- a/piuparts.py
+++ b/piuparts.py
@@ -706,9 +706,6 @@ class Chroot:
-        if settings.basetgz or settings.schroot:
-            self.run(["apt-get", "-yf", "dist-upgrade"])
-        self.minimize()
         # Copy scripts dirs into the chroot, merging all dirs together,
         # later files overwriting earlier ones.
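
Review bot: only the dist-upgrade and minimize() calls leave this position, so the 'apt-get update' that the commit message's log shows running before the scripts directory is copied still happens before any post_chroot_unpack script, and still ends with the NO_PUBKEY warning. Please note in a comment here or in README.txt that a hook which installs a key must re-run 'apt-get update' itself, as the example script does; otherwise the relocated dist-upgrade works from the same stale indexes.
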
@@ -724,6 +721,14 @@ class Chroot:
                             and os.path.isfile(os.path.join(sdir, sfile)):
                         shutil.copy(os.path.join(sdir, sfile), dest)
+        # Run custom scripts after chroot has been unpacked/debootstrapped
+        # Useful for adjusting apt configuration e.g. for internal mirror usage
+        self.run_scripts("post_chroot_unpack")
+        if settings.basetgz or settings.schroot:
+            self.run(["apt-get", "-yf", "dist-upgrade"])
+        self.minimize()
         # Run custom scripts after creating the chroot.
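
Review bot: self.run_scripts("post_chroot_unpack") passes the prefix without a trailing underscore, while README.txt documents the existing prefix as 'post_setup_'. If run_scripts selects files by prefix, please pass "post_chroot_unpack_" for consistency, or document why this stage differs. The call also sits outside the 'if settings.basetgz or settings.schroot:' test, so it runs for every chroot; that matches the README wording, but the code comment could say so explicitly.
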

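Added example (not part of the original message or of piuparts): a Python checker that scans a piuparts log for 'apt-get update' runs logged as "Command ok" although apt could not verify the Release signature, which is the silent failure shown in the log above. The sample log is abridged from the one quoted in the message; the function name unverified_updates is hypothetical.

```python
import ast
import re

# Abridged from the piuparts log quoted in the message (wrapped line joined).
SAMPLE_LOG = """\
0m2.0s DEBUG: Starting command: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', 'update']
0m7.3s DUMP:
  Get:1 http://debian.example.com wheezy Release.gpg [198 B]
  Err http://debian.example.com wheezy Release
  W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debian.example.com wheezy Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 123456789424242F
  W: Failed to fetch http://debian.example.com/debian/dists/wheezy/Release
0m7.3s DEBUG: Command ok: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', 'update']
0m7.3s DEBUG: Starting command: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', '-yf', 'dist-upgrade']
0m7.7s DUMP:
  Reading package lists...
  0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
0m7.7s DEBUG: Command ok: ['chroot', '/tmp/tmpx5wqQb', 'apt-get', '-yf', 'dist-upgrade']
"""

START = re.compile(r"DEBUG: Starting command: (\[.*\])$")
NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-F]{16})")

def unverified_updates(log_text):
    """Return one finding per 'apt-get update' that was logged as ok although
    apt reported a GPG error or a missing public key in its output."""
    findings, cmd, output = [], None, []
    for line in log_text.splitlines():
        line = line.lstrip("| ")  # tolerate the "| " quoting used in the mail
        m = START.search(line)
        if m:
            # literal_eval only parses the logged list, it never executes code
            cmd, output = ast.literal_eval(m.group(1)), []
            continue
        if cmd is None:
            continue
        if "DEBUG: Command ok:" in line:
            if cmd[-2:] == ["apt-get", "update"]:
                text = "\n".join(output)
                keys = sorted(set(NO_PUBKEY.findall(text)))
                if keys or "GPG error:" in text:
                    findings.append({"chroot": cmd[1], "missing_keys": keys})
            cmd = None
            continue
        output.append(line)
    return findings

if __name__ == "__main__":
    print(unverified_updates(SAMPLE_LOG))
```

Running it against a full piuparts log gives a quick signal that the chroot was compared against stale package indexes, before the checksum mismatches are investigated.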