[Piuparts-devel] Bug#1018893: support for unshare in some form

Helmut Grohne helmut at subdivi.de
Thu Sep 1 19:31:56 BST 2022


Hi Jelmer,

On Thu, Sep 01, 2022 at 03:51:19PM +0000, Jelmer Vernooij wrote:
> It would be great if piuparts supported root-less operation, ideally in a less
> complicated way than via podman+docker.
> 
> Conversation in #debian-qa suggests there are various options for building on
> top of infrastructure that's provided by other packages, e.g. sbuild,
> autopkgtest or mmdebstrap.
> 
> <josch> Jelmer, h01ger: I'd second what helmut said. With mmdebstrap you get the equivalent of "lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- /usr/sbin/chroot ./debian-rootfs /bin/bash" but without having to depend on lxc -- You can see a variant of this in the mmdebstrap man page where mmdebstrap is used as a wrapper of debootstrap to fix #829134. That way you can run debootstrap without 
> needing root: mmdebstrap --variant=custom --mode=unshare --setup-hook='env container=lxc debootstrap unstable "$1"' - debian-debootstrap.tar

Yeah, I think we're 99% there.

piuparts has a --existing-chroot option. Unfortunately, it doesn't
exactly do what we need here. It uses the given directory as a template
and tries to copy it. That is bound to fail as mmdebstrap has kindly
mounted /sys and /proc and such. It would be nice if piuparts got some
--use-existing option that would make it just use that chroot directly.

--use-existing is relatively easy to implement. I'm attaching a patch
for your convenience. I'm not sure whether this is acceptable in
piuparts. I do find the flag, its semantics and its implementation quite
suboptimal. I'd prefer if you use it as inspiration rather than
solution.

So we're doing something like piuparts --existing-chroot=...
--use-existing and this is going to be our --customize-hook for
mmdebstrap. The whole thing is not entirely trivial to assemble, but
this is how it looks:

mmdebstrap \
	--verbose \
	--mode=unshare \
	--variant=apt \
	--customize-hook='mv $1/sbin/start-stop-daemon.REAL $1/sbin/start-stop-daemon && ./piuparts --use-existing --existing-chroot=$1 .../somepackage.changes' \
	sid \
	/dev/null \
	http://deb.debian.org/debian

I suppose the most tricky part is the one about start-stop-daemon. It's
mangled by mmdebstrap for historical reasons. It's a problem, because
piuparts runs debsums and debsums doesn't like that.

So I tried this with a simple package (e.g. buffer) and it passed
completely in an entirely unprivileged way without podman.

Helmut
-------------- next part --------------
A non-text attachment was scrubbed...
Name: piuparts-use-existing.patch
Type: text/x-diff
Size: 3147 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/piuparts-devel/attachments/20220901/f017864b/attachment.patch>
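The --customize-hook one-liner above packs the start-stop-daemon fix and the piuparts invocation into a single quoted string. Here it is unpacked into a small hook script with the two steps as separate, checkable functions. This is an added example, not Helmut's attached patch and not code from piuparts or mmdebstrap; it assumes the proposed --use-existing flag from the patch, the script name piuparts-hook.sh, and that piuparts is run from the current directory as in the mail.

```shell
#!/bin/sh
# Hypothetical hook for: mmdebstrap --mode=unshare ... \
#   --customize-hook='sh piuparts-hook.sh "$1" .../somepackage.changes'
# mmdebstrap passes the chroot directory as the first argument.
set -e

# mmdebstrap parks the real start-stop-daemon under a .REAL suffix while
# hooks run. piuparts runs debsums, which then complains about the
# substitute, so put the real binary back before piuparts sees the chroot.
restore_ssd() {
    chroot_dir=$1
    if [ -e "$chroot_dir/sbin/start-stop-daemon.REAL" ]; then
        mv "$chroot_dir/sbin/start-stop-daemon.REAL" \
           "$chroot_dir/sbin/start-stop-daemon"
        echo restored
    else
        echo unchanged
    fi
}

# Sanity check: the path must be an unpacked Debian root, since with
# --use-existing piuparts works on this directory in place (no copy).
check_chroot() {
    chroot_dir=$1
    [ -d "$chroot_dir" ] && [ -x "$chroot_dir/usr/bin/dpkg" ]
}

run_piuparts() {
    chroot_dir=$1
    changes=$2
    check_chroot "$chroot_dir" || { echo "not a chroot: $chroot_dir" >&2; return 1; }
    restore_ssd "$chroot_dir" >/dev/null
    ./piuparts --use-existing --existing-chroot="$chroot_dir" "$changes"
}

# Run only when invoked with arguments (i.e. from mmdebstrap's hook).
if [ -n "${1:-}" ]; then
    run_piuparts "$1" "${2:?path to .changes file required}"
fi
```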