From eebcd76feb474a15d82896cde9096e5884899018 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro Date: Sun, 10 Apr 2022 06:20:00 -0300 Subject: [PATCH 1/4] lxc-debian: allow using a custom keyring This makes it possible to create containers for unofficial architectures such as the ones on ports.debian.org, by specifying a custom mirror and its associated keyring. Signed-off-by: Antonio Terceiro --- templates/lxc-debian.in | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 50aa787..d98af0b 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -42,6 +42,8 @@ LOCALSTATEDIR="@LOCALSTATEDIR@" LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" # Allows the lxc-cache directory to be set by environment variable LXC_CACHE_PATH=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"} +DEBIAN_ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg +KEYRING=${KEYRING:-${DEBIAN_ARCHIVE_KEYRING}} DOWNLOAD_KEYRING=${DOWNLOAD_KEYRING:-1} find_interpreter() @@ -387,13 +389,13 @@ apt-transport-https mkdir -p "$cache" # If debian-archive-keyring isn't installed, fetch GPG keys directly - releasekeyring=/usr/share/keyrings/debian-archive-keyring.gpg + releasekeyring=${KEYRING} lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg if [ -f "$releasekeyring" ]; then apt_gpg_opt="--keyring=${releasekeyring}" elif [ -f "$lreleasekeyring" ]; then apt_gpg_opt="--keyring=${lreleasekeyring}" - elif [ "$DOWNLOAD_KEYRING" = 1 ]; then + elif [ ${releasekeyring}" = "${DEBIAN_ARCHIVE_KEYRING} -a "$DOWNLOAD_KEYRING" = 1 ]; then [ ! -d "/etc/apt/trusted.gpg.d" ] && lreleasekeyring="$cache/archive-key.gpg" if [[ "$(id -u)" == "0" ]]; then case $release in 
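Review bot: The new `elif` test in the keyring hunk is mis-quoted: the opening quote comes after `${releasekeyring}`, so the shell builds one word `<keyring> = <default>` and test sees `[ STRING -a "$DOWNLOAD_KEYRING" = 1 ]`, which is true whenever DOWNLOAD_KEYRING=1 regardless of which keyring was requested. The intended "only fetch Debian's keys when the default keyring is in use" guard is therefore dead, and a `--keyring` path that does not exist on the host appears to fall through to downloading the official archive key rather than the trust root the user asked for (a path containing spaces also breaks the unquoted expansion outright). Write it as `elif [ "${releasekeyring}" = "${DEBIAN_ARCHIVE_KEYRING}" ] && [ "$DOWNLOAD_KEYRING" = 1 ]; then` and, before it, fail loudly with `elif [ "${releasekeyring}" != "${DEBIAN_ARCHIVE_KEYRING}" ]; then echo "keyring ${releasekeyring} not found" >&2; exit 1` so a missing custom keyring can never silently swap trust roots. The remainder of this `if` chain, including what happens when DOWNLOAD_KEYRING is not 1, lies outside the hunk.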
@@ -660,6 +662,7 @@ Template specific options can be passed to lxc-create after a '--' like this: Usage: $1 -h|--help -p|--path= [-c|--clean] [-a|--arch=] [-r|--release=] [--mirror=] [--security-mirror=] + [--keyring=] [--package=] [-I|--interpreter-path=] [-F | --flush-cache] [-S|--auth-key=] @@ -675,6 +678,8 @@ Options : Defaults to current stable. --mirror=MIRROR Debian mirror to use during installation. Overrides the MIRROR environment variable (see below). + --keyring=KEYRING GPG keyring to authenticate the repository against. + Overrides the KEYRING environment variable (see below). --security-mirror=SECURITY_MIRROR Debian mirror to use for security updates. Overrides the SECURITY_MIRROR environment variable (see below). @@ -692,6 +697,7 @@ Environment variables: Defaults to '$MIRROR' SECURITY_MIRROR The Debian package security mirror to use. See also the --security-mirror switch above. Defaults to '$SECURITY_MIRROR' + KEYRING Defaults to '$DEBIAN_ARCHIVE_KEYRING' DOWNLOAD_KEYRING Sets whether to download keyring when missing or ignore keyring checks Defaults to 1 @@ -699,7 +705,7 @@ EOF return 0 } -options=$(getopt -o hp:n:a:r:cI:FS: -l arch:,auth-key:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@") +options=$(getopt -o hp:n:a:r:cI:FS: -l arch:,auth-key:,clean,help,enable-non-free,mirror:keyring:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@") if [ $? -ne 0 ]; then usage "$(basename "$0")" exit 1 @@ -743,6 +749,7 @@ do -c|--clean) clean=1; shift 1;; --enable-non-free) mainonly=0; shift 1;; --mirror) MIRROR=$2; shift 2;; + --keyring) KEYRING=$2; shift 2;; -n|--name) name=$2; shift 2;; --packages) packages=$2; shift 2;; -p|--path) path=$2; shift 2;; From 5479240fbd29aef33b12e23367457a053fe8c5ca Mon Sep 17 00:00:00 2001 
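Review bot: The long-option list passed to `getopt` is missing a comma: `mirror:keyring:` declares one long option named `mirror:keyring` instead of two, so `--keyring=` is rejected as unrecognized and the script exits through `usage`; the `--keyring)` case arm added in the next hunk is never reached and the only working way to supply a keyring is the KEYRING environment variable. `--mirror` keeps working only because util-linux getopt accepts an unambiguous prefix of a long option name. The fix is `mirror:,keyring:,name:` in the `-l` string; the `eval set -- "$options"` that consumes this list is outside the hunk.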
From: Antonio Terceiro Date: Sun, 10 Apr 2022 06:20:05 -0300 Subject: [PATCH 2/4] lxc-debian: support unnoficial architectures out of the box When trying to create containers for unnoficial Debian architectures, use different defaults for mirror and keyring, install debian-ports-archive-keyring, and default release to unstable. This way one can create containers for unnoficial architectures without having to pass several extra parameters. Signed-off-by: Antonio Terceiro --- templates/lxc-debian.in | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index d98af0b..5af040a 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -36,13 +36,16 @@ done export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin export GREP_OPTIONS="" -MIRROR=${MIRROR:-http://deb.debian.org/debian} +DEBIAN_MIRROR=http://deb.debian.org/debian +DEBIAN_PORTS_MIRROR=${MIRROR:-http://deb.debian.org/debian-ports} +MIRROR=${MIRROR:-${DEBIAN_MIRROR}} SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.debian.org/} LOCALSTATEDIR="@LOCALSTATEDIR@" LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" # Allows the lxc-cache directory to be set by environment variable LXC_CACHE_PATH=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"} DEBIAN_ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg +DEBIAN_PORTS_ARCHIVE_KEYRING=/usr/share/keyrings/debian-ports-archive-keyring.gpg KEYRING=${KEYRING:-${DEBIAN_ARCHIVE_KEYRING}} DOWNLOAD_KEYRING=${DOWNLOAD_KEYRING:-1} @@ -733,6 +736,7 @@ elif [ "$arch" = "mips64" -a "$littleendian" = "yes" ]; then arch="mips64el" fi hostarch=$arch +packages= mainonly=1 flushcache=0 
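Review bot: `DEBIAN_PORTS_MIRROR=${MIRROR:-http://deb.debian.org/debian-ports}` defaults from the wrong variable: whenever MIRROR is set in the environment the ports mirror becomes that same URL, so the ports mirror cannot be overridden independently, and if MIRROR is set to exactly the default Debian URL the later debian-ports switch (`MIRROR="${DEBIAN_PORTS_MIRROR}"` in a following hunk) reassigns the main mirror while still swapping KEYRING to the ports keyring, leaving mirror and trust root mismatched. Use a literal, `DEBIAN_PORTS_MIRROR=http://deb.debian.org/debian-ports`, or a dedicated `${DEBIAN_PORTS_MIRROR:-http://deb.debian.org/debian-ports}` and document it next to MIRROR in the usage text. All three mirrors remain plain http://, which is acceptable only because apt verifies the Release signature against the keyring, so nothing downstream may relax that check.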
@@ -774,6 +778,21 @@ if [ "$arch" = "x86_64" ]; then arch=amd64 fi + +testing_release_file=${DEBIAN_MIRROR}/dists/testing/main/binary-${arch}/Release +if ! wget -q -O /dev/null "${testing_release_file}"; then + echo "${arch} does not look like a release architecture, trying debian ports" + # non-release architecture; assume debian-ports architecture + if [ "${MIRROR}" = "${DEBIAN_MIRROR}" ]; then + MIRROR="${DEBIAN_PORTS_MIRROR}" + fi + if [ "${KEYRING}" = "${DEBIAN_ARCHIVE_KEYRING}" ]; then + KEYRING="${DEBIAN_PORTS_ARCHIVE_KEYRING}" + fi + packages="debian-ports-archive-keyring,${packages}" + release="${release:-unstable}" +fi + if [ "$interpreter" = "" ] ; then if [ $hostarch = "i386" -a $arch = "amd64" ]; then echo "can't create $arch container on $hostarch" From 4b041f1d18798ada808abea5ecf0eb2a4c7670c7 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro Date: Sun, 10 Apr 2022 06:20:14 -0300 Subject: [PATCH 3/4] configure.ac: generate lxc-* as executable This allows them to be executed directly, and symlinked from /usr/share/lxc/templates/ to the build directory for easier testing with a system-installed lxc. Signed-off-by: Antonio Terceiro --- configure.ac | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index fbabc94..fc3c074 100644 --- a/configure.ac +++ b/configure.ac @@ -214,7 +214,9 @@ AC_CONFIG_FILES([ templates/lxc-sparclinux templates/lxc-voidlinux templates/lxc-sabayon -]) + ], + if test "${ac_file##templates/lxc-}" != "${ac_file}"; then chmod +x $ac_file; fi +) AC_CONFIG_COMMANDS([default],[[]],[[]]) AC_OUTPUT From 56a2d30c4144047e000e6d126546565d1753df3f Mon Sep 17 00:00:00 2001 
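Review bot: The `wget -q -O /dev/null "${testing_release_file}"` probe treats every failure — DNS error, proxy refusal, an offline build host, a captive portal — the same as a 404, and on that basis silently switches the mirror, the keyring and the default release to debian-ports/unstable, so a transient network problem changes which trust root the container is bootstrapped against. The probe is also an unauthenticated plain-HTTP request, so an on-path attacker can force the fallback by answering 404, although the signature check against the chosen keyring limits what is gained. Distinguish a server-side "not found" (wget exit status 8) from connectivity failures and abort on the latter instead of guessing; the three reassignments inside the fallback are kept as they are.
```shell
testing_release_file=${DEBIAN_MIRROR}/dists/testing/main/binary-${arch}/Release
probe_rc=0
wget -q -O /dev/null "${testing_release_file}" || probe_rc=$?
case "${probe_rc}" in
    0)  ;;  # release architecture: keep the default mirror and keyring
    8)  echo "${arch} does not look like a release architecture, trying debian ports"
        # … unchanged: switch MIRROR, KEYRING, packages and release to debian-ports …
        ;;
    *)  echo "could not query ${DEBIAN_MIRROR} (wget exit ${probe_rc}); refusing to guess mirror and keyring for ${arch}" >&2
        exit 1
        ;;
esac
```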
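Review bot: `chmod +x $ac_file` leaves the expansion unquoted inside a command that config.status runs for every generated file; quote it as `chmod +x "$ac_file"` so a path with unusual characters cannot be split. The `${ac_file##templates/lxc-}` prefix strip is POSIX and fine under a plain /bin/sh.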
From: Antonio Terceiro Date: Sun, 10 Apr 2022 06:20:18 -0300 Subject: [PATCH 4/4] lxc-debian: avoid installing unauthenticated packages --force-yes is deprecated, and is a shortcut for --allow-unauthenticated, --allow-downgrades, --allow-remove-essential, --allow-change-held-packages. --allow-unauthenticated is the only likely to be needed here, so instead of allowing unauthenticated packages, copy any custom keyring used inside the rootfs so any packages we need to install are properly authenticated. The common case is debian-ports-archive-keyring. Signed-off-by: Antonio Terceiro --- templates/lxc-debian.in | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 5af040a..060e4dd 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -267,9 +267,9 @@ install_packages() { local rootfs="$1"; shift local packages="$*" - + if [ -n "${packages}" ] && apt_update_packages; then - chroot "${rootfs}" apt-get install --force-yes -y --no-install-recommends ${packages} + chroot "${rootfs}" apt-get install -y --no-install-recommends ${packages} elif [ -n "${packages}" ]; then echo "Apt update failed, not downloading packages" fi @@ -614,6 +614,13 @@ EOF write_sourceslist "${rootfs}" "${release}" fi + # Copy non-standard keyring inside rootfs + local extra_keyring + extra_keyring="${rootfs}/etc/apt/trusted.gpg.d/lxc-create-$(basename "${KEYRING}")" + if [ "${KEYRING}" != "${DEBIAN_ARCHIVE_KEYRING}" ]; then + cp "${KEYRING}" "${extra_keyring}" + fi + # Install Packages in container if [ -n "${packages}" ]; then local pack_list
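Review bot: `cp "${KEYRING}" "${extra_keyring}"` is unchecked and lands in trusted.gpg.d, where apt only loads fragments named *.gpg or *.asc: a keyring passed as, say, `/path/ports-keys` is copied and then silently ignored, and a missing source file just prints cp's error and carries on, so the later `install_packages` fails closed with an opaque NO_PUBKEY rather than a clear message. cp also preserves the source mode, and apt may skip a keyring that is not readable by the `_apt` user, so the copy should be installed 0644 explicitly. Note too that anything in trusted.gpg.d is trusted for every source in the container, not only the custom mirror; scoping it with `Signed-By` in the sources entry would be tighter but touches write_sourceslist, which is outside this hunk. The `return 1` below assumes callers check this function's status, which cannot be confirmed from the hunk; the enclosing function starts outside it.
```shell
    # Copy non-standard keyring inside rootfs
    local extra_keyring
    extra_keyring="${rootfs}/etc/apt/trusted.gpg.d/lxc-create-$(basename "${KEYRING}")"
    if [ "${KEYRING}" != "${DEBIAN_ARCHIVE_KEYRING}" ]; then
        case "${KEYRING}" in
            *.gpg|*.asc) ;;
            *) echo "keyring ${KEYRING} must be named *.gpg or *.asc for apt to load it" >&2; return 1 ;;
        esac
        # apt ignores keyrings it cannot read; force 0644 regardless of the source file's mode
        install -m 0644 "${KEYRING}" "${extra_keyring}" || { echo "failed to copy ${KEYRING} into ${rootfs}" >&2; return 1; }
    fi
```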