edd7477891
The way redhat-common's extract-image script was creating the base tarball caused file capabilities to get dropped, which meant that things like ping in RHEL 7 images was unusable for regular users. This change adds the necessary options to the tar call to maintain as many extended attributes as possible. --acls and --selinux are intentionally omitted, and the selinux xattrs are filtered out because all of those items cause issues in our chroot environment. We restore selinux attributes at the end of the build anyway so that shouldn't be a problem. bz reference: https://bugzilla.redhat.com/show_bug.cgi?id=1144149 Change-Id: Ibff99ce9bde01bc5ecf95dc3a5d3e2cebe5015b9
99 lines
3.6 KiB
Bash
Executable file
99 lines
3.6 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Intended to be called from the root.d cloud-image script as follows:
|
|
# $TMP_HOOKS_PATH/bin/extract-image $BASE_IMAGE_FILE $BASE_IMAGE_TAR $IMAGE_LOCATION $CACHED_IMAGE
|
|
|
|
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
BASE_IMAGE_FILE=$1
|
|
BASE_IMAGE_TAR=$2
|
|
IMAGE_LOCATION=$3
|
|
CACHED_IMAGE=$4
|
|
|
|
CACHED_TAR=$DIB_IMAGE_CACHE/$BASE_IMAGE_TAR
|
|
DIB_LOCAL_IMAGE=${DIB_LOCAL_IMAGE:-""}
|
|
TAR_LOCK=$CACHED_TAR.lock
|
|
|
|
function extract_image() {
|
|
if [ -n "$DIB_OFFLINE" -a -f "$CACHED_TAR" ] ; then
|
|
echo "Not checking freshness of cached $CACHED_TAR."
|
|
else
|
|
if [ -z "$DIB_LOCAL_IMAGE" ]; then
|
|
echo "Fetching Base Image"
|
|
|
|
# There seems to be some bad Fedora mirrors returning http 404's for the cloud image.
|
|
# If the image fails to download due to a 404 we retry once.
|
|
set +e
|
|
$TMP_HOOKS_PATH/bin/cache-url $IMAGE_LOCATION $CACHED_IMAGE
|
|
RV=$?
|
|
set -e
|
|
|
|
if [ "$RV" == "44" ] ; then
|
|
$TMP_HOOKS_PATH/bin/cache-url $IMAGE_LOCATION $CACHED_IMAGE
|
|
elif [ "$RV" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f $CACHED_TAR -o \
|
|
$CACHED_IMAGE -nt $CACHED_TAR ] ; then
|
|
echo "Repacking base image as tarball."
|
|
|
|
WORKING=$(mktemp --tmpdir=${TMP_DIR:-/tmp} -d)
|
|
EACTION="rm -r $WORKING"
|
|
trap "$EACTION" EXIT
|
|
echo "Working in $WORKING"
|
|
|
|
RAW_FILE=$(basename $BASE_IMAGE_FILE)
|
|
RAW_FILE=${RAW_FILE%.qcow2}.raw
|
|
|
|
qemu-img convert -f qcow2 -O raw $CACHED_IMAGE $WORKING/$RAW_FILE
|
|
|
|
ROOT_PARTITON=p1
|
|
|
|
# kpartx fails if no /dev/loop* exists, "losetup -f" prints first unused
|
|
# loop device and creates it if it doesn't exist
|
|
sudo losetup -f
|
|
|
|
# XXX: Parsing stdout is dangerous, would like a better way to discover
|
|
# the device used for the image.
|
|
ROOT_LOOPDEV=$(sudo kpartx -av $WORKING/$RAW_FILE | \
|
|
awk "/loop[0-9]+$ROOT_PARTITON/ {print \$3}")
|
|
if ! timeout 5 sh -c "while ! [ -e /dev/mapper/$ROOT_LOOPDEV ]; do sleep 1; done"; then
|
|
echo "Error: Could not find /dev/mapper/$ROOT_LOOPDEV"
|
|
exit 1
|
|
fi
|
|
EACTION="sudo kpartx -d $WORKING/$RAW_FILE ; $EACTION"
|
|
trap "$EACTION" EXIT
|
|
mkdir $WORKING/mnt
|
|
sudo mount /dev/mapper/$ROOT_LOOPDEV $WORKING/mnt
|
|
EACTION="sudo umount -f $WORKING/mnt ; $EACTION"
|
|
trap "$EACTION" EXIT
|
|
|
|
# Chroot in so that we get the correct uid/gid
|
|
sudo chroot $WORKING/mnt bin/tar --xattrs --xattrs-include='*' --xattrs-exclude='security.selinux' -cz . > $WORKING/tmp.tar
|
|
mv $WORKING/tmp.tar $CACHED_TAR
|
|
else
|
|
echo "Using cached tar from $CACHED_TAR"
|
|
fi
|
|
fi
|
|
|
|
# Extract the base image (use --numeric-owner to avoid UID/GID mismatch between
|
|
# image tarball and host OS e.g. when building Fedora image on an openSUSE host)
|
|
# Include all xattrs except selinux because the selinux ones cause issues in our
|
|
# chroot environment, and we restore all of those at the end of the build anyway.
|
|
echo "Extracting base root image from $CACHED_TAR"
|
|
sudo tar -C $TARGET_ROOT --numeric-owner --xattrs --xattrs-include='*' --xattrs-exclude='security.selinux' -xzf $CACHED_TAR
|
|
}
|
|
|
|
(
|
|
echo "Getting $TAR_LOCK: $(date)"
|
|
# Wait up to 20 minutes for another process to download
|
|
if ! flock -w 1200 9 ; then
|
|
echo "Did not get $TAR_LOCK: $(date)"
|
|
exit 1
|
|
fi
|
|
extract_image
|
|
) 9> $TAR_LOCK
|