diskimage-builder/diskimage_builder/elements/zypper-minimal/root.d/08-zypper-chroot
Ian Wienand 12b60c4088 Mount /sys RO
As noted inline, this works around potential issues by being a strong
indication you are in a container (e.g. [1]).  Since nothing should be
changing anything on the host/build system, this is a generically
safer way to operate.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975588

Change-Id: Ic6802c4ffc2e825f129af10717860a2d1770fe80
2021-07-05 11:45:02 +10:00


#!/bin/bash
#
# Copyright 2016 SUSE Linux GmbH
# Copyright 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# dib-lint: disable=safe_sudo
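# Trace every command when the caller asked for it via DIB_DEBUG_TRACE.
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
  set -x
fi
# Abort on any error, on an unset variable and on a failing pipeline
# stage: every step below changes the target root under sudo, so a
# silently ignored failure would leave a half-built image behind.
set -eu
set -o pipefail
# Shared diskimage-builder helpers; mount_dev_pts_options is used below.
# Quoted so that an unusual $_LIB path cannot split or glob.
source "$_LIB/common-functions"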
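#######################################
# EXIT handler: undo every mount made by this script so nothing stays
# mounted inside the target root or on the zypper cache directory.
# Mounts are released innermost first (dev/pts before dev).
# Globals:   TARGET_ROOT, TMP_MOUNT_PATH (read)
# Arguments: none
# Returns:   status of the last umount
#######################################
cleanup() {
  # All paths are quoted so a target root containing whitespace is
  # unmounted rather than a different path.
  # NOTE(review): set -e appears to still be in effect in the trap, so a
  # failing umount would stop the remaining ones; order kept as before.
  sudo umount "$TARGET_ROOT/proc"
  sudo umount "$TARGET_ROOT/dev/pts"
  sudo umount "$TARGET_ROOT/dev"
  sudo umount "$TARGET_ROOT/sys"
  sudo umount "$TMP_MOUNT_PATH/var/cache/zypp"
}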
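# Unmount everything on any exit path, including an error under set -e.
trap cleanup EXIT

# Options shared by every zypper call below.  Kept as a plain string on
# purpose: callers expand it unquoted so it splits into separate words.
# --gpg-auto-import-keys accepts whatever signing key a repository
# offers, so package integrity rests on the mirror behind
# DIB_DISTRIBUTION_MIRROR being trustworthy (the default is https).
ZYPPER_TARGET_OPTS="--non-interactive --gpg-auto-import-keys --root $TARGET_ROOT"
# Package name of the system python; older Leap releases override it.
ZYPPER_INSTALL_SYSTEM_PYTHON="python3"
DIB_DISTRIBUTION_MIRROR=${DIB_DISTRIBUTION_MIRROR:-https://download.opensuse.org}

# Whitespace-separated list of "name=>uri" entries.  The caller may
# supply the whole list through DIB_ZYPPER_REPOS; otherwise it is
# derived from DIB_RELEASE.
ZYPPER_REPOS=${DIB_ZYPPER_REPOS:-''}
if [ -z "${ZYPPER_REPOS}" ] ; then
  case "${DIB_RELEASE}" in
    # Old Leap releases
    42*)
      ZYPPER_REPOS="update=>${DIB_DISTRIBUTION_MIRROR}/update/leap/${DIB_RELEASE}/oss/ "
      ZYPPER_REPOS+="oss=>${DIB_DISTRIBUTION_MIRROR}/distribution/leap/${DIB_RELEASE}/repo/oss/"
      ZYPPER_INSTALL_SYSTEM_PYTHON="python"
      ;;
    # New Leap releases
    15*)
      ZYPPER_REPOS="update=>${DIB_DISTRIBUTION_MIRROR}/update/leap/${DIB_RELEASE}/oss/ "
      ZYPPER_REPOS+="oss=>${DIB_DISTRIBUTION_MIRROR}/distribution/leap/${DIB_RELEASE}/repo/oss/"
      ;;
    # Tumbleweed
    tumbleweed)
      ZYPPER_REPOS="update=>${DIB_DISTRIBUTION_MIRROR}/update/${DIB_RELEASE}/ "
      ZYPPER_REPOS+="oss=>${DIB_DISTRIBUTION_MIRROR}/${DIB_RELEASE}/repo/oss/"
      ;;
    *)
      # Diagnostics belong on stderr so they are not mistaken for output.
      echo "Unsupported openSUSE release: ${DIB_RELEASE}" >&2
      exit 1
      ;;
  esac
fi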
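# Register each repository in the target root.  ZYPPER_REPOS is a
# whitespace-separated list of name=>uri pairs, so the unquoted
# expansion (word splitting) is intentional here.
for repo in ${ZYPPER_REPOS}; do
  reponame="repo-${repo%%=>*}"
  repouri="${repo##*=>}"
  # Refresh all repos in TW and only the update one for the stable ones.
  # This will ensure that we always get the latest information from the repo.
  refresh_repo=""
  if [[ "${DIB_RELEASE}" == tumbleweed || "${reponame}" == "repo-update" ]]; then
    refresh_repo="-f"
  fi
  # The name and URI are quoted: an unquoted URI with '?' or '*' in it
  # would be subject to pathname expansion.  ZYPPER_TARGET_OPTS is a word
  # list and stays unquoted; refresh_repo is passed only when non-empty.
  # shellcheck disable=SC2086
  sudo zypper ${ZYPPER_TARGET_OPTS} addrepo --name "${reponame}" --keep-packages \
    ${refresh_repo:+"${refresh_repo}"} "${repouri}" "${reponame}"
done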
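# It appears that zypper will clean up the repo's cache when it (re-)adds the
# repo so we need to add the cache now, once the repos are added. This is
# similar to what the zypper/50-zypper-cache script does
ZYPPER_CACHE_DIR="$DIB_IMAGE_CACHE/zypper"
mkdir -p "$ZYPPER_CACHE_DIR"
sudo mkdir -p "$TMP_MOUNT_PATH/var/cache/zypp"
sudo mount --bind "$ZYPPER_CACHE_DIR" "$TMP_MOUNT_PATH/var/cache/zypp"

# Refresh it so we get updated data in case we switched DIB_RELEASE
# since last run.
# shellcheck disable=SC2086  # ZYPPER_TARGET_OPTS is a word list
sudo zypper ${ZYPPER_TARGET_OPTS} refresh

# Note this is not usually done for root.d elements (see
# lib/common-functions:mount_proc_dev_sys) but it's important that
# we have things like /dev/urandom around inside the chroot for
# the rpm [pre|post]inst scripts within the packages.
sudo mkdir -p "$TARGET_ROOT/proc" "$TARGET_ROOT/dev" "$TARGET_ROOT/sys"
sudo mount -t proc none "$TARGET_ROOT/proc"
# The host's /dev is bind-mounted read-write, so package scriptlets
# (which run as root via sudo) see the real device nodes.
sudo mount --bind /dev "$TARGET_ROOT/dev"
# mount_dev_pts_options (from common-functions) is expected to emit
# the mount option words, so it is deliberately left unquoted.
# shellcheck disable=SC2046
sudo mount -t devpts $(mount_dev_pts_options) devpts "$TARGET_ROOT/dev/pts"
# /sys is mounted read-only: nothing run inside the chroot should be
# able to change host kernel state through sysfs, and a read-only /sys
# is also a common indication to software that it runs in a container.
sudo mount -o ro -t sysfs none "$TARGET_ROOT/sys"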
# Bootstrap packages, installed one at a time and before the base set,
# each with --no-recommends so the busybox-* alternatives are not chosen:
#   filesystem - base directory layout
#   grep       - busybox-grep would conflict with the later rsync install
#   gzip       - busybox-gzip would conflict with the later info install
#   xz         - busybox-xz, see
#                https://bugzilla.opensuse.org/show_bug.cgi?id=1172209
for bootstrap_pkg in filesystem grep gzip xz; do
  # shellcheck disable=SC2086  # ZYPPER_TARGET_OPTS is a word list
  sudo zypper ${ZYPPER_TARGET_OPTS} install --no-recommends "$bootstrap_pkg"
done

# Basic components, in order: the requested patterns, the system python,
# zypper itself, sudo and the CA bundle.  DIB_OPENSUSE_PATTERNS is a word
# list and is expanded unquoted on purpose.
# shellcheck disable=SC2086
sudo zypper ${ZYPPER_TARGET_OPTS} install \
  ${DIB_OPENSUSE_PATTERNS} "${ZYPPER_INSTALL_SYSTEM_PYTHON}" \
  zypper sudo ca-certificates-mozilla
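# Remove the installed symlink, otherwise we wipe the resolv.conf
# outside the target_root (as the link is not relative).
if [ -L "$TARGET_ROOT/etc/resolv.conf" ]; then
  sudo rm -f "$TARGET_ROOT/etc/resolv.conf"
fi
# Put in a dummy /etc/resolv.conf over the temporary one we used
# to bootstrap. systemd has a bug/feature [1] that it will assume
# you want systemd-networkd as the network manager and create a
# broken symlink to /run/... if the base image doesn't have one.
# This broken link confuses things like dhclient.
# [1] https://bugzilla.redhat.com/show_bug.cgi?id=1197204
# printf instead of "echo -e": same bytes (note the trailing blank
# line), without echo's non-portable escape handling.  tee still copies
# the content to stdout, which ends up in the build log.
printf '# This file intentionally left blank\n\n' \
  | sudo tee "$TARGET_ROOT/etc/resolv.conf"

# set the most reliable UTF-8 locale
default_lang="C.UTF-8"
sudo sed -i -e "s,^RC_LANG=.*,RC_LANG=\"$default_lang\"," \
  "$TARGET_ROOT/etc/sysconfig/language"
printf 'LANG="%s"\n' "$default_lang" \
  | sudo tee "$TARGET_ROOT/etc/locale.conf"

# default to UTC; done inside the chroot so the link is created relative
# to the image root rather than the host's filesystem.
sudo chroot "$TARGET_ROOT" ln -sf /usr/share/zoneinfo/Etc/UTC \
  /etc/localtime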
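# RPM doesn't know whether files have been changed since install
# At this point though, we know for certain that we have changed no
# config files, so anything marked .rpmnew is just a bug.
# Paths are read NUL-delimited so names containing whitespace survive,
# and the suffix is stripped with a literal match: the previous
# "sed 's/.rpmnew$//'" left the dot unescaped, so a name ending in
# "rpmnew" without the dot lost its preceding character as well.
while IFS= read -r -d '' newfile; do
  sudo mv -- "$newfile" "${newfile%.rpmnew}"
done < <(sudo find "$TARGET_ROOT" -type f -name '*.rpmnew' -print0)
# Unmounting of all the mount points is handled by the cleanup EXIT
# handler so there is nothing else to do here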