diskimage-builder/diskimage_builder/elements/ubuntu-systemd-container/root.d/75-ubuntu-minimal-baseinstall
Ian Wienand 12b60c4088 Mount /sys RO
As noted inline, this works around potential issues by being a strong
indication you are in a container (e.g. [1]).  Since nothing should be
changing anything on the host/build system, this is a generically
safer way to operate.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975588

Change-Id: Ic6802c4ffc2e825f129af10717860a2d1770fe80
2021-07-05 11:45:02 +10:00

56 lines
1.8 KiB
Bash
Executable file

#!/bin/bash
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
# We should manage this in a betterer way
sudo bash -c "cat << EOF >$TARGET_ROOT/etc/apt/sources.list
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE ${DIB_DEBIAN_COMPONENTS//,/ }
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-updates ${DIB_DEBIAN_COMPONENTS//,/ }
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-backports ${DIB_DEBIAN_COMPONENTS//,/ }
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-security ${DIB_DEBIAN_COMPONENTS//,/ }
EOF"
sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo
# Need to update to retrieve the signed Release file
$apt_get update
$apt_get clean
$apt_get dist-upgrade -y
to_install=""
# pre-bionic (18.04) brought this in via debootstrap, but init
# dependencies have narrowed in the container world, so now we add it
# explicitly here so it's brought in early.
if [ $DIB_RELEASE != "trusty" ] && [ $DIB_RELEASE != "xenial" ]; then
to_install+="systemd-sysv "
fi
# default required
to_install+="sudo python3 " # dib-lint: safe_sudo
$apt_get install -y $to_install