diskimage-builder/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
Ian Wienand 12b60c4088 Mount /sys RO
As noted inline, this works around potential issues by being a strong
indication you are in a container (e.g. [1]).  Since nothing should be
changing anything on the host/build system, this is a generically
safer way to operate.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975588

Change-Id: Ic6802c4ffc2e825f129af10717860a2d1770fe80
2021-07-05 11:45:02 +10:00

67 lines
2 KiB
Bash
Executable file

#!/bin/bash
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
# NOTE(SamYaple): Add the keyring deboostrap used if specified
if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
fi
# We should manage this in a betterer way
# Add "basic" release dist
sudo bash -c "cat << EOF >$TARGET_ROOT/etc/apt/sources.list
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE ${DIB_DEBIAN_COMPONENTS//,/ }
EOF"
# Add any extra dists
for dist in ${DIB_UBUNTU_MIRROR_DISTS//,/ } ; do
sudo bash -c "cat << EOF >>$TARGET_ROOT/etc/apt/sources.list
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-$dist ${DIB_DEBIAN_COMPONENTS//,/ }
EOF"
done
sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo
# Need to update to retrieve the signed Release file
$apt_get update
$apt_get clean
$apt_get dist-upgrade -y
to_install=""
# pre-bionic (18.04) brought this in via debootstrap, but init
# dependencies have narrowed in the container world, so now we add it
# explicitly here so it's brought in early.
if [ $DIB_RELEASE != "trusty" ] && [ $DIB_RELEASE != "xenial" ]; then
to_install+="systemd-sysv "
fi
# default required
to_install+="busybox sudo python3 " # dib-lint: safe_sudo
$apt_get install -y $to_install