[arch-general] How to build package in "clean chroot" using the "-U" parameter?

Discussion:

Manuel Reimer

2017-12-22 13:02:46 UTC

Hello,

I want to autobuild a set of packages. For this process, it is not
acceptable to use "sudo" as I don't want to enter some passwords and my
autobuild program also has to do some other stuff with root privileges.

The help page of "makechrootpkg" suggests, that there is an option for me:

-U Run makepkg as a specified user

But I tried this several times. So far without success.

I've copied the PKGBUILD to the /tmp directory, just to be sure it is
really readable by my build user.

Then my command was:

# makechrootpkg -c -U build -r /var/cache/PATH_TO_MY_CHROOT

This now seems to download the source files and also is validating them
against the stored MD5 sums.

But after that I get the error

==> ERROR: Running makepkg as root is not allowed as it can cause
permanent, catastrophic damage to your system.

Seems like makepkg is called once in context of my supplied "build user"
and then a second time without using the build user.

Where is my mistabe? Or is this a bug in makechrootpkg?

Thanks in advance

Manuel

Óscar García Amor

2017-12-22 13:16:33 UTC

Permalink

Post by Manuel Reimer
Hello,

Hi!

Post by Manuel Reimer
# makechrootpkg -c -U build -r /var/cache/PATH_TO_MY_CHROOT

You can do the following:

# su - user -c "command"

In this case:

# su - user -c "makechrootpkg -c -r /var/cache/PATH_TO_MY_CHROOT"

Greetings

--
Óscar García Amor | ogarcia at moire.org | http://ogarcia.me

Manuel Reimer

2017-12-22 13:20:50 UTC

Permalink

Post by Ãscar GarcÃa Amor
# su - user -c "command"
# su - user -c "makechrootpkg -c -r /var/cache/PATH_TO_MY_CHROOT"

Yes, of course, but then "makechrootpkg" at some point wants to call
"pacman" which will fail or will cause some unwanted sudo prompt to appear.

That's why I want to start with "root permissions" and only want to drop
to a less privileged user for the cases where software is built.

Óscar García Amor

2017-12-22 13:29:30 UTC

Permalink

Post by Manuel Reimer
Yes, of course, but then "makechrootpkg" at some point wants to call
"pacman" which will fail or will cause some unwanted sudo prompt to appear.

Yes, because makechrootpkg uses sudo for some operations. You can set
the NOPASSWD option in sudoers to avoid prompt the password.

--
Óscar García Amor | ogarcia at moire.org | http://ogarcia.me

Eli Schwartz via arch-general

2017-12-22 13:26:34 UTC

Permalink

Post by Manuel Reimer
Hello,
I want to autobuild a set of packages. For this process, it is not
acceptable to use "sudo" as I don't want to enter some passwords and my
autobuild program also has to do some other stuff with root privileges.
-UÂ Â Â Â Â Â Â Â Run makepkg as a specified user
But I tried this several times. So far without success.
I've copied the PKGBUILD to the /tmp directory, just to be sure it is
really readable by my build user.
# makechrootpkg -c -U build -r /var/cache/PATH_TO_MY_CHROOT
This now seems to download the source files and also is validating them
against the stored MD5 sums.
But after that I get the error
==> ERROR: Running makepkg as root is not allowed as it can cause
permanent, catastrophic damage to your system.
Seems like makepkg is called once in context of my supplied "build user"
and then a second time without using the build user.
Where is my mistabe? Or is this a bug in makechrootpkg?

AFAIK this should work fine, for its intended goal. Though I don't think
it gets a lot of testing.

makechrootpkg elevates to root if needed, using sudo. It then has to run
makepkg to update sources, *before* entering the chroot for building.
Usually it does that by sudo -u $SUDO_USER makepkg --verifysource,
however that relies on detecting the user that ran `sudo makechrootpkg`
via the SUDO_USER variable. So the -U flag can be used to specify the
user to use instead.

That is the first time the makepkg command is run. The second time, is
inside the chroot, which should automatically be run as the "builduser"
user inside a systemd-nspawn container (we don't actually use chroot).

Both times, makechrootpkg will drop privileges using sudo.

--
Eli Schwartz

Manuel Reimer

2017-12-22 13:31:40 UTC

Permalink

Post by Eli Schwartz via arch-general
AFAIK this should work fine, for its intended goal. Though I don't think
it gets a lot of testing.

Question is: What is the intended goal. I guess it is not what I want to do?

Post by Eli Schwartz via arch-general
makechrootpkg elevates to root if needed, using sudo.

... which doesn't help me.

My autobuild process runs as root. It also directly updates the chroot
which also needs root permissions so it's the best to start with "root"
and then drop privileges for the tasks that shouldn't run with root
privileges. The whole system is a dedicated build VM, so there is no
reason to not use "root" for the main purpose of this machine.

Post by Eli Schwartz via arch-general
It then has to run
makepkg to update sources, *before* entering the chroot for building.

That seems to be the one that works for me.

Post by Eli Schwartz via arch-general
That is the first time the makepkg command is run. The second time, is
inside the chroot, which should automatically be run as the "builduser"
user inside a systemd-nspawn container (we don't actually use chroot).

And this one fails. But why? Does makechrootpkg for some reason miss to
drop privileges if the "-U" parameter is used?

Manuel

Eli Schwartz via arch-general

2017-12-22 13:37:13 UTC

Permalink

Post by Manuel Reimer
My autobuild process runs as root. It also directly updates the chroot
which also needs root permissions so it's the best to start with "root"
and then drop privileges for the tasks that shouldn't run with root
privileges. The whole system is a dedicated build VM, so there is no
reason to not use "root" for the main purpose of this machine.

makechrootpkg already runs systemd-nspawn to enter the chroot and run
pacman -Syu as the root user, so this isn't strictly necessary.

Post by Manuel Reimer

And this one fails. But why? Does makechrootpkg for some reason miss to
drop privileges if the "-U" parameter is used?

The -U parameter is completely ignored in the chroot. Once sources are
downloaded, it runs systemd-nspawn to enter the chroot as root, then
runs /chrootbuild, which uses a hardcoded command:

sudo -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"

Once you enter the chroot, nothing you do should matter, unless the
chroot itself is completely damaged.

--
Eli Schwartz

Giancarlo Razzolini via arch-general

2017-12-22 14:17:50 UTC

Permalink

Post by Manuel Reimer
Question is: What is the intended goal. I guess it is not what I want to do?

Well, so far you said you want to autobuild some packages and that it MUST run
as root, with no good reason why.

There's no reason to change the way the software gets built either. It seems
to me you're trying to avoid some extra work by running everything as root.

Post by Manuel Reimer
That seems to be the one that works for me.

If you share more of what you're trying to do, and your goals, perhaps we can
help more. So far it seems like a mild XY problem.

Regards,
Giancarlo Razzolini

Manuel Reimer

2017-12-22 16:55:52 UTC

Permalink

Post by Giancarlo Razzolini via arch-general
Well, so far you said you want to autobuild some packages and that it MUST run
as root, with no good reason why.

I have a set of PKGBUILD's (around 40) and a self-made "build system":

http://repo-make.tuxfamily.org/

The autobuild system works completely without user interaction. You just
call "repo-make" and it will do *everything* that is needed to finally
have a working local repository.

This is meant to be used on a dedicated build VM and never on any
productive system.

Now my idea was to improve this process by doing every build in a chroot
environment.

So far my build system does things like installing packages directly, so
makepkg never has to do this as this would cause silly sudo password
prompts that I don't want to have in a fully automated build.

Post by Giancarlo Razzolini via arch-general
There's no reason to change the way the software gets built either. It seems
to me you're trying to avoid some extra work by running everything as root.

I want to avoid unnecessary work that is not needed on a system that is
meant only to be used to build some packages. If I ever trash this
system, I just restore the VM from a backup.

Post by Giancarlo Razzolini via arch-general
If you share more of what you're trying to do, and your goals, perhaps we can
help more. So far it seems like a mild XY problem.

I have an existing build system that I call with root permissions and
from this point on it does everything on its own. Including creating the
required build user, fetching build dependencies, building packages in
context of the build user, ...

My idea was to make use of "chroot building" to have a clean state of
packages for every build. If this is possible, I would add this. If
fully automated processing doesn't work with the existing tools, I'll
stick with my way and keep building without chroot.

Manuel

Giancarlo Razzolini via arch-general

2017-12-22 17:36:17 UTC

Permalink

Post by Manuel Reimer

Post by Giancarlo Razzolini via arch-general
Well, so far you said you want to autobuild some packages and that it MUST run
as root, with no good reason why.

http://repo-make.tuxfamily.org/
The autobuild system works completely without user interaction. You just
call "repo-make" and it will do *everything* that is needed to finally
have a working local repository.
This is meant to be used on a dedicated build VM and never on any
productive system.
Now my idea was to improve this process by doing every build in a chroot
environment.
So far my build system does things like installing packages directly, so
makepkg never has to do this as this would cause silly sudo password
prompts that I don't want to have in a fully automated build.

Now that things are a little more clear, I can tell you that, you mixes building
software, packaging software and installing it. Of the three, only the last one
(usually) requires root permissions.

Post by Manuel Reimer
I want to avoid unnecessary work that is not needed on a system that is
meant only to be used to build some packages. If I ever trash this
system, I just restore the VM from a backup.

If you build software always as root, you might mask some problems. I
personally wouldn't trust any software that cannot be built as a regular
user.

Post by Manuel Reimer
I have an existing build system that I call with root permissions and
from this point on it does everything on its own. Including creating the
required build user, fetching build dependencies, building packages in
context of the build user, ...
My idea was to make use of "chroot building" to have a clean state of
packages for every build. If this is possible, I would add this. If
fully automated processing doesn't work with the existing tools, I'll
stick with my way and keep building without chroot.

You keep saying chroot and I guess that arises from the name of the tool,
makechrootpkg. But keep in mind that you don't actually use a chroot, you
use a container. There's a difference, and it's not just semantics.

To me, it seems, that all you need is to give NOPASSWD permissions to
whatever user you choose to use on your VM. That way you would not get
any prompts and build everything with the minimal permission set possible.

Regards,
Giancarlo Razzolini

Leonid Isaev via arch-general

2017-12-22 18:01:22 UTC

Permalink

Post by Giancarlo Razzolini via arch-general

I'm sorry for an unrelated question, but why is it really necessary to make a
new container for each pkg? It seems lots of unnecessary copies (I think
rsync(1) call in makechrootpkg doesn't do hardlinks)...

I understand the issue about getting unlisted deps in packages, but in my
experience this problem is minor. So just boot a build container and ssh in
there as a non-root user (in fact, you don't even need root inside the
container). And keep it clean. At least this has worked for me for years.

Also, with newer -ARCH kernels, you can do non-privileged containers, so
makechrootpkg should run as a ordinary user to begin with...

Cheers,

--
Leonid Isaev

Giancarlo Razzolini via arch-general

2017-12-22 18:15:09 UTC

Permalink

Post by Leonid Isaev via arch-general
I'm sorry for an unrelated question, but why is it really necessary to make a
new container for each pkg? It seems lots of unnecessary copies (I think
rsync(1) call in makechrootpkg doesn't do hardlinks)...

A new container is *spawned*, not made. You don't have lots and lots of copies.

Post by Leonid Isaev via arch-general
I understand the issue about getting unlisted deps in packages, but in my
experience this problem is minor. So just boot a build container and ssh in
there as a non-root user (in fact, you don't even need root inside the
container). And keep it clean. At least this has worked for me for years.

Keep in mind that root inside a container is not equal root outside it. But
we use the build user as well inside the container.

Post by Leonid Isaev via arch-general
Also, with newer -ARCH kernels, you can do non-privileged containers, so
makechrootpkg should run as a ordinary user to begin with...

It already runs as an ordinary user. The container itself is ran as root,
but the actual build happens as the calling user.

Regards,
Giancarlo Razzolini