Add a rootless bootstrap mode using bubblewrap
Set up a bubblewrap sandbox suitable for bootstrap. Since bubblewrap can operate without root permissions when user namespaces are allowed, this effectively adds a rootless bootstrap mode.
This commit is contained in:
parent
8330ab4504
commit
1e67477ff2
|
@ -23,13 +23,15 @@ Get me started!
|
||||||
installed.
|
installed.
|
||||||
|
|
||||||
a. Alternatively, run ``./rootfs.py --chroot`` to run it in a chroot.
|
a. Alternatively, run ``./rootfs.py --chroot`` to run it in a chroot.
|
||||||
b. Alternatively, run ``./rootfs.py`` but don’t run the actual
|
b. Alternatively, run ``./rootfs.py --bwrap`` to run it in a bubblewrap
|
||||||
|
sandbox. When user namespaces are supported, this mode is rootless.
|
||||||
|
c. Alternatively, run ``./rootfs.py`` but don’t run the actual
|
||||||
virtualization and instead copy sysa/tmp/initramfs to a USB or
|
virtualization and instead copy sysa/tmp/initramfs to a USB or
|
||||||
some other device and boot from bare metal. NOTE: we now require
|
some other device and boot from bare metal. NOTE: we now require
|
||||||
a hard drive. This is currently hardcoded as sda. You also need
|
a hard drive. This is currently hardcoded as sda. You also need
|
||||||
to put ``sysc/tmp/disk.img`` onto your sda on the bootstrapping
|
to put ``sysc/tmp/disk.img`` onto your sda on the bootstrapping
|
||||||
machine.
|
machine.
|
||||||
c. Alternatively, do not use python at all, see "Python-less build"
|
d. Alternatively, do not use python at all, see "Python-less build"
|
||||||
below.
|
below.
|
||||||
|
|
||||||
5. Wait.
|
5. Wait.
|
||||||
|
|
39
rootfs.py
39
rootfs.py
|
@ -7,6 +7,7 @@ you can run bootstap inside chroot.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
# SPDX-FileCopyrightText: 2022 Dor Askayo <dor.askayo@gmail.com>
|
||||||
# SPDX-FileCopyrightText: 2021 Andrius Štikonas <andrius@stikonas.eu>
|
# SPDX-FileCopyrightText: 2021 Andrius Štikonas <andrius@stikonas.eu>
|
||||||
# SPDX-FileCopyrightText: 2021 Bastian Bittorf <bb@npl.de>
|
# SPDX-FileCopyrightText: 2021 Bastian Bittorf <bb@npl.de>
|
||||||
# SPDX-FileCopyrightText: 2021 Melg Eight <public.melg8@gmail.com>
|
# SPDX-FileCopyrightText: 2021 Melg Eight <public.melg8@gmail.com>
|
||||||
|
@ -30,7 +31,7 @@ def create_configuration_file(args):
|
||||||
config_path = os.path.join('sysa', 'bootstrap.cfg')
|
config_path = os.path.join('sysa', 'bootstrap.cfg')
|
||||||
with open(config_path, "w", encoding="utf_8") as config:
|
with open(config_path, "w", encoding="utf_8") as config:
|
||||||
config.write("FORCE_TIMESTAMPS=" + str(args.force_timestamps) + "\n")
|
config.write("FORCE_TIMESTAMPS=" + str(args.force_timestamps) + "\n")
|
||||||
config.write("CHROOT=" + str(args.chroot) + "\n")
|
config.write("CHROOT=" + str(args.chroot or args.bwrap) + "\n")
|
||||||
config.write("UPDATE_CHECKSUMS=" + str(args.update_checksums) + "\n")
|
config.write("UPDATE_CHECKSUMS=" + str(args.update_checksums) + "\n")
|
||||||
config.write("DISK=sda1\n")
|
config.write("DISK=sda1\n")
|
||||||
|
|
||||||
|
@ -45,6 +46,8 @@ def main():
|
||||||
default="x86")
|
default="x86")
|
||||||
parser.add_argument("-c", "--chroot", help="Run inside chroot",
|
parser.add_argument("-c", "--chroot", help="Run inside chroot",
|
||||||
action="store_true")
|
action="store_true")
|
||||||
|
parser.add_argument("-bw", "--bwrap", help="Run inside a bwrap sandbox",
|
||||||
|
action="store_true")
|
||||||
parser.add_argument("-p", "--preserve", help="Do not remove temporary dir",
|
parser.add_argument("-p", "--preserve", help="Do not remove temporary dir",
|
||||||
action="store_true")
|
action="store_true")
|
||||||
parser.add_argument("-t", "--tmpdir", help="Temporary directory")
|
parser.add_argument("-t", "--tmpdir", help="Temporary directory")
|
||||||
|
@ -81,6 +84,8 @@ def main():
|
||||||
count += 1
|
count += 1
|
||||||
if args.chroot:
|
if args.chroot:
|
||||||
count += 1
|
count += 1
|
||||||
|
if args.bwrap:
|
||||||
|
count += 1
|
||||||
if args.minikernel:
|
if args.minikernel:
|
||||||
count += 1
|
count += 1
|
||||||
if args.bare_metal:
|
if args.bare_metal:
|
||||||
|
@ -139,6 +144,38 @@ print(shutil.which('chroot'))
|
||||||
init = os.path.join(os.sep, 'bootstrap-seeds', 'POSIX', arch, 'kaem-optional-seed')
|
init = os.path.join(os.sep, 'bootstrap-seeds', 'POSIX', arch, 'kaem-optional-seed')
|
||||||
run('sudo', 'env', '-i', 'PATH=/bin', chroot_binary, system_a.tmp_dir, init)
|
run('sudo', 'env', '-i', 'PATH=/bin', chroot_binary, system_a.tmp_dir, init)
|
||||||
|
|
||||||
|
elif args.bwrap:
|
||||||
|
system_c.prepare(mount_tmpfs=False,
|
||||||
|
create_disk_image=False)
|
||||||
|
system_a.prepare(mount_tmpfs=False,
|
||||||
|
copy_sysc=True,
|
||||||
|
create_initramfs=False)
|
||||||
|
|
||||||
|
# sysa
|
||||||
|
arch = stage0_arch_map.get(args.arch, args.arch)
|
||||||
|
init = os.path.join(os.sep, 'bootstrap-seeds', 'POSIX', arch, 'kaem-optional-seed')
|
||||||
|
run('bwrap', '--unshare-user',
|
||||||
|
'--uid', '0',
|
||||||
|
'--gid', '0',
|
||||||
|
'--cap-add', 'CAP_SYS_CHROOT', # Required for chroot from sysa to sysc
|
||||||
|
'--clearenv',
|
||||||
|
'--setenv', 'PATH', '/usr/bin',
|
||||||
|
'--bind', system_a.tmp_dir, '/',
|
||||||
|
'--dir', '/dev',
|
||||||
|
'--dev-bind', '/dev/null', '/dev/null',
|
||||||
|
'--dev-bind', '/dev/zero', '/dev/zero',
|
||||||
|
'--dev-bind', '/dev/random', '/dev/random',
|
||||||
|
'--dev-bind', '/dev/urandom', '/dev/urandom',
|
||||||
|
'--dir', '/sysc/dev',
|
||||||
|
'--dev-bind', '/dev/null', '/sysc/dev/null',
|
||||||
|
'--dev-bind', '/dev/zero', '/sysc/dev/zero',
|
||||||
|
'--dev-bind', '/dev/random', '/sysc/dev/random',
|
||||||
|
'--dev-bind', '/dev/urandom', '/sysc/dev/urandom',
|
||||||
|
'--proc', '/sysc/proc',
|
||||||
|
'--bind', '/sys', '/sysc/sys',
|
||||||
|
'--tmpfs', '/sysc/tmp',
|
||||||
|
init)
|
||||||
|
|
||||||
elif args.minikernel:
|
elif args.minikernel:
|
||||||
if os.path.isdir('kritis-linux'):
|
if os.path.isdir('kritis-linux'):
|
||||||
shutil.rmtree('kritis-linux')
|
shutil.rmtree('kritis-linux')
|
||||||
|
|
Loading…
Reference in New Issue