From 549681f6e217d6e713afb943d571afda83542a2f Mon Sep 17 00:00:00 2001
From: Serge Schneider
Date: Tue, 8 Nov 2022 11:28:18 +0000
Subject: [PATCH 1/2] Updates to avoid common pitfalls when changing the RELEASE variable

Fixes #635, fixes #645, fixes #632
---
 README.md | 13 ++++++++-----
 build.sh | 2 +-
 stage0/prerun.sh | 5 +++++
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 05230cf..35f2c98 100644
--- a/README.md
+++ b/README.md
@@ -27,10 +27,10 @@ Getting started is as simple as cloning this repository on your build machine. Y
 can do so with:
 ```bash
-git clone --depth 1 https://github.com/RPI-Distro/pi-gen.git
+git clone https://github.com/RPI-Distro/pi-gen.git
 ```
-Using `--depth 1` with `git clone` will create a shallow clone, only containing
+`--depth 1` can be added afer `git clone` to create a shallow clone, only containing
 the latest revision of the repository. Do not do this on your development machine. Also, be careful to clone the repository to a base path **NOT** containing spaces.
@@ -80,8 +80,11 @@ The following environment variables are supported:
 * `RELEASE` (Default: bullseye)
- The release version to build images against. Valid values are jessie, stretch,
- buster, bullseye, and testing.
+ The release version to build images against. Valid values are any supported
+ Debian release. However, since different releases will have different sets of
+ packages available, you'll need to either modify your stages accordingly, or
+ checkout the appropriate branch. For example, if you'd like to build a
+ `buster` image, you should do so from the `buster` branch.
 * `APT_PROXY` (Default: unset)
@@ -489,7 +492,7 @@ A 64 bit image can be generated from the `arm64` branch in this repository. Just
 replace the command from [this section](#getting-started-with-building-your-images) by the one below, and follow the rest of the documentation:
 ```bash
-git clone --depth 1 --branch arm64 https://github.com/RPI-Distro/pi-gen.git
+git clone --branch arm64 https://github.com/RPI-Distro/pi-gen.git
 ```
 If you want to generate a 64 bits image from a Raspberry Pi running a 32 bits
diff --git a/build.sh b/build.sh
index ea96633..8966bc7 100755
--- a/build.sh
+++ b/build.sh
@@ -226,7 +226,7 @@ export TARGET_HOSTNAME=${TARGET_HOSTNAME:-raspberrypi}
 export FIRST_USER_NAME=${FIRST_USER_NAME:-pi}
 export FIRST_USER_PASS
 export DISABLE_FIRST_BOOT_USER_RENAME=${DISABLE_FIRST_BOOT_USER_RENAME:-0}
-export RELEASE=${RELEASE:-bullseye}
+export RELEASE=${RELEASE:-bullseye} # Don't forget to update stage0/prerun.sh
 export WPA_ESSID
 export WPA_PASSWORD
 export WPA_COUNTRY
diff --git a/stage0/prerun.sh b/stage0/prerun.sh
index d4dd0a1..024d369 100755
--- a/stage0/prerun.sh
+++ b/stage0/prerun.sh
@@ -1,5 +1,10 @@
 #!/bin/bash -e
+if [ "$RELEASE" != "bullseye" ]; then
+ echo "WARNING: RELEASE does not match the intended option for this branch."
+ echo " Please check the relevant README.md section."
+fi
+
 if [ ! -d "${ROOTFS_DIR}" ] || [ "${USE_QCOW2}" = "1" ]; then
 bootstrap ${RELEASE} "${ROOTFS_DIR}" http://raspbian.raspberrypi.org/raspbian/
 fi

From c3083ecd503629eac5184ec692f65bbbd28ac317 Mon Sep 17 00:00:00 2001
From: Serge Schneider
Date: Tue, 8 Nov 2022 12:04:09 +0000
Subject: [PATCH 2/2] Add parameter to keep cap_setfcap

Fixes #643
---
 README.md | 7 +++++++
 build.sh | 4 ++++
 scripts/common | 4 ++--
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 35f2c98..d7beb1f 100644
--- a/README.md
+++ b/README.md
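Review bot: The new RELEASE check in stage0/prerun.sh prints its warning to stdout with plain `echo`, so it is easy to miss in a long or captured build log, and the script then continues into `bootstrap` regardless. Sending both lines to stderr, e.g. `echo "WARNING: RELEASE does not match the intended option for this branch." >&2`, keeps the message visible when stdout is redirected. The literal `"bullseye"` duplicates the default in build.sh, which the comment added there points out from that side only; a comment above the `if` such as `# Keep in sync with the RELEASE default in build.sh` would make the coupling visible from this file too.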
@@ -215,6 +215,13 @@ The following environment variables are supported:
 public key authentication. Note that if SSH is not enabled this will take effect when SSH becomes enabled.
+ * `SETFCAP` (Default: unset)
+
+ * Setting to `1` will prevent pi-gen from dropping the "capabilities"
+ feature. Generating the root filesystem with capabilities enabled and running
+ it from a filesystem that does not support capabilities (like NFS) can cause
+ issues. Only enable this if you understand what it is.
+
 * `STAGE_LIST` (Default: `stage*`)
 If set, then instead of working through the numeric stages in order, this list will be followed. For example setting to `"stage0 stage1 mystage stage2"` will run the contents of `mystage` before stage2. Note that quotes are needed around the list. An absolute or relative path can be given for stages outside the pi-gen directory.
diff --git a/build.sh b/build.sh
index 8966bc7..986f81c 100755
--- a/build.sh
+++ b/build.sh
@@ -283,6 +283,10 @@ fi
 export NO_PRERUN_QCOW2="${NO_PRERUN_QCOW2:-1}"
+if [ "$SETFCAP" != "1" ]; then
+ export CAPSH_ARG="--drop=cap_setfcap"
+fi
+
 dependencies_check "${BASE_DIR}/depends"
 #check username is valid
diff --git a/scripts/common b/scripts/common
index e476f0f..14be1c2 100644
--- a/scripts/common
+++ b/scripts/common
@@ -17,7 +17,7 @@ bootstrap(){
 BOOTSTRAP_ARGS+=("$@")
 printf -v BOOTSTRAP_STR '%q ' "${BOOTSTRAP_ARGS[@]}"
- setarch linux32 capsh --drop=cap_setfcap -- -c "'${BOOTSTRAP_CMD}' $BOOTSTRAP_STR" || true
+ setarch linux32 capsh $CAPSH_ARG -- -c "'${BOOTSTRAP_CMD}' $BOOTSTRAP_STR" || true
 if [ -d "$2/debootstrap" ] && ! rmdir "$2/debootstrap"; then
 cp "$2/debootstrap/debootstrap.log" "${STAGE_WORK_DIR}"
@@ -90,7 +90,7 @@ on_chroot() {
 mount --bind /sys "${ROOTFS_DIR}/sys"
 fi
- setarch linux32 capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e "$@"
+ setarch linux32 capsh $CAPSH_ARG "--chroot=${ROOTFS_DIR}/" -- -e "$@"
 }
 export -f on_chroot
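Review bot: `CAPSH_ARG` is assigned only in the `SETFCAP != 1` branch of the build.sh hunk, so with `SETFCAP=1` whatever value `CAPSH_ARG` already carries in the caller's environment is kept and later expanded on the `capsh` command line in scripts/common. Initialising it on every path, for example `export CAPSH_ARG=""` immediately before the `if`, makes the outcome depend on `SETFCAP` alone. `SETFCAP` is also read without a default, unlike the neighbouring `NO_PRERUN_QCOW2="${NO_PRERUN_QCOW2:-1}"`; testing `"${SETFCAP:-0}"` would keep the check safe if the script is ever run with `set -u`, which this hunk does not show either way.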
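Review bot: The `cap_setfcap` drop in `bootstrap` now depends on `CAPSH_ARG` being present in the environment, so any caller that reaches it without build.sh having exported the variable runs `capsh` with the capability kept, whereas the old hard-coded `--drop=cap_setfcap` could not be lost; the same applies to the `on_chroot` hunk, a function that is exported with `export -f`. The expansion is unquoted in both places, so the value is word-split and glob-expanded before `capsh` sees it; `${CAPSH_ARG:+"$CAPSH_ARG"}` passes exactly one argument when the variable is non-empty and none otherwise. If the unquoted form is intentional, a comment such as `# CAPSH_ARG is left unquoted on purpose: empty means cap_setfcap is kept` would document it. Both function bodies begin and end outside the hunks shown.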