#!/bin/bash
# License: GNU GPLv2
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
m4_include(lib/common.sh)
shopt -s nullglob
init_variables() {
default_makepkg_args=(-s --noconfirm -L --holdver)
makepkg_args=("${default_makepkg_args[@]}")
repack=false
update_first=false
clean_first=false
install_pkg=
run_namcap=false
temp_chroot=false
chrootdir=
passeddir=
declare -a install_pkgs
declare -i ret=0
bindmounts_ro=()
bindmounts_rw=()
copy=$USER
[[ -n ${SUDO_USER:-} ]] && copy=$SUDO_USER
[[ -z "$copy" || $copy = root ]] && copy=copy
src_owner=${SUDO_USER:-$USER}
}
usage() {
echo "Usage: ${0##*/} [options] -r <chrootdir> [--] [makepkg args]"
echo ' Run this script in a PKGBUILD dir to build a package inside a'
echo ' clean chroot. Arguments passed to this script after the'
echo ' end-of-options marker (--) will be passed to makepkg.'
echo ''
echo ' The chroot dir consists of the following directories:'
echo ' <chrootdir>/{root, copy} but only "root" is required'
echo ' by default. The working copy will be created as needed'
echo ''
echo 'The chroot "root" directory must be created via the following'
echo 'command:'
echo ' mkarchroot <chrootdir>/root base-devel'
echo ''
echo "Default makepkg args: ${default_makepkg_args[*]}"
echo ''
echo 'Flags:'
echo '-h This help'
echo '-c Clean the chroot before building'
echo '-d <dir> Bind directory into build chroot as read-write'
echo '-D <dir> Bind directory into build chroot as read-only'
echo '-u Update the working copy of the chroot before building'
echo ' This is useful for rebuilds without dirtying the pristine'
echo ' chroot'
echo '-r <dir> The chroot dir to use'
echo '-I <pkg> Install a package into the working copy of the chroot'
echo '-l <copy> The directory to use as the working copy of the chroot'
echo ' Useful for maintaining multiple copies'
echo " Default: $copy"
echo '-n Run namcap on the package'
echo '-T Build in a temporary directory'
exit 1
}
# {{{ functions
# Usage: load_vars $makepkg_conf
# Globals:
# - SRCDEST
# - SRCPKGDEST
# - PKGDEST
# - LOGDEST
# - MAKEFLAGS
# - PACKAGER
load_vars() {
local makepkg_conf="$1" var
[[ -f $makepkg_conf ]] || return 1
for var in {SRC,SRCPKG,PKG,LOG}DEST MAKEFLAGS PACKAGER; do
[[ -z ${!var:-} ]] && eval $(grep "^${var}=" "$makepkg_conf")
done
return 0
}
# Usage: btrfs_subvolume_id $SUBVOLUME
btrfs_subvolume_id() (
set -o pipefail
LC_ALL=C btrfs subvolume show "$1" | sed -n 's/^\tSubvolume ID:\s*//p'
)
# Usage: btrfs_subvolume_list_all $FILEPATH
#
# Given $FILEPATH somewhere on a mounted btrfs filesystem, print the
# ID and full path of every subvolume on the filesystem, one per line
# in the format "$ID $PATH".
btrfs_subvolume_list_all() (
set -o pipefail
local mountpoint
mountpoint="$(df --output=target "$1" | sed 1d)" || return $?
LC_ALL=C btrfs subvolume list -a "$mountpoint" | sed -r 's|^ID ([0-9]+) .* path (<FS_TREE>/)?(\S*).*|\1 \3|'
)
# Usage: btrfs_subvolume_list $SUBVOLUME
#
# Assuming that $SUBVOLUME is a btrfs subvolume, list all child
# subvolumes; from most deeply nested to most shallowly nested.
#
# This is intended to be a sane version of `btrfs subvolume list`.
btrfs_subvolume_list() {
local subvolume=$1
local id all path subpath
id="$(btrfs_subvolume_id "$subvolume")" || return $?
all="$(btrfs_subvolume_list_all "$subvolume")" || return $?
path="$(sed -n "s/^$id //p" <<<"$all")"
while read -r id subpath; do
if [[ "$subpath" = "$path"/* ]]; then
printf '%s\n' "${subpath#"${path}/"}"
fi
done <<<"$all" | LC_ALL=C sort --reverse
}
# Usage: btrfs_subvolume_delete $SUBVOLUME
#
# Assuming that $SUBVOLUME is a btrfs subvolume, delete it and all
# subvolumes below it.
#
# This is intended to be a recursive version of
# `btrfs subvolume delete`.
btrfs_subvolume_delete() {
local dir="$1"
local subvolumes subvolume
subvolumes=($(btrfs_subvolume_list "$dir")) || return $?
for subvolume in "${subvolumes[@]}"; do
btrfs subvolume delete "$dir/$subvolume" || return $?
done
btrfs subvolume delete "$dir"
}
# Usage: sync_chroot $CHROOTDIR/$CHROOT <$CHROOTCOPY|$copydir>
sync_chroot() {
local chrootdir=$1
local copy=$2
local copydir=''
if [[ ${copy:0:1} = / ]]; then
copydir=$copy
else
copydir="$chrootdir/$copy"
fi
if [[ "$chrootdir/root" -ef "$copydir" ]]; then
error 'Cannot sync copy with itself: %s' "$copydir"
return 1
fi
# Detect chrootdir filesystem type
local chroottype=$(stat -f -c %T "$chrootdir")
# Get a read lock on the root chroot to make
# sure we don't clone a half-updated chroot
slock 8 "$chrootdir/root.lock" \
"Locking clean chroot [%s]" "$chrootdir/root"
stat_busy "Synchronizing chroot copy [%s] -> [%s]" "$chrootdir/root" "$copydir"
if [[ "$chroottype" == btrfs ]] && ! mountpoint -q "$copydir"; then
if [[ -d $copydir ]]; then
btrfs_subvolume_delete "$copydir" >/dev/null ||
die "Unable to delete subvolume %s" "$copydir"
fi
btrfs subvolume snapshot "$chrootdir/root" "$copydir" >/dev/null ||
die "Unable to create subvolume %s" "$copydir"
else
mkdir -p "$copydir"
rsync -a --delete -q -W -x "$chrootdir/root/" "$copydir"
fi
stat_done
# Drop the read lock again
lock_close 8
# Update mtime
touch "$copydir"
}
# Usage: delete_chroot $copydir
delete_chroot() {
local copydir=$1
# Detect chrootdir filesystem type
local chroottype=$(stat -f -c %T "$copydir")
stat_busy "Removing chroot copy [%s]" "$copydir"
if [[ "$chroottype" == btrfs ]] && ! mountpoint -q "$copydir"; then
btrfs_subvolume_delete "$copydir" >/dev/null ||
die "Unable to delete subvolume %s" "$copydir"
else
# avoid change of filesystem in case of an umount failure
rm --recursive --force --one-file-system "$copydir" ||
die "Unable to delete %s" "$copydir"
fi
# remove lock file
rm -f "$copydir.lock"
stat_done
}
# Usage: install_packages $copydir $pkgs...
install_packages() {
local copydir=$1
local install_pkgs=("${@:2}")
declare -i ret=0
local pkgname
local install_pkg
for install_pkg in "${install_pkgs[@]}"; do
pkgname="${install_pkg##*/}"
cp "$install_pkg" "$copydir/$pkgname"
arch-nspawn "$copydir" \
"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
pacman -U /$pkgname --noconfirm
(( ret += !! $? ))
rm "$copydir/$pkgname"
done
return $ret
}
# Usage: prepare_chroot $copydir $HOME $repack $run_namcap
# Globals:
# - MAKEFLAGS
# - PACKAGER
prepare_chroot() {
local copydir=$1
local USER_HOME=$2
local repack=$3
local run_namcap=$4
$repack || rm -rf "$copydir/build"
mkdir -p "$copydir/build"
if ! grep -q 'BUILDDIR="/build"' "$copydir/etc/makepkg.conf"; then
echo 'BUILDDIR="/build"' >> "$copydir/etc/makepkg.conf"
fi
# Read .makepkg.conf and gnupg pubring
if [[ -r $USER_HOME/.gnupg/pubring.kbx ]]; then
install -D "$USER_HOME/.gnupg/pubring.kbx" "$copydir/build/.gnupg/pubring.kbx"
fi
if [[ -r $USER_HOME/.gnupg/pubring.gpg ]]; then
install -D "$USER_HOME/.gnupg/pubring.gpg" "$copydir/build/.gnupg/pubring.gpg"
fi
mkdir -p "$copydir/pkgdest"
if ! grep -q 'PKGDEST="/pkgdest"' "$copydir/etc/makepkg.conf"; then
echo 'PKGDEST="/pkgdest"' >> "$copydir/etc/makepkg.conf"
fi
mkdir -p "$copydir/srcpkgdest"
if ! grep -q 'SRCPKGDEST="/srcpkgdest"' "$copydir/etc/makepkg.conf"; then
echo 'SRCPKGDEST="/srcpkgdest"' >> "$copydir/etc/makepkg.conf"
fi
mkdir -p "$copydir/logdest"
if ! grep -q 'LOGDEST="/logdest"' "$copydir/etc/makepkg.conf"; then
echo 'LOGDEST="/logdest"' >> "$copydir/etc/makepkg.conf"
fi
# These two get bind-mounted read-only
# XXX: makepkg dislikes having these dirs read-only, so separate them
mkdir -p "$copydir/startdir" "$copydir/startdir_host"
mkdir -p "$copydir/srcdest" "$copydir/srcdest_host"
if ! grep -q 'SRCDEST="/srcdest"' "$copydir/etc/makepkg.conf"; then
echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
fi
builduser_uid=${SUDO_UID:-$UID}
# We can't use useradd without chrooting, otherwise it invokes PAM modules
# which we might not be able to load (i.e. when building i686 packages on
# an x86_64 host).
printf 'builduser:x:%d:100:builduser:/build:/bin/bash\n' "$builduser_uid" >>"$copydir/etc/passwd"
chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
if [[ -n ${MAKEFLAGS:-} ]]; then
sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
echo "MAKEFLAGS='${MAKEFLAGS}'" >> "$copydir/etc/makepkg.conf"
fi
if [[ -n ${PACKAGER:-} ]]; then
sed -i '/^PACKAGER=/d' "$copydir/etc/makepkg.conf"
echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
fi
if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
Defaults env_keep += "HOME"
builduser ALL = NOPASSWD: /usr/bin/pacman
EOF
chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
fi
if ! grep -q '^\[repo\]' "$copydir/etc/pacman.conf"; then
local line=$(grep -n '^\[' "$copydir/etc/pacman.conf" |grep -Fv ':[options]'|sed 's/:.*//;1q')
local ins='[repo]
SigLevel = Optional TrustAll
Server = file:///repo
'
sed -i "${line}i${ins//$'\n'/\\n}" "$copydir/etc/pacman.conf"
fi
# This is a little gross, but this way the script is recreated every time in the
# working copy
{
printf '#!/bin/bash\n'
declare -f _chrootprepare
printf '_chrootprepare "$@"\n'
} > "$copydir/chrootprepare"
chmod +x "$copydir/chrootprepare"
{
printf '#!/bin/bash\n'
declare -f _chrootbuild
printf '_chrootbuild "$@" || exit\n'
if $run_namcap; then
cat <<'EOF'
pacman -S --needed --noconfirm namcap
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
echo "Checking ${pkgfile##*/}"
sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
done
EOF
fi
} >"$copydir/chrootbuild"
chmod +x "$copydir/chrootbuild"
}
# Usage: download_sources $copydir $src_owner
# Globals:
# - SRCDEST
# - USER
download_sources() {
local copydir=$1
local src_owner=$2
local builddir="$(mktemp -d)"
chmod 1777 "$builddir"
# Ensure sources are downloaded
if [[ $USER != $src_owner ]]; then
sudo -u $src_owner env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \
makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o
else
( export SRCDEST BUILDDIR="$builddir"
makepkg --asroot --config="$copydir/etc/makepkg.conf" --verifysource -o
)
fi
(( $? != 0 )) && die "Could not download sources."
# Clean up garbage from verifysource
rm -rf "$builddir"
}
_chrootprepare() {
# This function isn't run in makechrootpkg,
# so no global variables
. /etc/profile
export HOME=/build
shopt -s nullglob
# XXX: Workaround makepkg disliking read-only dirs
rm -rf -- /srcdest/* /startdir/*
ln -sft /srcdest /srcdest_host/*
ln -sft /startdir /startdir_host/*
# XXX: Keep bzr and svn sources writable
# Since makepkg 4.1.1 they get checked out via cp -a, copying the symlink
for dir in /srcdest /startdir; do
for vcs in bzr svn; do
cd "$dir"
for vcsdir in */.$vcs; do
rm "${vcsdir%/.$vcs}"
cp -a "${dir}_host/${vcsdir%/.$vcs}" .
chown -R builduser "${vcsdir%/.$vcs}"
done
done
done
cd /startdir
# XXX: Keep PKGBUILD writable for pkgver()
rm PKGBUILD*
cp /startdir_host/PKGBUILD* .
chown builduser PKGBUILD*
# Safety check
if [[ ! -w PKGBUILD ]]; then
echo "Can't write to PKGBUILD!"
exit 1
fi
# Sync deps now, as networking may be disabled during _chrootbuild
cp /repo/repo.db /var/lib/pacman/sync/repo.db
sudo -u builduser makepkg "$@" --nobuild
}
_chrootbuild() {
# This function isn't run in makechrootpkg,
# so no global variables
. /etc/profile
export HOME=/build
shopt -s nullglob
cd /startdir
sudo -u builduser makepkg "$@" --noextract --noprepare
}
# Usage: move_products $copydir $owner
# Globals:
# - PKGDEST
# - LOGDEST
move_products() {
local copydir=$1
local src_owner=$2
local pkgfile
for pkgfile in "$copydir"/pkgdest/*; do
chown "$src_owner" "$pkgfile"
mv "$pkgfile" "$PKGDEST"
if [[ $PKGDEST != $PWD ]]; then
ln -sf "$PKGDEST/${pkgfile##*/}" .
fi
done
local l
for l in "$copydir"/logdest/*; do
[[ $l == */logpipe.* ]] && continue
chown "$src_owner" "$l"
mv "$l" "$LOGDEST"
done
for s in "$copydir"/srcpkgdest/*; do
chown "$src_owner" "$s"
mv "$s" "$SRCPKGDEST"
done
}
# }}}
main() {
init_variables
orig_argv=("$@")
while getopts 'hcur:I:l:nTD:d:' arg; do
case "$arg" in
c) clean_first=true ;;
D) bindmounts_ro+=(--bind-ro="$OPTARG") ;;
d) bindmounts_rw+=(--bind="$OPTARG") ;;
u) update_first=true ;;
r) passeddir="$OPTARG" ;;
I) install_pkgs+=("$OPTARG") ;;
l) copy="$OPTARG" ;;
n) run_namcap=true; makepkg_args+=(-i) ;;
T) temp_chroot=true; copy+="-$$" ;;
h|*) usage ;;
esac
done
[[ ! -f PKGBUILD && -z "${install_pkgs[*]}" ]] && die 'This must be run in a directory containing a PKGBUILD.'
check_root "$0" "${orig_argv[@]}"
# Canonicalize chrootdir, getting rid of trailing /
chrootdir=$(readlink -e "$passeddir")
[[ ! -d $chrootdir ]] && die "No chroot dir defined, or invalid path '%s'" "$passeddir"
[[ ! -d $chrootdir/root ]] && die "Missing chroot dir root directory. Try using: mkarchroot %s/root base-devel" "$chrootdir"
if [[ ${copy:0:1} = / ]]; then
copydir=$copy
else
copydir="$chrootdir/$copy"
fi
# Pass all arguments after -- right to makepkg
makepkg_args+=("${@:$OPTIND}")
# See if -R was passed to makepkg
for arg in "${@:OPTIND}"; do
case ${arg%%=*} in
-*R*|--repackage)
repack=true
break 2
;;
esac
done
if [[ -n $SUDO_USER ]]; then
eval "USER_HOME=~$SUDO_USER"
else
USER_HOME=$HOME
fi
umask 0022
load_vars "$USER_HOME/.makepkg.conf"
load_vars /etc/makepkg.conf
# Use PKGBUILD directory if these don't exist
[[ -d $PKGDEST ]] || PKGDEST=$PWD
[[ -d $SRCDEST ]] || SRCDEST=$PWD
[[ -d $SRCPKGDEST ]] || SRCPKGDEST=$PWD
[[ -d $LOGDEST ]] || LOGDEST=$PWD
# Lock the chroot we want to use. We'll keep this lock until we exit.
lock 9 "$copydir.lock" "Locking chroot copy [%s]" "$copy"
if [[ ! -d $copydir ]] || $clean_first; then
sync_chroot "$chrootdir" "$copy"
fi
$update_first && arch-nspawn "$copydir" \
"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
pacman -Syu --noconfirm
if [[ -n ${install_pkgs[*]:-} ]]; then
install_packages "$copydir" "${install_pkgs[@]}"
ret=$?
# If there is no PKGBUILD we have done
[[ -f PKGBUILD ]] || return $ret
fi
download_sources "$copydir" "$src_owner"
prepare_chroot "$copydir" "$USER_HOME" "$repack"
if arch-nspawn "$copydir" \
--bind-ro="$PWD:/startdir_host" \
--bind-ro="$SRCDEST:/srcdest_host" \
"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
/chrootprepare "${makepkg_args[@]}" &&
arch-nspawn "$copydir" \
--bind-ro="$PWD:/startdir_host" \
--bind-ro="$SRCDEST:/srcdest_host" \
"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
/chrootbuild "${makepkg_args[@]}"
then
move_products "$copydir" "$src_owner"
else
(( ret += 1 ))
fi
$temp_chroot && delete_chroot "$copydir"
if (( ret != 0 )); then
if $temp_chroot; then
die "Build failed"
else
die "Build failed, check %s/build" "$copydir"
fi
else
true
fi
}