Merge remote-tracking branch 'origin/no-root-build' into github/fork/TheLinuxNinja/dockerfile-typo

.github/workflows/main.yml

@@ -0,0 +1,12 @@
+name: Github-Actions
+
+on: [push, pull_request]
+
+jobs:
+  ci-test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: make ci-test
+      run: make rootfs ci-test

.gitignore

@@ -2,3 +2,4 @@
 *.orig
 /.idea
 /archlinux.tar
+rootfs/etc/pacman.conf

Dockerfile

@@ -2,9 +2,12 @@ FROM scratch
 ADD archlinux.tar.xz /
 
 # manually run all alpm hooks that can't be run inside the fakechroot
-RUN ldconfig && update-ca-trust && locale-gen
+RUN ldconfig && update-ca-trust && locale-gen 
 RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
 
+# update /etc/os-release
+RUN ln -s /usr/lib/os-release /etc/os-release
+
 # initialize the archlinux keyring, but discard any private key that may be shipped.
 RUN pacman-key --init && pacman-key --populate archlinux && rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*
 

Makefile

@@ -10,16 +10,27 @@ hooks:
 
 rootfs: hooks
 	mkdir -vp $(BUILDDIR)/var/lib/pacman/
+	cp /usr/share/devtools/pacman-extra.conf rootfs/etc/pacman.conf
+	cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf
 	fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
 		--noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \
-		--config pacman.conf \
+		--config rootfs/etc/pacman.conf \
 		--noscriptlet \
 		--hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages)
 	cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
-	tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
+	
+	# remove passwordless login for root (see CVE-2019-5021 for reference)
+	sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
+
+	# fakeroot to map the gid/uid of the builder process to root
+	# fixes #22
+	fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
 	rm -rf $(BUILDDIR) alpm-hooks
 
-compress-rootfs: rootfs
+archlinux.tar: rootfs
+
+compress-rootfs: archlinux.tar
+	xz -f archlinux.tar
 	xz -9e -T0 -f archlinux.tar
 
 docker-image: compress-rootfs
@@ -28,8 +39,7 @@ docker-image: compress-rootfs
 docker-image-test: docker-image
 	# FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails
 	docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk"
-	docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v"
-	# Ensure that the image does not include a private key
+	docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" # Ensure that the image does not include a private key
 	! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key pierre@archlinux.de
 	docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http"
 	docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8"

packages

@@ -2,3 +2,9 @@ sed
 gzip
 pacman
 systemd
+gawk
+file
+grep
+tar
+procps-ng
+licenses

pacman-conf.d-noextract.conf

@@ -0,0 +1,9 @@
+[options]
+NoExtract  = usr/share/help/* !usr/share/help/en*
+NoExtract  = usr/share/gtk-doc/html/* usr/share/doc/*
+NoExtract  = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/*
+NoExtract   = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.*
+NoExtract   = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*
+NoExtract   = !usr/share/*locales/trans*
+NoExtract  = usr/share/man/* usr/share/info/*
+NoExtract  = usr/share/vim/vim*/lang/*