From 19fb8aeb466e06a872155aad74b61e7a843d2241 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Sun, 6 Oct 2019 12:31:21 -0400 Subject: [PATCH 01/10] Makefile: add fix for CVE-2019-5021 The previous instances of the docker image allowed for passwordless root login. Update the default shadow setting so the root account to disallow this. --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 4cfd2ee..8588436 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,10 @@ rootfs: hooks --noscriptlet \ --hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages) cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/ + + # remove passwordless login for root (see CVE-2019-5021 for reference) + sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow" + tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar rm -rf $(BUILDDIR) alpm-hooks From a2b08c5fc19eabce752840e69b9cfb387ffe6657 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Sun, 6 Oct 2019 12:32:39 -0400 Subject: [PATCH 02/10] Makefile:compress:use the existing archlinux.tar The requirements for the compress rule used to rebuild the rootfs regardless. Update the requirement to use the existing archlinux archive for compression --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8588436..9f7ff04 100644 --- a/Makefile +++ b/Makefile @@ -23,7 +23,7 @@ rootfs: hooks tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar rm -rf $(BUILDDIR) alpm-hooks -compress-rootfs: rootfs +compress-rootfs: archlinux.tar xz archlinux.tar docker-image: compress-rootfs From 368a504fa3bb4dcc04131fd8cbac486e1f880839 Mon Sep 17 00:00:00 2001 
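Review bot: The new `sed -i` line succeeds even when nothing matches, so a shadow file whose root entry is not literally `root::` (already locked, a different field layout, or a copy pulled in through the `--backup --suffix=.pacnew` copy above) leaves the build green with the lock never applied. Add a check right after it so the recipe fails loudly instead: `grep -q '^root:[!*]' "$(BUILDDIR)/etc/shadow"`. The `rootfs` recipe continues outside the hunk on both sides.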
From: Santiago Torres Date: Wed, 23 Oct 2019 20:22:50 -0400 Subject: [PATCH 03/10] Makefile: use fakeroot for tar-ing rootfs When tar-ing the rootfs, the permissions preserved are from the worker process. This is not the intended behavior, as we want to preserve the permissions of the root user to most of the files. Use fakeroot during the tar process to automagically map the uid of the user to that of root's. Fixes #22 Signed-off-by: Santiago Torres --- Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 9f7ff04..8a5274a 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,9 @@ rootfs: hooks # remove passwordless login for root (see CVE-2019-5021 for reference) sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow" - tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar + # fakeroot to map the gid/uid of the builder process to root + # fixes #22 + fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar rm -rf $(BUILDDIR) alpm-hooks compress-rootfs: archlinux.tar From ed424bc02f3183b7de110d544ad9c749b5d85771 Mon Sep 17 00:00:00 2001 From: Christian Rebischke Date: Sat, 12 Oct 2019 15:29:12 +0200 Subject: [PATCH 04/10] add Github Actions Signed-off-by: Christian Rebischke --- .github/workflows/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..9d120d3 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,12 @@ +name: Github-Actions + +on: [push, pull_request] + +jobs: + ci-test: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v1 + - name: make ci-test + run: make ci-test From e5ee97ef26e20fb689b4ecd8d9cef62744c7845e Mon Sep 17 00:00:00 2001 
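Review bot: The `fakeroot -- tar` session on the new line is independent of the `fakechroot -- fakeroot -- pacman` session that populated `$(BUILDDIR)` earlier in this recipe (outside the hunk), and fakeroot keeps the ownership it fakes only in memory unless told to save it. Any owner or group pacman assigned that differs from the real files on disk is therefore not what this tar records; presumably everything ends up as 0:0, which may be fine for this image but is worth stating in the new comment rather than leaving it at `map the gid/uid of the builder process to root`. If the pacman-assigned ownership matters, persist the state across the two calls: `fakeroot -s fakeroot.env -- pacman …` and `fakeroot -i fakeroot.env -- tar …`.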
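Review bot: `uses: actions/checkout@v1` references a mutable tag, so whoever controls that tag controls the code that runs with this repository's token on every push and pull request. Pin to a full-length commit SHA and keep the tag as a comment, `- uses: actions/checkout@<full-commit-sha>  # v1`, and grant the job only what it needs with a top-level `permissions:` block (`contents: read`). Nothing in the workflow installs `fakeroot`, `fakechroot` or `pacman` on `ubuntu-latest`, so presumably `ci-test` does not need them — worth confirming.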
From: Santiago Torres Date: Wed, 23 Oct 2019 21:04:36 -0400 Subject: [PATCH 05/10] github-actions: add rootfs target to make This is relevant for the no-root-build. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9d120d3..f43c10f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,4 +9,4 @@ jobs: steps: - uses: actions/checkout@v1 - name: make ci-test - run: make ci-test + run: make rootfs ci-test From 2fc6d9f3eeba6c108915a6a633c53494a3550729 Mon Sep 17 00:00:00 2001 From: Eli Schwartz Date: Thu, 28 Feb 2019 14:53:48 -0500 Subject: [PATCH 06/10] pacstrap: usie NoExtract to prune dead weight A docker container does not need tons of locales in order to do its job, nor does it need extensive (or any) documentation. With this change, a bare pacstrapped directory drops from 500MB to 390MB --- .gitignore | 1 + Makefile | 2 ++ pacman-conf.d-noextract.conf | 9 +++++++++ 3 files changed, 12 insertions(+) create mode 100644 pacman-conf.d-noextract.conf diff --git a/.gitignore b/.gitignore index a583ac7..e573ef4 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ *.orig /.idea /archlinux.tar +rootfs/etc/pacman.conf diff --git a/Makefile b/Makefile index 8a5274a..8a85f42 100644 --- a/Makefile +++ b/Makefile @@ -10,6 +10,8 @@ hooks: rootfs: hooks mkdir -vp $(BUILDDIR)/var/lib/pacman/ + cp /usr/share/devtools/pacman-extra.conf rootfs/etc/pacman.conf + cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \ --noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \ --config pacman.conf \ diff --git a/pacman-conf.d-noextract.conf b/pacman-conf.d-noextract.conf new file mode 100644 index 0000000..76b762b --- /dev/null +++ b/pacman-conf.d-noextract.conf 
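Review bot: The step is still named `make ci-test` although the command on the new line is now `make rootfs ci-test`; rename it to match, `- name: make rootfs ci-test`, so a failure in the rootfs build is not misread as a test failure. Running `rootfs` here also means the job needs `fakechroot`, `fakeroot` and `pacman` on `ubuntu-latest`, and no step in this workflow installs them — worth confirming that is covered elsewhere.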
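Review bot: The two new lines make the build depend on a host file, `/usr/share/devtools/pacman-extra.conf`, and on the repo file `pacman-conf.d-noextract.conf`, but neither is a prerequisite of the rule, so the image contents vary with the host's devtools version and an edit to the NoExtract list does not by itself trigger a rebuild (unless `rootfs` is phony, which is not visible in this hunk). Declare the repo file, `rootfs: hooks pacman-conf.d-noextract.conf`, and consider vendoring or checksumming the devtools config so the build is reproducible. The `rootfs` recipe continues outside the hunk.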
@@ -0,0 +1,9 @@ +[options] +NoExtract = usr/share/help/* !usr/share/help/en* +NoExtract = usr/share/gtk-doc/html/* usr/share/doc/* +NoExtract = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/* +NoExtract = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.* +NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso* +NoExtract = !usr/share/*locales/trans* +NoExtract = usr/share/man/* usr/share/info/* +NoExtract = usr/share/vim/vim*/lang/* From 4ebfbe58833529a3ea8bab334b979fb237f870e8 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Tue, 26 Nov 2019 16:02:21 -0500 Subject: [PATCH 07/10] packages: add base group --- Makefile | 2 +- packages | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8a85f42..ac188a8 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ rootfs: hooks cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \ --noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \ - --config pacman.conf \ + --config rootfs/etc/pacman.conf \ --noscriptlet \ --hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages) cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/ diff --git a/packages b/packages index 39dffd0..5ef6e83 100644 --- a/packages +++ b/packages @@ -2,3 +2,4 @@ sed gzip pacman systemd +gawk From 9091d1ebb9cca5b86a0298dc3169fc7dd3efdc33 Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Tue, 26 Nov 2019 17:02:56 -0500 Subject: [PATCH 08/10] Makefile: add archlinux.tar target, force xz --- Makefile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ac188a8..b1800c4 100644 --- a/Makefile +++ b/Makefile 
@@ -27,8 +27,10 @@ rootfs: hooks fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar rm -rf $(BUILDDIR) alpm-hooks +archlinux.tar: rootfs + compress-rootfs: archlinux.tar - xz archlinux.tar + xz -f archlinux.tar docker-image: compress-rootfs docker build -t $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) . @@ -36,8 +38,7 @@ docker-image: compress-rootfs docker-image-test: docker-image # FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk" - docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" - # Ensure that the image does not include a private key + docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" # Ensure that the image does not include a private key ! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key pierre@archlinux.de docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http" docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8" From 8f683e3cdc7ae7a6504c525829edf2b039959d8f Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Tue, 26 Nov 2019 17:03:20 -0500 Subject: [PATCH 09/10] packages: +likely necessary pkgs from base group --- packages | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/packages b/packages index 5ef6e83..2c07590 100644 --- a/packages +++ b/packages @@ -3,3 +3,8 @@ gzip pacman systemd gawk +file +grep +tar +procps-ng +licenses From 9bd11c95c2b13af854388498ac948f363bd78bcc Mon Sep 17 00:00:00 2001 From: Santiago Torres Date: Mon, 8 Jun 2020 10:54:44 -0400 Subject: [PATCH 10/10] Dockerfile: manually symlink os-release --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
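Review bot: The new `archlinux.tar: rootfs` rule has no recipe; the tar is written as a side effect of the `rootfs` recipe (`-f archlinux.tar` on the context line above), so Make cannot tell on its own whether the file is stale, and if `rootfs` is phony — it is also a checked-in directory name, so it presumably has to be — the tar is remade on every `compress-rootfs`, which is what the earlier `compress-rootfs: archlinux.tar` change tried to avoid. Moving the `fakeroot -- tar … -f $@` line (and the `rm -rf $(BUILDDIR) alpm-hooks` that follows it) into this rule would make the dependency graph honest. `xz -f` also deletes `archlinux.tar`, so the next run rebuilds it regardless; a comment saying so would save the next reader a surprise.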
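Review bot: The comment `# Ensure that the image does not include a private key` has been joined onto the end of the preceding `docker run … docker -v"` line, where it no longer sits next to the `! docker run … pacman-key --lsign-key` check it describes; a `#` inside a recipe is passed to the shell so this still executes, but the diffstat (4 insertions, 3 deletions) suggests the line was lost rather than moved on purpose. Restore it as its own line directly above the `!` line. Separately, the `!` inverts any non-zero exit, so that check also passes when `docker run` fails for unrelated reasons (missing image, daemon unavailable); a positive assertion such as `docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c 'test -z "$$(ls -A /etc/pacman.d/gnupg/private-keys-v1.d 2>/dev/null)"'` pins the intended property.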
diff --git a/Dockerfile b/Dockerfile index e071867..5470c0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,9 +2,12 @@ FROM scratch ADD archlinux.tar.xz / # manually run all alpm hooks that can't be run inside the fakechroot -RUN ldconfig && update-ca-trust && locale-gen +RUN ldconfig && update-ca-trust && locale-gen RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers ' +# update /etc/os-release +RUN ln -s /usr/lib/os-release /etc/os-release + # initialize the archilnux keyring, but discard any private key that may be shipped. RUN pacman-key --init && pacman-key --populate archlinux RUN rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pugring.gpg~,gnupg.S.}*
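Review bot: `ln -s /usr/lib/os-release /etc/os-release` on the new line fails the build as soon as `/etc/os-release` already exists in the extracted tarball (a package or hook providing it would do that), so `ln -sfn` is the idempotent form; the comment above it, `# update /etc/os-release`, would be more useful if it said why the link is missing (presumably the alpm hook that creates it cannot run under fakechroot, as the comment on the earlier RUN line says). Unrelated to this change but visible in the context line below: `pugring.gpg~` looks like a typo for `pubring.gpg~`, in which case that backup keyring is not removed — worth confirming against what `pacman-key --init` actually writes.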