#!/bin/bash # License: GNU GPLv2 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. m4_include(lib/archroot.sh) m4_include(lib/common.sh) m4_include(lib/messages.sh) shopt -s nullglob usage() { print "Usage: %s [options] -r [--] [makepkg args]" "${0##*/}" echo '' prose 'Builds a package inside a clean chroot, assuming that a PKGBUILD exists in the present working directory. Arguments passed to this script after the end-of-options marker (--) will be passed to makepkg.' echo '' prose 'The chroot dir consists of the following directories: /{root, copy}; but only "root" is required by default. The working copy will be created as needed.' echo '' prose 'The chroot "root" directory must be created via the following command:' echo ' mkarchroot /root base-devel' echo '' prose 'Note that this script is not normally initiated by the user, but is used internally by `libremakepkg`. `libremakepkg` is the preferred tool for building "release-ready" Parabola packages. When using `libremakepkg`, create the chroot with `librechroot`.' echo '' prose 'This script reads {SRC,SRCPKG,PKG,LOG}DEST, MAKEFLAGS and PACKAGER from makepkg.conf(5), if those variables are not part of the environment.' echo '' prose 'Note that, when run on a PKGBUILD which includes a mksource() function, and if a new libre source-ball was created as a result, or if the libre sources do not match the checksums in the PKGBUILD, this script will inject the correct checksums into the PKGBUILD, fork a new instance of the calling process to handle it (usually libremakepkg), and exit immediately' echo '' print "Default makepkg args: %s" "${default_makepkg_args[*]}" print "Default working copy name: %s" "${copy}" echo '' flag 'Options:' \ '-h' 'This help' \ '-c' 'Clean the chroot before building' \ "-d <$(_ DIR)>" 'Bind a directory into build chroot as read-write This option may be given multiple times' \ "-D <$(_ DIR)>" 'Bind a directory into build chroot as read-only This option may be given multiple times' \ '-u' 'Update the working copy of the chroot before building This is useful for rebuilds without dirtying the pristine chroot' \ "-r <$(_ DIR)>" 'The base dir of the chroot-set to use' \ "-I <$(_ PKG)>" 'Install a package into the working copy of the chroot This option may be given multiple times' \ "-l <$(_ COPY)>" 'The directory to use as the working copy of the chroot Useful for maintaining multiple copies.' \ '-n' 'Run namcap on the package' \ '-T' 'Build in a temporary directory' \ '-U' 'Run makepkg as a specified user' exit 1 } # {{{ functions # Usage: load_vars $makepkg_conf # Globals: # - SRCDEST # - SRCPKGDEST # - PKGDEST # - LOGDEST # - MAKEFLAGS # - PACKAGER load_vars() { local makepkg_conf="$1" var [[ -f $makepkg_conf ]] || return 1 for var in {SRC,SRCPKG,PKG,LOG}DEST MAKEFLAGS PACKAGER; do [[ -z ${!var:-} ]] && eval "$(grep -a "^${var}=" "$makepkg_conf")" done return 0 } # Usage: sync_chroot $rootdir $copydir [$copy] sync_chroot() { local rootdir=$1 local copydir=$2 local copy=${3:-$2} if [[ "$rootdir" -ef "$copydir" ]]; then error 'Cannot sync copy with itself: %s' "$copydir" return 1 fi # Get a read lock on the root chroot to make # sure we don't clone a half-updated chroot slock 8 "$rootdir.lock" \ "Locking clean chroot [%s]" "$rootdir" stat_busy "Synchronizing chroot copy [%s] -> [%s]" "$rootdir" "$copy" if is_subvolume "$rootdir" && is_same_fs "$rootdir" "$(dirname -- "$copydir")" && ! mountpoint -q "$copydir"; then if is_subvolume "$copydir"; then subvolume_delete_recursive "$copydir" || die "Unable to delete subvolume %s" "$copydir" else # avoid change of filesystem in case of an umount failure rm --recursive --force --one-file-system "$copydir" || die "Unable to delete %s" "$copydir" fi btrfs subvolume snapshot "$rootdir" "$copydir" >/dev/null || die "Unable to create subvolume %s" "$copydir" else mkdir -p "$copydir" rsync -a --delete -q -W -x "$rootdir/" "$copydir" fi stat_done # Drop the read lock again lock_close 8 # Update mtime touch "$copydir" } # Usage: delete_chroot $copydir [$copy] delete_chroot() { local copydir=$1 local copy=${1:-$2} stat_busy "Removing chroot copy [%s]" "$copy" if is_subvolume "$copydir" && ! mountpoint -q "$copydir"; then subvolume_delete_recursive "$copydir" || die "Unable to delete subvolume %s" "$copydir" else # avoid change of filesystem in case of an umount failure rm --recursive --force --one-file-system "$copydir" || die "Unable to delete %s" "$copydir" fi # remove lock file rm -f "$copydir.lock" stat_done } # Usage: install_packages $copydir $pkgs... install_packages() { local copydir=$1 local install_pkgs=("${@:2}") local -a pkgnames local ret pkgnames=("${install_pkgs[@]##*/}") cp -- "${install_pkgs[@]}" "$copydir/root/" chroot-run "$copydir" "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \ pacman -U --noconfirm -- "${pkgnames[@]/#//root/}" ret=$? rm -- "${pkgnames[@]/#/$copydir/root/}" return $ret } # Usage: prepare_chroot $copydir $HOME $keepbuilddir $run_namcap # Globals: # - MAKEFLAGS # - PACKAGER prepare_chroot() { local copydir=$1 local USER_HOME=$2 local keepbuilddir=$3 local run_namcap=$4 [[ $keepbuilddir = true ]] || rm -rf "$copydir/build" local builduser_uid builduser_gid builduser_uid="${SUDO_UID:-$UID}" builduser_gid="$(id -g "$builduser_uid")" local install="install -o $builduser_uid -g $builduser_gid" local x # We can't use useradd without chrooting, otherwise it invokes PAM modules # which we might not be able to load (i.e. when building i686 packages on # an x86_64 host). sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,shadow,group} printf >>"$copydir/etc/group" 'builduser:x:%d:\n' "$builduser_gid" printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid" printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))" $install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest} sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf" for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \ "MAKEFLAGS='${MAKEFLAGS:-}'" "PACKAGER='${PACKAGER:-}'" do grep -q "^$x" "$copydir/etc/makepkg.conf" && continue echo "$x" >>"$copydir/etc/makepkg.conf" done cat > "$copydir/etc/sudoers.d/builduser-pacman" </dev/null || true printf '_chrootbuild "$@" || exit\n' if [[ $run_namcap = true ]]; then declare -f _chrootnamcap printf '_chrootnamcap || exit\n' fi } >"$copydir/chrootbuild" chmod +x "$copydir/chrootbuild" } # These functions aren't run in makechrootpkg, # so no global variables _chrootbuild() { # No coredumps ulimit -c 0 # shellcheck source=/dev/null . /etc/profile # Beware, there are some stupid arbitrary rules on how you can # use "$" in arguments to commands with "sudo -i". ${foo} or # ${1} is OK, but $foo or $1 isn't. # https://bugzilla.sudo.ws/show_bug.cgi?id=765 sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@" ret=$? case $ret in 0|14) return 0;; *) return $ret;; esac } _chrootnamcap() { pacman -S --needed --noconfirm namcap for pkgfile in /startdir/PKGBUILD /pkgdest/*; do echo "Checking ${pkgfile##*/}" sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log" done } # Usage: VerifyLibreSources # Description: verify the number of libre source-balls which should be, # and were downloaded/created via the mksource() mechanism # Globals: # - SRCDEST # Output: # - "N N" (n_srcs_required n_srcs_exist) VerifyLibreSources() ( local is_sig_required=$( [[ -n "$1" ]] ; echo $(( ! $? )) ) local src_n src_file_url src_file repo local is_libre_src src_exists is_sig local n_srcs_required=0 local n_srcs_exist=0 load_conf librefetch.conf MIRRORS || exit source PKGBUILD ; cd ${SRCDEST} ; for (( src_n=0 ; src_n < ${#source[@]} ; ++src_n )) do src_file_url=${source[src_n]} src_file=${src_file_url##*/} for repo in "${MIRRORS[@]}" do is_libre_src=$( [[ "$src_file_url" == "$repo"* ]] ; echo $(( ! $? )) ) src_exists=$( [[ -f "${src_file}" ]] ; echo $(( ! $? )) ) is_sig=$( [[ "${src_file/*.}" =~ (asc|sig) ]] ; echo $(( ! $? )) ) if (( is_libre_src )); then n_srcs_required=$(( n_srcs_required + ( ! is_sig || is_sig_required ) )) n_srcs_exist=$(( n_srcs_exist + ( src_exists ) )) fi done done ) # Usage: download_sources $copydir $makepkg_user # Globals: # - SRCDEST # - SRCPKGDEST # - PKGDEST download_sources() { local copydir=$1 local makepkg_user=$2 local n_libre_sources_in=$(VerifyLibreSources) local n_libre_sources_out n_libre_sources_required n_libre_sources_exist local sums_msg done_msg restart_msg rerun_msg fail_msg die_msg local this_cmd=() h_rule local builddir builddir="$(mktemp -d)" chown "$makepkg_user:" "$builddir" # Ensure sources are downloaded sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \ env SRCDEST="$SRCDEST" SRCPKGDEST="$SRCPKGDEST" PKGDEST="$PKGDEST" BUILDDIR="$builddir" \ makepkg --config="$copydir/etc/makepkg.conf" --allsource || : # die "Could not download sources." if (( $? )) then # Ensure that all libre sources have been downloaded, # or created via the mksource() mechanism. # There are multiple reasons for why the preceding `makepkg` invokation may have failed # (invalid checksums/sigs, download failure, borked PKGBUILD, etc); # so we must deduce the cause of failure here. # The expected failure here, is a missing signature or an invalid checksum # for the newly created libre source-ball. # In that case, we inject the new checksum into the PKGBUILD, # then fork a new instance of libremakepkg, and exit this process. # The newly spawned instance of libremakepkg will not validate the GPG signature; # because it was intentionally not created (librerelease will create it later). is_new_srcball=$( [[ -f "$LIBRE_SRCBALL_CREATION_MARKER" ]] ; echo $(( ! $? )) ; ) n_libre_sources_out=$(VerifyLibreSources $(( ! is_new_srcball))) n_libre_sources_required=${n_libre_sources_out% *} n_libre_sources_exist=${n_libre_sources_out#* } sums_msg="$(_ "Running \`updpkgsums\` to account for the newly created libre source-ball(s)")" done_msg="$(_ "MkSource completed successfully")" restart_msg="$(_ "Restarting libremakepkg to complete the build")" rerun_msg="$(_ "Run libremakepkg again to complete the build")" fail_msg="$(_ "Could not download upstream sources")" this_cmd=( $(ps --pid=$$ --format=args --no-headers) ) h_rule="--$(dd if=/dev/zero bs=${#restart_msg} count=1 2> /dev/null | tr '\0' '-')--" if [[ "$n_libre_sources_out" != "$n_libre_sources_in" ]] && (( n_libre_sources_exist + n_libre_sources_required )) && (( n_libre_sources_exist == n_libre_sources_required )) then msg "${sums_msg}" sudo -u "$makepkg_user" updpkgsums msg "${done_msg}" if [[ "${this_cmd[@]}" =~ ([^\ ]*libremakepkg)(\ .*)? ]] then this_cmd=(${BASH_REMATCH[@]:1}) printf "\n${h_rule}\n| ${restart_msg} |\n${h_rule}\n" sleep 5 && ${this_cmd[@]} & die_msg='' else die_msg="${rerun_msg}" fi else die_msg="${fail_msg}" fi fi # Clean up garbage from verifysource rm -rf "$builddir" [[ -z "${die_msg}" ]] || die "${die_msg//}" } # Usage: move_products $copydir $owner # Globals: # - PKGDEST # - LOGDEST # - SRCPKGDEST move_products() { local copydir=$1 local src_owner=$2 local pkgfile for pkgfile in "$copydir"/pkgdest/*; do chown "$src_owner" "$pkgfile" mv "$pkgfile" "$PKGDEST" # Fix broken symlink because of temporary chroot PKGDEST /pkgdest if [[ "$PWD" != "$PKGDEST" && -L "$PWD/${pkgfile##*/}" ]]; then ln -sf "$PKGDEST/${pkgfile##*/}" fi done local l for l in "$copydir"/logdest/*; do [[ $l == */logpipe.* ]] && continue chown "$src_owner" "$l" mv "$l" "$LOGDEST" done for s in "$copydir"/srcpkgdest/*; do chown "$src_owner" "$s" mv "$s" "$SRCPKGDEST" # Fix broken symlink because of temporary chroot SRCPKGDEST /srcpkgdest if [[ "$PWD" != "$SRCPKGDEST" && -L "$PWD/${s##*/}" ]]; then ln -sf "$SRCPKGDEST/${s##*/}" fi done } # }}} main() { default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg) local makepkg_args=("${default_makepkg_args[@]}") local keepbuilddir=false local update_first=false local clean_first=false local run_namcap=false local temp_chroot=false local chrootdir= local passeddir= local makepkg_user= declare -a install_pkgs declare -i ret=0 bindmounts_ro=() bindmounts_rw=() copy=$USER [[ -n ${SUDO_USER:-} ]] && copy=$SUDO_USER [[ -z "$copy" || $copy = root ]] && copy=copy src_owner=${SUDO_USER:-$USER} while getopts 'hcur:I:l:nTD:d:U:' arg; do case "$arg" in c) clean_first=true ;; D) bindmounts_ro+=(-b "-Br:$OPTARG:$OPTARG") ;; d) bindmounts_rw+=(-b "-B:$OPTARG:$OPTARG") ;; u) update_first=true ;; r) passeddir="$OPTARG" ;; I) install_pkgs+=("$OPTARG") ;; l) copy="$OPTARG" ;; n) run_namcap=true; makepkg_args+=(--install) ;; T) temp_chroot=true; copy+="-$$" ;; U) makepkg_user="$OPTARG" ;; h|*) usage ;; esac done [[ ! -f PKGBUILD && -z "${install_pkgs[*]}" ]] && die 'This must be run in a directory containing a PKGBUILD.' [[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.' makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}} check_root SOURCE_DATE_EPOCH,GNUPGHOME # Canonicalize chrootdir, getting rid of trailing / chrootdir=$(readlink -e "$passeddir") [[ ! -d $chrootdir ]] && die "No chroot dir defined, or invalid path '%s'" "$passeddir" [[ ! -d $chrootdir/root ]] && die "Missing chroot dir root directory. Try using: mkarchroot %s/root base-devel" "$chrootdir" if [[ ${copy:0:1} = / ]]; then copydir=$copy else copydir="$chrootdir/$copy" fi # Pass all arguments after -- right to makepkg makepkg_args+=("${@:$OPTIND}") # See if -R or -e was passed to makepkg for arg in "${makepkg_args[@]}"; do case ${arg%%=*} in --repackage|--noextract) keepbuilddir=true; break ;; --repackage|--noextract) keepbuilddir=true; break ;; --*) ;; -*R*|-*e*) keepbuilddir=true; break ;; esac done if [[ -n $SUDO_USER ]]; then eval "USER_HOME=~$SUDO_USER" else USER_HOME=$HOME fi umask 0022 load_vars "${XDG_CONFIG_HOME:-$USER_HOME/.config}/pacman/makepkg.conf" || load_vars "$USER_HOME/.makepkg.conf" load_vars /etc/makepkg.conf # Use PKGBUILD directory if these don't exist [[ -d $PKGDEST ]] || PKGDEST=$PWD [[ -d $SRCDEST ]] || SRCDEST=$PWD [[ -d $SRCPKGDEST ]] || SRCPKGDEST=$PWD [[ -d $LOGDEST ]] || LOGDEST=$PWD # Lock the chroot we want to use. We'll keep this lock until we exit. lock 9 "$copydir.lock" "Locking chroot copy [%s]" "$copy" if [[ ! -d $copydir ]] || $clean_first; then sync_chroot "$chrootdir/root" "$copydir" "$copy" fi $update_first && chroot-run "$copydir" \ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \ pacman -Syu --noconfirm if [[ -n ${install_pkgs[*]:-} ]]; then install_packages "$copydir" "${install_pkgs[@]}" ret=$? # If there is no PKGBUILD we have done [[ -f PKGBUILD ]] || return $ret fi if [[ "$(id -u "$makepkg_user")" == 0 ]]; then error "Running makepkg as root is not allowed." exit 1 fi download_sources "$copydir" "$makepkg_user" prepare_chroot "$copydir" "$USER_HOME" "$keepbuilddir" "$run_namcap" if chroot-run "$copydir" \ -b "-B:$PWD:/startdir" \ -b "-B:$SRCDEST:/srcdest" \ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \ /chrootbuild "${makepkg_args[@]}" then move_products "$copydir" "$src_owner" else (( ret += 1 )) fi $temp_chroot && delete_chroot "$copydir" "$copy" if (( ret != 0 )); then if $temp_chroot; then die "Build failed" else die "Build failed, check %s/build" "$copydir" fi else true fi } main "$@"