distrobuilder: 3.1 -> 3.2

https://discuss.linuxcontainers.org/t/distrobuilder-3-2-has-been-released/23385 Also rebased generator patch
2025-04-08 21:12:03 -04:00 · 2025-04-08 21:12:03 -04:00 · 3cb4032774
commit 3cb4032774
parent 7c1d5a6b5e
2 changed files with 80 additions and 48 deletions
--- a/pkgs/by-name/di/distrobuilder/nixos-generator.patch
+++ b/pkgs/by-name/di/distrobuilder/nixos-generator.patch
@ -1,16 +1,16 @@
-diff --git a/distrobuilder/lxc.generator b/distrobuilder/lxc.generator
-index dc5b506..0265da8 100644
--- a/distrobuilder/lxc.generator
-+++ b/distrobuilder/lxc.generator
-@@ -21,16 +21,6 @@ is_incus_vm() {
- 	[ -e /dev/virtio-ports/org.linuxcontainers.incus ]
+diff --git c/distrobuilder/lxc.generator w/distrobuilder/lxc.generator
+index 5f854d3..927f2df 100644
+--- c/distrobuilder/lxc.generator
+++ w/distrobuilder/lxc.generator
+@@ -16,16 +16,6 @@ is_lxc_privileged_container() {
+ 	grep -qw 4294967295$ /proc/self/uid_map
 }
 
 -# is_in_path succeeds if the given file exists in on of the paths
 -is_in_path() {
 -	# Don't use $PATH as that may not include all relevant paths
 -	for path in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
-		[ -e "${path}/$1" ] && return 0
+-		[ -e "${path}/${1}" ] && return 0
 -	done
 -
 -	return 1
@ -19,21 +19,23 @@ index dc5b506..0265da8 100644
 ## Fix functions
 # fix_ro_paths avoids udevd issues with /sys and /proc being writable
 fix_ro_paths() {
-@@ -42,38 +32,6 @@ fix_ro_paths() {
+@@ -47,41 +37,6 @@ fix_ro_run() {
 		EOF
 }
 
 -# fix_nm_link_state forces the network interface to a DOWN state ahead of NetworkManager starting up
 -fix_nm_link_state() {
-	[ -e "/sys/class/net/$1" ] || return 0
-	ip_path=
-	if [ -f /sbin/ip ]; then
-		ip_path=/sbin/ip
-	elif [ -f /bin/ip ]; then
-		ip_path=/bin/ip
+-	[ -e "/sys/class/net/${1}" ] || return 0
+-
+-	ip=
+-	if [ -f "/sbin/ip" ]; then
+-		ip="/sbin/ip"
+-	elif [ -f "/bin/ip" ]; then
+-		ip="/bin/ip"
 -	else
 -		return 0
 -	fi
+-
 -	cat <<-EOF > /run/systemd/system/network-device-down.service
 -		# This file was created by distrobuilder
 -		[Unit]
@ -44,13 +46,14 @@ index dc5b506..0265da8 100644
 -		[Service]
 -		# do not turn off if there is a default route to 169.254.0.1, i.e. the device is a routed nic
 -		ExecCondition=/bin/sh -c '! /usr/bin/grep -qs 00000000.0100FEA9 /proc/net/route'
-		ExecStart=-${ip_path} link set $1 down
+-		ExecStart=-${ip} link set ${1} down
 -		Type=oneshot
 -		RemainAfterExit=true
 -
 -		[Install]
 -		WantedBy=default.target
 -		EOF
+-
 -	mkdir -p /run/systemd/system/default.target.wants
 -	ln -sf /run/systemd/system/network-device-down.service /run/systemd/system/default.target.wants/network-device-down.service
 -}
@ -58,78 +61,105 @@ index dc5b506..0265da8 100644
 # fix_systemd_override_unit generates a unit specific override
 fix_systemd_override_unit() {
 	dropin_dir="/run/systemd/${1}.d"
-@@ -113,16 +71,7 @@ fix_systemd_mask() {
+@@ -122,16 +77,7 @@ fix_systemd_mask() {
 # fix_systemd_udev_trigger overrides the systemd-udev-trigger.service to match the latest version
 # of the file which uses "ExecStart=-" instead of "ExecStart=".
 fix_systemd_udev_trigger() {
-	cmd=
+-	udev=
 -	if [ -f /usr/bin/udevadm ]; then
-		cmd=/usr/bin/udevadm
+-		udev=/usr/bin/udevadm
 -	elif [ -f /sbin/udevadm ]; then
-		cmd=/sbin/udevadm
+-		udev=/sbin/udevadm
 -	elif [ -f /bin/udevadm ]; then
-		cmd=/bin/udevadm
+-		udev=/bin/udevadm
 -	else
 -		return 0
 -	fi
-+	cmd=udevadm
+	udev=/run/current-system/sw/bin/udevadm
 
 	mkdir -p /run/systemd/system/systemd-udev-trigger.service.d
 	cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf
-@@ -134,38 +83,13 @@ fix_systemd_udev_trigger() {
+@@ -143,52 +89,40 @@ fix_systemd_udev_trigger() {
 		EOF
 }
 
 -# fix_systemd_sysctl overrides the systemd-sysctl.service to use "ExecStart=-" instead of "ExecStart=".
 -fix_systemd_sysctl() {
-	cmd=/usr/lib/systemd/systemd-sysctl
-	! [ -e "${cmd}" ] && cmd=/lib/systemd/systemd-sysctl
+-	sysctl=/usr/lib/systemd/systemd-sysctl
+-	[ ! -e "${sysctl}" ] && sysctl=/lib/systemd/systemd-sysctl
+-
 -	mkdir -p /run/systemd/system/systemd-sysctl.service.d
 -	cat <<-EOF > /run/systemd/system/systemd-sysctl.service.d/zzz-lxc-override.conf
 -		# This file was created by distrobuilder
 -		[Service]
 -		ExecStart=
-		ExecStart=-${cmd}
+-		ExecStart=-${sysctl}
 -		EOF
 -}
 -
 ## Main logic
-# Nothing to do in Incus VM but deployed in case it is later converted to a container
-is_incus_vm && exit 0
- 
 # Exit immediately if not an Incus/LXC container
 is_lxc_container || exit 0
 
-# Check for NetworkManager
-nm_exists=0
-
-is_in_path NetworkManager && nm_exists=1
-
 # Determine systemd version
+-SYSTEMD=""
 -for path in /usr/lib/systemd/systemd /lib/systemd/systemd; do
 -	[ -x "${path}" ] || continue
-
-	systemd_version="$("${path}" --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
+SYSTEMD="$(/run/current-system/sw/lib/systemd/systemd --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
+ 
+-	SYSTEMD="$("${path}" --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
 -	break
 -done
-+systemd_version="$(systemd --version | head -n1 | cut -d' ' -f2)"
 
- # Determine distro name and release
- ID=""
-@@ -196,7 +120,6 @@ fi
+-# Apply systemd overrides
+-if [ "${SYSTEMD}" -ge 244 ]; then
+-	fix_systemd_override_unit system/service
+-else
+-	# Setup per-unit overrides
+-	find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
+-		fix_systemd_override_unit "${service_file}"
+-	done
+-fi
+ 
+-# Workarounds for unprivileged containers.
+-if ! is_lxc_privileged_container; then
+-	fix_ro_paths systemd-networkd.service
+-	fix_ro_paths systemd-resolved.service
+
+# Overriding some systemd features is only needed if security.nesting=false
+# in which case, /dev/.lxc will be missing
+# Adding this conditional back for NixOS as we do not have the reported
+# problems, and the overrides could reduce potential service hardening
+if [ ! -d /dev/.lxc ]; then
+  # Apply systemd overrides
+  if [ "${SYSTEMD}" -ge 244 ]; then
+    fix_systemd_override_unit system/service
+  else
+    # Setup per-unit overrides
+    find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
+      fix_systemd_override_unit "${service_file}"
+    done
+  fi
+
+  # Workarounds for unprivileged containers.
+  if ! is_lxc_privileged_container; then
+    fix_ro_paths systemd-networkd.service
+    fix_ro_paths systemd-resolved.service
+  fi
+ fi
 
 # Ignore failures on some units.
 fix_systemd_udev_trigger
 -fix_systemd_sysctl
 
- # Mask some units.
- fix_systemd_mask dev-hugepages.mount
-@@ -226,11 +149,6 @@ if [ -d /etc/udev ]; then
+ # Fix issues with /run not being writable.
+ fix_ro_run systemd-nsresourced.service
+@@ -221,11 +155,6 @@ if [ -d /etc/udev ]; then
 		EOF
 fi
 
 -# Workarounds for NetworkManager in containers
-if [ "${nm_exists}" -eq 1 ]; then
+-if is_in_path NetworkManager; then
 -	fix_nm_link_state eth0
 -fi
 -
--- a/pkgs/by-name/di/distrobuilder/package.nix
+++ b/pkgs/by-name/di/distrobuilder/package.nix
@ -10,6 +10,7 @@
  gnutar,
  hivex,
  makeWrapper,
+  nix-update-script,
  nixosTests,
  pkg-config,
  squashfsTools,
@ -35,16 +36,15 @@ let
 in
 buildGoModule rec {
  pname = "distrobuilder";
-  version = "3.1";
+  version = "3.2";

-  vendorHash = "sha256-3oHLvOdHbOdaL2FTo+a5HmayNi/i3zoAsU/du9h1N30=";
+  vendorHash = "sha256-nlqapWxuSZlbt22F3Y9X1uXFxJHvEoUBZDl078x8ZnA=";

  src = fetchFromGitHub {
    owner = "lxc";
    repo = "distrobuilder";
-    rev = "refs/tags/distrobuilder-${version}";
-    sha256 = "sha256-cIzIoLQmg1kgI1QRAmFh/ca88PJBW2yIY92BKHKwTMk=";
-    fetchSubmodules = false;
+    tag = "distrobuilder-${version}";
+    sha256 = "sha256-aDCx2WGAKdTNf0uMzwxG0AUmbuuWBFPYzNyycKklYOY=";
  };

  buildInputs = bins;
@ -67,6 +67,8 @@ buildGoModule rec {
    };

    generator = callPackage ./generator.nix { inherit src version; };
+
+    updateScript = nix-update-script { };
  };

  meta = {