The emphasis of aurch is on using an nspawn container for AUR 'build isolation' rather than a 'clean chroot'.
Aurch isolates the build environment to mitigate build script errors or malicious intent causing issues on the host.
The original aurch script has been split into two separate scripts, with a dedicated setup script now.
aurch-setup:
Aurch-setup sets up an nspawn container for building AUR packages and sets up a local AUR repo in the host.
The nspawn container has Aurutils setup within it with Aurch acting as an nspawn and aurutils wrapper.
The nspawn container is persistent, has an AUR repo, and is maintained to a minimal base package set.
ie: Currently 154 packages.
aurch:
Aurch builds AUR packages in the nspawn container isolated from the host.
After packages are built, they're copied into the host AUR cache and entered into host pacman sync db.
Automatically builds and saves all required AUR dependencies in the nspawn container AUR repo.
Installs any required pgp keys in the nspawn container.
Removes all official and AUR* packages used in the nspawn container build process upon completion,
maintaining a minimal footprint of a small, consistent set of base packages.
* Removed from the container's Arch install while remaining in the container's local AUR repo.
Note:
The aurch script isolates the build process from the host; this is not to be confused with building packages in a 'clean chroot'.
Scripts such as devtools were not written to, and do not, isolate the build process from the host.
References:
Arch wiki: building in a clean chroot
https://www.reddit.com/r/archlinux/comments/q2qwbr/aur_build_in_chroot_to_mitigate_risks/hfn7x0p/
https://www.reddit.com/r/archlinux/comments/qk3rk7/wrote_script_to_setup_an_nspawn_chroot_and_build/hixia0b/
USAGE
aurch [operation[options]] [package | pgp key]
OPERATIONS
-B* --build Build new or update an existing AUR package.
-G --git Git clones an AUR package.
-C --compile Build an AUR package on existing PKGBUILD.(1)
-Rh Remove AUR pkg from host.(2)
-Rc Remove AUR pkg from nspawn container.(3)
-Syu --update Update nspawn container packages.(4)
-Lah* --lsaurh List AUR sync database contents/status of host.
-Lac* --lsaurc List AUR sync database contents/status of nspawn container.
-Luh* --lsudh List update info for AUR packages installed in host.
-Luc* --lsudc List update info for AUR pkgs/AUR deps in nspawn container.
-Lv List aurch variables.
--login Login to nspawn container for maintenance.
--clean Manually remove unneeded packages from nspawn container.
--pgp Manually import pgp key in nspawn container.
-h, --help Prints help.
-V, --version Prints aurch version.
(1) Useful for implementing changes to PKGBUILD, etc.
(2) Removes: /AURREPO/<package>, <package> if installed, and database entry.
(3) Removes: /build/<package>, /${HOME}/<build dir>, and database entry.
(4) Runs `pacman -Syu` inside the nspawn container.
OPTIONS *
-L, List:
Append 'q' to -L list operations for quiet mode.
Examples: aurch -Lahq
aurch -Luhq
aurch -Lacq
aurch -Lucq
Do not mix order or attempt to use 'q' other than described.
-B, Build:
Append 'i' to build operation -B to install package in host.
Example: aurch -Bi
Do not mix order or attempt to use 'i' other than described.
OVERVIEW
Run aurch-setup before using aurch.
Run aurch to manage AUR packages.
Aurch is designed to handle AUR packages individually, one at a time.
ie: No group updates or multi package per operation capability.
The aurch nspawn container must be periodically updated via aurch -Syu.
Update the nspawn container before building packages.
EXAMPLES
SETUP FOR AURCH:
Set up nspawn container: aurch-setup --setupchroot
Set up local AUR repo: aurch-setup --setuphost
USING AURCH:
Build an AUR package(+): aurch -B <aur-package>
Build and install AUR package: aurch -Bi <aur-package>
Git clone package: aurch -G <aur-package>
Build (Compile) AUR pkg on existing PKGBUILD: aurch -C <aur-package>
Remove AUR package from host: aurch -Rh <aur-package>
Remove AUR package from nspawn container: aurch -Rc <aur-package>
List nspawn container AUR sync db contents: aurch -Lac
List nspawn container AUR repo updates: aurch -Luc
List host AUR sync database contents: aurch -Lah
List host AUR repo updates available: aurch -Luh
Manually import a pgp key in nspawn container: aurch --pgp <short/long id>
Manually remove unneeded pkgs from container: aurch --clean
Login to chroot for maintenance: aurch --login
(+) Package placed into host AUR repo and entry made in pacman AUR database.
Install with `pacman -S <aur-package>`
USER VARIABLES
BASEDIR = path to chroot base dir
AURREPO = path to host aur repo
REPONAME = host aur repo name
AURFM = AUR file manager,editor (mc = midnight commander)
Screenshot: aurch --setup
https://cody-learner.github.io/aurch-setup.html
Screenshot: aurch -B bauerbill
https://cody-learner.github.io/aurch-building-bauerbill.html
UPDATE For JANUARY 16, 2025
Bug fix: In a fresh aurch install, running `aurch --clean` before building a package in a clean chroot (`aurch -Cc`) results in an error.
aurch.sh
- Relocated creation of directory `/var/tmp/aurch` from within function `build_clean_chroot` to the beginning of the script.
UPDATE For DECEMBER 05, 2024
aurch-setup.sh
- Corrected dependencies in script comments and the `check_depends` function.
- Added punctuation to printed message.
aurch.sh
- Corrected dependencies in script comments.
- Reworded and added printed comments.
- Changed name of file `/etc/sudoers.d/aurch` to `/etc/sudoers.d/aurch-sudo` to avoid potential overwrite.
- Added color cancel code to the `if [[ -z ${*} ]]` printed script info after testing in Arch install media.
UPDATE For DECEMBER 03, 2024
aurch.sh:
- Changed temp work file names to enhance intuitive readability.
- Replaced array and vars with temp work files where appropriate.
- Added printed message clarifying when rebuilding existing, current packages.
- Replaced parsing output from `aur fetch` with implementing the `--results=` file.
- Implemented the `pr` command for improved formatting of printed messages.
- Implemented `ln` options for improved formatting of printed messages.
- Implemented parsing output of `repo-add` to be used for verification.
UPDATE For November 26, 2024
Bug fix: In a fresh aurch install, the first run of the '-B' operation with an empty local AUR repo produced an empty 'find' result, which resulted in aurch exiting.
aurch.sh:
- Remove trailing whitespace.
- Operation `--help`, reword `-Ccb` info.
- Function `build_pkg`, rewrite first `find` command to not exit script on empty `find` results, ie: new or empty repo.
- Function `build_clean_chroot`:
  - Change several `read` command options, including implementation of `-p`, to eliminate preceding `printf` message lines.
  - On repetitive usage of the same variable in `while read` loops for user input, unset the variable after each use.
README.md:
- Update to reflect changes.
UPDATE For November 24, 2024
aurch.sh:
- Function `ck_per`, changed formatting sent to log.
- Function `is_it_available`, added log upon error.
- Added `--log` operation to display `logfile` in less.
UPDATE For November 23, 2024
Today we offer an actual release, or somewhat of a 'tune up' on the urgently released bug fix yesterday.
ie: clean up, additional testing, shellcheck, minimal feature creep
Keeping the `ck_per` function to check/correct the AUR repo permissions for now.
It will eventually be removed after additional testing time indicates everything is in order.
An aurch log file is now available: `/var/log/aurch.log`.
aurch.sh:
- Removed `permlog` variable.
- Added `logfile` variable.
- Added creation, set permission of logfile if not present.
- Added `dt` variable (date time) used for logging.
- Added basic logging capabilities.
README.md:
- Update to reflect changes.
UPDATE For November 22, 2024 (2nd)
This is a bug fix release that eliminates the AUR repo permission issues.
I spent more time describing the issue below than the actual fix once I had the tools needed for troubleshooting.
I'm too tired to get into great detail, so please see the commit comments link and diff for additional info:
https://github.com/Cody-Learner/aurch/commit/369ab0186a840176aa208f81d416d34a19e1d490
UPDATE And INFO For November 22, 2024
Getting a better handle on local AUR repo permission issues in both host and container. Obviously moving away from the current workaround of monitoring and correcting permissions would be the best path forward.
One issue is collisions upon rebuilding packages owned by user, which can't overwrite existing packages owned by root. Another issue is the AUR db permissions randomly changing to root owner rather than user, making them inaccessible by user.
Made several changes that were possibly contributing to the issues in both `aurch` and `aurch-setup`.
Added automated diagnostic code in `aurch` and supplied a separate script, `paths`, to use manually to provide a quick overview of permissions on the potentially troublesome directories/files.
Added an automated `chown -R user:group` to the directories containing the repos, triggered when the db's owner has been changed from user.
However, I'm unsure about how and when some of the permissions on packages in my local AUR repos were changed. I do way too much testing, etc on this machine that may have contributed to these issues, to attempt to track down the root cause until now.
With a fresh `chown` and the changes described, it should be pretty straightforward tracking the issues into the future.
With the changes made, including the elimination of several unneeded `sudo` calls, time with testing will tell how this plays out.
If it does continue, there will be an evidence trail this time around in the new log file.
Having info on what operations are leading up to it should provide a solid path forward for troubleshooting.
aurch-setup.sh:
- Removed three dependencies used for clean chroot builds. The `aurch` script installs them upon first usage of the `-Cc*` operation.
- Removed user `alpm` from permission settings.
- Implemented `SUDO_USER` in various areas.
aurch.sh:
- Removed `clean local AUR repo` code from the `build_clean_chroot` function to its own function, `cleanup_host`.
- Replaced `set_perm` function with `ck_per`, changed repo permission correction from 'octal' to 'user:group' names, added printed warning notification when permissions have changed, and added diagnostic logging.
- Eliminated the AUR repo 'placeholder' fake packages. Rewrote the `find` commands to exit zero on file not found.
- Changed AUR repos permission checks/corrections to run once before `-B,-C,-R` operations. It's still located within the `build_clean_chroot` function.
- Eliminated several sudo calls that were unnecessary.
- Function `build_pkg` (`-B*`, `-C` operations), moved order of code around to get similar output as `-Cc*` provides at end of build.
- Function `cleanup_chroot`, changed printf quoting in 'heredoc'.
- Moved script comments to dedicated lines rather than trailing code lines.
- Function `build_clean_chroot` (`-Cc*` operation), improved building/installing dependencies automatically after user confirmation and changed quoting on printf commands.
- The `--clean` operation, added `cleanup_host` function. It still performs several container cleaning tasks and now cleans up the host AUR repo. Added this after testing revealed a broken AUR pkg during a "clean chroot build" exit resulted in the host local AUR repo being polluted with dozens of official pkgs.
- Added a `trap` command to handle cleanup upon script exit while building broken AUR packages.
aurch.sh diagnostics:
- Added `permlog` variable that sets the aurch log location.
- All data sent to log is formatted: <year>-<month>-<day> : <args>
- All aurch commands with one or more args will be logged.
- All AUR repo permission corrections will be logged.
UPDATE For November 20, 2024
aurch.sh:
- Spelling corrections, rewording, add script comments.
- Clean up some existing code.
- Remove three dependencies listed and installed in aurch-setup that are only needed for the `-Cc*` clean chroot build. These dependencies are checked, the user is asked for confirmation if missing, then they are installed when running the `-Cc*` clean chroot build.
- Changed function name `build-clean-chroot` to `build_clean_chroot` to maintain consistency, using `_` rather than `-` for separators.
UPDATE For November 19, 2024
aurch.sh
- Added option to the `-Cc* --cchroot` operation, `-Ccb` ('b' is for both), to copy and register package in both host and container. Running `-Cc` copies and registers the package into the host only. This will be useful, for example, for the `python2` package. It requires building in a clean chroot to pass the default testing, and is a dependency of additional AUR packages. Using the `-Ccb` option will place `python2` in the aurch container AUR cache and sync db, which enables it to be used as a dependency for other AUR builds, rather than building it as an AUR dependency that is unavailable in the sync db.
- Display the `-h --help` operation info in the `less`(1) pager so it opens at the top rather than the bottom of the page.
- Added `-Ccb` option to help page along with some rewording/reformatting.
- Working on distinguishing the terms 'container' vs 'chroot' in displayed info. Aurutils refers to their clean chroot container as 'chroot'. Aurch used the same, 'chroot', until some time ago I decided to change it to more accurately point out the use of 'nspawn container', with 'container' as the short version. With the implementation of aurutils clean chroot building on the aurch host system now, I'd like a clear distinction of these terms to avoid any possible confusion for users.
- Function `build-clean-chroot` (`-Cc*` operation): Added code to facilitate the `b` option.
(1) Note to self: Should probably either add `less` (`man-db` dep) as a dependency, check for a less install and default to cat if needed, or look into use/set PAGER...
UPDATE For November 18, 2024 (2nd)
aurch.sh
- Function `build-clean-chroot` (`-Cc` operation):
  - Corrected variable used from `package` to `build` that's printed to screen as the current package being built.
  - Renamed `build.log` file to `aurch-build.log` for improved script readability.
  - Improved `keeppkgs` variable to include additional AUR packages in the `-ignore` list used by `paccache`.
  - Corrected file used and improved formatting of printed 'copied and registered packages' list at end of build.
- Added and clarified various script comments.
UPDATE For November 18, 2024
aurch.sh:
- Function `build-clean-chroot` (`-Cc` operation): Added `--keyserver keyserver.ubuntu.com` to the `gpg --recv-key` command.
  Note: Even though `dirmngr --gpgconf-list` lists `//keyserver.ubuntu.com` as default, the pgp key issues I experienced during testing stopped after making this change.
- Fixed the 'packages built' list at end of clean chroot build that could list unrelated packages.
UPDATE For November 17, 2024
aurch.sh
- Edited `cleanup_chroot` function (`-Cc` operation), the `cleanup_chroot` heredoc script: eliminated the need for 'fake pkg.tar' and refined info printed to screen. Added script notes.
- Edited `remove` function (`-Rh -Rc` operations). Rewrote around one half of the code. Replaced several 'set vars' used with `rm` commands with `find` `-delete`, `-print/-printf`, and figured out how to implement various `find` exit code conditions. Provide additional feedback printed to screen. Added script notes.
UPDATE For November 15, 2024
aurch.sh:
- Refined variable definition code for: `czm`, `error`, `warn`. Changes involved quoting and spaces.
- Added `# shellcheck disable=SC2016 disable=SC2028` to script so as to not warn about intended behavior.
- Edited `print_vars` function (`-Lv` operation) to now provide output capable of copy, paste into shell, to set all `aurch` variables currently set. This is to facilitate working with the script.
- Edited `help` function.
- Replaced several `echo` commands with `printf` throughout script.
- Edited `cleanup_chroot` function (`--clean` operation). It's now heredoc-ing a new script into the nspawn container if not present, then running the script. The script uninstalls all unneeded pkgs, cleans the official pkg cache of all pkgs, cleans the AUR cache of all non-AUR pkgs, removes older versions of existing AUR pkgs, removes any `download-*` dirs left by pacman, and prints quantitative results to screen.
- Edited `build-clean-chroot` function (`-Cc` operation), adding the existing `is_it_available` function, reworded printed warning message, added printed info regarding pgp keys, added the removal of any `download-*` dirs left by pacman.
UPDATE For November 13, 2024
aurch.sh:
- Added a new `-Cc --cchroot` operation. Builds package in a clean chroot. This involved a complete rewrite of the testing operation. The `aurch-cc` script has been eliminated, with the new code residing in aurch.
  Note: The new clean chroot operation is functional but needs additional testing and refinement.
- Added a fix, including printed text when it's run. The issue is some build directories were left without a PKGBUILD. The issue surfaces when an existing package is rebuilt. It was caused by early clean chroot testing.
- Replaced code that was parsing and using info printed to screen with a more robust solution.
- Function `upd_aur_db`, changed an `awk` command to be more flexible. ie: `print $5` to `$NF`.
aurch-setup.sh:
- New dependencies added for clean chroot builds: sudo devtools paccat.
  These are checked for and optionally added in aurch when '-Cc' is run as well.
- Added printed info regarding the sudo requirement over alternatives.
- Registered aurutils installation in container aur database.
README.md:
Updated 'info and updates' section to reflect changes.
UPDATE For November 8, 2024
aurch:
- Added 'warn' variable.
- Added if statement to 'fetch_pkg' function to 'mkdir $chroot/var/tmp/aurch' if not present. ie: for testing.
- Moved 'set_perm' and 'rest_perm' functions from option parsing to specifically wrap 'aur build' commands.
- Reworked, edited 'aur build --results=aur-build-raw.log' command to utilize the '--results=aur-build-raw.log' file rather than parsing and using raw output. Needs a 'feature add' to aurutils for this to work.
- Added code to parse 'aur-build-raw.log' data.
UPDATE For November 5, 2024
aurch:
- Added `perm` variable, octal permission of `"${chroot}"/build/aur.db.tar.gz`.
- Renamed `re_pr` function to `rest_perm` for improved future readability.
- The `set_perm` and `rest_perm` functions change permission on `"${chroot}"/build/aur.db.tar.gz` from `644` to `646`, then back to `644`, for the two functions requiring write access. The container system pacman sets it to `644`.
- Replaced `set_env` function with `print_vars` to print variables via `-Lv` to terminal and write to file `"${BASEDIR}"/.#aurch-vars`.
- Added info and reworded `--help` information.
- Added additional info printed to terminal for `-Cc` operation.
- Removed `set_env` from option parsing. Checking indicated this was unnecessary.
aurch-setup:
- Removed `print_env` function; its contents run in the base script now. Function unneeded with the new `sudo` invocation requirement for the script.
- Reworded `--help` information.
- Added if statement to create `"${BASEDIR}/.#aurch-vars"` if not present, with the message `"To populate with variables run: 'aurch -Lv'"`.
- Removed `print_env` function from option parsing.
aurch-cc:
- Reworded script header info. This info is now printed to terminal for additional info when using `-Cc`.
UPDATE And INFO For November 4, 2024
Manual Intervention Required For aurch 2024-11-04
With pacman 7 implementing Linux landlock and user `alpm`, this version of `aurch-install` is placing the chroot and local AUR repo outside the user's home directory, relocating them under `/usr/local/aurch/`.
This relocation required changes to `aurch` as well, making this update non-backward compatible.
The motivating factor in this change was the requirement to muck around with permissions to use pacman 7's enhanced security features with `aurch`. This update eliminates any potential `$HOME` filesystem permission compromises required going forward.
To be clear, mixing previous versions of the `aurch-setup` script, including the container it provides, with this release of `aurch` will not work. The new release of `aurch` has numerous permission related changes to enable it to work properly with the new location of the nspawn container.
Run the following for the scripts' version, which is also printed in the script headers.
aurch-setup -V
aurch -V
Unfortunately, as much of an outspoken proponent I am of 'never break backward compatibility', I just couldn't justify not making breaking changes in this case. A new nspawn container using `aurch-setup` is the way forward.
My thoughts about the new nspawn setup requirement are that anyone adventurous enough to be using `aurch` most likely wouldn't need instruction for the process. That said, I'll still provide an overview of the process I used for my first aurch container switch, from the perspective of a long term user with a few dozen AUR packages on average over the years. Best case scenario is this overview may foster some thought, leading to an improved process.
I'll start by providing the default locations of the previous and current nspawn containers and local AUR repos.
Previous versions of `aurch` placed the container/repo under `/home` by default:
- nspawn container: `$HOME/.cache/aurch/base/chroot-XXX/`
- local AUR repo: `$HOME/.cache/aurch/repo/`
The current version of `aurch` places the container/repo under `/usr` by default:
- nspawn container: `/usr/local/aurch/base/chroot-XXX`
- local AUR repo: `/usr/local/aurch/repo`
The update process I used went something like the following:
UPDATE PREP:
- Make sure your system is up to date.
- Remove `/etc/aurch.conf`.
- Remove the line `Include = /etc/aurch.conf` from `/etc/pacman.conf`.
- Remove `/var/lib/pacman/sync/aur.db`.
- Remove `/var/lib/pacman/sync/aur.files`.
- Make sure `/usr/local/aurch/` is not present.
- Remove the previous version `aurch` scripts from $PATH.
I manually moved / entered previously built AUR packages and build directories from old to new locations.
A new install of AUR packages would be a viable option as well.
INSTALL AND SETUP:
- Place the latest version `aurch` scripts under $PATH.
- Run the `aurch-setup` script, both the `-Sc` and `-Sh` operations.
- For reinstalling AUR packages, you're done here. Use the latest version of `aurch` to reinstall.
- Manually move the previously built AUR packages under container `/build/` and the host `aur/repo/` to the new locations under `/usr/local/aurch/`.
- Use `repo-add` + some bash to manually add the packages to the new databases.
- Move the previously created build directories (containing .git) under `... /aurch/base/chroot-XXX/home/builduser/` from the old to new container.
Technically the pacman databases could be relocated and reused along with the packages.
I'll give this a try on the next update and consider reporting the process, depending on the outcome.
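The "repo-add + some bash" step above is the one most likely to be done by hand. The following is an added example written for this README, not aurch's own code: it gathers the package files found in a relocated repo directory and registers them with one `repo-add` call against the database in that directory, treating an empty directory (a new repo) as zero work rather than an error. The optional third argument is an assumption of this example, not an aurch option; it lets the function be dry-run with `echo` or `true` on a machine without pacman, which is what the demo at the bottom does on constructed empty files.

```shell
#!/bin/sh
# Added example for this README (not aurch's own code): the "repo-add + some bash"
# migration step. Collects *.pkg.tar.zst / *.pkg.tar.xz files in a repo directory
# and registers them with a single repo-add call against <repo-dir>/<db-file-name>.
# The third argument (assumption of this example) replaces repo-add for dry runs.

# register_pkgs <repo-dir> <db-file-name> [repo-add-command]
# Prints the number of package files handed to repo-add on stdout; the command's
# own output goes to stderr so the count can be captured with $(...).
register_pkgs() {
    dir=$1; db=$2; cmd=${3:-repo-add}
    [ -d "$dir" ] || { printf 'no such directory: %s\n' "$dir" >&2; return 1; }
    set --                                   # reuse the positional params as a list
    for f in "$dir"/*.pkg.tar.zst "$dir"/*.pkg.tar.xz; do
        [ -f "$f" ] && set -- "$@" "$f"      # an unmatched glob stays literal; skip it
    done
    if [ $# -eq 0 ]; then                    # new or empty repo: nothing to register
        printf '0\n'; return 0
    fi
    "$cmd" "$dir/$db" "$@" >&2 || return 1   # one call registers every package
    printf '%d\n' "$#"
}

# Demo on a constructed directory with empty placeholder files, dry-run via 'echo'.
# On a real migration: register_pkgs /usr/local/aurch/repo aur.db.tar.gz
demo() {
    t=$(mktemp -d) || return 1
    : > "$t/foo-1.0-1-x86_64.pkg.tar.zst"
    : > "$t/bar-2.1-3-any.pkg.tar.zst"
    : > "$t/bar-2.1-3-any.pkg.tar.zst.sig"   # detached signatures are picked up by repo-add itself
    register_pkgs "$t" aur.db.tar.gz echo    # prints the would-be repo-add line, then 2
    rm -rf "$t"
}
demo
```

Run it against the container's `/build/` directory and the host repo separately, since each has its own database; the `.sig` files are not listed explicitly because `repo-add` looks for them next to each package.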
Any changes made to permissions, as posted previously below, can now be reverted to their previous/default settings. Below are the default permissions of HOME on a fresh Arch install.
$ stat ${HOME}
File: /home/jeff
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 8,4 Inode: 261633 Links: 9
Access: (0700/drwx------) Uid: ( 1000/ jeff) Gid: ( 1000/ jeff)
Access: 2024-11-04 16:26:28.510897414 -0800
Modify: 2024-11-04 16:26:41.680812205 -0800
Change: 2024-11-04 16:26:41.680812205 -0800
Birth: 2024-10-28 00:23:23.049409103 -0700
$ getfacl "${HOME}"
getfacl: Removing leading '/' from absolute path names
# file: home/jeff
# owner: jeff
# group: jeff
user::rwx
group::---
other::---
See the latest commits for additional details on changes.
INFO For Nov 03, 2024
I noticed gpg stopped working in my Arch Linux `aurch` nspawn container. There's a user gpg config file that's automagically generated in nspawn containers, that's breaking pgp and is the culprit. I've not yet looked into the details, but getting rid of the config will get gpg back up and running.
The file/dir is in an aurch nspawn container.
The full path from host to config using default locations is:
/home/jeff/.cache/aurch/base/chroot-Hj8/home/builduser/.gnupg/common.conf > single line: use-keyboxd
And there's a directory being created there as well:
/home/jeff/.cache/aurch/base/chroot-Hj8/home/builduser/.gnupg/public-keys.d > 36 files
A little investigation with a fresh Arch nspawn container revealed these are created upon the first invocation of gpg. An auto generated config is not something I'd expect from Arch. Possibly a gnupg thing where it recognises it's in a container, or even a systemd thing?
The files/dirs are not present in my bare metal installs. When I get some time I may look into this a bit more.(*) I did see something related to the config, a daemon? When it worked again without the config I settled for good enough.
This config is already taken care of in the upcoming version of `aurch-install`.
(*) https://gnupg.org/documentation/manuals/gnupg/GPG-Configuration.html
If the default home directory ~/.gnupg does not exist, GnuPG creates this directory and a common.conf file with "use-keyboxd".
This was not the case in my testing, as I was in the ~/.gnupg directory before starting gpg.
INFO For Oct 09, 2024
From my personal notes on aurch to use pacman7 new features.
This is a condensed summary of the previous two INFO posts below.
Of course my username and the gid numbers below will vary from system to system.
If you're trying to use aurch on a multiuser system where your user uid:gid are not 1000,
I've created a non released version of aurch that works in that environment.
Contact me for additional info.
Pacman7 must be installed prior to using this. ie: alpm group:user will be needed
These instructions are specifically for the AUR repo residing in default location under ${HOME}
An AUR repo under / has not been tested.
--------------------------------------------------------------------------------------------------------
Check file permissions:
$ stat ${HOME} | grep 'Access: ('
Access: (0750/drwxr-x---) Uid: ( 1000/ jeff) Gid: ( 970/ alpm)
$ stat ${HOME}/.cache/aurch/repo | grep 'Access: ('
Access: (0755/drwxr-xr-x) Uid: ( 1000/ jeff) Gid: ( 970/ alpm)
If the octal permissions and 'alpm' group for ${HOME} aren't set correctly,
use the following commands to change them as required.
$ sudo chown :alpm "${HOME}"
$ chmod 750 "${HOME}"
If the permissions on the AUR repo directory aren't set to 755, $USER:alpm per above
set them as required:
$ sudo chown -R :alpm "${HOME}/.cache/aurch/repo/"
$ chmod 755 "${HOME}/.cache/aurch/repo"
--------------------------------------------------------------------------------------------------------
Create the following directory and config file:
This is a configuration file for the nspawn container used by aurch.
It passes the Linux kernel's landlock sandbox feature to the container.
$ sudo mkdir /etc/systemd/nspawn/
Create the file '/etc/systemd/nspawn/<chroot-XXX>.nspawn' with the following content:
$ sudo nano /etc/systemd/nspawn/<chroot-XXX>.nspawn
[Exec]
SystemCallFilter=@sandbox
--------------------------------------------------------------------------------------------------------
Check that the pacman.conf settings in both host and nspawn container are set to the following default settings:
$ grep -E 'DownloadUser|DisableSandbox' /etc/pacman.conf
$ grep -E 'DownloadUser|DisableSandbox' ${HOME}/.cache/aurch/base/chroot-*/etc/pacman.conf
DownloadUser = alpm
#DisableSandbox
--------------------------------------------------------------------------------------------------------
Check "${HOME}" ACL settings:
The following should be set.
$ getfacl "${HOME}"
group::r-x
If not set correctly, run:
$ setfacl -m g:alpm:r-x "${HOME}"
If set correctly, you should see:
$ getfacl "${HOME}"
# owner: jeff
# group: alpm
user::rwx
group:alpm:r-x
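The checks in this condensed summary (directory mode and group, the `DownloadUser`/`DisableSandbox` lines, the `.nspawn` syscall filter), plus the AUR db ownership flip described in the November 22 update, can be run as one read-only pre-flight script. The following is an added example written for this README, not aurch's own code or its `ck_per` function: it only reports, never chowns or edits. It assumes GNU `stat -c`; the expected values (`750`/`755`, group `alpm`, `chroot-XXX`) are the defaults quoted above, and the demo at the bottom runs against constructed temporary files so it works without pacman 7 or an nspawn container.

```shell
#!/bin/sh
# Added example for this README (not aurch's own code): read-only pre-flight checks
# for the pacman 7 settings described above. Every function only reports and returns
# 0 (ok) or 1 (problem); nothing here chowns, chmods or edits a config file.

# Octal mode of a path, e.g. 750 for ${HOME} and 755 for the AUR repo directory.
check_mode() {                      # check_mode <path> <expected-octal>
    local actual
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { printf 'FAIL %s: cannot stat\n' "$1"; return 1; }
    if [ "$actual" = "$2" ]; then
        printf 'ok   %s mode %s\n' "$1" "$actual"
    else
        printf 'FAIL %s mode %s, expected %s\n' "$1" "$actual" "$2"; return 1
    fi
}

# Owning group; the notes expect group 'alpm' on ${HOME} and on the AUR repo.
check_group() {                     # check_group <path> <expected-group>
    local actual
    actual=$(stat -c '%G' "$1" 2>/dev/null) || { printf 'FAIL %s: cannot stat\n' "$1"; return 1; }
    if [ "$actual" = "$2" ]; then
        printf 'ok   %s group %s\n' "$1" "$actual"
    else
        printf 'FAIL %s group %s, expected %s\n' "$1" "$actual" "$2"; return 1
    fi
}

# Owning user; detects the AUR db flipping to root ownership (November 22 update)
# without correcting it, so the chown stays a deliberate step.
check_owner() {                     # check_owner <path> <expected-user>
    local actual
    actual=$(stat -c '%U' "$1" 2>/dev/null) || { printf 'FAIL %s: cannot stat\n' "$1"; return 1; }
    if [ "$actual" = "$2" ]; then
        printf 'ok   %s owner %s\n' "$1" "$actual"
    else
        printf 'FAIL %s owner %s, expected %s\n' "$1" "$actual" "$2"; return 1
    fi
}

# pacman.conf (host or container): 'DownloadUser = alpm' active, 'DisableSandbox' commented out.
check_pacman_conf() {               # check_pacman_conf <path-to-pacman.conf>
    local rc=0
    if grep -Eq '^[[:space:]]*DownloadUser[[:space:]]*=[[:space:]]*alpm' "$1"; then
        printf 'ok   %s: DownloadUser = alpm\n' "$1"
    else
        printf 'FAIL %s: DownloadUser = alpm is missing or commented out\n' "$1"; rc=1
    fi
    if grep -Eq '^[[:space:]]*DisableSandbox' "$1"; then
        printf 'FAIL %s: DisableSandbox is active\n' "$1"; rc=1
    else
        printf 'ok   %s: DisableSandbox is commented out\n' "$1"
    fi
    return $rc
}

# /etc/systemd/nspawn/<chroot-XXX>.nspawn must pass the @sandbox syscall group.
check_nspawn_conf() {               # check_nspawn_conf <path-to-.nspawn-file>
    if [ -f "$1" ] && grep -Eq '^[[:space:]]*SystemCallFilter=.*@sandbox' "$1"; then
        printf 'ok   %s: SystemCallFilter=@sandbox\n' "$1"
    else
        printf 'FAIL %s: missing or without SystemCallFilter=@sandbox\n' "$1"; return 1
    fi
}

# Demo on constructed files only. Against a real host you would call, for example:
#   check_mode "$HOME" 750; check_group "$HOME" alpm; check_pacman_conf /etc/pacman.conf
#   check_nspawn_conf /etc/systemd/nspawn/chroot-XXX.nspawn
demo() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/repo" && chmod 750 "$t/home" && chmod 755 "$t/home/repo"
    printf '[options]\nDownloadUser = alpm\n#DisableSandbox\n' > "$t/pacman.good.conf"
    printf '[options]\n#DownloadUser = alpm\nDisableSandbox\n' > "$t/pacman.bad.conf"
    printf '[Exec]\nSystemCallFilter=@sandbox\n' > "$t/chroot-XXX.nspawn"
    check_mode "$t/home" 750
    check_mode "$t/home/repo" 755
    check_group "$t/home" "$(id -gn)"        # would be 'alpm' on a real pacman 7 host
    check_owner "$t/home/repo" "$(id -un)"
    check_pacman_conf "$t/pacman.good.conf"
    check_pacman_conf "$t/pacman.bad.conf"   # prints two FAIL lines on purpose
    check_nspawn_conf "$t/chroot-XXX.nspawn"
    rm -rf "$t"
}
demo
```

The container's `pacman.conf` lives under the chroot directory, so run `check_pacman_conf` once on `/etc/pacman.conf` and once on `<chroot-XXX>/etc/pacman.conf`; a FAIL line names the file and the setting so it maps directly onto the corrective commands listed above.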
INFO For Sep 30, 2024
I've figured out how to easily enable pacman 7.0 sandboxing in the nspawn container used by aurch.
These findings will eventually make their way into aurch-install.
To use pacman sandboxing in an nspawn container there are a few options.
Use '@sandbox' with '--system-call-filter=' on the CLI. ie:
$ sudo systemd-nspawn --system-call-filter=@sandbox .....
Or setup a config file as follows for regularly used containers. See refs below for details.
As root, create a dir '/etc/systemd/nspawn/' and file '/etc/systemd/nspawn/<nspawn-root-dir-name>.nspawn'
using the directory name containing the nspawn root FS or image name, with the following content.
ie: If directory 'chroot-Dz8' contains the root filesystem of an nspawn container.
$ sudo nano /etc/systemd/nspawn/chroot-Dz8.nspawn
[Exec]
SystemCallFilter=@sandbox
Be sure 'DownloadUser' is uncommented and 'DisableSandbox' is commented
in the nspawn container pacman config file '/etc/pacman.conf'.
References:
https://wiki.archlinux.org/title/Systemd-nspawn#Configuration
https://man.archlinux.org/man/systemd.nspawn.5
https://linux-audit.com/systemd/systemd-syscall-filtering/
https://man.archlinux.org/man/systemd.exec.5
INFO For Sep 18, 2024
Pacman 7 has added new security related features requiring manual intervention for both Arch and Aurch.
Systems using Aurch need changes to allow pacman user 'alpm' access to the local AUR repo.
The pacman user 'alpm', is a new, minimally permissioned system user:group used to download packages.
The following commands assume the local AUR repo is located in the default location, within $HOME.
The first two commands change $HOME directory group to 'alpm' and the 700 permission to 750.
The last command changes the AUR repo directory group to 'alpm' recursively.
$ chown :alpm "${HOME}"
$ chmod 750 "${HOME}"
$ sudo chown -R :alpm "${HOME}/.cache/aurch/repo"
An edit to pacman.conf in nspawn is also required as Linux 'landlock' is unavailable in the container.
In the AUR nspawn container, /etc/pacman.conf, comment out the following line containing DownloadUser.
Commenting out the 'DownloadUser' line will have pacman fall back to using root to download packages.
# DownloadUser = alpm
Additional Info:
Arch News: https://archlinux.org/news/manual-intervention-for-pacman-700-and-local-repositories-required/
Additional info:
$ man pacman.conf (search: DownloadUser)
$ man pacman (search: --disable-sandbox)
pacman-dev mail list: https://www.mail-archive.com/[email protected]/msg01132.html
Keep in mind the Arch News on pacman does not include the mandatory additional steps outlined above.
Opinion Short:
Unfortunately, changes to pacman affecting users have at times seemed tightly held within the pacman development team.
Seems the pacman project just doesn't place much emphasis or resources on user level documentation.
That said, this is nothing unusual for open source projects. It's almost as if these talented volunteer
programmers prefer writing code over writing accurate, thorough user level documentation!
I know, difficult to imagine! There's also source code available for a relaxing, insightful read.
Additional Show Stopping Findings:
If you've implemented the above and still have issues, see the link below for info on ACL permissions.
Search for 'Additional show stopping finding:' located near the bottom of the page.
https://bbs.archlinux.org/viewtopic.php?pid=2196652#p2196652
I did have to make the ACL setting changes outlined in the link above on one Arch setup.
Last resort if all else fails in the host system:
(1) Try commenting out 'DownloadUser'.
(2) Lastly, uncomment 'DisableSandbox' in pacman.conf
Disabling the sandbox features in pacman would of course not take advantage of the new security enhancements.
Although I'd strongly advise against disabling sandboxing in the host system, there has never been a
reported case of a pacman security related exploit from downloading packages as root to my knowledge.
AFAIK, there has never been a security exploit of pacman reported since its introduction ~20 years ago.
UPDATE For Aug 9, 2024
aurch-setup.sh:
Added container shell configs: colored shell prompts, header ids, and aliases.
Corrected script comments and printed comments replacing 'chroot' with 'container'/'nspawn-container'.
Changed 'sleep' times.
Added printed comments for added container configuration.
Cleaned up trailing white space.
README.md:
Updated to report changes.
UPDATE For Aug 3, 2024
Fixed the processing of a printed message to the user.
Added a file of experimental code for aurch to build packages in a clean chroot,
rather than the aurch nspawn container.
Somewhat Unrelated:
Added an .sh suffix to several of the scripts in here and my other repos/scripts.
The suffix is used in the github-ca.sh script to streamline installing my scripts in a new system.
UPDATE For Aug 1, 2024
aurch:
Worked on eliminating 'sudo timeouts' on long running package builds.
Edited 'cleanup_chroot' function to eliminate sudo timeouts,
works in conjunction with supplied '/etc/sudoers.d/aurch' example.
Edited 'check_host_updates' function to provide accurate results
on installed version if package is downgraded or held back from latest.
Cleaned up script comments.
UPDATE For July 19, 2024
Fixed "Review Files" for AUR dependency review when they are downloaded.
Renamed PAGER variable to AURFM to eliminate potential issues.
Corrected the incorrect/interchangeable usage of the words 'chroot' and 'nspawn container' in README.md
and '--help' sections of scripts.
UPDATE For July 14, 2024
Updated dependencies list in aurch.
Updated --help option and README file to mention PAGER variable.
UPDATE For April 21, 2024
Aurch-setup: Added 'mc' package as checked/installed dependency.
UPDATE For April 17, 2024
Aurch:
Fixed the info box "Chroot Path" line to align automatically.
Added '-' to the 'opt' variable in the '# Optionally install package #' section to silence an
incorrect shellcheck SC2154 warning (opt is assigned in option parsing).
UPDATE For April 14, 2024
Added '-V --version' operation to both aurch and aurch-setup.
Append '-' to 'udb' variable in 'upd_aur_db' function as required by 'set -u'.
NEWS For April 12, 2024
Subject: Debug Packages
Some time back, pacman enabled debug packages by default in '/etc/makepkg.conf'.
This results in a debug package being built for AUR packages.
If this is unwanted behavior, edit '/container-path/etc/makepkg.conf' appropriately.
See the notes in makepkg.conf for additional info.
To remove any unwanted AUR debug packages from the host and/or AUR sync db:
Install 'package-debug' with pacman.
Remove it using aurch. ie: aurch -Rh 'package-debug'.
UPDATE For April 12, 2024
Setup virtual environment for testing.
Aurch-Setup:
Pacman's repo-add no longer allows a new, empty repo to be initialized.
Commit: https://gitlab.archlinux.org/pacman/pacman/-/commit/f91fa546f65af9ca7cdbe2b419c181df609969b7
Made changes to accommodate repo-adds new behavior.
Made changes to implement the use of 'set -euo pipefail'.
Aurch:
Discovered a new issue upon initial run caused by adding 'set -euo pipefail'.
Script exited on a 'find' command returning an empty result along with the expected non-zero exit code.
Placed placeholder files in the AUR repos so the find command returns a result and a zero exit code.
UPDATE For April 8, 2024
Fixed the 'Convert input to all lower case' positional parameter expansion into the 'package' variable.
Added error handling for no package input used with '-B' and '-G' operations.
Cleaned up script comments and removed commented out testing code.
UPDATE For April 7, 2024
Although I don't base the quality of bash scripts on the use of the controversial 'set -euo pipefail',
I have been curious about what changes would be required to implement it.
Updated the aurch script to implement 'set -euo pipefail'.
Directly from my notes:
'set -u' Will not allow printing vars to file, lines 48-58. Appending '-' to all vars fixed issue.
'set -u' Will not allow using positional parameters. Appending '-' to all positional parameters fixed issue.
'set -u' Exits on: "/path/to/script/ line 147: $2: unbound variable"
Line 147, '$2' is part of an awk command inside an "EOF [here doc]" and not a bash positional parameter. (A bash bug?)
Rewrote 'fetch_pkg' function lines ~143-159, to accommodate 'set -u' by removing awk from the here doc.
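The "$2: unbound variable" symptom described in the notes above comes from the here-document delimiter, not from awk: with an unquoted <<EOF bash performs parameter expansion on the body, so a "$2" meant for awk is read as the shell's second positional parameter. The following is an added example, not code from the aurch scripts, that isolates the failure next to the working form. The package listing and the function names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not aurch code: why a bare $2 inside a here document fails
# under 'set -u', and the quoting that fixes it. Listing and names constructed.

# Constructed input: one "<pkgname> <version>" pair per line.
SAMPLE_LISTING='aurutils 20.3-1
pacutils 0.14.0-1
mc 4.8.32-1'

# Broken form. The delimiter is unquoted (<<EOF), so bash expands the body
# before awk ever sees it. "$2" is therefore the shell's second positional
# parameter, not awk's second field. The function takes one argument, so under
# 'set -u' the expansion fails with "$2: unbound variable" and the function
# returns 1 without running awk. Without 'set -u' it would silently expand to
# nothing and awk would run "{ print  }", printing whole lines: wrong output
# and no error, which is the worse failure mode.
version_column_unquoted() {
    (
        set -u
        prog=$(cat <<EOF
{ print $2 }
EOF
        ) || exit 1
        printf '%s\n' "$1" | awk "$prog"
    )
}

# Fixed form. Quoting the delimiter (<<'EOF') disables all expansion in the
# body, so awk receives the literal text "$2" and prints its second field.
# Escaping as \$2 in an unquoted here document also works, but quoting the
# delimiter protects every $ in the awk program at once.
version_column_quoted() {
    (
        set -u
        prog=$(cat <<'EOF'
{ print $2 }
EOF
        ) || exit 1
        printf '%s\n' "$1" | awk "$prog"
    )
}

# Stand-alone demo: the quoted form prints the version column, the unquoted
# form aborts with bash's unbound variable diagnostic on stderr.
demo() {
    echo "quoted:";   version_column_quoted "$SAMPLE_LISTING"
    echo "unquoted:"; version_column_unquoted "$SAMPLE_LISTING" || echo "(failed, exit $?)"
}
```

The same rule applies to any program text delivered through a here document (sed, awk, a nested shell script run inside the container): quote the delimiter unless you actually want the host shell to substitute values into it. For variables that may legitimately be unset under 'set -u', the "${var-}" form (the appended '-' mentioned in the notes) is the standard idiom.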
UPDATE For March 10, 2023
Updated script for compatibility with interface changes made to aurutils-11.
https://github.com/AladW/aurutils/releases/tag/11
Updated README to reflect changes and clarify info.
UPDATE For Jan 07, 2023
When deleting AUR packages from host, corrected ability to remove "all versions" of pkgs from the host AUR package cache.
Add an if statement to 'check_host_updates' function to properly handle and print message 'No Updates Available'.
Edited message in 'check_host_updates' function when package is newer than the AUR rpc version to:
"VCS Packages newer than AUR rpc version. Run 'aurch -Luc' to check them for updates.".
UPDATE For Feb 11, 2022
Change curl commands to reflect AUR RPC interface update/changes.
Add removal of /var/tmp/aurch/orig-pkgs.log ("${tmph}"/orig-pkgs.log) in chroot so 'orig package list' reflects edits/changes made to .#orig-pkgs.log in base dir.
Add if statement to check build dir/s for .git dir. This allows adding misc dirs (ie: 'testing' toolchain pkgs) under builduser's home.
UPDATE For Jan 21, 2022
Disable 'set -e'.
Testing in virtual hw system revealed failure to build pkg that was not present on test system.
UPDATE For Jan 06, 2022
Implemented 'set -e' in script.
Added code line 162 to enable proper 'set -e'.
Added '-a' opt to systemd-nspawn commands.
Replaced cat with sort in subshell for comm command.
Added 'else' to if statement in upd_aur_db function.
UPDATE For Dec 14, 2021
Added operations:
aurch -Syu System update in chroot
aurch -Luh List updates available in host for installed AUR packages
aurch --login Login to chroot system to perform maintenance
Added check to avoid multiple re-downloading pgp keys.
Added AUR file inspection before building using PAGER with interactive y/n option in script.
Replaced some for loops with while loops when working with files.
Added code to remove operation in chroot to assure all possible conditions are handled.
Began implementation of 'aur build --results' file to replace grepped output for conditional processing.
Added missing aur database entry for rebuilt, overwritten, same version packages.
Removed install workaround in host for missing database entry using pacman -u.
UPDATE For Dec 10, 2021
The predominant focus this time around was implementing some additional flexibility to allow aurch to be usable for more
than my personal setup and preferences. Implemented virtual hardware testing as a start towards this objective.
Split the system setup and building packages into separate scripts. Too many additional smaller changes to go over here.
Future road map includes implementing a built in inspection step of downloaded AUR data and running a check for existing
PGP keys to eliminate needless re-downloading.
UPDATE For Nov 29, 2021
Added pacutils as a dependency.
Added ability when overwriting existing packages in host to handle multiple entries from split packages.
Rewrote check_updates function to reduce and simplify code.
Added/changed the following operations/options:
Remove operation:
aurch -Rc Performs the following on chroot:
Removes package from local AUR repo, /build.
Removes build dir /home/builduser/<package>.
Removes <package> entry in AUR database.
aurch -Rh Performs the following on host:
Removes package from local AUR repo, AURREPO.
Removes <package> (pacman -Rns) if installed.
Removes <package> entry in AUR database.
Build operation option:
aurch -Bi [i][install] package in host after build.
List operation options:
aurch -Luq [q][quiet] lists available aur updates for chroot [packages only].
aurch -Lcq [q][quiet] lists chroot aur sync database [packages only].
aurch -Lhq [q][quiet] lists host aur sync database [packages only].
UPDATE For Nov 27, 2021
Rewrote 'here document' usage to extend systemd-nspawn functionality, rather than inserting multiple small scripts into chroot.
Added code and printed comments relating to rebuilding and reinstalling same version of packages.
Reworked 'setup_chroot' function to eliminate the evil 'eval' command.
Integrated /var/tmp directory usage in chroot and added file extensions to ease its cleanup.
UPDATE For Nov 24, 2021
Added '-L --listup' operation to list updates.
The new function runs on the packages in the chroot AUR repo.
It compares local vs remote git HEAD and lists mismatching packages.
UPDATE For Nov 21, 2021
Added function to add packages to the host's AUR repo database.
UPDATE For Nov 20, 2021
Fixed for proper split package handling.
UPDATE For Nov 14, 2021
Rewrote aurch to no longer require AUR dependencies. No AUR helper required on host.
Creates a chroot with aurutils set up, including a local pacman AUR repo, inside the chroot.
Added ability to git clone and build package independently to ease customization.
AUR packages are retained in the chroot for dependency usage.
NEWS FOR Oct 31, 2021
Initial release of the aurch script.
The script is in the testing phase.