New pacman (6.0) doesn't download the <pkg>.sig files if SigLevel is
set to `Never`; an understandable optimization in general, but for our
use case an issue.
We cache packages on the host, where we have internet but do not have
an archlinux trusted keyring setup; we then verify the non-bootstrap
packages (i.e., all but pacman and the keyring) in the bootstrapping
container itself.
This is somewhat ugly, but one of the simpler options. A possible
alternative in the long run could be to package archlinux-keyring for
Debian and have that as a dependency for aab; then we could populate a
local directory (pacman has a `--gpgdir` option) and fully verify all
that.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

`aab` installs `archlinux-keyring`, which in turn invokes `dirmngr` during
installation. `dirmngr` needs access (at least) to '/dev/null' (see [0]), which
`aab` only created afterwards (before populating the keyring). This led to
`dirmngr` spinning and filling the filesystem with a regular file
'${rootfs}/dev/null' containing error messages.
This patch changes the behavior of aab: it now creates the devices before
installing 'archlinux-keyring' and removes them after the keyring is populated.
In order to save one further `mkdir` call for the 'dev' directory, this was
appended to the `mkpath` invocation in ve_init.
[0] https://bbs.archlinux.org/viewtopic.php?id=222002
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

The mkdir in initialize is not too helpful, since ve_init, which usually gets
called soon after (`aab init` is followed by `aab bootstrap` in the Makefile),
has a `rmtree $self->{rootfs}` and recreates it directly afterwards.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

This reduces a fresh container's size by ~220M (170M for the gzipped template)
and additionally prevents one spurious error message from
`systemd-tmpfiles --create` occurring during bootup and other invocations
(e.g. `pacman -S $package`).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

Since the container config for the build is created with O_EXCL, multiple
consecutive invocations of `make default` fail if the config file exists.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>