EROFS, like Squashfs, is a read-only file system. It can be used to store airootfs in an image file.
Its advantage is the support for POSIX ACLs. EROFS's downside is that currently it only supports LZ4 compression (LZMA support is not yet fully implemented).
A difference from Squashfs is that EROFS stores change time (ctime), not modification time (mtime). The reverse is true for Squashfs.
Implements https://gitlab.archlinux.org/archlinux/archiso/-/issues/59
configs/releng/packages.x86_64:
Add usbmuxd to list of packages, so that users have the option to use iOS devices out-of-the-box for data connection
during installation.
Fixes #99
`du --block-size=MiB` (and `du -m`) returns mebibytes not megabytes.
Additionally, shorten the du command. `du --block-size=MiB` is the same as `du -m`.
.gitlab/ci/build-host.sh:
Set shebang to /usr/bin/env bash to be more portable/flexible.
Turn all POSIX statements ([]) into bash-style statements ([[]]), as we are using bash.
Terminate the list of parameters to rm or cp with --.
Replace the implementation of finding a local ISO to use with one that relies on a sorted list of potential images.
Use virtio-net-pci for networking with qemu.
Set the cow_spacesize to 4G for the archiso environment.
Use --needed in the call to pacman to not re-install already up-to-date targets.
Attempt a full system upgrade (but ignore the kernel).
Increase the timeout for when installing packages to the archiso environment using pacman to 120s, as a system upgrade
is being done as well.
Use systemctl poweroff -i to shut down the virtual machine as it is more future proof and robust.
.gitlab-ci.yml:
Add a build stage to the gitlab CI, that facilitates the scripts below .gitlab/ci/, building the baseline and releng
profiles in parallel.
Distinguish the use-case in which builds are done for master, schedules and tags in a secure environment and any other
where builds just have to be fast (for ensuring nothing is broken).
Use MiB as block size for the du call when generating data for the metrics file.
.gitlab/ci/build-host.sh:
Add script to be run in a container with access to qemu.
It is a slight modification of arch-boxes' build-host.sh script to cater to the specific archiso requirements.
.gitlab/ci/build-inside-vm.sh:
Add script to be run in virtualized environment, established by build-host.sh.
This script builds the actual archiso profiles and creates checksums for the resulting image files.
After pacman-mirrorlist is installed, /etc/pacman.d/hooks/uncomment-mirrors.hook will run a sed command which uncomments all Server lines in /etc/pacman.d/mirrorlist.
This brings us another step closer to the complete removal of customize_airootfs.sh.
Related to https://gitlab.archlinux.org/archlinux/archiso/-/issues/21.
When booting via PXE, we want to keep our DNS configuration. So remove
/etc/resolv.conf in the new root before copying the current file.
Without this, systemd-resolved fallback nameservers are used and we see an
error message when the root ships a symbolic link to systemd-resolved's
stub-resolv.conf:
cp: not writing through dangling symlink '/new_root/etc/resolv.conf'
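The failure above, and the fix of removing the destination before copying, reproduced as an added example (this is not archiso's own code). Everything runs inside a temporary directory; the symlink is made relative so that it is dangling inside the fake root without pointing at a real file on the host, and install_resolv_conf is an assumed helper name:

```shell
# Added example: demonstrate why copying resolv.conf into a new root fails
# when the destination is a dangling symlink, and the rm-before-cp fix.
set -e

# Assumed helper: install the host's resolv.conf into a new root, removing
# whatever sits at the destination first so that a symlink to
# systemd-resolved's stub-resolv.conf cannot redirect or block the write.
install_resolv_conf() {
    src="$1"
    newroot="$2"
    dest="$newroot/etc/resolv.conf"
    mkdir -p "$newroot/etc"
    # -f ignores a missing destination; no -r, so a directory is never removed.
    rm -f -- "$dest"
    cp -- "$src" "$dest"
}

# Build the scenario: a constructed host resolv.conf and a new root whose
# /etc/resolv.conf links to a stub-resolv.conf that does not exist there.
# (The real link is absolute; a relative one keeps the demo inside the tempdir.)
make_scenario() {
    work="$(mktemp -d)"
    printf 'nameserver 192.0.2.53\n' > "$work/resolv.conf"   # constructed sample
    mkdir -p "$work/new_root/etc"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$work/new_root/etc/resolv.conf"
    printf '%s\n' "$work"
}

# The naive copy fails: GNU cp refuses to write through the dangling symlink
# (other cp implementations fail on the missing link target instead).
naive_copy_fails() {
    work="$1"
    ! cp -- "$work/resolv.conf" "$work/new_root/etc/resolv.conf" 2>/dev/null
}

# Success criterion: the destination is a regular file, not a symlink, and
# carries the host's nameserver line, i.e. the DNS configuration survived.
check_installed() {
    dest="$1/new_root/etc/resolv.conf"
    [ -f "$dest" ] && [ ! -L "$dest" ] && grep -q '^nameserver 192.0.2.53$' "$dest"
}

# Stand-alone demo run.
demo="$(make_scenario)"
if naive_copy_fails "$demo"; then
    echo "naive cp failed as expected" >&2
fi
install_resolv_conf "$demo/resolv.conf" "$demo/new_root"
check_installed "$demo" && echo "resolv.conf installed as a regular file" >&2
rm -rf -- "$demo"
```

The point of the `rm -f` rather than `cp --remove-destination` is portability: the former works with any cp, and the explicit removal documents the intent in the script.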
To date the iso version was used for iso volume information and iso file name.
In my custom builds I do use it a lot more:
* Inside the root fs: The system knows about its own version. I use this to:
-> report the version to a server (poor man's inventory)
-> let the system update itself
* On the iso fs: The files are served via rsync, running systems transfer
version file first to check for available update.
* A grub environment file on the iso fs: Booting the iso from grub allows
creating a cow directory per version:
loopback loop archlinux.iso
load_env -f (loop)/arch/grubenv
linux (loop)/arch/boot/x86_64/vmlinuz-linux ... \
cow_directory=archlinux/${VERSION} ...
So let's just create these files.
Usage: Launch run_archiso.sh -v ..., and then use a VNC viewer
(e.g. from https://wiki.archlinux.org/index.php/List_of_applications/Internet#Remote_desktop)
to connect (typically to `localhost`) on the default VNC port (5900).
This enables using run_archiso in a "headless" session; e.g. when SSH logged in
to the CLI of a VM, without a local display attached. This is handy e.g. when
playing https://en.wikipedia.org/wiki/Inception and running an archlinux*.iso
on any non-Arch (say Fedora workstation), on which one built a new ISO, that you
then "run_archiso", inside which you could build another ISO, which you could
itself start inside the nested VM... ;-)
Jokes apart, this could also be used to run automated CI/CD tests of the built ISO,
which is particularly interesting in combination with the cloud-init support;
see https://wiki.archlinux.org/index.php/Cloud-init.
see https://bugs.archlinux.org/task/69142
archiso/mkarchiso:
Make sure to always compare absolute paths in `_make_custom_airootfs()` (as `realpath` is used).
Remove `echo` calls that prevent the setting of actual file ownerships and modes.
configs/releng/profiledef.sh:
Set file mode of /root/.automated_script.sh to 755.
Fixes #82
profiledef.sh can now contain an associative array called file_permissions which can be used to set custom ownership and mode of custom airootfs files. The array's keys contain the path and the value is a colon-separated list of owner UID, owner GID and access mode.
For example:
file_permissions=(
["/etc/shadow"]="0:0:400"
)
This means that mkarchiso now copies airootfs files (and directories) without permissions and anything that should be owned by a user other than root and/or if the mode should be something other than 644 for files and 755 for directories must be listed in ${file_permissions[@]} in profiledef.sh.
Fixes https://gitlab.archlinux.org/archlinux/archiso/-/issues/61.
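How one such "uid:gid:mode" entry can be validated and applied under a staging root, as an added example (this is not mkarchiso's own implementation). validate_spec, apply_file_permission and the staging layout are assumptions; the spec is written in POSIX sh so it does not depend on bash's associative arrays, and it takes the path and value as two arguments instead of reading the array directly:

```shell
# Added example: parse and apply one file_permissions entry of the form
# "uid:gid:mode" below a staging root, rejecting malformed entries first.
set -e

# Validate a "uid:gid:mode" spec. Returns 1 on malformed input so that a typo
# in profiledef.sh is caught before chown/chmod touch anything.
validate_spec() {
    spec="$1"
    old_ifs="$IFS"; IFS=:
    set -- $spec
    IFS="$old_ifs"
    if [ "$#" -ne 3 ]; then
        echo "bad spec (expected uid:gid:mode): $spec" >&2; return 1
    fi
    case "$1" in ''|*[!0-9]*) echo "uid must be numeric: $spec" >&2; return 1 ;; esac
    case "$2" in ''|*[!0-9]*) echo "gid must be numeric: $spec" >&2; return 1 ;; esac
    case "$3" in ''|*[!0-7]*) echo "mode must be octal: $spec" >&2; return 1 ;; esac
    if [ "${#3}" -gt 4 ]; then
        echo "mode too long: $spec" >&2; return 1
    fi
}

# Apply the spec to $root$path. Joining under the staging root means the entry
# "/etc/shadow" changes the airootfs copy, never the build host's /etc/shadow.
# chown runs before chmod because chown may clear setuid/setgid bits.
apply_file_permission() {
    root="$1"; path="$2"; spec="$3"
    validate_spec "$spec" || return 1
    target="$root/$path"
    if [ ! -e "$target" ]; then
        echo "no such file in airootfs: $path" >&2; return 1
    fi
    old_ifs="$IFS"; IFS=:
    set -- $spec
    IFS="$old_ifs"
    chown "$1:$2" "$target"
    chmod "$3" "$target"
}

# Octal mode of a file, used to check the result.
mode_of() {
    stat -c '%a' "$1"
}

# Stand-alone demo: a constructed staging root standing in for the airootfs
# copy. The page's example entry is ["/etc/shadow"]="0:0:400"; ownership 0:0
# needs root, so the demo uses the current user's uid/gid with the same mode.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/etc"
printf 'root:*:19000:0:99999:7:::\n' > "$demo_root/etc/shadow"   # constructed sample line
apply_file_permission "$demo_root" /etc/shadow "$(id -u):$(id -g):400"
echo "mode of staged /etc/shadow: $(mode_of "$demo_root/etc/shadow")" >&2   # 400
rm -rf -- "$demo_root"
```

Reading the real array would be a bash loop such as `for p in "${!file_permissions[@]}"; do apply_file_permission "$airootfs" "$p" "${file_permissions[$p]}"; done`; the validation is the part worth keeping, since a silently mis-parsed mode on a file like /etc/shadow ends up in the shipped image.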
archiso/mkarchiso:
Guard the call to `_mksignature()` in `_prepare_airootfs_image()` by an if statement.
Using the `&&` logic leads to `_prepare_airootfs_image()` evaluating to false if `$gpg_key` is not set.
Add `_msg_info()` calls to `_set_override()` which prevent the function from evaluating to false if no override is
being done. Additionally this is great for debugging purposes.
Add `_msg_info()` calls to `_read_profile()` (which is great for debugging purposes).
Fixes #81
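The exit-status pitfall behind both fixes, shown as an added example (not mkarchiso's own code). prepare_with_and, prepare_with_if, mksignature_stub and set_override are stand-ins for _prepare_airootfs_image(), _mksignature() and _set_override(); gpg_key mirrors the variable named above, and the key id used in the demo is a constructed placeholder:

```shell
# Added example: a function whose last statement is "test && action" returns
# the test's failure status when the test is false, which under `set -e`
# aborts the caller. An if statement (or a message on the "nothing to do"
# branch) gives the function a successful last command either way.
set -e

# Stand-in for _mksignature(): records that signing would have happened.
mksignature_stub() {
    signed=1
}

# Before the fix: with gpg_key empty the test is false, && short-circuits,
# and the function's status is that of the failed test (1).
prepare_with_and() {
    signed=0
    [ -n "${gpg_key:-}" ] && mksignature_stub
}

# After the fix: the if statement consumes the test's status, so the function
# returns 0 whether or not a signature was made.
prepare_with_if() {
    signed=0
    if [ -n "${gpg_key:-}" ]; then
        mksignature_stub
    fi
}

# Same shape as the _set_override() change: log on the no-override branch so
# the function never ends on a false test, and the log doubles as debug output.
set_override() {
    name="$1"; value="$2"
    if [ -n "$value" ]; then
        echo "override: $name=$value" >&2
        override_count=$((override_count + 1))
    else
        echo "no override for $name" >&2
    fi
}
override_count=0

# Stand-alone demo with no signing key configured.
gpg_key=""
if prepare_with_and; then
    echo "prepare_with_and succeeded" >&2
else
    echo "prepare_with_and failed with status $? although nothing went wrong" >&2
fi
prepare_with_if && echo "prepare_with_if succeeded (signed=$signed)" >&2
set_override cow_spacesize ""
set_override cow_spacesize 4G
```

Note that `set -e` does not exit inside the `&&` list itself; the damage is done one level up, when the enclosing function is called as a plain statement and its non-zero status is no longer exempt.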