Now that stages no longer access the network, drop CA certificate setup. In the future, we may want to restrict all network access to the container, but that requires more work. Signed-off-by: Tom Gundersen <teg@jklm.no>
#!/usr/bin/python3.6
import array
import json
import os
import pathlib
import socket
import subprocess
import sys
# copied from remoteloop.py
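def load_fds(sock, msglen):
    """Receive one JSON datagram plus any file descriptors passed with it.

    Reads at most `msglen` bytes from `sock` and collects the descriptors
    carried in SCM_RIGHTS ancillary data. The ancillary buffer is sized for
    253 descriptors, the most Linux passes in a single message.

    Returns a (message, fds, address) tuple: the decoded JSON payload, the
    received descriptors as a list of ints, and the sender address exactly
    as recvmsg() reported it.

    Raises RuntimeError when the kernel flags the control data as truncated
    (MSG_CTRUNC). Descriptors dropped that way would otherwise be lost
    silently, so the partial list is closed and refused rather than
    returned.
    """
    fds = array.array("i")  # Array of ints
    msg, ancdata, flags, addr = sock.recvmsg(msglen, socket.CMSG_LEN(253 * fds.itemsize))
    for cmsg_level, cmsg_type, cmsg_data in ancdata:
        if cmsg_level == socket.SOL_SOCKET and cmsg_type == socket.SCM_RIGHTS:
            # Append data, ignoring any truncated integers at the end.
            usable = len(cmsg_data) - (len(cmsg_data) % fds.itemsize)
            fds.frombytes(cmsg_data[:usable])
    if flags & socket.MSG_CTRUNC:
        # Close what did arrive so nothing dangles in this process, then
        # refuse the message: the caller cannot tell which fds are missing.
        for fd in fds:
            os.close(fd)
        raise RuntimeError("ancillary data was truncated; file descriptors may have been lost")
    return json.loads(msg), list(fds), addr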
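def ldconfig():
    """Rebuild the dynamic linker cache in the build root.

    `ldconfig` prints a warning when /etc/ld.so.conf is missing, so the
    file is created (empty) first; an existing file only gets its
    timestamps refreshed, which is what the former `touch` call did.

    Raises subprocess.CalledProcessError if ldconfig exits non-zero.
    """
    # Done in-process instead of via the `touch` binary, so this step needs
    # nothing from coreutils to be present in the build root.
    pathlib.Path("/etc/ld.so.conf").touch(exist_ok=True)
    subprocess.run(["ldconfig"], check=True)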
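def sysusers():
    """Create the system users declared in sysusers.d.

    Output is captured and only surfaced when systemd-sysusers fails, so a
    successful run stays quiet. On failure the captured output is written
    to stderr and the process exits with status 1.
    """
    try:
        subprocess.run(["systemd-sysusers"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=True)
    except subprocess.CalledProcessError as error:
        # stdout was captured without text mode, so it is bytes; decode it
        # before writing, as sys.stderr.write() rejects bytes outright.
        sys.stderr.write(error.stdout.decode("utf-8", errors="replace"))
        sys.exit(1)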
def tmpfiles():
    """Create the volatile files and directories declared in tmpfiles.d.

    A non-zero exit is tolerated on purpose: some packages ship entries
    owned by users that systemd-sysusers did not set up, and those entries
    must not abort the build root preparation.
    """
    cmd = ["systemd-tmpfiles", "--create"]
    subprocess.run(cmd, check=False)
def nsswitch():
    """Drop /etc/nsswitch.conf so glibc falls back to its built-in defaults.

    The defaults are fine here, whereas a configuration that selects
    nss-resolve does not necessarily work in a non-booted container, so
    any shipped file is removed rather than edited.
    """
    conf = "/etc/nsswitch.conf"
    try:
        os.remove(conf)
    except FileNotFoundError:
        # Nothing to remove; the defaults are already in effect.
        return
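def setup_stdio():
    """Swap this process's stdin, stdout and stderr for descriptors handed
    over by the osbuild API.

    Sends a `setup-stdio` request over the API's unix socket and expects a
    reply mapping each of 'stdin', 'stdout' and 'stderr' to an index into
    the SCM_RIGHTS descriptor list that arrives with it. Each mapped
    descriptor is dup2()'d over the matching standard stream.

    Every received descriptor is closed afterwards, whether it was mapped
    or not, so a reply carrying extra descriptors cannot leave them open in
    the stage, and two streams mapped to the same descriptor no longer
    trip over an already-closed fd. A reply that lacks a stream or points
    past the received list raises RuntimeError instead of a bare
    KeyError/IndexError.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        sock.connect("/run/osbuild/api/osbuild")
        req = {'method': 'setup-stdio'}
        sock.send(json.dumps(req).encode('utf-8'))
        msg, fds, _ = load_fds(sock, 1024)

    try:
        for io in ['stdin', 'stdout', 'stderr']:
            target = getattr(sys, io)
            try:
                source = fds[msg[io]]
            except (KeyError, IndexError, TypeError) as error:
                raise RuntimeError("setup-stdio reply has no usable fd for {}".format(io)) from error
            os.dup2(source, target.fileno())
    finally:
        # Close every received fd exactly once, mapped or not; the dup2()'d
        # copies on the standard stream numbers stay open.
        for fd in fds:
            os.close(fd)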
def python_alternatives():
    """Recreate the /etc/alternatives/python3 -> /usr/bin/python3.6 link.

    /usr/bin/python3 is a symlink to /etc/alternatives/python3, which points
    to /usr/bin/python3.6 by default. Shebang lines in stages and assemblers
    rely on that chain, so the link in /etc is restored here.
    """
    link = "/etc/alternatives/python3"
    target = "/usr/bin/python3.6"
    os.makedirs(os.path.dirname(link), exist_ok=True)
    try:
        os.symlink(target, link)
    except FileExistsError:
        # Whatever already sits at the link path is left as it is.
        pass
if __name__ == "__main__":
    # Prepare the build root step by step, then hand control to the stage
    # named on the command line and exit with whatever status it returned.
    for step in (setup_stdio, ldconfig, sysusers, tmpfiles, nsswitch, python_alternatives):
        step()

    r = subprocess.run(sys.argv[1:], check=False)
    sys.exit(r.returncode)