[arch-general] How to build package in "clean chroot" using the "-U" parameter?

Eli Schwartz eschwartz at archlinux.org
Fri Dec 22 13:26:34 UTC 2017

On 12/22/2017 08:02 AM, Manuel Reimer wrote:
> Hello,
> I want to autobuild a set of packages. For this process, it is not
> acceptable to use "sudo" as I don't want to enter some passwords and my
> autobuild program also has to do some other stuff with root privileges.
> The help page of "makechrootpkg" suggests, that there is an option for me:
> -U         Run makepkg as a specified user
> But I tried this several times. So far without success.
> I've copied the PKGBUILD to the /tmp directory, just to be sure it is
> really readable by my build user.
> Then my command was:
> # makechrootpkg -c -U build -r /var/cache/PATH_TO_MY_CHROOT
> This now seems to download the source files and also is validating them
> against the stored MD5 sums.
> But after that I get the error
> ==> ERROR: Running makepkg as root is not allowed as it can cause
> permanent, catastrophic damage to your system.
> Seems like makepkg is called once in context of my supplied "build user"
> and then a second time without using the build user.
> Where is my mistabe? Or is this a bug in makechrootpkg?

AFAIK this should work fine, for its intended goal. Though I don't think
it gets a lot of testing.

makechrootpkg elevates to root if needed, using sudo. It then has to run
makepkg to update sources, *before* entering the chroot for building.
Usually it does that by sudo -u $SUDO_USER makepkg --verifysource,
however that relies on detecting the user that ran `sudo makechrootpkg`
via the SUDO_USER variable. So the -U flag can be used to specify the
user to use instead.

That is the first time the makepkg command is run. The second time, is
inside the chroot, which should automatically be run as the "builduser"
user inside a systemd-nspawn container (we don't actually use chroot).

Both times, makechrootpkg will drop privileges using sudo.

Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20171222/269d54f1/attachment.asc>

More information about the arch-general mailing list