[arch-general] How to build package in "clean chroot" using the "-U" parameter?

Eli Schwartz eschwartz at archlinux.org
Fri Dec 22 13:37:13 UTC 2017

On 12/22/2017 08:31 AM, Manuel Reimer wrote:
> My autobuild process runs as root. It also directly updates the chroot
> which also needs root permissions so it's the best to start with "root"
> and then drop privileges for the tasks that shouldn't run with root
> privileges. The whole system is a dedicated build VM, so there is no
> reason to not use "root" for the main purpose of this machine.

makechrootpkg already runs systemd-nspawn to enter the chroot and run
pacman -Syu as the root user, so this isn't strictly necessary.

>> That is the first time the makepkg command is run. The second time, is
>> inside the chroot, which should automatically be run as the "builduser"
>> user inside a systemd-nspawn container (we don't actually use chroot).
> And this one fails. But why? Does makechrootpkg for some reason fail to
> drop privileges if the "-U" parameter is used?

The -U parameter is completely ignored in the chroot. Once sources are
downloaded, it runs systemd-nspawn to enter the chroot as root, then
runs /chrootbuild, which uses a hardcoded command:

sudo -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"

Once you enter the chroot, nothing you do should matter, unless the
chroot itself is completely damaged.

Eli Schwartz
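An added example (not devtools code, and not part of the original thread) of the privilege-separation pattern Eli describes: root does the chroot maintenance, then the build step is handed off to an unprivileged user with a command line shaped like the quoted /chrootbuild one. The names BUILDUSER, STARTDIR, require_unprivileged and drop_privs_cmd are assumptions, and the pacman step is stubbed to an echo so the script runs offline.

```shell
#!/bin/sh
# Added example: two-phase build wrapper. Root maintains the chroot; the
# build itself is handed to an unprivileged user. Not devtools' own code.
set -eu

BUILDUSER="${BUILDUSER:-builduser}"   # assumed name, as in the quoted /chrootbuild line
STARTDIR="${STARTDIR:-/startdir}"     # assumed bind-mounted package directory

# Return 0 when the given uid is unprivileged, 1 when it is root (uid 0).
# makepkg refuses to run as root, so a guard like this fails early and
# makes the reason visible instead of surfacing as a late build error.
require_unprivileged() {
    [ "$1" -ne 0 ]
}

# Compose the command line that drops privileges before running makepkg.
# Same shape as the hardcoded line quoted above: a login shell for
# BUILDUSER, cd into STARTDIR, then makepkg with the caller's arguments.
# Whatever the outer wrapper was given (for example -U) is not consulted
# here; only the arguments passed to this function reach makepkg.
drop_privs_cmd() {
    cmd="sudo -iu $BUILDUSER bash -c 'cd $STARTDIR; makepkg \"\$@\"' -bash"
    for arg in "$@"; do
        cmd="$cmd $arg"
    done
    printf '%s\n' "$cmd"
}

main() {
    # Root half: chroot update. Stubbed to an echo so the script runs offline.
    if [ "$(id -u)" -eq 0 ]; then
        echo "[root] would run: pacman -Syu inside the systemd-nspawn container"
    fi
    # Unprivileged half: hand off to BUILDUSER; never run makepkg as uid 0.
    if ! require_unprivileged "$(id -u)"; then
        echo "[handoff] $(drop_privs_cmd "$@")"
    else
        echo "[build] already unprivileged, would run: makepkg $*"
    fi
}

main "$@"
```

Run it as root and it prints the hand-off command; run it as a normal user and it shows the build step running directly. The guard is the part worth keeping in any wrapper: the root phase and the build phase are separated by an explicit uid check rather than by assumption.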

