-
Notifications
You must be signed in to change notification settings - Fork 261
/
Copy pathdj_make_chroot.in
executable file
·487 lines (413 loc) · 16.6 KB
/
dj_make_chroot.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
#!/bin/sh
# @configure_input@
#
# Script to generate a basic chroot environment with a Java JRE
# to allow for Java programs to run in a chroot.
#
# This script downloads and installs a Debian or Ubuntu base system.
# Minimum requirements: a Linux system with glibc >= 2.3, wget, ar and
# a POSIX shell in /bin/sh. About 335/610 MB disk space is needed. It
# must be run as root and will install the debootstrap package.
#
# Part of the DOMjudge Programming Contest Jury System and licensed
# under the GNU GPL. See README and COPYING for details.
# Abort when a single command fails:
set -e
cleanup() {
# Unmount things on cleanup
umount -f "$CHROOTDIR/proc" >/dev/null 2>&1 || /bin/true
umount -f "$CHROOTDIR/sys" >/dev/null 2>&1 || /bin/true
umount -f "$CHROOTDIR/dev/pts" >/dev/null 2>&1 || /bin/true
}
trap cleanup EXIT
# Default directory where to build the chroot tree:
CHROOTDIR="@judgehost_chrootdir@"
# Fallback Debian and release (codename) to bootstrap (note: overridden right below):
DISTRO="Debian"
RELEASE=""
# List of possible architectures to install chroot for:
DEBIAN_ARCHLIST="amd64,arm64,armel,armhf,i386,mips,mips64el,mipsel,ppc64el,s390x"
UBUNTU_ARCHLIST="amd64,arm64,armhf,i386,powerpc,ppc64el,s390x"
if ! command -v lsb_release; then
echo "Please install `lsb_release`."
exit 1
fi
# If host system is Debian or Ubuntu, use its release and architecture by default
if [ "$(lsb_release -i -s || true)" = 'Debian' ] || \
[ "$(lsb_release -i -s || true)" = 'Ubuntu' ]; then
DISTRO="$(lsb_release -i -s)"
RELEASE="$(lsb_release -c -s)"
if [ "$(lsb_release -i -s)" = 'Debian' ]; then
if [ "$(lsb_release -c -s)" = "sid" ]; then
RELEASE='unstable'
fi
if [ "$(lsb_release -r -s)" = 'testing' ]; then
RELEASE='testing'
fi
fi
if [ -z "$ARCH" ]; then
ARCH="$(dpkg --print-architecture)"
fi
fi
usage()
{
cat <<EOF
Usage: $0 [options]...
Creates a chroot environment with Java JRE support using the
Debian or Ubuntu GNU/Linux distribution.
Options:
-a <arch> Machine architecture to use.
-d <dir> Directory where to build the chroot environment.
-D <distro> Linux distribution to use: 'Debian' or 'Ubuntu'.
-R <release> Release for the selected Linux distribution.
-i <debs> List of extra package names to install (comma separated).
-r <debs> List of extra package names to remove (comma separated).
-l <debs> List of local package files to install (comma separated).
-s <lists> List of apt repository .list files that exist outside the chroot
to add to the chroot (comma separated). Signing keys for the
repository will be imported if they exist as <filename>.gpg,
<filename>.asc or <filename>.arm.
-H Use repository lists from the host. Useful to make sure
compiler/runner versions will be the same when using a custom
image.
-p <url> HTTP(S) Proxy URL to use during package install.
-m <url> Debian or Ubuntu mirror URL to be used for package installation.
-y Force overwriting the chroot dir and installing debootstrap.
-f Force the download of debootstrap even if it's already installed.
-h Display this help.
This script must be run as root, <chrootdir> is the non-existing
target location of the chroot (unless '-y' is specified). If the host
runs Debian/Ubuntu, the host architecture and release are used. The
default chrootdir is '@judgehost_chrootdir@'.
Available architectures:
Debian: $DEBIAN_ARCHLIST
Ubuntu: $UBUNTU_ARCHLIST
Environment Overrides:
DEBPROXY: Sets http(s) proxy to be used for package installation (Overridden if -p argument is used)
DEBMIRROR: Sets mirror URL to be used for package registry (Overridden if -m argument is used)
EOF
}
error()
{
echo "Error: $*"
echo
usage
exit 1
}
FORCEYES=0
FORCEDOWNLOAD=0
# Read command-line parameters:
while getopts 'a:d:D:R:i:r:l:s:p:m:Hyfh' OPT ; do
case $OPT in
a) ARCH=$OPTARG ;;
d) CHROOTDIR=$OPTARG ;;
D) DISTRO=$OPTARG ;;
R) RELEASE=$OPTARG ;;
i) INSTALLDEBS_EXTRA=$OPTARG ;;
r) REMOVEDEBS_EXTRA=$OPTARG ;;
l) LOCALDEBS=$OPTARG ;;
s) REPOLISTS=$OPTARG ;;
p) DEBPROXY=$OPTARG ;;
m) DEBMIRROR=$OPTARG ;;
H) HOSTLISTS=1 ;;
y) FORCEYES=1 ;;
f) FORCEDOWNLOAD=1 ;;
h) SHOWHELP=1 ;;
\?) error "Could not parse options." ;;
esac
done
shift $((OPTIND-1))
if [ $# -gt 0 ]; then
error "Additional arguments specified."
fi
if [ -n "$SHOWHELP" ]; then
usage
exit 0
fi
if [ "$DISTRO" != 'Debian' ] && [ "$DISTRO" != 'Ubuntu' ]; then
error "Invalid distribution specified, only 'Debian' and 'Ubuntu' are supported."
fi
# Use the correct default release based on the distro:
if [ "$DISTRO" = "Debian" ] && [ -z "$RELEASE" ]; then
RELEASE="stable"
echo "Defaulting to '$RELEASE' release for Debian"
fi
if [ "$DISTRO" = "Ubuntu" ] && [ -z "$RELEASE" ]; then
RELEASE="jammy"
echo "Defaulting to '$RELEASE' release for Ubuntu"
fi
if [ "$(id -u)" != 0 ]; then
echo "Warning: you probably need to run this program as root."
fi
[ -z "$CHROOTDIR" ] && error "No chroot directory given or default known."
[ -z "$ARCH" ] && error "No architecture given or detected."
ARCHLIST=','$DEBIAN_ARCHLIST','
if [ "$DISTRO" = "Ubuntu" ]; then
ARCHLIST=','$UBUNTU_ARCHLIST','
fi
if [ -n "${ARCHLIST##*",$ARCH,"*}" ]; then
error "Architecture $ARCH not supported for $DISTRO"
fi
# Various settings that can be tweaked, specific per distribution:
if [ "$DISTRO" = 'Debian' ]; then
# Packages to include during bootstrap process (comma separated):
INCLUDEDEBS="ca-certificates"
# Packages to install after upgrade (space separated):
INSTALLDEBS="gcc g++ make default-jdk-headless default-jre-headless pypy3 locales"
# For Rust support add: rustc to INSTALLDEBS, or, ./dj_make_chroot -i rustc
# For C# support add: mono-runtime libmono-system2.0-cil
# However running mono within chroot still gives errors...
# Packages to remove after upgrade (space separated):
REMOVEDEBS=""
# Which debootstrap package to install on non-Debian systems:
DEBOOTDEB="debootstrap_1.0.128+nmu2+deb12u1_all.deb"
# The Debian mirror/proxy below can be passed as environment
# variables; if none are given the following defaults are used.
# Debian mirror. deb.debian.org will pick the 'closest'.
[ -z "$DEBMIRROR" ] && DEBMIRROR="http://deb.debian.org/debian"
# A local caching proxy to use for apt-get,
# (typically an install of aptcacher-ng), for example:
#DEBPROXY="http://aptcacher-ng.example.com:3142/"
[ -z "$DEBPROXY" ] && DEBPROXY=""
fi
if [ "$DISTRO" = 'Ubuntu' ]; then
# Packages to include during bootstrap process (comma separated):
INCLUDEDEBS=""
# Packages to install after upgrade (space separated):
INSTALLDEBS="gcc g++ make default-jdk-headless default-jre-headless locales"
if [ "$ARCH" = "i386" ]; then
INSTALLDEBS="$INSTALLDEBS python3"
else
INSTALLDEBS="$INSTALLDEBS pypy3"
fi
# For C# support add: mono-mcs mono-devel
# However running mono within chroot still gives errors...
# Packages to remove after upgrade (space separated):
REMOVEDEBS=""
# Which debootstrap package to install on non-Ubuntu systems:
# This is only used when the default distro changed from Debian to
# Ubuntu. The version below corresponds to Ubuntu 22.04 Jammy.
DEBOOTDEB="debootstrap_1.0.126+nmu1_all.deb"
# The Debian mirror/proxy below can be passed as environment
# variables; if none are given the following defaults are used.
# Ubuntu mirror, modify to match closest mirror
if [ -z "$DEBMIRROR" ]; then
# x86(_64) can use the main Ubuntu repo's, other
# architectures need to use a mirror from ubuntu-ports.
MAINSTREAM="amd64 i386"
if [ -z "${MAINSTREAM##*"$ARCH"*}" ]; then
DEBMIRROR="http://us.archive.ubuntu.com/ubuntu/"
else
DEBMIRROR="http://ports.ubuntu.com/ubuntu-ports/"
fi
fi
# A local caching proxy to use for apt-get,
# (typically an install of aptcacher-ng), for example:
#DEBPROXY="http://aptcacher-ng.example.com:3142/"
[ -z "$DEBPROXY" ] && DEBPROXY=""
fi
INSTALLDEBS="$INSTALLDEBS $(echo "$INSTALLDEBS_EXTRA" | tr , ' ')"
REMOVEDEBS="$REMOVEDEBS $(echo "$REMOVEDEBS_EXTRA" | tr , ' ')"
# To prevent (libc6) upgrade questions:
export DEBIAN_FRONTEND=noninteractive
confirmation() {
if [ "$FORCEYES" = 0 ]; then
printf "%s (y/N): " "$1"
read -r yn
if [ "$yn" != "y" ] && [ "$yn" != "Y" ]; then
error "${2:-"Exiting."}"
fi
fi
}
if [ -e "$CHROOTDIR" ]; then
confirmation "$CHROOTDIR already exists, remove?" "Chrootdir already exists, exiting."
cleanup
rm -rf "$CHROOTDIR"
fi
mkdir -p "$CHROOTDIR"
cd "$CHROOTDIR"
CHROOTDIR="$PWD"
if [ "$FORCEDOWNLOAD" = 0 ] && command -v debootstrap >/dev/null; then
BOOTSTRAP_COMMAND=$(command -v debootstrap)
echo "Using debootstrap from $BOOTSTRAP_COMMAND"
elif [ "$FORCEDOWNLOAD" = 0 ] && [ -f /etc/debian_version ]; then
confirmation "Do you want to install debootstrap using apt-get?" "debootstrap is required, exiting."
apt-get install -y debootstrap
BOOTSTRAP_COMMAND=$(command -v debootstrap)
else
WORKDIR=$(mktemp -d)
echo "Downloading debootstrap to temporary directory at $WORKDIR"
(
cd "$WORKDIR"
wget "$DEBMIRROR/pool/main/d/debootstrap/$DEBOOTDEB"
ar -x "$DEBOOTDEB"
zcat data.tar.gz | tar x
)
# this allows debootstrap to run without being installed in /
BOOTSTRAP_COMMAND="DEBOOTSTRAP_DIR=\"$WORKDIR/usr/share/debootstrap\" \"$WORKDIR/usr/sbin/debootstrap\""
fi
INCLUDEOPT=""
if [ -n "$INCLUDEDEBS" ]; then
INCLUDEOPT="--include=$INCLUDEDEBS"
fi
EXCLUDEOPT=""
# shellcheck disable=SC2153
if [ -n "$EXCLUDEDEBS" ]; then
EXCLUDEOPT="--exclude=$EXCLUDEDEBS"
fi
if [ -n "$DEBPROXY" ]; then
BOOTSTRAP_COMMAND="http_proxy=\"$DEBPROXY\" $BOOTSTRAP_COMMAND"
fi
echo "Running debootstrap to install base system, this may take a while..."
# Add extra paths that are not set by default on Redhat-like systems.
# shellcheck disable=SC2086
eval PATH="$PATH:/bin:/sbin:/usr/sbin" $BOOTSTRAP_COMMAND $INCLUDEOPT $EXCLUDEOPT \
--variant=minbase --arch "$ARCH" "$RELEASE" "$CHROOTDIR" "$DEBMIRROR"
if [ -n "$WORKDIR" ] && [ -d "$WORKDIR" ]; then
rm -rf "$WORKDIR"
fi
# Add indication to interactive shell that the user is in the chroot
for bashrc in "root/.bashrc" "etc/bash.bashrc"; do
# shellcheck disable=SC2016
echo 'PS1=(chroot)$PS1' >> "$CHROOTDIR/$bashrc"
done
rm -f "$CHROOTDIR/etc/resolv.conf"
cp /etc/resolv.conf /etc/hosts /etc/hostname "$CHROOTDIR/etc" || true
cp /etc/ssl/certs/ca-certificates.crt "$CHROOTDIR/etc/ssl/certs/" || true
cp -r /usr/share/ca-certificates/* "$CHROOTDIR/usr/share/ca-certificates" || true
cp -r /usr/local/share/ca-certificates/* "$CHROOTDIR/usr/local/share/ca-certificates" || true
if [ "$DISTRO" = 'Debian' ]; then
if [ "$RELEASE" = 'testing' ] || [ "$RELEASE" = 'unstable' ]; then
DISABLE_SECURITY='#'
fi
SECURITY_RELEASE="$RELEASE-security"
if [ "$RELEASE" = 'jessie' ] || [ "$RELEASE" = 'stretch' ] || [ "$RELEASE" = 'buster' ]; then
SECURITY_RELEASE="$RELEASE/updates"
fi
cat > "$CHROOTDIR/etc/apt/sources.list" <<EOF
# Release as specified or taken from host (incl. optional security repository):
# $RELEASE
deb $DEBMIRROR $RELEASE main
${DISABLE_SECURITY}deb http://security.debian.org $SECURITY_RELEASE main
EOF
fi
if [ "$DISTRO" = 'Ubuntu' ]; then
cat > "$CHROOTDIR/etc/apt/sources.list" <<EOF
deb $DEBMIRROR $RELEASE main
deb $DEBMIRROR $RELEASE universe
deb $DEBMIRROR $RELEASE-updates main
deb $DEBMIRROR $RELEASE-updates universe
deb $DEBMIRROR $RELEASE-security main
deb $DEBMIRROR $RELEASE-security universe
EOF
fi
cat > "$CHROOTDIR/etc/apt/apt.conf" <<EOF
APT::Get::Assume-Yes "true";
APT::Get::Force-Yes "false";
APT::Get::Purge "true";
APT::Install-Recommends "false";
Acquire::Retries "3";
Acquire::PDiffs "false";
EOF
# Add apt proxy settings if desired
if [ -n "$DEBPROXY" ]; then
echo "Acquire::http::Proxy \"$DEBPROXY\";" >> "$CHROOTDIR/etc/apt/apt.conf"
fi
mount -t proc proc "$CHROOTDIR/proc"
mount -t sysfs sysfs "$CHROOTDIR/sys"
# Required for some warning messages about writing to log files
mount --bind /dev/pts "$CHROOTDIR/dev/pts"
# Prevent perl locale warnings in the chroot:
export LC_ALL=C
in_chroot() {
chroot "$CHROOTDIR" /bin/sh -c "$@"
}
in_chroot debconf-set-selections <<EOF
passwd passwd/root-password-crypted password
passwd passwd/user-password-crypted password
passwd passwd/root-password password
passwd passwd/root-password-again password
passwd passwd/user-password-again password
passwd passwd/user-password password
passwd passwd/shadow boolean true
passwd passwd/username-bad note
passwd passwd/password-mismatch note
passwd passwd/username string
passwd passwd/make-user boolean true
passwd passwd/md5 boolean false
passwd passwd/user-fullname string
passwd passwd/user-uid string
passwd passwd/password-empty note
debconf debconf/priority select high
debconf debconf/frontend select Noninteractive
locales locales/locales_to_be_generated multiselect
locales locales/default_environment_locale select None
EOF
if [ "$DISTRO" = 'Ubuntu' ]; then
# Disable upstart init scripts(so upgrades work), we don't need to actually run
# any services in the chroot, so this is fine.
# Refer to: http://ubuntuforums.org/showthread.php?t=1326721
in_chroot "dpkg-divert --local --rename --add /sbin/initctl"
in_chroot "ln -s /bin/true /sbin/initctl"
fi
# Use the repositories from the host
if [ -n "$HOSTLISTS" ]; then
for files in 'sources.list' 'sources.list.d' 'keyrings' 'trusted.gpg.d'; do
cp -r "/etc/apt/${files}" "$CHROOTDIR/etc/apt/"
done
in_chroot "apt-get update && apt-get install ca-certificates"
fi
# Add additional repository lists to the chroot for upstream repos
if [ -n "$REPOLISTS" ]; then
in_chroot "apt-get install ca-certificates"
SPLIT_LIST=$(printf %s "$REPOLISTS" | tr ',' ' ')
for provided_repo in $SPLIT_LIST ; do
cat "$provided_repo" >> "$CHROOTDIR/etc/apt/sources.list.d/upstream_chroot.list"
for filetype in asc arm gpg; do
repo_sign_key="${provided_repo}.${filetype}"
if [ -f "${repo_sign_key}" ]; then
GPGFILENAME=$(mktemp -p "$CHROOTDIR/etc/apt/trusted.gpg.d" 'upstream_gpg_XXXXXX.gpg')
file_head=$(head -n1 "${repo_sign_key}")
if [ "-----BEGIN PGP ARMORED FILE-----" = "$file_head" ]; then
gpg --dearmor "${repo_sign_key}"
repo_sign_key="${repo_sign_key}.gpg"
fi
cp "${repo_sign_key}" "$GPGFILENAME"
chmod +r "$GPGFILENAME"
fi
done
# Show if we can read from this new upstream repo
in_chroot "apt-get update"
done
fi
# Upgrade the system, and install/remove packages as desired
in_chroot "apt-get update && apt-get dist-upgrade"
in_chroot "apt-get clean"
in_chroot "apt-get install $INSTALLDEBS"
if [ -n "$LOCALDEBS" ]; then
DIR=$(mktemp -d -p "$CHROOTDIR/tmp" 'dj_chroot_debs_XXXXXX')
# shellcheck disable=SC2046
cp $(echo "$LOCALDEBS" | tr , ' ') "$DIR"
in_chroot "dpkg -i /${DIR#"$CHROOTDIR"}/*.deb"
fi
# Do some cleanup of the chroot
in_chroot "apt-get remove --purge $REMOVEDEBS"
in_chroot "apt-get autoremove --purge"
in_chroot "apt-get clean"
# Remove unnecessary setuid bits
in_chroot "chmod a-s /usr/bin/wall /usr/bin/newgrp \
/usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/expiry \
/usr/bin/gpasswd /usr/bin/passwd \
/bin/su /bin/mount /bin/umount /sbin/unix_chkpwd" || true
# Disable root account
sed -i "s/^root::/root:*:/" "$CHROOTDIR/etc/shadow"
# Create a file to test that in the judging environment no
# access to group root readable files is available:
echo "This file should not be readable inside the judging environment!" \
> "$CHROOTDIR/etc/root-permission-test.txt"
chmod 0640 "$CHROOTDIR/etc/root-permission-test.txt"
umount "$CHROOTDIR/dev/pts"
umount "$CHROOTDIR/sys"
umount "$CHROOTDIR/proc"
echo "Done building chroot in $CHROOTDIR"
exit 0