
Avoid mknod

bauen1 requested to merge bauen1/debootstrap:avoid-mknod into master

Fall back to bind mounting devices instead of using mknod by default. This allows using debootstrap in most unprivileged setups, e.g. containers, sbuild, debian-installer with / mounted with nodev and others. However, it retains the ability to use chroot to enter the newly installed system without setting up any additional mounts if you have the permissions required.

I'd like to ask for some feedback at this point, these things still need to be done before this can be merged:

  • Test that debootstrap works in an unprivileged user namespace:

    Perl script conveniently stolen from sbuild-createchroot; you will need to replace 165536 with your own values from /etc/subuid and /etc/subgid:

    perl -e '
        require "syscall.ph";
        # the pipe is only used to signal the child once the parent has unshared
        pipe my $rfh, my $wfh;
        my $ppid = $$;
        my $cpid = fork() // die "fork() failed: $!";
        if ($cpid == 0) {
            # child: wait for EOF on the pipe, then write the parent uid/gid maps
            close $wfh;
            0 == sysread $rfh, my $c, 1 or die "read() did not receive EOF";
            0 == system "newuidmap $ppid 0 165536 65536" or die "newuidmap failed: $!";
            0 == system "newgidmap $ppid 0 165536 65536" or die "newgidmap failed: $!";
            exit 0;
        }
        # 1006764032 = CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID
        0 == syscall &SYS_unshare, 1006764032 or die "unshare() failed: $!";
        close $wfh;   # EOF on the pipe tells the child the namespaces exist
        $cpid == waitpid $cpid, 0 or die "waitpid() failed: $!";
        if ($? != 0) { die "child had a non-zero exit status: $?"; }
        0 == syscall &SYS_setgid, 0 or die "setgid failed: $!";
        0 == syscall &SYS_setuid, 0 or die "setuid failed: $!";
        0 == syscall &SYS_setgroups, 0, 0 or die "setgroups failed: $!";
        # fork again so the command runs as PID 1 of the new pid namespace
        my $cpid = fork() // die "fork() failed: $!";
        if ($cpid != 0) {
            $cpid == waitpid $cpid, 0 or die "waitpid() failed: $!";
            exit ($? >> 8);
        }
        exec { $ARGV[0] } @ARGV or die "exec() failed: $!";
    ' bash -li
    ns # /usr/sbin/debootstrap sid /tmp/test2
    ns # ls -al /tmp/test2/dev # should be empty
  • Test debian-installer

    In theory these changes do not have any effect, and the device nodes will still be created; I'm not sure if that is a good or a bad thing.

  • Test debian-installer: mark root filesystem as nodev

  • Verify that debian-installer rescue mode will work even if /dev does not contain nodes (i.e. does rescue mode bind mount /dev before entering?) Yes, it mounts a devtmpfs on /dev if it exists.

  • Fix debian/changelog. At least I believe it is in the correct format now.

  • See if this is enough to close https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829134; this might allow removing work-arounds from sbuild-createchroot.

Feel free to squash on merge.

Edited by bauen1
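The mknod-then-bind-mount fallback described in this merge request, as an added example that is not debootstrap's own code: probe_dev_method checks whether usable device nodes can be created in a directory (a node created on a nodev filesystem exists but cannot be opened, so that case also falls through to the bind mount), and setup_devices populates ROOT/dev from a constructed table of the standard nodes with whichever method works. Function names and the table are assumptions for this example.

```shell
#!/bin/sh
# Added example, not debootstrap's own code: populate ROOT/dev with the
# standard character devices, using mknod where it is permitted and
# falling back to bind-mounting the host's nodes otherwise.
set -u

# Constructed table: name, type, major, minor, mode (well-known Linux values).
DEV_TABLE='null c 1 3 666
zero c 1 5 666
full c 1 7 666
random c 1 8 666
urandom c 1 9 666
tty c 5 0 666
console c 5 1 600
ptmx c 5 2 666'

# probe_dev_method DIR: print "mknod" if usable device nodes can be created
# in DIR, "bind" if a host node can be bind-mounted there, else "none".
probe_dev_method() {
    dir=$1
    if mknod -m 666 "$dir/.probe" c 1 3 2>/dev/null; then
        # on a nodev filesystem the node exists but opening it fails
        if true 2>/dev/null < "$dir/.probe"; then
            rm -f "$dir/.probe"; echo mknod; return 0
        fi
        rm -f "$dir/.probe"    # unusable node: try the fallback
    fi
    touch "$dir/.probe"
    if mount --bind /dev/null "$dir/.probe" 2>/dev/null; then
        umount "$dir/.probe"; rm -f "$dir/.probe"; echo bind; return 0
    fi
    rm -f "$dir/.probe"; echo none; return 1
}

# setup_devices ROOT: create every node from DEV_TABLE in ROOT/dev with the
# method probe_dev_method selects; fails if neither method works.
setup_devices() {
    root=$1
    mkdir -p "$root/dev" || return 1
    method=$(probe_dev_method "$root/dev") || return 1
    echo "$DEV_TABLE" | while read -r name type major minor mode; do
        case $method in
        mknod) mknod -m "$mode" "$root/dev/$name" "$type" "$major" "$minor" ;;
        bind)  touch "$root/dev/$name" &&
               mount --bind "/dev/$name" "$root/dev/$name" ;;
        esac || { echo "cannot set up /dev/$name" >&2; return 1; }
    done
}
```

Run probe_dev_method against the target's dev directory inside the unprivileged namespace from the test above; in a user namespace without CAP_MKNOD it should report bind (or none if mounts are also forbidden), on a normal root shell mknod.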
