4844719b1d
Overview:
Since Alpine updated to distcc 3.3 last week, pmbootstrap wasn't able to use
distcc for cross compilation anymore. It always falled back to running the
compiler in QEMU (which works, but is a lot slower). The reason for that is,
that distcc requires all compilers that are being used in a whitelist now.
This partially fixes CVE-2004-2687 in distccd, which allowed trivial remote
code execution by any process connecting to the distccd server. We only run
distccd on localhost, but still this can be used for privilege escalation of
sandboxed processes running on the host system (not part of pmbootstrap
chroots).
Because the CVE is only partially fixed (see the comment in
`pmb/chroot/distccd.py` for details), we make sure that only the building
chroots can talk to the distcc server by running distcc over ssh.
Details:
* Completely refactored `pmb/chroot/distccd.py` to run distcc over ssh
* Store the running distcc server's arguments as JSON now, not as INI
* Make debugging distcc issues easy:
* Set DISTCC_BACKOFF_PERIOD=0, so the distcc client will not ignore the
server after errors happened (this masks the original error!)
* New pmbootstrap parameters:
* `--distcc-nofallback`: avoids falling back to compiling with QEMU and not
throwing an error
* `--ccache-disable`: avoid ccache (when the compiler output is cached,
distcc does not get used)
* `--verbose` prints verbose output of the distcc too
* New test case, that uses the new pmbootstrap parameters to force
compilation through distcc, and shows the output of distcc and distccd in
verbose mode on error (as well as the log of sshd)
|
||
|---|---|---|
| .gitlab | ||
| aports | ||
| helpers | ||
| keys | ||
| pmb | ||
| test | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| CONTRIBUTING.md | ||
| LICENSE | ||
| MANIFEST.in | ||
| README.md | ||
| pmbootstrap.py | ||
| setup.cfg | ||
| setup.py | ||
README.md
pmbootstrap
Introduction | Security Warning | Devices
Sophisticated chroot/build/flash tool to develop and install postmarketOS.
Requirements
- 2 GB of RAM recommended for compiling
- Linux distribution (
x86,x86_64, oraarch64)- Windows subsystem for Linux (WSL) does not work! Please use VirtualBox instead.
- Kernels based on the grsec patchset do not work (Alpine: use linux-vanilla instead of linux-hardened, Arch: linux-hardened is not based on grsec)
- On Alpine Linux only:
apk add coreutils
- Python 3.4+
- OpenSSL
Usage Examples
Please refer to the postmarketOS wiki for in-depth coverage of topics such as porting to a new device or installation. The help output (pmbootstrap -h) has detailed usage instructions for every command. Read on for some generic examples of what can be done with pmbootstrap.
Basics
Initial setup:
$ git clone https://gitlab.com/postmarketOS/pmbootstrap.git
$ cd pmbootstrap
$ alias pmbootstrap=$PWD/pmbootstrap.py
$ pmbootstrap init
To make the pmbootstrap alias persistent, see the wiki.
Run this in a second window to see all shell commands that get executed:
$ pmbootstrap log
Packages
Build aports/main/hello-world:
$ pmbootstrap build hello-world
Cross-compile to armhf:
$ pmbootstrap build --arch=armhf hello-world
Build with source code from local folder:
$ pmbootstrap build linux-postmarketos-mainline --src=~/code/linux
Update checksums:
$ pmbootstrap checksum hello-world
Generate a template for a new package:
$ pmbootstrap newapkbuild "https://gitlab.com/postmarketOS/osk-sdl/-/archive/0.52/osk-sdl-0.52.tar.bz2"
Chroots
Enter the armhf building chroot:
$ pmbootstrap chroot -b armhf
Run a command inside a chroot:
$ pmbootstrap chroot -- echo test
Safely delete all chroots:
$ pmbootstrap zap
Device Porting Assistance
Analyze Android boot.img files (also works with recovery OS images like TWRP):
$ pmbootstrap bootimg_analyze ~/Downloads/twrp-3.2.1-0-fp2.img
Check kernel configs:
$ pmbootstrap kconfig check
Edit a kernel config:
$ pmbootstrap kconfig edit --arch=armhf postmarketos-mainline
Root File System
Build the rootfs:
$ pmbootstrap install
Update existing installation on SD card (full disk encryption disabled):
$ pmbootstrap install --sdcard=/dev/mmcblk0 --no-fde --rsync
Run the image in Qemu:
$ pmbootstrap qemu --image-size=1G
Flash to the device:
$ pmbootstrap flasher flash_kernel
$ pmbootstrap flasher flash_rootfs --partition=userdata
Export the rootfs, kernel, initramfs, boot.img etc.:
$ pmbootstrap export
Extract the initramfs
$ pmbootstrap initfs extract
Build and flash Android recovery zip:
$ pmbootstrap install --android-recovery-zip
$ pmbootstrap flasher --method=adb sideload
Repository Maintenance
Increase the pkgrel for each aport where the binary package has outdated dependencies (e.g. after soname bumps):
$ pmbootstrap pkgrel_bump --auto
Generate cross-compiler aports based on the latest version from Alpine's aports:
$ pmbootstrap aportgen binutils-armhf gcc-armhf
Manually rebuild package index:
$ pmbootstrap index
Delete local binary packages without existing aport of same version:
$ pmbootstrap zap -m
Debugging
Use -v on any action to get verbose logging:
$ pmbootstrap -v build hello-world
Parse a single APKBUILD and return it as JSON:
$ pmbootstrap apkbuild_parse hello-world
Parse a package from an APKINDEX and return it as JSON:
$ pmbootstrap apkindex_parse $WORK/cache_apk_x86_64/APKINDEX.8b865e19.tar.gz hello-world
ccache statistics:
$ pmbootstrap stats --arch=armhf
distccd log:
$ pmbootstrap log_distccd
Development
Testing
Install pytest (via your package manager or pip) and run it inside the pmbootstrap folder.