This adds support for dm-verity on the root filesystem.
Currently only squashfs is supported.
Three new flags are introduced.
* --dm-verity: Enable basic dm-verity support
* --dm-verity-fec NB_ROOTS: Enable forward error correction. Optional
* --dm-verity-sign SCRIPT: Specify signing script for the root hash. Optional
1) lb config rejected multiple checksum types
2) When using the installer, cdrom-checker requires a md5 checksum file,
use 'Check the integrity of the installation media' in the installer
3) The comments in the first lines of the checksum files caused
cdrom-checker to fail the integrity of the image
If grub/splash.png exists, assume the configuration editor intends
to have a grub-specific splash.png, and do not modify theme.txt.
But if syslinux has the only known splash.png, use it for both
syslinux and grub.
(This allows for a hybrid image where the grub side can have e.g. a
16:9 1920x1080 splash.png which grub is capable of automatically
scaling, while the syslinux side has a 640x480 splash.png which
effectively must be this fixed size.)
When a package list contains only packages protected by a test
that doesn't match for the current run, then Expand_package_list
outputs nothing and the following "grep -v" fails because it
has not filtered anything. Avoid this by protecting the "grep -v"
call with "|| true".
Before commit 9f3e5fe8d (Fix the way the .disk/mkisofs file is created)
all these commands (`mkdir`, write to `binary/.disk/mkisofs` and
`xorriso`) were in the same `binary.sh` script. Since that commit, the
write was extracted, to prevent issues with quoting, but the related
mkdir was left in `binary.sh`. This means that the write is now executed
first, and the `mkdir` only afterwards, making the `mkdir` quite pointless.
In practice, this did not break because binary_disk also does the same
`mkdir` and runs before `binary_iso`, but if one runs commands manually
and skips `binary_iso`, then this does break.
Even though this is not really a supported use case, just move the mkdir
outside of `binary.sh`, so it runs *before* the write again as intended.
Moved includes.chroot to includes.chroot_after_packages and added
includes.chroot_before_packages. includes.chroot does still work as before.
We also now use rsync for copying files if it is installed.
This improves runtime and space consumption for large includes.
Gbp-Dch: Short
Closes: #927128
Installation of flatpaks doesn't work with normal chroots.
This patch enables support for using systemd-nspawn in hooks.
Gbp-Dch: Short
Closes: #965953
avoids spitting out warning
> [2020-06-07 22:30:32] lb binary_grub-efi
> P: Begin preparing Grub based EFI support...
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Package grub-efi-amd64-signed is not available, but is referred to by another package.
> This may mean that the package is missing, has been obsoleted, or
> is only available from another source
>
> E: Package 'grub-efi-amd64-signed' has no installation candidate
> W: UEFI Secure Boot disabled due to missing signed Grub/Shim.
this simplifies things to avoid the messy recursion.
it is also a necessary step to implementing handling of common options
like --debug. we need to process all options to decide how to approach
doing things (e.g. with debug messages to be output or not) before actually
performing any work, in order for options like --debug to be reacted to
properly.
also, as things were, options like `--debug` were not being passed along
in the recursive executions, while now that is no longer an issue.
the order of file/folder deletions for `--all`|`--purge`|`--remove`
actions is slightly changed here, but i don't see any issue with that and
it's cleaner to not preserve that.
Gbp-Dch: Short
This reverts commit 665372c19d.
the kali test failed due to their script using a hack of passing along a
custom option after an early terminator through to their auto/config file.
the change implemented here was valuable, but i'll have to look into
revising things to work with what Kali is doing.
Gbp-Dch: Ignore
some scripts temporarily install packages to accomplish some work before
then removing them. the list of packages installed is kept in memory in a
variable.
a weakness of this design is that if a failure occurs or the user cancels,
and then following this the user re-runs `lb build`, letting it try to
pick up and recover from where it left off, that list of packages that had
been installed is lost, resulting in those packages that were installed
then being a permanent part of the chroot.
here we fix this weakness by backing up the list to a file, which is always
read from on removal. thus in a recovery situation, any packages still
installed from a situation like that just described, will be removed upon
the next use of `Remove_package()`.
this is not perfect, since we are having to wait for opportunistic
execution of the remove function. we need to find a suitable place for the
`Cleanup_temp_packages()` function to be used.
- doing so in `Init_config_data()` would not be suitable because we don't
hold the lock when that's run, even if we ignored the hijacking of that
function for taking such action...
- doing it in `Exit()` doesn't seem a good fit either.
- putting it explicitly in every build script just seems a little messy...
perhaps a local exit trap like for removing the lock...?
note that `binary_rootfs` skips running the remove function after installing
tooling, since it just throws the wrapper chroot away, which then leaves the
file around with stale data for the next remove instance to pick up, which
then does not actually remove it because it's not installed. this is not
ideal either... perhaps the optimisation should be removed from that script?
Gbp-Dch: Short
after handling arguments, catch and report any remaining "non-option"
arguments.
for instance users could make the basic mistake of using
`lb config --bootloaders syslinux grub-efi`, i.e. failing to quote the
multiple bootloaders (i actually encountered a user doing this who swore
that "it just worked"). catching and reporting such mistakes could be
valuable to users.
previous behaviour:
```
$ lb config --bootloaders syslinux grub-efi
P: Updating config tree for a debian/buster/amd64 system
P: Symlinking hooks...
```
new behaviour:
```
$ lb config --bootloaders syslinux grub-efi
[2020-05-05 18:56:07] lb config --bootloaders syslinux grub-efi
E: Unexpected argument found: grub-efi
```
Gbp-Dch: Short
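
The leftover-argument check described in the last commit message above, as an added sketch in POSIX sh. It is not live-build's own code: the function name `parse_args`, the variables it sets, and the reduced option set (`--bootloaders`, `--debug`) are assumptions for illustration.

```shell
#!/bin/sh
# Added illustration, not live-build code. parse_args and the variables
# BOOTLOADERS / DEBUG are hypothetical names.

# Parse all options first, then refuse any remaining non-option arguments.
# Returns 0 on success, 1 on a leftover argument, 2 on a malformed option.
parse_args() {
    BOOTLOADERS=""
    DEBUG=false
    while [ $# -gt 0 ]; do
        case "$1" in
            --bootloaders)
                if [ $# -lt 2 ]; then
                    echo "E: Option --bootloaders requires a value" >&2
                    return 2
                fi
                # Only ONE word is consumed as the value; an unquoted
                # second bootloader stays behind in "$@".
                BOOTLOADERS="$2"
                shift 2
                ;;
            --debug)
                DEBUG=true
                shift
                ;;
            --)
                # Explicit terminator: everything after it is a non-option.
                shift
                break
                ;;
            -*)
                echo "E: Unknown option: $1" >&2
                return 2
                ;;
            *)
                break
                ;;
        esac
    done
    # Anything still in "$@" was never claimed by an option. Report it
    # instead of silently continuing with a partial configuration.
    if [ $# -gt 0 ]; then
        echo "E: Unexpected argument found: $1" >&2
        return 1
    fi
    return 0
}
```

With the value quoted (`--bootloaders "syslinux grub-efi"`) both names arrive as one word and the call succeeds; unquoted, `grub-efi` is left over and is reported.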