

feat: build stacker on Ubuntu 24.04 LTS (noble) (#644)
Fix build on Ubuntu 24.04

- install libsystem-dev for static libsystemd library
- Use ppa:puzzleos/dev to pull in patched lxc 5.0.3 which includes
  liblxc.a in the lxc-dev package
- Handle modifying kernel tunables for user-namespace and apparmor
  restrictions
- Adjust Makefile to add -lsystemd to the libs when making
  stacker-dynamic, but omit the library when building stacker-static
- Add default container policy to rfs if not already present
- Fix whiteouts.bats test, don't quote the bsdtar | grep or we get
  command not found, further, check the grep return code, if it's
  0, then we found the whiteout file in the tar and the test should
  fail.

Fixes: #632

Signed-off-by: Ryan Harper <[email protected]>
raharper authored Sep 11, 2024
1 parent 7b4a6e2 commit dbfe650
Showing 4 changed files with 94 additions and 27 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yaml
Expand Up @@ -32,7 +32,7 @@ on:

jobs:
build:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
services:
registry:
image: ghcr.io/project-stacker/registry:2
13 changes: 12 additions & 1 deletion Makefile
@@ -1,3 +1,4 @@
SHELL=/bin/bash
TOP_LEVEL := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
BUILD_D = $(TOP_LEVEL)/.build
export GOPATH ?= $(BUILD_D)/gopath
Expand Down Expand Up @@ -77,6 +78,16 @@ stacker-cov: $(STAGE1_STACKER) $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapp
--substitute VERSION_FULL=$(VERSION_FULL) \
--substitute WITH_COV=yes

# On Ubuntu 24.04 the lxc package does not link against libsystemd so the pkg-config
# below does list -lsystemd; we must add it to the list but only for stacker-dynamic
ifeq ($(shell awk -F= '/VERSION_ID/ {print $$2}' /etc/os-release),"24.04")
ifeq (stacker-dynamic,$(firstword $(MAKECMDGOALS)))
LXC_WRAPPER_LIBS=-lsystemd
else
LXC_WRAPPER_LIBS=
endif
endif

stacker-static: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
$(call build_stacker,,static_build,-extldflags '-static',stacker)

Expand All @@ -91,7 +102,7 @@ stacker-dynamic: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
$(call build_stacker,,,,stacker-dynamic)

cmd/stacker/lxc-wrapper/lxc-wrapper: cmd/stacker/lxc-wrapper/lxc-wrapper.c
make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) -lpthread -ldl" lxc-wrapper
make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) $(LXC_WRAPPER_LIBS) -lpthread -ldl" lxc-wrapper


.PHONY: go-download
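Review bot: The goal test `ifeq (stacker-dynamic,$(firstword $(MAKECMDGOALS)))` only fires when stacker-dynamic is the first goal on the command line, so `make stacker stacker-dynamic` on 24.04 builds lxc-wrapper without `-lsystemd` and presumably fails to link; `ifneq (,$(filter stacker-dynamic,$(MAKECMDGOALS)))` matches the goal in any position. Because `cmd/stacker/lxc-wrapper/lxc-wrapper` is a single target shared by stacker-static and stacker-dynamic, one invocation that names both goals cannot get the right LDLIBS for both, and that limitation deserves a comment next to the conditional. The explanatory comment also says the opposite of what the code compensates for — `does list -lsystemd` should read `does not list -lsystemd`. Finally the wrapper recipe still invokes literal `make -C ...` rather than `$(MAKE) -C ...`, so `-j`/jobserver and `-n` are not propagated to the sub-make.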
101 changes: 78 additions & 23 deletions install-build-deps.sh
Expand Up @@ -22,27 +22,58 @@ installdeps_fedora() {
}

installdeps_ubuntu() {
sudo add-apt-repository -y ppa:project-machine/squashfuse
sudo apt -yy install \
build-essential \
cryptsetup-bin \
jq \
libacl1-dev \
libcap-dev \
libcryptsetup-dev \
libdevmapper-dev \
libpam0g-dev \
libseccomp-dev \
libselinux1-dev \
libssl-dev \
libzstd-dev \
lxc-dev \
lxc-utils \
parallel \
pkg-config \
squashfs-tools \
squashfuse \
libarchive-tools
PKGS=(
build-essential
cryptsetup-bin
jq
libacl1-dev
libcap-dev
libcryptsetup-dev
libdevmapper-dev
liblxc-dev
libpam0g-dev
libseccomp-dev
libselinux1-dev
libssl-dev
libzstd-dev
lxc-dev
lxc-utils
parallel
pkg-config
squashfs-tools
squashfuse
libarchive-tools
)

case "$VERSION_ID" in
22.04)
sudo add-apt-repository -y ppa:project-machine/squashfuse
;;
24.04)
# lp:2080069
# temporarily add puzzleos/dev to pickup lxc-dev package which
# provides static liblxc.a
sudo add-apt-repository -y ppa:puzzleos/dev

# allow array to expand again
#shellcheck disable=2206
PKGS=( ${PKGS[*]} libsystemd-dev )

# 24.04 has additional apparmor restrictions, probably doesn't apply
# for root in github VM but developers will run into this
enable_userns
;;
esac

# allow array to expand
#shellcheck disable=2206
sudo apt -yy install ${PKGS[*]}

# Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
if [ "$VERSION_ID" != "24.04" ]; then
sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
fi

# skopeo deps
sudo apt -yy install \
libgpgme-dev \
Expand All @@ -54,8 +85,24 @@ installdeps_ubuntu() {
sudo apt -yy install golang-go
go version
fi
# Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
}

enable_userns() {
SYSCTL_USERNS="/etc/sysctl.d/00-enable-userns.conf"
if ! [ -s "${SYSCTL_USERNS}" ]; then
echo "Add kernel tunables to enable user namespaces in $SYSCTL_USERNS "
cat <<EOF | sudo tee "${SYSCTL_USERNS}"
kernel.apparmor_restrict_unprivileged_io_uring = 0
kernel.apparmor_restrict_unprivileged_unconfined = 0
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_userns_complain = 0
kernel.apparmor_restrict_unprivileged_userns_force = 0
kernel.unprivileged_bpf_disabled = 2
kernel.unprivileged_userns_apparmor_policy = 0
kernel.unprivileged_userns_clone = 1
EOF
sudo sysctl -p /etc/sysctl.d/00-enable-userns.conf
fi
}

installdeps_golang() {
Expand All @@ -78,5 +125,13 @@ case $ID_LIKE in
;;
esac

# add container policy (if not already present
POLICY="/etc/containers/policy.json"
if ! [ -s "${POLICY}" ]; then
sudo mkdir -p "$(dirname $POLICY)"
echo "adding default containers policy (insecure):${POLICY}"
echo '{"default":[{"type":"insecureAcceptAnything"}]}' | sudo tee "${POLICY}"
fi

# install golang deps
installdeps_golang || exit 1
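Review bot: `enable_userns` relaxes more than user namespaces — `kernel.apparmor_restrict_unprivileged_io_uring = 0` and `kernel.apparmor_restrict_unprivileged_unconfined = 0` lower unrelated 24.04 hardening, and the settings are written persistently to `/etc/sysctl.d/` on a developer's host by a script named install-build-deps, with only a one-line echo announcing it. If the build only needs unprivileged user namespaces I would drop the io_uring and unconfined keys (to be confirmed against what lxc-wrapper actually requires) and warn loudly, e.g. `echo "WARNING: relaxing AppArmor unprivileged-userns restrictions system-wide via ${SYSCTL_USERNS}; delete that file and reboot to restore defaults" >&2`, plus a header comment inside the generated file naming this script as its author so the setting can be traced later. The closing `sudo sysctl -p /etc/sysctl.d/00-enable-userns.conf` repeats the literal path instead of `"${SYSCTL_USERNS}"`. The same caveat applies to the `insecureAcceptAnything` policy written at the end of the file: it disables image-signature enforcement for every containers-tools user on the machine, and a per-user `$HOME/.config/containers/policy.json`, which those tools consult before the system file, would confine that to the developer running the build.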
5 changes: 3 additions & 2 deletions test/whiteout.bats
Expand Up @@ -27,8 +27,9 @@ EOF
continue
}
bsdtar -tvf oci/blobs/sha256/$f
run "bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'"
if [ "$status" -eq 0 ]; then
# we expect the grep to fail, if it returns success we fail the test since
# it means we have .wh files in the tar which we should NOT.
if run bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'; then
echo "should not have a sensors.d whiteout!";
exit 1;
fi
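Review bot: With `run` left in the pipeline on `if run bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'; then`, bats' `run` captures bsdtar's output into `$output` and itself returns 0, so grep reads an empty stream, always exits non-zero, and the branch that fails the test can never execute — the check now passes whether or not a whiteout is present. Drop `run` and quiet grep: `if bsdtar -tvf "oci/blobs/sha256/$f" | grep -qF '.wh.sensors.d'; then`; `-F` also stops the unescaped dots in the pattern from matching any character, and quoting `$f` guards against odd blob names. The enclosing loop begins before this hunk.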
