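#!/bin/sh
#
# Enter an Alpine rootfs with bwrap, not chroot.
#
# Usage: <this script> USER [COMMAND [ARG...]]
#
# Must be run with the rootfs as the current directory: '.' is bind-mounted
# read-write as / for the command.

set -e

# Fail with a usage message instead of the shell's own "can't shift" error.
if [ "$#" -lt 1 ]; then
  printf 'usage: %s USER [COMMAND [ARG...]]\n' "${0##*/}" >&2
  exit 2
fi

user=$1
shift

# $user is placed on su's command line below.  Reject an empty name, and a
# name starting with '-', which su would read as an option rather than a user.
case $user in
  '' | -*)
    printf '%s: invalid user name: %s\n' "${0##*/}" "$user" >&2
    exit 2
    ;;
esac

# '--bind . /' exposes whatever the current directory is, read-write, as the
# root filesystem.  The inner command sources /etc/profile and /env.sh, so
# refuse to start when the current directory does not contain them.
if [ ! -e ./etc/profile ] || [ ! -e ./env.sh ]; then
  printf '%s: current directory is not the rootfs (no ./etc/profile or ./env.sh)\n' \
    "${0##*/}" >&2
  exit 1
fi

# This is an alternative to alpine-chroot-install/enter-hook-chroot
#
#   chroot . /usr/bin/env -i su -l "$user" \
#     sh -c '. /etc/profile; . /env.sh; "$@"' \
#     -- "$@"
#
# But note: we could do this all with bwrap?
#
# - instead of su $user, look up the uid and gid outside
# - instead of su, look up the login shell, $HOME, and $PATH
# - instead of su -l - not sure?
#   - oh does that just mean we invoke it with argv[0] as -sh?
# - instead of env -i, use --clearenv
# - instead of . /env.sh, use --setenv

# Notes:
# - enter-chroot does cd $CHROOT_DIR
# - overflow{uid,gid} is necessary for nested bwrap

# TODO:
# - We want --unshare-all by default?
#   - Well abuild rootbld already does --unshare net unless you configure it
#     'options_has net'
#   - Then --unshare-all --share-net to allow the network

# So then how do we allow these options from enter-chroot?
#
#   enter-chroot -k contain-chroot
#   enter-chroot -k contain-bwrap-default
#   enter-chroot -k contain-bwrap-net
#
# The top-level script:
# - accepts -u flag
# - sets _sudo if we need it
# - preserves env like ARCH|CI|QEMU_EMULATOR|TRAVIS - we can do without this
#   - yeah honestly I wonder if we can get rid of this whole damn thing
#   - we want to preserve SOME of the environment
#
# But we should just allow --setenv VAR value then?  Make it opt-in, not opt-out
#
# Or we could have BWRAP_FLAGS='' env variable?  Or OILS_APORTS_BWRAP_FLAGS?
# because it only is read by this script
#
# Yeah the sudo hook is not useful.  Because bwrap is ROOTLESS.
#
# All we need is to parse -u ourselves; it's tiny

# What the invocation below does and does not isolate:
#
# - No --unshare-* option is passed, so only the filesystem view changes;
#   network, PID, IPC etc. stay shared with the host.  Treat this as a chroot
#   replacement, not as a containment boundary (see the TODO above).
# - The rootfs and both overflow{uid,gid} files are bound with --bind, i.e.
#   read-write.
#   NOTE(review): --ro-bind may be enough for the two overflow files; confirm
#   that nested bwrap still works before changing it.
# - 'env -i' starts the inner command with an empty environment, so nothing
#   from the caller's environment is inherited; /etc/profile and /env.sh set
#   up what the rootfs needs.
# - The argument order after 'su -l' is significant.
#   NOTE(review): presumably su's own option parser consumes '-c' and stops at
#   the '--'; check the su in the rootfs before adding or moving a '--'.
bwrap \
  --bind . / \
  --proc /proc \
  --bind /proc/sys/kernel/overflowuid /proc/sys/kernel/overflowuid \
  --bind /proc/sys/kernel/overflowgid /proc/sys/kernel/overflowgid \
  --dev /dev \
  -- \
  /usr/bin/env -i su -l "$user" \
  sh -c '. /etc/profile; . /env.sh; "$@"' \
  -- "$@"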