Draft: Use namespaces, drop sudo
Vendor mkosi-sandbox into pmbootstrap and use it to unshare the entire pmbootstrap process. This stops pmb from polluting the global mount namespace and removes the need to have files owned by root in your pmb workdir.
Additionally, the cache_* and some config dirs have been moved to a new cache subdir of the pmbootstrap workdir; this is the pmbootstrap config cache directory. This entire directory is now mounted inside chroots as /cache (rather than mounting each dir separately). This allows for having multiple pmbootstrap work dirs that all share a global cache. To facilitate this, pmb now checks for a config file (pmbootstrap.conf) in the current working directory (and parent directories), allowing for workflows like you may be used to with other build tools (make, meson, just, mkosi).
Opening this MR so folks can play around with it. I had to mess about with the permissions in my workdir, so I'd suggest just using a new one (copy your config and edit it, then set up a pmb alias to use the new config).
Status

- unshare user and mount namespaces
- adjust binfmt to work in mount namespace
- test that this doesn't break anyone's setup (kernel module loads automatically?)
- refactor image building to not require loop devices
  - basic ext4/fat images with 512 sector size
  - 4k sector size (e.g. for devices with UFS storage) - pieces are there but mcopy seems to fail, likely calculating sectors wrong
  - --split support
  - --single-partition support
  - cgpt chromebooks
  - ~~btrfs and f2fs support~~ not important, can be done with a separate script
  - ~~erofs support~~ this is a new feature, can be done later
- Fix pmbootstrap CI (native scripts get confused since we are "root" in a user namespace but can't install packages).
- implement some migration code to fix permissions when upgrading -> Ollie suggests just moving away from .local/share/pmbootstrap, we could use `.cache/pmbootstrap` instead.
- find a workaround for install --disk. Now implemented by chowning the target disk prior to unshare; this is not really ideal but realistically the security concerns are minor.
Take two!

The current state of this MR proves that we can make pmb sudo-less (basically) and have nice isolated work dirs, but more work is needed to get this to be prime time ready...

- Prompt to set up /etc/subuid/subgid automatically (using sudo)
  - Use systemd-nsresourced instead when available, this saves us all the hassle
- Clean up argument parsing and init code, make it clear when the global environment is set up and enter the sandbox afterwards
  - Add fastpaths for "config" and other commands
- Refactor sandboxing so that pmb pivots into the native chroot rather than staying on the host rootfs, then we can handle installing whatever host tools we need/expect and bind in the user home as /root (for ssh sideload)
- Just abolish the idea of a default/global workdir and config file and always create them in whichever directory you run pmbootstrap from?
  - Maybe requires re-thinking how we handle pmbootstrap init, could split the config to global/local (with stuff like number of jobs and locale being global but device/ui are local)? Saner defaults too.
  - Alternatively have default global workdir and config as a "deprecated default", at least for a while, pretty easy to maintain. Make `pmb init` create a local config/workdir unless called with --global
    - Will unfortunately require fixing a lot of CI stuff lol but they should be using `pmbootstrap config work` rather than hardcoding anyways
!!! HOW TO TEST
This is a big change to pmbootstrap. Notably, the permissions for the various cache and chroot dirs are now totally different: where many were owned by root or some other UID, they are all now subuids of your user.
To avoid any frustration when moving back and forth, you should use a new pmb workdir before checking out this branch. Run:

```
$ pmbootstrap config work $HOME/.local/var/pmbootstrap-unshare
```

To keep things even more separate, you could clone a second copy of pmb with this branch (or use a worktree!), copy your pmbootstrap config and add an alias to /my/custom/pmb --config /my/copied/config, then use that alias to interact with this experimental branch.
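As an added example (not code from this MR, pmbootstrap or mkosi-sandbox), here are two small pieces of the behaviour described above in plain Python: the make-style lookup of pmbootstrap.conf in the current directory and its parents, and turning a user's /etc/subuid allocation into the uid_map lines a rootless user namespace is set up with, which is what makes the chroot and cache files "subuids of your user" on the host rather than owned by real root. Function names, the directory layout and the subuid sample are constructed for the example and are not pmbootstrap's.

```python
# Added example, not pmbootstrap's own code. Two helpers that run without
# namespaces or root:
#
#  1. find_config(): look for pmbootstrap.conf in a directory and its
#     parents, falling back to a global path (make/meson-style lookup).
#  2. build_id_map(): turn an /etc/subuid (or /etc/subgid) entry into the
#     "<inside> <outside> <count>" lines that a rootless user namespace is
#     mapped with, so that "root" inside the sandbox is the invoking user
#     and UIDs 1.. are the user's subuid range.
#
# Function names, the subuid sample and the directory layout are constructed.
import tempfile
from pathlib import Path

CONFIG_NAME = "pmbootstrap.conf"


def find_config(start: Path, global_default: Path) -> Path:
    """Return the nearest pmbootstrap.conf at or above `start`, else `global_default`."""
    start = start.resolve()
    for directory in (start, *start.parents):
        candidate = directory / CONFIG_NAME
        if candidate.is_file():
            return candidate
    return global_default


def parse_sub_ids(text: str, user: str) -> list[tuple[int, int]]:
    """Parse /etc/subuid-style text ("user:start:count") into (start, count) ranges for `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_id_map(host_id: int, sub_ranges: list[tuple[int, int]]) -> str:
    """Build uid_map/gid_map content for a rootless user namespace.

    ID 0 inside maps to the invoking user's real ID (one ID); inside IDs
    1.. map onto the subuid ranges in order. An empty range list is the
    situation the MR proposes prompting about (no /etc/subuid entry yet).
    """
    if not sub_ranges:
        raise ValueError("no subuid/subgid range allocated for this user")
    lines = [f"0 {host_id} 1"]
    inside = 1
    for start, count in sub_ranges:
        lines.append(f"{inside} {start} {count}")
        inside += count
    return "\n".join(lines) + "\n"


def demo() -> dict:
    """Run both helpers on constructed input and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / "project" / "device" / "src").mkdir(parents=True)
        (root / "other").mkdir()
        (root / "project" / CONFIG_NAME).write_text("[pmbootstrap]\n")
        global_cfg = Path("/nonexistent/global.cfg")
        # nearest config wins when walking up from a nested source dir
        found = find_config(root / "project" / "device" / "src", global_cfg)
        # a directory with no config above it falls back to the global one
        fallback = find_config(root / "other", global_cfg)
        found_rel = found.relative_to(root).as_posix()
    # constructed /etc/subuid contents, two users with 65536 IDs each
    subuid = "# comment\nalice:100000:65536\nbob:165536:65536\n"
    id_map = build_id_map(1000, parse_sub_ids(subuid, "alice"))
    return {"found": found_rel, "fallback": str(fallback), "id_map": id_map}


if __name__ == "__main__":
    result = demo()
    print("config:", result["found"])
    print("fallback:", result["fallback"])
    print(result["id_map"], end="")
```

In a real rootless setup the second helper's output is what ends up in /proc/<pid>/uid_map and gid_map (written through newuidmap/newgidmap, since an unprivileged process may only map its own single ID by itself); the ValueError path is the "no subuid range" case that the prompt-for-sudo item above is about.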