feat: build stacker on Ubuntu 24.04 LTS (noble) (#644)

raharper · web-flow · commit dbfe650846a8 · 2024-09-11T14:16:13.000-07:00
Fix build on Ubuntu 24.04 - install libsystem-dev for static libsystemd library - Use ppa:puzzleos/dev to pull in patched lxc 5.0.3 which includes liblxc.a in the lxc-dev package - Handle modifying kernel tunables for user-namespace and apparmor restrictions - Adjust Makefile to add -lsystemd to the libs when making stacker-dynamic, but omit the library when stacker-static is building built - Add default container policy to rfs if not already present - Fix whiteouts.bats test, don't quote the bsdtar | grep or we get command not found, further, check the grep return code, if it's 0, then we found the whiteout file in the tar and the test should fail. Fixes: #632 Signed-off-by: Ryan Harper <rharper@woxford.com>
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -32,7 +32,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     services:
       registry:
         image: ghcr.io/project-stacker/registry:2
diff --git a/Makefile b/Makefile
@@ -1,3 +1,4 @@
+SHELL=/bin/bash
 TOP_LEVEL := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
 BUILD_D = $(TOP_LEVEL)/.build
 export GOPATH ?= $(BUILD_D)/gopath
@@ -77,6 +78,16 @@ stacker-cov: $(STAGE1_STACKER) $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapp
 		--substitute VERSION_FULL=$(VERSION_FULL) \
 		--substitute WITH_COV=yes
 
+# On Ubuntu 24.04 the lxc package does not link against libsystemd so the pkg-config
+# below does list -lsystemd; we must add it to the list but only for stacker-dynamic
+ifeq ($(shell awk -F= '/VERSION_ID/ {print $$2}' /etc/os-release),"24.04")
+ifeq (stacker-dynamic,$(firstword $(MAKECMDGOALS)))
+LXC_WRAPPER_LIBS=-lsystemd
+else
+LXC_WRAPPER_LIBS=
+endif
+endif
+
 stacker-static: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
 	$(call build_stacker,,static_build,-extldflags '-static',stacker)
 
@@ -91,7 +102,7 @@ stacker-dynamic: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
 	$(call build_stacker,,,,stacker-dynamic)
 
 cmd/stacker/lxc-wrapper/lxc-wrapper: cmd/stacker/lxc-wrapper/lxc-wrapper.c
-	make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) -lpthread -ldl" lxc-wrapper
+	make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) $(LXC_WRAPPER_LIBS) -lpthread -ldl" lxc-wrapper
 
 
 .PHONY: go-download
diff --git a/install-build-deps.sh b/install-build-deps.sh
@@ -22,27 +22,58 @@ installdeps_fedora() {
 }
 
 installdeps_ubuntu() {
-    sudo add-apt-repository -y ppa:project-machine/squashfuse
-    sudo apt -yy install \
-            build-essential \
-            cryptsetup-bin \
-            jq \
-            libacl1-dev \
-            libcap-dev \
-            libcryptsetup-dev \
-            libdevmapper-dev \
-            libpam0g-dev \
-            libseccomp-dev \
-            libselinux1-dev \
-            libssl-dev \
-            libzstd-dev \
-            lxc-dev \
-            lxc-utils \
-            parallel \
-            pkg-config \
-            squashfs-tools \
-            squashfuse \
-            libarchive-tools
+    PKGS=(
+        build-essential
+        cryptsetup-bin
+        jq
+        libacl1-dev
+        libcap-dev
+        libcryptsetup-dev
+        libdevmapper-dev
+        liblxc-dev
+        libpam0g-dev
+        libseccomp-dev
+        libselinux1-dev
+        libssl-dev
+        libzstd-dev
+        lxc-dev
+        lxc-utils
+        parallel
+        pkg-config
+        squashfs-tools
+        squashfuse
+        libarchive-tools
+    )
+
+    case "$VERSION_ID" in
+        22.04)
+            sudo add-apt-repository -y ppa:project-machine/squashfuse
+            ;;
+        24.04)
+            # lp:2080069
+            # temporarily add puzzleos/dev to pickup lxc-dev package which
+            # provides static liblxc.a
+            sudo add-apt-repository -y ppa:puzzleos/dev
+
+            # allow array to expand again
+            #shellcheck disable=2206
+            PKGS=( ${PKGS[*]} libsystemd-dev )
+
+            # 24.04 has additional apparmor restrictions, probably doesn't apply
+            # for root in github VM but developers will run into this
+            enable_userns
+            ;;
+    esac
+
+    # allow array to expand
+    #shellcheck disable=2206
+    sudo apt -yy install ${PKGS[*]}
+
+    # Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
+    if [ "$VERSION_ID" != "24.04" ]; then
+        sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
+    fi
+
     # skopeo deps
     sudo apt -yy install \
        libgpgme-dev \
@@ -54,8 +85,24 @@ installdeps_ubuntu() {
         sudo apt -yy install golang-go
         go version
     fi
-    # Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
-    sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
+}
+
+enable_userns() {
+    SYSCTL_USERNS="/etc/sysctl.d/00-enable-userns.conf"
+    if ! [ -s "${SYSCTL_USERNS}" ]; then
+        echo "Add kernel tunables to enable user namespaces in $SYSCTL_USERNS "
+        cat <<EOF | sudo tee "${SYSCTL_USERNS}"
+kernel.apparmor_restrict_unprivileged_io_uring = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_userns_complain = 0
+kernel.apparmor_restrict_unprivileged_userns_force = 0
+kernel.unprivileged_bpf_disabled = 2
+kernel.unprivileged_userns_apparmor_policy = 0
+kernel.unprivileged_userns_clone = 1
+EOF
+        sudo sysctl -p /etc/sysctl.d/00-enable-userns.conf
+    fi
 }
 
 installdeps_golang() {
@@ -78,5 +125,13 @@ case $ID_LIKE in
         ;;
 esac
 
+# add container policy (if not already present
+POLICY="/etc/containers/policy.json"
+if ! [ -s "${POLICY}" ]; then
+    sudo mkdir -p "$(dirname $POLICY)"
+    echo "adding default containers policy (insecure):${POLICY}"
+    echo '{"default":[{"type":"insecureAcceptAnything"}]}' | sudo tee "${POLICY}"
+fi
+
 # install golang deps
 installdeps_golang || exit 1
diff --git a/test/whiteout.bats b/test/whiteout.bats
@@ -27,8 +27,9 @@ EOF
         continue
     }
     bsdtar -tvf oci/blobs/sha256/$f
-    run "bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'"
-    if [ "$status" -eq 0 ]; then
+    # we expect the grep to fail, if it returns success we fail the test since
+    # it means we have .wh files in the tar which we should NOT.
+    if run bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'; then
       echo "should not have a sensors.d whiteout!";
       exit 1;
     fi
