Compare commits
2 commits
239b00fc3b
...
09be333ac6
Author | SHA1 | Date | |
---|---|---|---|
Peter Cai | 09be333ac6 | ||
Peter Cai | 91a78138a5 |
|
@ -1,5 +1,9 @@
|
|||
FROM dobu/deps-base-archlinux:latest
|
||||
|
||||
# This is used to invalidate cache as needed by build-image;
|
||||
# depends on TRACK_PACKAGE_ARCHLINUX set in control
|
||||
ARG UPSTREAM_VERSION
|
||||
|
||||
RUN pacman -Syu --noconfirm \
|
||||
&& pacman -S --noconfirm shattered-pixel-dungeon
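Review bot: `ARG UPSTREAM_VERSION` only serves to bust the layer cache; `pacman -S --noconfirm shattered-pixel-dungeon` still installs whatever the mirror serves at build time, so the version build-image looked up on archlinux.org is never enforced and the image can silently lag or differ from the value it was built against. Making the RUN step fail when the two disagree keeps the lookup honest: append `&& [ "$(pacman -Q shattered-pixel-dungeon)" = "shattered-pixel-dungeon $UPSTREAM_VERSION" ]` to the RUN chain (this assumes build-image always passes the arg, which it does whenever the control file sets TRACK_PACKAGE_ARCHLINUX). Note that `pacman -Syu` also refreshes every base package, so the rest of the layer is not reproducible either; worth a one-line comment if that drift is accepted.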
|
||||
|
||||
|
|
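--- /dev/null
+++ b/apps/shattered-pixel-dungeon/control
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+TRACK_PACKAGE_ARCHLINUX="extra/any/shattered-pixel-dungeon"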
@ -6,4 +6,16 @@ assert_prerequisites
|
|||
|
||||
image_name="$(path_to_image_name "$1")"
|
||||
|
||||
podman build -t "$image_name" "$1"
|
||||
# Load config if we have it
|
||||
[ -f "$script_path/$1/control" ] && . "$script_path/$1/control"
|
||||
|
||||
extra_args=""
|
||||
|
||||
if [ ! -z "${TRACK_PACKAGE_ARCHLINUX+x}" ]; then
|
||||
log "Fetching upstream package version from Arch Linux"
|
||||
upstream_ver="$(get_archlinux_pkg_ver "$TRACK_PACKAGE_ARCHLINUX")"
|
||||
log "Latest upstream version: $upstream_ver"
|
||||
extra_args="$extra_args --build-arg UPSTREAM_VERSION=$upstream_ver"
|
||||
fi
|
||||
|
||||
podman build -t "$image_name" "$script_path/$1" $extra_args
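Review bot: `extra_args` is built by string concatenation and expanded unquoted on the final `podman build` line, so the version string fetched from a remote JSON endpoint is word-split and glob-expanded straight into the podman command line, and an empty or malformed result (curl failures are silenced inside get_archlinux_pkg_ver, so `upstream_ver` can be empty) is passed on without any check. Use an array and validate the value before it becomes a build arg, as below. The sourced control file is arbitrary bash selected by `$1`; since `$1` also forms the context path, consider rejecting values containing `/` or `..` so only an app directory directly under `$script_path` can be loaded (presumably the intent, but not enforced here). The enclosing script continues outside the hunk.
```shell
extra_args=()

if [ ! -z "${TRACK_PACKAGE_ARCHLINUX+x}" ]; then
    log "Fetching upstream package version from Arch Linux"
    upstream_ver="$(get_archlinux_pkg_ver "$TRACK_PACKAGE_ARCHLINUX")"
    # A failed or malformed lookup must not reach the build: require a plain
    # pkgver-pkgrel string (epoch ':' allowed) so nothing else can be injected
    [[ "$upstream_ver" =~ ^[A-Za-z0-9.:_+~-]+$ ]] || die "Could not determine upstream version for $TRACK_PACKAGE_ARCHLINUX"
    log "Latest upstream version: $upstream_ver"
    extra_args+=(--build-arg "UPSTREAM_VERSION=$upstream_ver")
fi

podman build -t "$image_name" "$script_path/$1" "${extra_args[@]}"
```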
|
||||
|
|
|
@ -61,9 +61,7 @@ fi
|
|||
|
||||
# The fun part: start the container!
|
||||
# Don't detach like we did with Sommelier, though
|
||||
podman run --rm --userns=keep-id:uid=1100,gid=1100 \
|
||||
`# Use seccomp.json from Docker which blocks sub-namespaces (including sub-userns)` \
|
||||
--security-opt seccomp="$script_path/assets/seccomp.json" --name "$container_name" \
|
||||
podman run --rm "${podman_security_args[@]}" --name "$container_name" \
|
||||
`# Create tmpfs mountpoints for runtime directories` \
|
||||
--mount type=tmpfs,destination=/xdg_runtime \
|
||||
--mount type=tmpfs,destination=/tmp/.X11-unix \
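Review bot: The seccomp profile and userns mapping now come entirely from `podman_security_args`, and an unset or empty array expands to nothing, so if functions.sh is not sourced first (or the variable is later renamed) this `podman run` starts the app container with no seccomp filter and default user mapping without any error (unless the script runs under `set -u` on a bash older than 4.4, which I cannot see from here). Fail closed before starting: `[ "${#podman_security_args[@]}" -gt 0 ] || die "podman_security_args is empty; refusing to start an unhardened container"`. The inline comment explaining that the Docker seccomp profile blocks sub-namespaces was dropped from this call site; the array's definition carries it now, but a one-line pointer such as `# hardening flags: see podman_security_args in functions.sh` keeps the intent visible where the container is actually started. The `podman run` command continues past the end of the hunk.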
|
||||
|
|
22
functions.sh
|
@ -9,8 +9,20 @@ DOBU_TMP=/tmp/dobu
|
|||
. "$script_path/config-default.sh"
|
||||
[ -f "$script_path/config.sh" ] && . "$script_path/config.sh"
|
||||
|
||||
# Default security-related arguments ALWAYS passed to podman
|
||||
# Install a seccomp filter that disallows sub-namespaces which could lead to exploits
|
||||
# and use the keep-id mode of userns, such that the user 1100 is mapped to the
|
||||
# current host user, and the root user inside the namespace is mapped to an unrelated
|
||||
# large uid on the host.
|
||||
podman_security_args=(
|
||||
--security-opt
|
||||
seccomp="$script_path/assets/seccomp.json"
|
||||
--userns=keep-id:uid=1100,gid=1100
|
||||
)
|
||||
|
||||
assert_prerequisites() {
|
||||
command -v podman >/dev/null 2>&1 || die "Podman is required"
|
||||
command -v jq >/dev/null 2>&1 || die "jq is required"
|
||||
[ -S "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" ] || die "Dobu must be run under a compliant Wayland compositor"
|
||||
}
|
||||
|
||||
|
@ -31,7 +43,7 @@ is_in_array() {
|
|||
}
|
||||
|
||||
path_to_image_name() {
|
||||
local context_path="$1"
|
||||
local context_path="$script_path/$1"
|
||||
|
||||
[ -d "$context_path" ] || die "$context_path does not exist"
|
||||
|
||||
|
@ -64,7 +76,7 @@ ensure_sommelier() {
|
|||
|
||||
log "Starting Sommelier as a nested compositor..."
|
||||
|
||||
podman run --rm -d --userns=keep-id:uid=1100,gid=1100 --name dobu-deps-sommelier \
|
||||
podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-sommelier \
|
||||
-v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
|
||||
`# Pass through host wayland display for Sommelier always as wayland-0` \
|
||||
-v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
|
||||
|
@ -73,8 +85,12 @@ ensure_sommelier() {
|
|||
`# DRM render nodes` \
|
||||
-v /dev/dri:/dev/dri \
|
||||
dobu/deps-sommelier
|
||||
|
||||
while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-1" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
|
||||
|
||||
sleep 0.5
|
||||
done
|
||||
}
|
||||
|
||||
get_archlinux_pkg_ver() {
|
||||
curl https://archlinux.org/packages/$1/json/ 2>/dev/null | jq -r '. | .pkgver + "-" + .pkgrel'
|
||||
}
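Review bot: `get_archlinux_pkg_ver` cannot signal failure to its caller: curl runs without `-f`, so a 404 (package renamed or moved between repos) hands an HTML page to jq, a transport error is hidden by `2>/dev/null` and leaves jq with empty input and exit status 0, and a JSON body lacking the fields would yield the string `-` rather than an error — in each case build-image receives an empty or bogus version with a zero exit status. The rewrite below fails on HTTP and transport errors and on missing fields so the caller's `$(...)` can be checked. `$1` is also interpolated unquoted into the URL; quote it. assert_prerequisites in the first hunk of this file now checks for jq but not for curl, which this function requires; add `command -v curl >/dev/null 2>&1 || die "curl is required"` there.
```shell
get_archlinux_pkg_ver() {
    local pkg="$1" json
    # -f: treat HTTP errors as failures instead of piping an error page into jq;
    # -sS: no progress meter, but real errors still reach stderr
    json="$(curl -fsS "https://archlinux.org/packages/${pkg}/json/")" || return 1
    # -e: non-zero exit when no version could be produced (missing fields)
    jq -re 'select(.pkgver != null and .pkgrel != null) | .pkgver + "-" + .pkgrel' <<<"$json"
}
```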
|
||||
|
|