From 1fb1d2e5a57f164d82c4e7ef1bc12231b680fa00 Mon Sep 17 00:00:00 2001
From: Ryan Harper <rharper@woxford.com>
Date: Wed, 11 Sep 2024 10:22:39 -0500
Subject: [PATCH] feat: build stacker on Ubuntu 24.04 LTS (noble)

Fix build on Ubuntu 24.04

- install libsystem-dev for static libsystemd library
- Use ppa:puzzleos/dev to pull in patched lxc 5.0.3 which includes
  liblxc.a in the lxc-dev package
- Handle modifying kernel tunables for user-namespace and apparmor
  restrictions
- Adjust Makefile to add -lsystemd to the libs when making
  stacker-dynamic, but omit the library when stacker-static is building
  built
- Add default container policy to rfs if not already present
- Fix whiteouts.bats test, don't quote the bsdtar | grep or we get
  command not found, further, check the grep return code, if it's
  0, then we found the whiteout file in the tar and the test should
  fail.

Fixes: #632

Signed-off-by: Ryan Harper <rharper@woxford.com>
---
 .github/workflows/build.yaml |   2 +-
 Makefile                     |  13 ++++-
 install-build-deps.sh        | 101 +++++++++++++++++++++++++++--------
 test/whiteout.bats           |   5 +-
 4 files changed, 94 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 23f2fcf9..719b7356 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -32,7 +32,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     services:
       registry:
         image: ghcr.io/project-stacker/registry:2
diff --git a/Makefile b/Makefile
index 74716909..e123156b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+SHELL=/bin/bash
 TOP_LEVEL := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
 BUILD_D = $(TOP_LEVEL)/.build
 export GOPATH ?= $(BUILD_D)/gopath
@@ -77,6 +78,16 @@ stacker-cov: $(STAGE1_STACKER) $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapp
 		--substitute VERSION_FULL=$(VERSION_FULL) \
 		--substitute WITH_COV=yes
 
+# On Ubuntu 24.04 the lxc package does not link against libsystemd so the pkg-config
+# below does list -lsystemd; we must add it to the list but only for stacker-dynamic
+ifeq ($(shell awk -F= '/VERSION_ID/ {print $$2}' /etc/os-release),"24.04")
+ifeq (stacker-dynamic,$(firstword $(MAKECMDGOALS)))
+LXC_WRAPPER_LIBS=-lsystemd
+else
+LXC_WRAPPER_LIBS=
+endif
+endif
+
 stacker-static: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
 	$(call build_stacker,,static_build,-extldflags '-static',stacker)
 
@@ -91,7 +102,7 @@ stacker-dynamic: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
 	$(call build_stacker,,,,stacker-dynamic)
 
 cmd/stacker/lxc-wrapper/lxc-wrapper: cmd/stacker/lxc-wrapper/lxc-wrapper.c
-	make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) -lpthread -ldl" lxc-wrapper
+	make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) $(LXC_WRAPPER_LIBS) -lpthread -ldl" lxc-wrapper
 
 
 .PHONY: go-download
diff --git a/install-build-deps.sh b/install-build-deps.sh
index 4d52557b..bae0a887 100755
--- a/install-build-deps.sh
+++ b/install-build-deps.sh
@@ -22,27 +22,58 @@ installdeps_fedora() {
 }
 
 installdeps_ubuntu() {
-    sudo add-apt-repository -y ppa:project-machine/squashfuse
-    sudo apt -yy install \
-            build-essential \
-            cryptsetup-bin \
-            jq \
-            libacl1-dev \
-            libcap-dev \
-            libcryptsetup-dev \
-            libdevmapper-dev \
-            libpam0g-dev \
-            libseccomp-dev \
-            libselinux1-dev \
-            libssl-dev \
-            libzstd-dev \
-            lxc-dev \
-            lxc-utils \
-            parallel \
-            pkg-config \
-            squashfs-tools \
-            squashfuse \
-            libarchive-tools
+    PKGS=(
+        build-essential
+        cryptsetup-bin
+        jq
+        libacl1-dev
+        libcap-dev
+        libcryptsetup-dev
+        libdevmapper-dev
+        liblxc-dev
+        libpam0g-dev
+        libseccomp-dev
+        libselinux1-dev
+        libssl-dev
+        libzstd-dev
+        lxc-dev
+        lxc-utils
+        parallel
+        pkg-config
+        squashfs-tools
+        squashfuse
+        libarchive-tools
+    )
+
+    case "$VERSION_ID" in
+        22.04)
+            sudo add-apt-repository -y ppa:project-machine/squashfuse
+            ;;
+        24.04)
+            # lp:2080069
+            # temporarily add puzzleos/dev to pickup lxc-dev package which
+            # provides static liblxc.a
+            sudo add-apt-repository -y ppa:puzzleos/dev
+
+            # allow array to expand again
+            #shellcheck disable=2206
+            PKGS=( ${PKGS[*]} libsystemd-dev )
+
+            # 24.04 has additional apparmor restrictions, probably doesn't apply
+            # for root in github VM but developers will run into this
+            enable_userns
+            ;;
+    esac
+
+    # allow array to expand
+    #shellcheck disable=2206
+    sudo apt -yy install ${PKGS[*]}
+
+    # Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
+    if [ "$VERSION_ID" != "24.04" ]; then
+        sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
+    fi
+
     # skopeo deps
     sudo apt -yy install \
        libgpgme-dev \
@@ -54,8 +85,24 @@ installdeps_ubuntu() {
         sudo apt -yy install golang-go
         go version
     fi
-    # Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
-    sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
+}
+
+enable_userns() {
+    SYSCTL_USERNS="/etc/sysctl.d/00-enable-userns.conf"
+    if ! [ -s "${SYSCTL_USERNS}" ]; then
+        echo "Add kernel tunables to enable user namespaces in $SYSCTL_USERNS "
+        cat <<EOF | sudo tee "${SYSCTL_USERNS}"
+kernel.apparmor_restrict_unprivileged_io_uring = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_userns_complain = 0
+kernel.apparmor_restrict_unprivileged_userns_force = 0
+kernel.unprivileged_bpf_disabled = 2
+kernel.unprivileged_userns_apparmor_policy = 0
+kernel.unprivileged_userns_clone = 1
+EOF
+        sudo sysctl -p /etc/sysctl.d/00-enable-userns.conf
+    fi
 }
 
 installdeps_golang() {
@@ -78,5 +125,13 @@ case $ID_LIKE in
         ;;
 esac
 
+# add container policy (if not already present
+POLICY="/etc/containers/policy.json"
+if ! [ -s "${POLICY}" ]; then
+    sudo mkdir -p "$(dirname $POLICY)"
+    echo "adding default containers policy (insecure):${POLICY}"
+    echo '{"default":[{"type":"insecureAcceptAnything"}]}' | sudo tee "${POLICY}"
+fi
+
 # install golang deps
 installdeps_golang || exit 1
diff --git a/test/whiteout.bats b/test/whiteout.bats
index 9cee2e91..71fa0008 100644
--- a/test/whiteout.bats
+++ b/test/whiteout.bats
@@ -27,8 +27,9 @@ EOF
         continue
     }
     bsdtar -tvf oci/blobs/sha256/$f
-    run "bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'"
-    if [ "$status" -eq 0 ]; then
+    # we expect the grep to fail, if it returns success we fail the test since
+    # it means we have .wh files in the tar which we should NOT.
+    if run bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'; then
       echo "should not have a sensors.d whiteout!";
       exit 1;
     fi