distrobuilder: 3.1 -> 3.2

https://discuss.linuxcontainers.org/t/distrobuilder-3-2-has-been-released/23385

Also rebased generator patch

pkgs/by-name/di/distrobuilder/nixos-generator.patch

@@ -1,16 +1,16 @@
-diff --git a/distrobuilder/lxc.generator b/distrobuilder/lxc.generator
+diff --git c/distrobuilder/lxc.generator w/distrobuilder/lxc.generator
-index dc5b506..0265da8 100644
+index 5f854d3..927f2df 100644
---- a/distrobuilder/lxc.generator
+--- c/distrobuilder/lxc.generator
-+++ b/distrobuilder/lxc.generator
++++ w/distrobuilder/lxc.generator
-@@ -21,16 +21,6 @@ is_incus_vm() {
+@@ -16,16 +16,6 @@ is_lxc_privileged_container() {
- 	[ -e /dev/virtio-ports/org.linuxcontainers.incus ]
+ 	grep -qw 4294967295$ /proc/self/uid_map
  }
  
 -# is_in_path succeeds if the given file exists in on of the paths
 -is_in_path() {
 -	# Don't use $PATH as that may not include all relevant paths
 -	for path in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
--		[ -e "${path}/$1" ] && return 0
+-		[ -e "${path}/${1}" ] && return 0
 -	done
 -
 -	return 1
@@ -19,21 +19,23 @@ index dc5b506..0265da8 100644
  ## Fix functions
  # fix_ro_paths avoids udevd issues with /sys and /proc being writable
  fix_ro_paths() {
-@@ -42,38 +32,6 @@ fix_ro_paths() {
+@@ -47,41 +37,6 @@ fix_ro_run() {
  		EOF
  }
  
 -# fix_nm_link_state forces the network interface to a DOWN state ahead of NetworkManager starting up
 -fix_nm_link_state() {
--	[ -e "/sys/class/net/$1" ] || return 0
+-	[ -e "/sys/class/net/${1}" ] || return 0
--	ip_path=
+-
--	if [ -f /sbin/ip ]; then
+-	ip=
--		ip_path=/sbin/ip
+-	if [ -f "/sbin/ip" ]; then
--	elif [ -f /bin/ip ]; then
+-		ip="/sbin/ip"
--		ip_path=/bin/ip
+-	elif [ -f "/bin/ip" ]; then
+-		ip="/bin/ip"
 -	else
 -		return 0
 -	fi
+-
 -	cat <<-EOF > /run/systemd/system/network-device-down.service
 -		# This file was created by distrobuilder
 -		[Unit]
@@ -44,13 +46,14 @@ index dc5b506..0265da8 100644
 -		[Service]
 -		# do not turn off if there is a default route to 169.254.0.1, i.e. the device is a routed nic
 -		ExecCondition=/bin/sh -c '! /usr/bin/grep -qs 00000000.0100FEA9 /proc/net/route'
--		ExecStart=-${ip_path} link set $1 down
+-		ExecStart=-${ip} link set ${1} down
 -		Type=oneshot
 -		RemainAfterExit=true
 -
 -		[Install]
 -		WantedBy=default.target
 -		EOF
+-
 -	mkdir -p /run/systemd/system/default.target.wants
 -	ln -sf /run/systemd/system/network-device-down.service /run/systemd/system/default.target.wants/network-device-down.service
 -}
@@ -58,78 +61,105 @@ index dc5b506..0265da8 100644
  # fix_systemd_override_unit generates a unit specific override
  fix_systemd_override_unit() {
  	dropin_dir="/run/systemd/${1}.d"
-@@ -113,16 +71,7 @@ fix_systemd_mask() {
+@@ -122,16 +77,7 @@ fix_systemd_mask() {
  # fix_systemd_udev_trigger overrides the systemd-udev-trigger.service to match the latest version
  # of the file which uses "ExecStart=-" instead of "ExecStart=".
  fix_systemd_udev_trigger() {
--	cmd=
+-	udev=
 -	if [ -f /usr/bin/udevadm ]; then
--		cmd=/usr/bin/udevadm
+-		udev=/usr/bin/udevadm
 -	elif [ -f /sbin/udevadm ]; then
--		cmd=/sbin/udevadm
+-		udev=/sbin/udevadm
 -	elif [ -f /bin/udevadm ]; then
--		cmd=/bin/udevadm
+-		udev=/bin/udevadm
 -	else
 -		return 0
 -	fi
-+	cmd=udevadm
++	udev=/run/current-system/sw/bin/udevadm
  
  	mkdir -p /run/systemd/system/systemd-udev-trigger.service.d
  	cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf
-@@ -134,38 +83,13 @@ fix_systemd_udev_trigger() {
+@@ -143,52 +89,40 @@ fix_systemd_udev_trigger() {
  		EOF
  }
  
 -# fix_systemd_sysctl overrides the systemd-sysctl.service to use "ExecStart=-" instead of "ExecStart=".
 -fix_systemd_sysctl() {
--	cmd=/usr/lib/systemd/systemd-sysctl
+-	sysctl=/usr/lib/systemd/systemd-sysctl
--	! [ -e "${cmd}" ] && cmd=/lib/systemd/systemd-sysctl
+-	[ ! -e "${sysctl}" ] && sysctl=/lib/systemd/systemd-sysctl
+-
 -	mkdir -p /run/systemd/system/systemd-sysctl.service.d
 -	cat <<-EOF > /run/systemd/system/systemd-sysctl.service.d/zzz-lxc-override.conf
 -		# This file was created by distrobuilder
 -		[Service]
 -		ExecStart=
--		ExecStart=-${cmd}
+-		ExecStart=-${sysctl}
 -		EOF
 -}
 -
  ## Main logic
--# Nothing to do in Incus VM but deployed in case it is later converted to a container
--is_incus_vm && exit 0
- 
  # Exit immediately if not an Incus/LXC container
  is_lxc_container || exit 0
  
--# Check for NetworkManager
--nm_exists=0
--
--is_in_path NetworkManager && nm_exists=1
--
  # Determine systemd version
+-SYSTEMD=""
 -for path in /usr/lib/systemd/systemd /lib/systemd/systemd; do
 -	[ -x "${path}" ] || continue
--
++SYSTEMD="$(/run/current-system/sw/lib/systemd/systemd --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
--	systemd_version="$("${path}" --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
+ 
+-	SYSTEMD="$("${path}" --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)"
 -	break
 -done
-+systemd_version="$(systemd --version | head -n1 | cut -d' ' -f2)"
  
- # Determine distro name and release
+-# Apply systemd overrides
- ID=""
+-if [ "${SYSTEMD}" -ge 244 ]; then
-@@ -196,7 +120,6 @@ fi
+-	fix_systemd_override_unit system/service
+-else
+-	# Setup per-unit overrides
+-	find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
+-		fix_systemd_override_unit "${service_file}"
+-	done
+-fi
+ 
+-# Workarounds for unprivileged containers.
+-if ! is_lxc_privileged_container; then
+-	fix_ro_paths systemd-networkd.service
+-	fix_ro_paths systemd-resolved.service
++
++# Overriding some systemd features is only needed if security.nesting=false
++# in which case, /dev/.lxc will be missing
++# Adding this conditional back for NixOS as we do not have the reported
++# problems, and the overrides could reduce potential service hardening
++if [ ! -d /dev/.lxc ]; then
++  # Apply systemd overrides
++  if [ "${SYSTEMD}" -ge 244 ]; then
++    fix_systemd_override_unit system/service
++  else
++    # Setup per-unit overrides
++    find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
++      fix_systemd_override_unit "${service_file}"
++    done
++  fi
++
++  # Workarounds for unprivileged containers.
++  if ! is_lxc_privileged_container; then
++    fix_ro_paths systemd-networkd.service
++    fix_ro_paths systemd-resolved.service
++  fi
+ fi
  
  # Ignore failures on some units.
  fix_systemd_udev_trigger
 -fix_systemd_sysctl
  
- # Mask some units.
+ # Fix issues with /run not being writable.
- fix_systemd_mask dev-hugepages.mount
+ fix_ro_run systemd-nsresourced.service
-@@ -226,11 +149,6 @@ if [ -d /etc/udev ]; then
+@@ -221,11 +155,6 @@ if [ -d /etc/udev ]; then
  		EOF
  fi
  
 -# Workarounds for NetworkManager in containers
--if [ "${nm_exists}" -eq 1 ]; then
+-if is_in_path NetworkManager; then
 -	fix_nm_link_state eth0
 -fi
 -

pkgs/by-name/di/distrobuilder/package.nix

@@ -10,6 +10,7 @@
   gnutar,
   hivex,
   makeWrapper,
+  nix-update-script,
   nixosTests,
   pkg-config,
   squashfsTools,
@@ -35,16 +36,15 @@ let
 in
 buildGoModule rec {
   pname = "distrobuilder";
-  version = "3.1";
+  version = "3.2";
 
-  vendorHash = "sha256-3oHLvOdHbOdaL2FTo+a5HmayNi/i3zoAsU/du9h1N30=";
+  vendorHash = "sha256-nlqapWxuSZlbt22F3Y9X1uXFxJHvEoUBZDl078x8ZnA=";
 
   src = fetchFromGitHub {
     owner = "lxc";
     repo = "distrobuilder";
-    rev = "refs/tags/distrobuilder-${version}";
+    tag = "distrobuilder-${version}";
-    sha256 = "sha256-cIzIoLQmg1kgI1QRAmFh/ca88PJBW2yIY92BKHKwTMk=";
+    sha256 = "sha256-aDCx2WGAKdTNf0uMzwxG0AUmbuuWBFPYzNyycKklYOY=";
-    fetchSubmodules = false;
   };
 
   buildInputs = bins;
@@ -67,6 +67,8 @@ buildGoModule rec {
     };
 
     generator = callPackage ./generator.nix { inherit src version; };
+
+    updateScript = nix-update-script { };
   };
 
   meta = {