s iptables -S -t nat | gr docker | gr -- -N | sed 's/-N/-X/'| while read -r l; do sudo iptables -t nat $l; done
}
-# usage mkschroot [-] distro codename packages
-# - means no piping in of sources.list
+# usage mkschroot [OPTIONS] SCHROOT_NAME DISTRO_CODENAME PACKAGES...
+#
+# -f Overwrite any existing schroot
+# -s SOURCES_LIST_FILE After debootstrap, install this (for example, to get updates section instead of just main).
+# -t TARGET_DIR Instead of default /nocow/schroot/SCHROOT_NAME
#
# note some useful post mkschroot i've used in the past
# tu /nocow/schroot/flidas/etc/sudoers <<EOF
fi
shift 2
;;
+ -t)
+ d="$2"
+ shift 2
+ ;;
esac
done
- distro=$1
+ n=$1
+ shift
+ codename=$1
shift
- case $distro in
- trisquel)
+
+ case $codename in
+ aramo|ecne|nabia|etiona)
repo=http://mirror.fsf.org/trisquel/
;;
- ubuntu)
+ noble|jammy)
repo=http://archive.ubuntu.com/ubuntu/
;;
- debian)
+ bookworm|bullseye)
repo=http://deb.debian.org/debian/
;;
esac
- n=$1
- shift
if ! $force && schroot -l | grep -xFq chroot:$n; then
echo "$0: $n schroot already installed, skipping"
return 0
fi
apps=($@)
- d=/nocow/schroot/$n
+ if [[ ! $d ]]; then
+ d=/nocow/schroot/$n
+ fi
sd /etc/schroot/chroot.d/$n.conf <<EOF
[$n]
description=$n
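Review bot: The new `case $codename in` (L30–L42) has no default arm, so an unrecognised codename leaves `repo` unset — or holding the value from an earlier call in the same shell, since `repo` is not declared local in the visible lines — and the later `debootstrap` runs with an empty mirror argument; add `*) echo "$0: unknown codename $codename" >&2; return 1 ;;` before `esac`. The same stale-value concern applies to `d`: `[[ ! $d ]]` at L51 assumes `d` starts empty, so unless it is initialised next to `force`/`sources` before the option loop, a `-t` from a previous invocation would leak into the next one; that initialisation is outside the hunk, so this is inferred. mkschroot's body starts and ends outside the hunk.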
sudo mkdir -p $d
# resolvconf otherwise schroot fails with
# cp: not writing through dangling symlink '/var/run/schroot/mount/flidas-7a2362e0-81b3-4848-92c1-610203ef5976/etc/resolv.conf'
- sudo debootstrap --exclude=resolvconf $n $d $repo
+ sudo debootstrap --exclude=resolvconf $codename $d $repo
fi
if [[ $sources ]]; then
sudo install -m 644 $sources $d/etc/apt/sources.list
alerts() {
find /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f
}
-ralerts() { # remote alerts
+# remote alerts
+ralerts() {
local ret shell
local -a active_hosts
source /p/c/domain-info
if ! sudm mountpoint /root/mount_namespaces/$ns >/dev/null; then
m sudm unshare --propagation slave --mount=/root/mount_namespaces/$ns /bin/true
fi
+}
+# like mns() but without calling mns-setup
+#
+# When we are setting up a mount namespace, we use this to avoid
+# redundant calls of mns-setup
+mns-no-setup() {
+ local ns
+ ns=$1
+ shift
+ m sudm -E /usr/bin/nsenter --mount=/root/mount_namespaces/$ns "$@"
}
mns() { # mount namespace
m sudm -E /usr/bin/nsenter --mount=/root/mount_namespaces/$ns "$@"
}
-mnsd() { # mount namespace + systemd namespace
- local ns unit
+# systemd namespace + mount namespace
+sdmn() {
+ local ns unit user tmpf alt_user=false
+ local -a final_args
+ user=$USER
+ while [[ $1 ]]; do
+ case $1 in
+ -u)
+ alt_user=true
+ user="$2"
+ shift 2
+ ;;
+ -p)
+ pre_check="$2"
+ shift 2
+ ;;
+ *)
+ break
+ ;;
+ esac
+ done
+
ns=$1
unit=$2
shift 2
+ pid=$(servicepid $unit)
+ env-tmpf "$@"
+ if $alt_user; then
+ final_args=("$@")
+ else
+ final_args=(bash -c ". $tmpf")
+ fi
+ if [[ $pre_check ]]; then
+ sudm $pre_check
+ else
+ m sudm nsenter -t $pid -n -m mns-setup $ns
+ fi
+ m sudm nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $user -i "${final_args[@]}"
+}
- mns-setup $ns
+mnsd() { # mount namespace + systemd network namespace
+ local ns unit user tmpf alt_user=false
+ local -a final_args
+
+ ## begin command line args ##
+ user=$USER
+ while [[ $1 ]]; do
+ case $1 in
+ -u)
+ alt_user=true
+ user="$2"
+ shift 2
+ ;;
+ -p)
+ pre_check="$2"
+ shift 2
+ ;;
+ *)
+ break
+ ;;
+ esac
+ done
+ ns=$1
+ unit=$2
+ shift 2
+ ## end command line args ##
pid=$(servicepid $unit)
env-tmpf "$@"
- m sudo nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $USER -i bash -c ". $tmpf"
+ if $alt_user; then
+ final_args=("$@")
+ else
+ final_args=(bash -c ". $tmpf")
+ fi
+ if [[ $pre_check ]]; then
+ if ! sudm $pre_check; then
+ m sudm nsenter -t $pid -n -m mns-setup $ns
+ fi
+ fi
+ m sudo nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $user -i "${final_args[@]}"
}
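Review bot: `pre_check` and `pid` are assigned in sdmn (L106, L118) and mnsd (L147, L159) but neither is in the `local` lists at L95 and L134, so in an interactive shell a `-p` value from one call persists and silently drives the `[[ $pre_check ]]` branch of the next call that omits `-p`; change both declarations to `local ns unit user tmpf pid pre_check= alt_user=false`. `env-tmpf "$@"` at L119 and L160 (and L205 in sdncmd) runs unconditionally, yet when `-u` is given `final_args=("$@")` never sources `$tmpf`, so the environment dump is created (chowned and group-writable in the other-user case) and never removed; moving the call into the `else` branch avoids that. The two functions also disagree on when `mns-setup` runs: sdmn runs it whenever `-p` is absent and ignores the pre-check's result, while mnsd runs it only when the pre-check fails and never without `-p`, which drops the unconditional `mns-setup $ns` the old mnsd had — if that is deliberate, a one-line comment on each would help.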
day_logs=()
if [[ -e office_at_conference.fsf.org/$log_base ]]; then
day_logs+=(office_at_conference.fsf.org/$log_base)
- fi
+ fi
if [[ -e sys_at_conference.fsf.org/$log_base ]]; then
day_logs+=(office_at_conference.fsf.org/$log_base)
fi
# systemd namespace cmd
# usage: UNIT CMD...
sdncmd() {
- local unit pid tmpf
- if (( $# <= 1 )); then
+ local unit pid tmpf alt_user=false
+ local -a final_args
+ if [[ $1 == -u* ]]; then
+ alt_user=true
+ user=${1#-u}
+ shift
+ else
+ user=$USER
+ fi
+
+ if (( $# == 0 )); then
echo $0: error wrong number of args >&2
return 1
fi
+
unit=$1
shift
pid=$(servicepid $unit)
env-tmpf "$@"
- m sudo nsenter -t $pid -n -m sudo -u $USER -i bash -c ". $tmpf"
+ if $alt_user; then
+ final_args=("$@")
+ else
+ final_args=(bash -c ". $tmpf")
+ fi
+ m sudo nsenter -t $pid -n -m sudo -u $user -i "${final_args[@]}"
}
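Review bot: `user` is assigned at L191 and L194 but is missing from `local unit pid tmpf alt_user=false` at L187, so every call overwrites a shell-global `user`; add it to the local list (env-tmpf reads it through bash's dynamic scoping, so a local still reaches it). The `-u` syntax also differs from sdmn/mnsd, which take `-u USER` as two words, whereas only the attached `-uUSER` form is recognised here, so `sdncmd -u bob unit cmd` would treat `bob` as the unit. Relaxing the arity check from `<= 1` to `== 0` at L197 additionally accepts `sdncmd UNIT` with no command, which ends in `bash -c ". $tmpf"` with an empty argument list; if an interactive shell is the intent, a comment saying so would help, otherwise the original check should stay.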
sdncmdroot() { # systemd namespace root command
unit=$1
shift
pid=$(servicepid $unit)
- m sudo nsenter -t $pid -n -m "$@"
+ m sudm nsenter -t $pid -n -m "$@"
}
## create tempfile script which runs command under same env then deletes itself.
# we could just set those explicity, PATH is the main one. It also
# seems less secure since another process could modify the temp file.
env-tmpf() {
- tmpf=$(mktemp --tmpdir $unit.XXXXXXXXXX)
+ if [[ $user != $USER ]]; then
+ tmpf=$(sudo -u $user mktemp --tmpdir $unit.XXXXXXXXXX)
+ sudo chmod 660 $tmpf
+ sudo chown iank $tmpf
+ else
+ tmpf=$(mktemp --tmpdir $unit.XXXXXXXXXX)
+ fi
{
export -p
printf "%s " "${@@Q}"
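Review bot: L229 hardcodes `iank` as the owner of the temp file while the rest of the function keys on `$USER`; use `sudo chown "$USER" "$tmpf"` so the file returns to the invoking user whoever that is. The function also relies on the caller having set `user`: when it is unset, `[[ $user != $USER ]]` is true and `sudo -u '' mktemp` fails, leaving `tmpf` empty for the `chmod`/`chown` that follow — `if [[ ${user:-$USER} != "$USER" ]]; then` plus `|| return` on the mktemp assignment covers that. The header comment at L222–223 mentions tampering but not disclosure: the script body is written with `export -p` (L234), so every exported variable of the calling shell lands in a file that is mode 660 and, after the chown, still carries `$user`'s group (presumably so `$user` can read it); stating that in the comment would make the trade-off explicit for anyone with credentials in their environment.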
vpncmd() {
sdncmd openvpn-client-tr@client.service "$@"
}
+vpncmdroot() {
+ sdncmdroot openvpn-client-tr@client.service "$@"
+}
vpni() {
sdncmd openvpn-client-tr@client.service bash
}
snap-last() {
ls -lad /mnt/o/btrbk/o.* | tail -n2
for sub in a q; do
- ls -lad /mnt/root/btrbk/$sub.* | tail -n2
+ ls -lad /mnt/root/btrbk/$sub.* | tail -n2
done
- }
+}
export BASEFILE_DIR=/a/bin/fai-basefiles
Description: ubuntu-system-adjustments-dummy
EOF
equivs-build ubuntu-system-adjustments
- sudo dpkg -i ../ubuntu-system-adjustments_2030_all.deb
+ sudo dpkg -i /tmp/user/1000/ubuntu-system-adjustments_2030_all.deb
cd
rm -r "$tmpdir"
fi
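Review bot: L258 replaces the relative `../ubuntu-system-adjustments_2030_all.deb` with a path that hardcodes uid 1000 under `/tmp/user`, so for another uid or a different TMPDIR layout `dpkg -i` installs nothing. `equivs-build` (L256) writes the package into the current directory, and the following `cd` / `rm -r "$tmpdir"` suggest the build happens under `$tmpdir`, so deriving the path from that is safer: `sudo dpkg -i "$PWD/ubuntu-system-adjustments_2030_all.deb"` or `"$tmpdir/ubuntu-system-adjustments_2030_all.deb"` — which one is right depends on the `cd` before L256, which is outside the hunk.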
# other than systemd showing in degraded state. So, we dont bother
# fixing the current state, let it fix on the next reboot.
# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
-if pcheck binfmt-support; then
- tmp=$(systemctl cat binfmt-support.service | grep ^After=)
- if [[ $tmp != *systemd-binfmt.service* ]]; then
- s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+
+case $codename_compat in
+ jammy)
+ if pcheck binfmt-support; then
+ tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+ if [[ $tmp != *systemd-binfmt.service* ]]; then
+ s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
[Unit]
$tmp systemd-binfmt.service
EOF
- fi
-fi
+ fi
+ fi
+esac
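Review bot: The new `case $codename_compat in` at L270 carries only a `jammy` arm, so the override written at L275 is silently skipped on every other release, and nothing in the comment block above (L262–L264) says why the workaround is now release-specific. A short note would save the next reader a trip to the linked commit, e.g. `# only applied on jammy; confirm whether newer codenames still lack After=systemd-binfmt.service before extending`. `codename_compat` is set outside the hunk, so I cannot confirm it is defined at this point.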
# commented, not worth the hassle i think.
#seru enable psd
rm -fv /home/iank/.mpv/watch_later
rm -rf /home/iank/.mpv
-# apparently pip is deprecated in debian. try venv or pipx.
-## begin u24 message upon pip install
+
+## note: begin u24 message upon pip install
# If you wish to install a non-Debian-packaged Python package,
# create a virtual environment using python3 -m venv path/to/venv.
# Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
# See /usr/share/doc/python3.12/README.venv for more information.
## end
+## in ubuntu, you can install python3-venv
# if [[ ! -e ~/.local/bin/pip ]]; then
# tmp=$(mktemp)
equivs-build tox
sudo dpkg -i tox_1.0_all.deb
rm -rf ./tox*
- pi beets
cd
rm -r "$tmpdir"
fi
;;
esac
+pi beets beets-doc
+
# get rid of annoying message
s sed -ri "s/^([[:space:]]*ui.print_\('Playing)/#\1/" /usr/share/beets/beetsplug/play.py
+## end beets
+
# notes about barrier
# run barrier, do the gui config,
hiup
+/p/c/distro-extra
+
# if I was going to create a persistent vm, i might do it like this:
# variant=something # from: virt-install --os-variant list
# s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
fi
fi
+
# background:
-# ubuntu has 002 for non-system users, debian has 022. 002 makes groups
-# be rw instead of r.
#
-# I think the actual setting is somewhere in the pam settings, I haven't
-# bothered to figure that out.
+# When I last checked many years ago, ubuntu had 002 for non-system
+# users, debian had 022. I think 027 for my own user makes most sense,
+# but root owned files are expected to be 022 so you have to switch
+# files you edit when you want to install them, which is very annoying
+# and I dont have time for sorting that out right now.
#
-# ubuntu is more user friendly when using multiple users. However,
-# it also makes it so if you create a file as a regular user then move
-# it to become a system file, it's got slightly wrong permissions, and
-# sometimes thing break. Also, copying files between ubuntu and debian
-# makes things inconsistent. So stick with 022 umask always.
+# A builtin way to set umask for a specific user is like so:
+# chfn -o umask=0027 iank
+# and unset it:
+# chfn -o umask iank
#
-# One security concern is where some unixes put every user in a same
-# group, so if you copy files there with exact perms, that is probably
-# not what you want. I don't use a system like that, so I don't
-# care.
+# Note: setting with negative symbols means we won't remove stricter
+# security measure (i haven't encountered that yet).
#
# Note: duplicated in .bashrc
-umask 022
-# this is how we could test for non-system user
+umask g-w,o-w
+#
+# if [ "$USER" == iank ]; then
+# umask g-w,o-rwx
+# else
+# umask g-w,o-w
+# fi
+
+# this is how we could test for non-system user
#if test "$(id -u)" -ge 1000; then : fi