diff --git a/README.md b/README.md index 35f2c98..d7beb1f 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,13 @@ The following environment variables are supported: public key authentication. Note that if SSH is not enabled this will take effect when SSH becomes enabled. + * `SETFCAP` (Default: unset) + + * Setting to `1` will prevent pi-gen from dropping the "capabilities" + feature. Generating the root filesystem with capabilities enabled and running + it from a filesystem that does not support capabilities (like NFS) can cause + issues. Only enable this if you understand what it is. + * `STAGE_LIST` (Default: `stage*`) If set, then instead of working through the numeric stages in order, this list will be followed. For example setting to `"stage0 stage1 mystage stage2"` will run the contents of `mystage` before stage2. Note that quotes are needed around the list. An absolute or relative path can be given for stages outside the pi-gen directory. diff --git a/build.sh b/build.sh index 8966bc7..986f81c 100755 --- a/build.sh +++ b/build.sh @@ -283,6 +283,10 @@ fi export NO_PRERUN_QCOW2="${NO_PRERUN_QCOW2:-1}" +if [ "$SETFCAP" != "1" ]; then + export CAPSH_ARG="--drop=cap_setfcap" +fi + dependencies_check "${BASE_DIR}/depends" #check username is valid diff --git a/scripts/common b/scripts/common index e476f0f..14be1c2 100644 --- a/scripts/common +++ b/scripts/common @@ -17,7 +17,7 @@ bootstrap(){ BOOTSTRAP_ARGS+=("$@") printf -v BOOTSTRAP_STR '%q ' "${BOOTSTRAP_ARGS[@]}" - setarch linux32 capsh --drop=cap_setfcap -- -c "'${BOOTSTRAP_CMD}' $BOOTSTRAP_STR" || true + setarch linux32 capsh $CAPSH_ARG -- -c "'${BOOTSTRAP_CMD}' $BOOTSTRAP_STR" || true if [ -d "$2/debootstrap" ] && ! rmdir "$2/debootstrap"; then cp "$2/debootstrap/debootstrap.log" "${STAGE_WORK_DIR}" @@ -90,7 +90,7 @@ on_chroot() { mount --bind /sys "${ROOTFS_DIR}/sys" fi - setarch linux32 capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e "$@" + setarch linux32 capsh $CAPSH_ARG "--chroot=${ROOTFS_DIR}/" -- -e "$@" } export -f on_chroot