feat: build stacker on Ubuntu 24.04 LTS (noble)

Fix build on Ubuntu 24.04

- install libsystem-dev for static libsystemd library
- Use ppa:puzzleos/dev to pull in patched lxc 5.0.3 which includes
  liblxc.a in the lxc-dev package
- Handle modifying kernel tunables for user-namespace and apparmor
  restrictions
- Adjust Makefile to add -lsystemd to the libs when making
  stacker-dynamic, but omit the library when stacker-static is building
  built
- Add default container policy to rfs if not already present
- Fix whiteouts.bats test, don't quote the bsdtar | grep or we get
  command not found.

Fixes: #632

Signed-off-by: Ryan Harper <[email protected]>

Author: raharper

.github/workflows/build.yaml

@@ -32,7 +32,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     services:
       registry:
         image: ghcr.io/project-stacker/registry:2

Makefile

@@ -1,3 +1,4 @@
+SHELL=/bin/bash
 TOP_LEVEL := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
 BUILD_D = $(TOP_LEVEL)/.build
 export GOPATH ?= $(BUILD_D)/gopath
@@ -77,6 +78,16 @@ stacker-cov: $(STAGE1_STACKER) $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapp
 		--substitute VERSION_FULL=$(VERSION_FULL) \
 		--substitute WITH_COV=yes
 
+# On Ubuntu 24.04 the lxc package does not link against libsystemd so the pkg-config
+# below does list -lsystemd; we must add it to the list but only for stacker-dynamic
+ifeq ($(shell awk -F= '/VERSION_ID/ {print $$2}' /etc/os-release),"24.04")
+ifeq (stacker-dynamic,$(firstword $(MAKECMDGOALS)))
+LXC_WRAPPER_LIBS=-lsystemd
+else
+LXC_WRAPPER_LIBS=
+endif
+endif
+
 stacker-static: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
 	$(call build_stacker,,static_build,-extldflags '-static',stacker)
 
@@ -91,7 +102,7 @@ stacker-dynamic: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper
 	$(call build_stacker,,,,stacker-dynamic)
 
 cmd/stacker/lxc-wrapper/lxc-wrapper: cmd/stacker/lxc-wrapper/lxc-wrapper.c
-	make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) -lpthread -ldl" lxc-wrapper
+	make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) $(LXC_WRAPPER_LIBS) -lpthread -ldl" lxc-wrapper
 
 
 .PHONY: go-download

install-build-deps.sh

@@ -22,27 +22,58 @@ installdeps_fedora() {
 }
 
 installdeps_ubuntu() {
-    sudo add-apt-repository -y ppa:project-machine/squashfuse
-    sudo apt -yy install \
-            build-essential \
-            cryptsetup-bin \
-            jq \
-            libacl1-dev \
-            libcap-dev \
-            libcryptsetup-dev \
-            libdevmapper-dev \
-            libpam0g-dev \
-            libseccomp-dev \
-            libselinux1-dev \
-            libssl-dev \
-            libzstd-dev \
-            lxc-dev \
-            lxc-utils \
-            parallel \
-            pkg-config \
-            squashfs-tools \
-            squashfuse \
-            libarchive-tools
+    PKGS=(
+        build-essential
+        cryptsetup-bin
+        jq
+        libacl1-dev
+        libcap-dev
+        libcryptsetup-dev
+        libdevmapper-dev
+        liblxc-dev
+        libpam0g-dev
+        libseccomp-dev
+        libselinux1-dev
+        libssl-dev
+        libzstd-dev
+        lxc-dev
+        lxc-utils
+        parallel
+        pkg-config
+        squashfs-tools
+        squashfuse
+        libarchive-tools
+    )
+
+    case "$VERSION_ID" in
+        22.04)
+            sudo add-apt-repository -y ppa:project-machine/squashfuse
+            ;;
+        24.04)
+            # lp:2080069
+            # temporarily add puzzleos/dev to pickup lxc-dev package which
+            # provides static liblxc.a
+            sudo add-apt-repository -y ppa:puzzleos/dev
+
+            # allow array to expand again
+            #shellcheck disable=2206
+            PKGS=( ${PKGS[*]} libsystemd-dev )
+
+            # 24.04 has additional apparmor restrictions, probably doesn't apply
+            # for root in github VM but developers will run into this
+            enable_userns
+            ;;
+    esac
+
+    # allow array to expand
+    #shellcheck disable=2206
+    sudo apt -yy install ${PKGS[*]}
+
+    # Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
+    if [ "$VERSION_ID" != "24.04" ]; then
+        sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
+    fi
+
     # skopeo deps
     sudo apt -yy install \
        libgpgme-dev \
@@ -54,8 +85,24 @@ installdeps_ubuntu() {
         sudo apt -yy install golang-go
         go version
     fi
-    # Work around an Ubuntu packaging bug. Fixed in 23.04 onward.
-    sudo sed -i 's/#define LXC_DEVEL 1/#define LXC_DEVEL 0/' /usr/include/lxc/version.h
+}
+
+enable_userns() {
+    SYSCTL_USERNS="/etc/sysctl.d/00-enable-userns.conf"
+    if ! [ -s "${SYSCTL_USERNS}" ]; then
+        echo "Add kernel tunables to enable user namespaces in $SYSCTL_USERNS "
+        cat <<EOF | sudo tee "${SYSCTL_USERNS}"
+kernel.apparmor_restrict_unprivileged_io_uring = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_userns_complain = 0
+kernel.apparmor_restrict_unprivileged_userns_force = 0
+kernel.unprivileged_bpf_disabled = 2
+kernel.unprivileged_userns_apparmor_policy = 0
+kernel.unprivileged_userns_clone = 1
+EOF
+        sudo sysctl -p /etc/sysctl.d/00-enable-userns.conf
+    fi
 }
 
 installdeps_golang() {
@@ -78,5 +125,13 @@ case $ID_LIKE in
         ;;
 esac
 
+# add container policy (if not already present
+POLICY="/etc/containers/policy.json"
+if ! [ -s "${POLICY}" ]; then
+    sudo mkdir -p "$(dirname $POLICY)"
+    echo "adding default containers policy (insecure):${POLICY}"
+    echo '{"default":[{"type":"insecureAcceptAnything"}]}' | sudo tee "${POLICY}"
+fi
+
 # install golang deps
 installdeps_golang || exit 1

test/whiteout.bats

@@ -27,7 +27,7 @@ EOF
         continue
     }
     bsdtar -tvf oci/blobs/sha256/$f
-    run "bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'"
+    run bsdtar -tvf oci/blobs/sha256/$f | grep '.wh.sensors.d'
     if [ "$status" -eq 0 ]; then
       echo "should not have a sensors.d whiteout!";
       exit 1;