From 3c2349922da39cd913e5cde473ec03dda9fe3fb6 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 27 May 2015 18:27:25 -0400
Subject: propellor spin
---
 src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/Propellor')
diff --git a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
index 6108bf1a..ee0adca2 100644
--- a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
+++ b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
@@ -119,7 +119,7 @@ standardAutoBuilderContainerNspawn arch buildminute timeout = Systemd.container
 where
 name = arch ++ "-git-annex-builder"
 bootstrap = Chroot.debootstrapped myos mempty
- myos = System (Debian Unstable) arch
+ myos = System (Debian Testing) arch
 
 androidAutoBuilderContainer :: (System -> Docker.Image) -> Times -> TimeOut -> Docker.Container
 androidAutoBuilderContainer dockerImage crontimes timeout =
-- cgit v1.3-2-g0d8e
From 9ce43e55f8db84ac1111ad29f0c134814f805fed Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 27 May 2015 21:11:36 -0400
Subject: Improve enter-machine scripts for nspawn containers to unset most environment variables.
---
 config-joey.hs | 4 ++--
 debian/changelog | 2 ++
 src/Propellor/Property/Systemd.hs | 20 ++++++++++++--------
 3 files changed, 16 insertions(+), 10 deletions(-)
(limited to 'src/Propellor')
diff --git a/config-joey.hs b/config-joey.hs
index 013be113..e01af471 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -134,10 +134,10 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64"
 ! Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "amd64" 15 "2h")
 ! Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "i386" 45 "2h")
 ! Docker.docked (GitAnnexBuilder.androidAutoBuilderContainer dockerImage (Cron.Times "1 1 * * *") "3h")
+ ! Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage)
+ ! Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h")
 & Docker.garbageCollected -- `period` Daily
 & Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainerNspawn "amd64" 15 "2h")
- & Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage)
- & Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h")
 & Apt.buildDep ["git-annex"] `period` Daily
 
 -- This is not a complete description of kite, since it's a
diff --git a/debian/changelog b/debian/changelog
index 96a9f745..5d70582e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ propellor (2.5.0) UNRELEASED; urgency=medium
 * Export CommandParam, boolSystem, safeSystem and shellEscape from Propellor.Property.Cmd, so they are available for use in constricting your own Properties when using propellor as a library.
+ * Improve enter-machine scripts for nspawn containers to unset most
+ environment variables.
 
 -- Joey Hess Thu, 07 May 2015 12:08:34 -0400
 
diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs
index 78a99963..b19c08bc 100644
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
@@ -215,15 +215,19 @@ enterScript c@(Container name _ _) = setup teardown
 where
 setup = combineProperties ("generated " ++ enterScriptFile c)
 [ scriptfile `File.hasContent`
- [ "#!/bin/sh"
+ [ "#!/usr/bin/perl"
 , "# Generated by propellor"
- , "pid=\"$(machinectl show " ++ shellEscape name ++ " -p Leader | cut -d= -f2)\" || true"
- , "if [ -n \"$pid\" ]; then"
- , "\tnsenter -p -u -n -i -m -t \"$pid\" \"$@\""
- , "else"
- , "\techo container not running >&2"
- , "\texit 1"
- , "fi"
+ , "my $pid=`machinectl show " ++ shellEscape name ++ " -p Leader | cut -d= -f2`;"
+ , "chomp $pid;"
+ , "if (length $pid) {"
+ , "\tforeach my $var (keys %ENV) {"
+ , "\t\tdelete $var unless $var eq 'PATH' || $var eq 'TERM';"
+ , "\t}"
+ , "\texec('nsenter', '-p', '-u', '-n', '-i', '-m', '-t', $pid, @ARGV);"
+ , "} else {"
+ , "\tdie 'container not running';"
+ , "}"
+ , "exit(1);"
 ]
 , scriptfile `File.mode` combineModes (readModes ++ executeModes)
 ]
-- cgit v1.3-2-g0d8e
From 0c86662b2d98f8f708bb5217e1cedf74b2fbfa04 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 27 May 2015 21:15:54 -0400
Subject: propellor spin
---
 src/Propellor/Property/Systemd.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/Propellor')
diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs
index b19c08bc..c698f780 100644
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
@@ -221,7 +221,7 @@ enterScript c@(Container name _ _) = setup teardown
 , "chomp $pid;"
 , "if (length $pid) {"
 , "\tforeach my $var (keys %ENV) {"
- , "\t\tdelete $var unless $var eq 'PATH' || $var eq 'TERM';"
+ , "\t\tdelete $ENV{$var} unless $var eq 'PATH' || $var eq 'TERM';"
 , "\t}"
 , "\texec('nsenter', '-p', '-u', '-n', '-i', '-m', '-t', $pid, @ARGV);"
 , "} else {"
-- cgit v1.3-2-g0d8e
From 2c2247fc2338d1543999cbbe182ea93e052c2d91 Mon Sep 17 00:00:00 2001
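Review bot: The generated script hands whatever `machinectl show … -p Leader | cut -d= -f2` printed straight to `nsenter -t` after checking only that it is non-empty; a stricter guard such as `, "if ($pid =~ /^[0-9]+\\z/) {"` in place of `, "if (length $pid) {"` makes sure the value is a PID before the script enters that process's pid, uts, net, ipc and mount namespaces. `exec` returns only on failure, and the trailing `exit(1);` then exits without saying why, so `, "\texec('nsenter', '-p', '-u', '-n', '-i', '-m', '-t', $pid, @ARGV) or die \"nsenter: $!\";"` would make a failed entry visible to the caller. Note also that the whitelist passes the host's PATH unchanged into the container's mount namespace, which is presumably intended but worth a comment. enterScript's signature and pattern are above this hunk and its teardown half is below it.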
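Review bot: Deleting entries of %ENV inside `foreach my $var (keys %ENV)` is only safe because `keys` produces the complete list before the loop body runs, which readers used to `each`-style iteration will stop to check; a comment on the Haskell line above the loop, `-- keys %ENV is evaluated once up front, so deleting inside the loop is safe`, would record that. The enclosing enterScript definition starts and ends outside this hunk.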
From: Joey Hess
Date: Wed, 27 May 2015 21:24:50 -0400
Subject: propellor spin
---
 config-joey.hs | 14 ++------
 .../Property/SiteSpecific/GitAnnexBuilder.hs | 40 +++++++--------------
 2 files changed, 15 insertions(+), 39 deletions(-)
(limited to 'src/Propellor')
diff --git a/config-joey.hs b/config-joey.hs
index 76c06bd2..50e712a0 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -75,7 +75,6 @@ darkstar = host "darkstar.kitenet.net"
 
 & Apt.buildDep ["git-annex"] `period` Daily
 & Docker.configured
- ! Docker.docked gitAnnexAndroidDev
 
 & JoeySites.postfixClientRelay (Context "darkstar.kitenet.net")
 & JoeySites.dkimMilter
@@ -130,9 +129,9 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64"
 & Apt.unattendedUpgrades
 & Postfix.satellite
 & Systemd.persistentJournal
- & Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainerNspawn "amd64" 15 "2h")
- & Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainerNspawn "i386" 15 "2h")
- & Apt.buildDep ["git-annex"] `period` Daily
+ & Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainer "amd64" 15 "2h")
+ & Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainer "i386" 15 "2h")
+ & Systemd.nspawned (GitAnnexBuilder.androidAutoBuilderContainer (Cron.Times "1 1 * * *") "3h")
 
 -- This is not a complete description of kite, since it's a
 -- multiuser system with eg, user passwords that are not deployed
@@ -402,13 +401,6 @@ oldusenetShellBox = standardStableContainer "oldusenet-shellbox"
 & Docker.publish "4200:4200"
 & JoeySites.oldUseNetShellBox
 
--- for development of git-annex for android, using my git-annex work tree
-gitAnnexAndroidDev :: Docker.Container
-gitAnnexAndroidDev = GitAnnexBuilder.androidContainer dockerImage "android-git-annex" doNothing gitannexdir
- & Docker.volume ("/home/joey/src/git-annex:" ++ gitannexdir)
- where
- gitannexdir = GitAnnexBuilder.homedir "git-annex"
-
 jerryPlay :: Docker.Container
 jerryPlay = standardContainer "jerryplay" Unstable "amd64"
 & alias "jerryplay.kitenet.net"
diff --git a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
index ee0adca2..eb831025 100644
--- a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
+++ b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
@@ -94,22 +94,9 @@ cabalDeps = flagFile go cabalupdated
 go = userScriptProperty (User builduser) ["cabal update && cabal install git-annex --only-dependencies || true"]
 cabalupdated = homedir ".cabal" "packages" "hackage.haskell.org" "00-index.cache"
 
-standardAutoBuilderContainer :: (System -> Docker.Image) -> Architecture -> Int -> TimeOut -> Docker.Container
-standardAutoBuilderContainer dockerImage arch buildminute timeout = Docker.container (arch ++ "-git-annex-builder") (dockerImage $ System (Debian Testing) arch)
- & os (System (Debian Testing) arch)
- & Apt.stdSourcesList
- & Apt.installed ["systemd"]
- & Apt.unattendedUpgrades
- & User.accountFor (User builduser)
- & tree arch
- & buildDepsApt
- & autobuilder arch (Cron.Times $ show buildminute ++ " * * * *") timeout
- & Docker.tweaked
-
-standardAutoBuilderContainerNspawn :: Architecture -> Int -> TimeOut -> Systemd.Container
-standardAutoBuilderContainerNspawn arch buildminute timeout = Systemd.container name bootstrap
- & os myos
+standardAutoBuilderContainer :: Architecture -> Int -> TimeOut -> Systemd.Container
+standardAutoBuilderContainer arch buildminute timeout = Systemd.container name bootstrap
+ & os osver
 & Apt.stdSourcesList
 & Apt.unattendedUpgrades
 & User.accountFor (User builduser)
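Review bot: The nspawn-based `standardAutoBuilderContainer` that replaces the Docker one no longer carries `Apt.installed ["systemd"]`, which the removed Docker variant listed explicitly; if Systemd.nspawned boots the chroot (the machinectl-based enter script elsewhere in this series suggests it does), the container needs an init inside it, so unless `Chroot.debootstrapped` with `mempty` is known to pull systemd in, keeping `& Apt.installed ["systemd"]` seems safer. The reworked `androidContainer` in the next hunk drops the same line. The new exported function also has no Haddock; `-- | Autobuilder for a Debian architecture, run as a systemd-nspawn container bootstrapped from a Debian Testing chroot.` above the signature would record the switch away from Docker. The definition's `where` clause continues in the following hunk.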
@@ -118,29 +105,25 @@ standardAutoBuilderContainerNspawn arch buildminute timeout = Systemd.container
 & autobuilder arch (Cron.Times $ show buildminute ++ " * * * *") timeout
 where
 name = arch ++ "-git-annex-builder"
- bootstrap = Chroot.debootstrapped myos mempty
- myos = System (Debian Testing) arch
+ bootstrap = Chroot.debootstrapped osver mempty
+ osver = System (Debian Testing) arch
 
-androidAutoBuilderContainer :: (System -> Docker.Image) -> Times -> TimeOut -> Docker.Container
-androidAutoBuilderContainer dockerImage crontimes timeout =
- androidContainer dockerImage "android-git-annex-builder" (tree "android") builddir
+androidAutoBuilderContainer :: Times -> TimeOut -> Systemd.Container
+androidAutoBuilderContainer crontimes timeout =
+ androidContainer "android-git-annex-builder" (tree "android") builddir
 & Apt.unattendedUpgrades
 & autobuilder "android" crontimes timeout
 
 -- Android is cross-built in a Debian i386 container, using the Android NDK.
 androidContainer
 :: (IsProp (Property (CInfo NoInfo i)), (Combines (Property NoInfo) (Property i)))
- => (System -> Docker.Image)
- -> Docker.ContainerName
+ => Systemd.MachineName
 -> Property i
 -> FilePath
- -> Docker.Container
-androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.container name
- (dockerImage osver)
+ -> Systemd.Container
+androidContainer name setupgitannexdir gitannexdir = Systemd.container name bootstrap
 & os osver
 & Apt.stdSourcesList
- & Apt.installed ["systemd"]
- & Docker.tweaked
 & User.accountFor (User builduser)
 & File.dirExists gitbuilderdir
 & File.ownerGroup homedir (User builduser) (Group builduser)
@@ -159,6 +142,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
 [ "cd " ++ gitannexdir ++ " && ./standalone/android/install-haskell-packages"
 ]
 osver = System (Debian Testing) "i386"
+ bootstrap = Chroot.debootstrapped osver mempty
 
 -- armel builder has a companion container using amd64 that
 -- runs the build first to get TH splices. They need
-- cgit v1.3-2-g0d8e
From 8d98d4351b33c0df716dbaf269f5b5ac9db4a39a Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 28 May 2015 09:34:47 -0400
Subject: reorder
---
 src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/Propellor')
diff --git a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
index eb831025..86bf104c 100644
--- a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
+++ b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
@@ -127,9 +127,9 @@ androidContainer name setupgitannexdir gitannexdir = Systemd.container name boot
 & User.accountFor (User builduser)
 & File.dirExists gitbuilderdir
 & File.ownerGroup homedir (User builduser) (Group builduser)
- & buildDepsApt
 & flagFile chrootsetup ("/chrootsetup") `requires` setupgitannexdir
+ & buildDepsApt
 & flagFile haskellpkgsinstalled ("/haskellpkgsinstalled")
 where
 -- Use git-annex's android chroot setup script, which will install
-- cgit v1.3-2-g0d8e
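Review bot: Moving `& buildDepsApt` below the chrootsetup flagFile changes the order in which these properties are ensured, but neither the code nor the commit message ("reorder") records why the build dependencies now have to be installed after git-annex's chroot setup script has run, so a later tidy-up can silently swap them back. A one-line comment above the moved line, `-- must come after chrootsetup: <reason placeholder, fill in the actual dependency>`, would pin the ordering for the next reader. The androidContainer definition begins above this hunk and its remaining `where` bindings continue below it.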