Sets up aurutils inside an nspawn container for building Arch Linux AUR packages.

Notifications You must be signed in to change notification settings

Cody-Learner/aurch

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

aurch

The emphasis of aurch is using an nspawn container for AUR 'build isolation' rather than a 'clean chroot'.
Aurch isolates the build environment to mitigate build script errors or malicious intent causing issues on the host.
The original aurch script has been split into two separate scripts, with a dedicated setup script.


aurch-setup:
Aurch-setup creates and sets up a systemd nspawn container for building AUR packages and sets up a local AUR repo on the host. The nspawn container is persistent, and intended for data storage and to be used for all AUR builds.

aurch:
Aurch builds AUR packages in the nspawn container isolated from the host.
After packages are built, they're copied into the host AUR cache and entered into host pacman sync db.
Builds, installs, and keeps all required AUR dependencies in the nspawn container.
Installs any required pgp keys in the nspawn container.
Removes all official repo packages used in the nspawn container build process upon completion, maintaining a minimal footprint of a small, consistent set of base packages.
All the AUR packages and AUR dependencies are saved/backed up within the nspawn container.


Note:
The aurch script isolates the build process from the host; this is not to be confused with building packages in a 'clean chroot'. Tools such as devtools were not written to isolate the build process from the host, and do not.

References:
Arch wiki: building in a clean chroot
https://www.reddit.com/r/archlinux/comments/q2qwbr/aur_build_in_chroot_to_mitigate_risks/hfn7x0p/
https://www.reddit.com/r/archlinux/comments/qk3rk7/wrote_script_to_setup_an_nspawn_chroot_and_build/hixia0b/

USAGE
	aurch [operation[options]] [package | pgp key]

OPERATIONS
	-B* --build	Build new or update an existing AUR package.
	-G  --git	Git clones an AUR package.
	-C  --compile	Build an AUR package on existing PKGBUILD.(1) 
	-Rh		Remove AUR pkg from host.(2)
	-Rc		Remove AUR pkg from nspawn container.(3)
	-Syu  --update  Update nspawn container packages.(4)
	-Lah* --lsaurh	List AUR sync database contents/status of host.
	-Lac* --lsaurc	List AUR sync database contents/status of nspawn container.
	-Luh* --lsudh	List update info for AUR packages installed in host.
	-Luc* --lsudc	List update info for AUR pkgs/AUR deps in nspawn container.
	      --login   Login to nspawn container for maintenance.
	      --clean	Manually remove unneeded packages from nspawn container.
	      --pgp	Manually import pgp key in nspawn container.
	-h,   --help	Prints help.
	-V,   --version Prints aurch version.

		(1) Useful for implementing changes to PKGBUILD, etc.
		(2) Removes:  /AURREPO/<package>, <package> if installed, and database entry.
		(3) Removes:  /build/<package>,   /${HOME}/<build dir>,   and database entry.
		(4) Runs `pacman -Syu` inside the nspawn container.

OPTIONS *
	-L, List:
		Append 'q' to list operations -L[u,c,h] for quiet mode.
		Example: aurch -Luq
		Do not mix order or attempt to use 'q' other than described.

	-B, Build:
		Append 'i' to build operation -B to install package in host.
		Example: aurch -Bi
		Do not mix order or attempt to use 'i' other than described.

OVERVIEW
		Run aurch-setup before using aurch.
		Run aurch to manage AUR packages.
		Aurch is designed to handle AUR packages individually, one at a time.
		ie: No group updates or multi package per operation capability.
		The aurch nspawn container must be periodically updated via aurch -Syu.
		Update the nspawn container before building packages.

EXAMPLES
		SETUP FOR AURCH:

		Set up nspawn container:			aurch-setup --setupchroot
		Set up local AUR repo:				aurch-setup --setuphost


		USING AURCH:

		Build an AUR package(+):			aurch -B  <aur-package>
		Build and install AUR package:			aurch -Bi <aur-package>
		Git clone package:				aurch -G  <aur-package>
		Build (Compile) AUR pkg on existing PKGBUILD:	aurch -C  <aur-package>
		Remove AUR package from host:			aurch -Rh <aur-package>
		Remove AUR package from nspawn container:	aurch -Rc <aur-package>
		List nspawn container AUR sync db contents:	aurch -Lac
		List nspawn container AUR repo updates:		aurch -Luc
		List host AUR sync database contents:		aurch -Lah
		List host AUR repo updates available:		aurch -Luh
		Manually import a pgp key in nspawn container:	aurch --pgp <short/long id>
		Manually remove unneeded pkgs from container:	aurch --clean
		Login to chroot for maintenance:		aurch --login

		(+) Package placed into host AUR repo and entry made in pacman AUR database.
		Install with `pacman -S <aur-package>`

USER VARIABLES
		BASEDIR = path to chroot base dir
		AURREPO = path to host aur repo
		REPONAME =  host aur repo name
		AURFM = AUR file manager/editor (mc = Midnight Commander)



Screenshot: aurch --setup https://cody-learner.github.io/aurch-setup.html
Screenshot: aurch -B bauerbill https://cody-learner.github.io/aurch-building-bauerbill.html


NEWS, UPDATE, INFO:


INFO For Sep 18, 2024
I've figured out how to easily enable pacman 7.0 sandboxing in the nspawn container used by aurch.
These findings will eventually make their way into aurch-install.
To use pacman sandboxing in an nspawn container there are a few options.

Use '@sandbox' with '--system-call-filter=' on the CLI. ie:

$ sudo systemd-nspawn --system-call-filter=@sandbox    ..... 

Or set up a config file as follows for regularly used containers. See refs below for details.

As root, create the directory '/etc/systemd/nspawn/' and the file '/etc/systemd/nspawn/<nspawn-root-dir-name>.nspawn',
named after the directory containing the nspawn root FS (or after the image name), with the following content.
ie: if directory 'chroot-Dz8' contains the root filesystem of an nspawn container:

$ sudo nano /etc/systemd/nspawn/chroot-Dz8.nspawn

[Exec]
SystemCallFilter=@sandbox

Be sure 'DownloadUser' is uncommented and 'DisableSandbox' is commented
in the nspawn container pacman config file '/etc/pacman.conf'.


References:
https://wiki.archlinux.org/title/Systemd-nspawn#Configuration
https://man.archlinux.org/man/systemd.nspawn.5
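
As an added example (not code from aurch), a bash audit of the two files this note configures: the container's .nspawn unit and its /etc/pacman.conf. The container name chroot-Dz8 and the sample file contents are constructed; on a real system the arguments are the unit under /etc/systemd/nspawn/ and the pacman.conf under the container root.

```shell
#!/usr/bin/env bash
# Added example, not part of aurch: audit the two files the note above edits.
# Sandbox-ready means the nspawn unit has SystemCallFilter=@sandbox in [Exec]
# and the container's pacman.conf has DownloadUser active, DisableSandbox not.

# Print KEY's value from SECTION of an ini-style file (empty for a bare key such
# as DisableSandbox), skipping commented-out lines. Returns 1 if the key is not
# set in that section and non-zero if the file cannot be read.
ini_get() { # file section key
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { cur = $0; gsub(/[[:space:]]/, "", cur); next }
        cur == sec {
            line = $0; sub(/^[[:space:]]+/, "", line)
            k = line; sub(/[[:space:]]*=.*$/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k != key) next
            found = 1; v = ""
            if (index(line, "=")) { v = substr(line, index(line, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
            print v; exit 0
        }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# Report the three settings for one container; return 0 only when all match.
audit_sandbox() { # nspawn-unit-file container-pacman.conf
    local unit=$1 conf=$2 rc=0 v
    [ -r "$unit" ] && [ -r "$conf" ] || { echo "FAIL: cannot read $unit or $conf"; return 1; }
    if v=$(ini_get "$unit" Exec SystemCallFilter) && [[ " $v " == *" @sandbox "* ]]; then
        echo "ok:   $unit filters syscalls with @sandbox"
    else
        echo "FAIL: $unit needs SystemCallFilter=@sandbox under [Exec]"; rc=1
    fi
    if v=$(ini_get "$conf" options DownloadUser) && [ -n "$v" ]; then
        echo "ok:   $conf downloads packages as user '$v'"
    else
        echo "FAIL: $conf has DownloadUser commented out or unset"; rc=1
    fi
    if ini_get "$conf" options DisableSandbox >/dev/null; then
        echo "FAIL: $conf has DisableSandbox active"; rc=1
    else
        echo "ok:   $conf keeps DisableSandbox commented out"
    fi
    return $rc
}

# Constructed sample files for a container named chroot-Dz8, standing in for
# /etc/systemd/nspawn/chroot-Dz8.nspawn and "$BASEDIR/chroot-Dz8/etc/pacman.conf".
demo() {
    local d; d=$(mktemp -d)
    printf '[Exec]\nSystemCallFilter=@sandbox\n' > "$d/chroot-Dz8.nspawn"
    printf '[options]\n#DisableSandbox\nDownloadUser = alpm\n' > "$d/pacman.conf"
    audit_sandbox "$d/chroot-Dz8.nspawn" "$d/pacman.conf"
    rm -rf "$d"
}
demo
```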

INFO For Sep 18, 2024
Pacman 7 has added new security related features requiring manual intervention for both Arch and Aurch.
Systems using Aurch need changes to allow pacman user 'alpm' access to the local AUR repo.
The pacman user 'alpm' is a new, minimally permissioned system user:group used to download packages.
The following commands assume the local AUR repo is located in the default location, within $HOME.
The first two commands change $HOME directory group to 'alpm' and the 700 permission to 750.
The last command changes the AUR repo directory group to 'alpm' recursively.

$ chown :alpm "${HOME}"
$ chmod 750 "${HOME}"
$ sudo chown -R :alpm "${HOME}/.cache/aurch/repo"

An edit to pacman.conf in nspawn is also required as Linux 'landlock' is unavailable in the container.
In the AUR nspawn container, /etc/pacman.conf, comment out the following line containing DownloadUser.
Commenting out the 'DownloadUser' line will have pacman fall back to using root to download packages.

# DownloadUser = alpm
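
As an added example (not code from aurch), a bash checker for the requirement behind the chown/chmod commands above: the download user's group must be able to traverse every directory from / down to the local AUR repo and read the files in it. It uses the plain mode bits only and ignores ACLs; the repo path and the sample package file are constructed, and the caller's own primary group stands in for 'alpm'.

```shell
#!/usr/bin/env bash
# Added example, not part of aurch: check whether a group (pacman 7's 'alpm'
# download user) can reach a local AUR repo: every directory from / down to the
# repo must be traversable (x) and every file in it readable (r) by that group.
# Assumes GNU coreutils 'stat -c' (Linux). POSIX ACLs are not inspected, so a
# clean result here does not rule out the ACL problem the note links to.

# Does GROUP get permission BIT (r, w or x) on PATH from the plain mode bits?
# Group bits apply when the file's group matches, otherwise the 'other' bits;
# owner bits are ignored because alpm owns nothing under $HOME.
group_has_bit() { # group path bit
    local grp=$1 path=$2 bit=$3 mode fgroup triple
    mode=$(stat -c '%A' "$path") || return 2      # e.g. drwxr-x---
    fgroup=$(stat -c '%G' "$path") || return 2
    if [ "$fgroup" = "$grp" ]; then triple=${mode:4:3}; else triple=${mode:7:3}; fi
    [ "$bit" = x ] && bit='[xst]'                  # setgid/sticky letters imply x
    case $triple in *$bit*) return 0 ;; *) return 1 ;; esac
}

# Print one line per path GROUP cannot use: first each ancestor of REPO (and
# REPO itself) that is not traversable, then each file in REPO that is not
# readable. Returns 0 only when nothing was printed.
check_repo_access() { # group repo
    local grp=$1 repo p f files problems=0
    repo=$(realpath -- "$2") || return 2
    p=$repo
    while :; do
        group_has_bit "$grp" "$p" x || { echo "no traverse (x) for $grp: $p"; problems=1; }
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    files=$(find "$repo" -type f)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        group_has_bit "$grp" "$f" r || { echo "no read (r) for $grp: $f"; problems=1; }
    done <<< "$files"
    return $problems
}

# Constructed demonstration: a mode-700 home holding the default repo path,
# checked for the caller's own primary group as a stand-in for 'alpm', then
# fixed the way the note above fixes $HOME (chmod 750).
demo() {
    local grp home repo
    grp=$(id -gn); home=$(mktemp -d); repo=$home/.cache/aurch/repo
    mkdir -p "$repo" && : > "$repo/example-1.0-1-x86_64.pkg.tar.zst"
    chmod 700 "$home"
    echo "before chmod 750:"; check_repo_access "$grp" "$repo"
    chmod 750 "$home"
    echo "after chmod 750:"; check_repo_access "$grp" "$repo" && echo "repo reachable by $grp"
    rm -rf "$home"
}
demo
```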

Additional Info:
Arch News: https://archlinux.org/news/manual-intervention-for-pacman-700-and-local-repositories-required/
$ man pacman.conf   (search: DownloadUser)
$ man pacman        (search: --disable-sandbox)
pacman-dev mail list: https://www.mail-archive.com/pacman-dev@lists.archlinux.org/msg01132.html
Keep in mind the Arch News on pacman does not include the mandatory additional steps outlined above.

Opinion Short:
Unfortunately, changes to pacman affecting users has at times seemed tightly held within the pacman development team. Seems the pacman project just doesn't place much emphasis or resources on user level documentation. That said, this is nothing unusual for open source projects. It's almost as if these talented volunteer programmers prefer writing code over writing accurate, thorough user level documentation!
I know, difficult to imagine! There's also source code available for a relaxing, insightful read.

Additional Show Stopping Findings:
If you've implemented the above and still have issues, see the link below for info on ACL permissions.
Search for 'Additional show stopping finding:' located near the bottom of the page.
https://bbs.archlinux.org/viewtopic.php?pid=2196652#p2196652

I did have to make the ACL setting changes outlined in the link above on one Arch setup.
Last resort if all else fails in the host system:
(1) Try commenting out 'DownloadUser'.
(2) Lastly, uncomment 'DisableSandbox' in pacman.conf

Disabling the sandbox features in pacman would of course not take advantage of the new security enhancements. Although I'd strongly advise against disabling sandboxing in the host system, there has never been a reported case of a pacman security related exploit from downloading packages as root to my knowledge. AFAIK, there has never been a security exploit of pacman reported since its introduction ~20 years ago.

UPDATE For Aug 9, 2024
aurch-setup.sh:
Added container shell configs: colored shell prompts, header ids, and aliases.
Corrected script comments and printed comments replacing 'chroot' with 'container'/'nspawn-container'.
Changed 'sleep' times.
Added printed comments for added container configuration.
Cleaned up trailing white space.
README.md:
Updated to report changes.

UPDATE For Aug 3, 2024
Fixed the processing of a printed message to the user.
Added a file of experimental code for aurch to build packages in a clean chroot,
rather than in the aurch nspawn container.
Somewhat Unrelated:
Added an .sh suffix to several of the scripts in here and my other repos/scripts.
The suffix is used in the github-ca.sh script to streamline installing my scripts in a new system.

UPDATE For Aug 1, 2024
aurch:
Worked on eliminating 'sudo timeouts' on long running package builds.
Edited 'cleanup_chroot' function to eliminate sudo timeouts,
works in conjunction with supplied '/etc/sudoers.d/aurch' example.
Edited 'check_host_updates' function to provide accurate results
on installed version if package is downgraded or held back from latest.
Cleaned up script comments.

UPDATE For July 19, 2024
Fixed "Review Files" for AUR dependency review when they are downloaded.
Renamed PAGER variable to AURFM to eliminate potential issues.
Corrected the incorrect/interchangeable usage of the words 'chroot' and 'nspawn container' in README.md
and '--help' sections of scripts.

UPDATE For July 14, 2024
Updated dependencies list in aurch.
Updated --help option and README file to mention PAGER variable.

UPDATE For April 21, 2024
Aurch-setup: Added 'mc' package as checked/installed dependency.

UPDATE For April 17, 2024
Aurch:
Fix info box "Chroot Path" line, to automatically align.
Added '-' to 'opt' variable in '# Optionally install package #' section to silence
a false-positive shellcheck SC2154 warning (opt is assigned in option parsing).

UPDATE For April 14, 2024
Added '-V --version' operation to both aurch and aurch-setup.
Append '-' to 'udb' variable in 'upd_aur_db' function as required by 'set -u'.

NEWS For April 12, 2024
Subject: Debug Packages
Some time back, pacman enabled debug packages by default in '/etc/makepkg.conf'.
This results in a debug package being built for AUR packages.
If this is unwanted behavior, edit '/container-path/etc/makepkg.conf' appropriately.
See the notes in makepkg.conf for additional info.
To remove any unwanted AUR debug packages from the host and/or AUR sync db,
install the 'package-debug' with pacman,
then remove it using aurch. ie: aurch -Rh 'package-debug'.

UPDATE For April 12, 2024
Setup virtual environment for testing.
Aurch-Setup:
Pacman's repo-add no longer allows a new, empty repo to be initialized.
Commit: https://gitlab.archlinux.org/pacman/pacman/-/commit/f91fa546f65af9ca7cdbe2b419c181df609969b7
Made changes to accommodate repo-adds new behavior.
Made changes to implement the use of 'set -euo pipefail'.
Aurch:
Discovered a new issue upon initial run caused by adding 'set -euo pipefail'.
The script exited on a 'find' command returning an empty result, along with the expected non-zero exit code.
Placed placeholder files in the AUR repos so the find command returns a result and a zero exit code.

UPDATE For April 8, 2024
Fix 'Convert input to all lower case', positional parameter expansion to 'package' variable.
Added error handling for no package input used with '-B' and '-G' operations.
Cleaned up script comments and removed commented out testing code.

UPDATE For April 7, 2024
Although I don't base the quality of bash scripts on the use of the controversial 'set -euo pipefail', I have been curious about what changes would be required to implement it.
Updated the aurch script to implement 'set -euo pipefail'.
Directly from my notes:

'set -u' Will not allow printing vars to file, lines 48-58.	Appending '-' to all vars fixed issue.
'set -u' Will not allow using positional parameters.		Appending '-' to all positional parameters fixed issue.
'set -u' Exits on: "/path/to/script/ line 147: $2: unbound variable"
Line 147, '$2' is part of an awk command inside an "EOF [here doc]" and not a bash positional parameter. (A bash bug?)
Rewrote 'fetch_pkg' function lines ~143-159, to accommodate 'set -u' by removing awk from the here doc.

UPDATE For March 10, 2023
Updated script for compatibility with interface changes made to aurutils-11.
https://github.com/AladW/aurutils/releases/tag/11
Updated README to reflect changes and clarify info.

UPDATE For Jan 07, 2023
When deleting AUR packages from host, corrected ability to remove "all versions" of pkgs from the host AUR package cache.
Add an if statement to 'check_host_updates' function to properly handle and print message 'No Updates Available'.
Edited message in 'check_host_updates' function when package is newer than the AUR rpc version to:
"VCS Packages newer than AUR rpc version. Run 'aurch -Luc' to check them for updates.".

UPDATE For Feb 11, 2022
Change curl commands to reflect AUR RPC interface update/changes.
Add removal of /var/tmp/aurch/orig-pkgs.log ("${tmph}"/orig-pkgs.log) in chroot so 'orig package list' reflects edits/changes made to .#orig-pkgs.log in base dir.
Add if statement to check build dir/s for a .git dir. This allows adding misc dirs (ie: 'testing' toolchain pkgs) under builduser's home.

UPDATE For Jan 21, 2022
Disable 'set -e'.
Testing in virtual hw system revealed failure to build pkg that was not present on test system.

UPDATE For Jan 06, 2022
Implemented 'set -e' in script.
Added code line 162 to enable proper 'set -e'.
Added '-a' opt to systemd-nspawn commands.
Replaced cat with sort in subshell for comm command.
Added 'else' to if statement in upd_aur_db function.

UPDATE For Dec 14, 2021
Added operations:

aurch -Syu     System update in chroot
aurch -Luh     List updates available in host for installed AUR packages
aurch --login  Login to chroot system to perform maintenance

Added check to avoid multiple re-downloading pgp keys.
Added AUR file inspection before building using PAGER with interactive y/n option in script.
Replaced some for loops with while loops when working with files.
Added code to remove operation in chroot to assure all possible conditions are handled.
Began implementation of 'aur build --results' file to replace grepped output for conditional processing.
Added missing aur database entry for rebuilt, overwritten, same version packages.
Removed install workaround in host for missing database entry using pacman -u.

UPDATE For Dec 10, 2021
The predominant focus this time around was implementing some additional flexibility to allow aurch to be usable for more than my personal setup and preferences. Implemented virtual hardware testing as a start towards this objective.
Split the system setup and building packages into separate scripts. Too many additional smaller changes to go over here. Future road map includes implementing a built in inspection step of downloaded AUR data and running a check for existing PGP keys to eliminate needless re-downloading.

UPDATE For Nov 29, 2021
Added pacutils as a dependency.
Added ability when overwriting existing packages in host to handle multiple entries from split packages.
Rewrote check_updates function to reduce and simplify code.
Added/changed the following operations/options:

Remove operation:

aurch -Rc	Performs the following on chroot:
			Removes package from local AUR repo, /build.
			Removes build dir /home/builduser/<package>.
			Removes <package> entry in AUR database.

aurch -Rh	Performs the following on host:
			Removes package from local AUR repo, AURREPO.
			Removes <package> (pacman -Rns) if installed.
			Removes <package> entry in AUR database.

Build operation option:

aurch -Bi	[i][install] package in host after build.

List operation options:

aurch -Luq	[q][quiet] lists available aur updates for chroot [packages only].
aurch -Lcq	[q][quiet] lists chroot aur sync database [packages only].
aurch -Lhq	[q][quiet] lists host aur sync database [packages only].

UPDATE For Nov 27, 2021
Rewrote 'here document' usage to extend systemd-nspawn functionality, rather than inserting multiple small scripts into chroot.
Added code and printed comments relating to rebuilding and reinstalling same version of packages.
Reworked 'setup_chroot' function to eliminate the evil 'eval' command.
Integrated /var/tmp directory usage in chroot and added file extensions to ease its cleanup.

UPDATE For Nov 24, 2021
Added '-L --listup' operation, to list updates.
The new function runs on the packages in the chroot AUR repo.
It compares local vs remote git HEAD and lists mismatching packages.

UPDATE For Nov 21, 2021
Added function to add packages to the host's AUR repo database.

UPDATE For Nov 20, 2021
Fixed for proper split package handling.

UPDATE For Nov 14, 2021
Rewrote aurch to no longer require AUR dependencies. No AUR helper required on host.
Creates a chroot with aurutils set up, including a local pacman AUR repo, inside the chroot.
Added ability to git clone and build package independently to ease customization.
AUR packages are retained in the chroot for dependency usage.

NEWS For Oct 31, 2021
Initial release of the aurch script.
The script is in the testing phase.
