Skip to content

feat: add QEMU_ADDITIONAL_PACKAGES environment variable #2266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
antitree merged 10 commits into from
Jan 13, 2026
Merged

feat: add QEMU_ADDITIONAL_PACKAGES environment variable #2266

antitree merged 10 commits into from
Jan 13, 2026

Conversation

@antitree
Copy link
Contributor

@antitree antitree commented Dec 10, 2025
edited
Loading

Summary

This PR adds support for the QEMU_ADDITIONAL_PACKAGES environment variable, which allows users to specify additional packages to include in the initramfs image during QEMU VM initialization. This complements the existing TESTING environment variable feature gate.

Changes

  • Added QEMU_ADDITIONAL_PACKAGES support in pkg/container/qemu_runner.go
  • Packages are added to the initramfs image build specification
  • Accepts comma-separated list of package names (e.g., hello-wolfi,nginx-stable,strace)
  • Packages are baked into the initramfs for immediate availability at boot
  • Input validation prevents injection attacks (regex: ^[a-zA-Z0-9_,.-]+$)
  • Cache invalidation: different package lists create separate cached initramfs files

How It Works

Without QEMU_ADDITIONAL_PACKAGES:

spec := apko_types.ImageConfiguration{
    Contents: apko_types.ImageContents{
        Packages: []string{"microvm-init"},
    },
}

With QEMU_ADDITIONAL_PACKAGES=hello-wolfi,strace:

spec := apko_types.ImageConfiguration{
    Contents: apko_types.ImageContents{
        Packages: []string{"microvm-init", "hello-wolfi", "strace"},
    },
}

Packages are installed into the initramfs during the apko build, so they're available immediately when the VM boots - no runtime apk add needed!

Usage

# Single package
QEMU_ADDITIONAL_PACKAGES=hello-wolfi melange build mypackage.yaml --runner qemu

# Multiple packages
QEMU_ADDITIONAL_PACKAGES=strace,gdb,tcpdump melange build mypackage.yaml --runner qemu

Use Cases

  • Testing/debugging: Install tools like strace, gdb, tcpdump for debugging builds
  • Runtime dependencies: Install packages needed during the build that aren't in the build environment
  • Development: Quick iteration without modifying build configurations\
  • Init.d hooks: Install packages that provide init.d scripts for custom initialization

Security

The implementation validates input to prevent shell injection attacks. Only alphanumeric characters, hyphens, underscores, commas, and dots are allowed in package names. Suspicious input is rejected with a warning.

Test Results

Verified that packages are successfully added to the initramfs:

2025/12/10 12:05:59 INFO qemu: QEMU_ADDITIONAL_PACKAGES env set to hello-wolfi, adding to initramfs
2025/12/10 12:06:00 INFO     packages:     [microvm-init hello-wolfi]
2025/12/10 12:06:02 INFO installing hello-wolfi (2.12.2-r2)

The package is installed in the initramfs and available at boot time ✅

antitree and others added 2 commits December 10, 2025 12:20
@antitree @claude
feat: add QEMU_ADDITIONAL_PACKAGES environment variable
7fb252b 
Add support for QEMU_ADDITIONAL_PACKAGES environment variable that allows
users to specify additional packages to install in the QEMU microVM during
initialization.

The variable accepts a comma-separated list of package names (e.g.,
"hello-wolfi,nginx-stable,strace") and passes them to microvm-init via
the kernel command line as melange.additional_packages=<list>.

Input validation prevents injection attacks by only allowing alphanumeric
characters, hyphens, underscores, commas, and dots. Invalid input is
rejected with a warning.

Usage:
  QEMU_ADDITIONAL_PACKAGES=hello-wolfi,strace melange build mypackage.yaml

Note: This requires a corresponding update to microvm-init package to
read and process the melange.additional_packages kernel parameter.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
@antitree
fix: use strings.SplitSeq for modernization linter
089cafb 
Update to use strings.SplitSeq() instead of strings.Split() for better
efficiency with the iterator pattern in Go 1.24+.

Addresses golangci-lint modernize check.
@antitree antitree requested a review from 89luca89 December 10, 2025 17:27
egibs
egibs reviewed Dec 10, 2025
View reviewed changes
egibs
egibs reviewed Dec 10, 2025
View reviewed changes
antitree and others added 4 commits December 11, 2025 09:03
@antitree @claude
refactor: extract testable functions and add tests for QEMU_ADDITIONA…
b44e324 
…L_PACKAGES

Addresses PR feedback from @egibs and @89luca89:
- Extract getAdditionalPackages() function for parsing env var
- Extract getPackageCacheSuffix() function for cache key generation
- Use SHA256 hash instead of truncation to avoid collisions
- Add comprehensive test coverage for both functions
- Fix variable shadowing issue

Tests verify:
- Package parsing and validation
- Security (injection prevention)
- Cache suffix generation with SHA256
- Hash determinism and collision prevention

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
@antitree
Merge branch 'main' into feat/qemu-additional-packages
8e603b4
@antitree
Merge branch 'main' into feat/qemu-additional-packages
478b1e3
@antitree
Merge branch 'main' into feat/qemu-additional-packages
30ce9bc
@antitree antitree requested a review from egibs January 13, 2026 15:28
egibs
egibs reviewed Jan 13, 2026
View reviewed changes
89luca89
89luca89 requested changes Jan 13, 2026
View reviewed changes
@antitree @egibs
Apply suggestion from @egibs
4847cfc 
Co-authored-by: Evan Gibler <[email protected]>
Signed-off-by: antitree <[email protected]>
antitree
antitree commented Jan 13, 2026
View reviewed changes
Copy link
Contributor Author

@antitree antitree left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

factored in @egibs change

egibs
egibs reviewed Jan 13, 2026
View reviewed changes
89luca89
89luca89 requested changes Jan 13, 2026
View reviewed changes
@antitree
refactoring egibs changes
ea04e49
@antitree
fix: remove duplicate getAdditionalPackages call that shadows parameter
e72d08e 
The merge introduced a bug where additionalPkgs parameter was being
shadowed by a local variable that called getAdditionalPackages again.
This defeats the purpose of passing the parameter and causes the
function to be called twice unnecessarily.

Remove the duplicate call to use the passed parameter correctly.
@antitree antitree enabled auto-merge (squash) January 13, 2026 17:05
@antitree antitree merged commit 8f3b811 into chainguard-dev:main Jan 13, 2026
57 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@89luca89 89luca89 89luca89 approved these changes

@egibs egibs egibs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@antitree @89luca89 @egibs