Adjust buildroot creation to work inside a user namespace. #234

Merged: 5 commits, Aug 4, 2019

Commits on Aug 2, 2019

  1. Make the mount namespace reliably private

    The code attempted to do all mock mounts inside a private mount namespace,
    by using unshare(CLONE_NEWNS), but it turns out that that isn't effective
    if part or all of the original mount tree are marked as 'shared' mounts -
    changes to copies of those mounts will still propagate back to the original
    mounts. Mark the entire new mount tree as 'private' to avoid such sharing.
    owtaylor committed Aug 2, 2019
    Commit ecc24c5
  2. When installing into the buildroot, ignore /proc and /sys

    If mock is running in a user namespace, the /proc and /sys we
    mount into the buildroot will be owned by nobody:nobody (the real
    host on the root) not root:root. To avoid failures during package
    installation set the %_netsharedpath RPM macro to /proc:/sys to skip
    these directories. (Suggestion from Panu Matilainen.)
    
    Implement by pointing HOME to a directory with only ~/.rpmmacros.
    (This means that /root/.rpmmacros will now be ignored; system
    RPM configuration will still be honored.)
    owtaylor committed Aug 2, 2019
    Commit 985b776
  3. Use a bind mount for /sys instead of remounting it

    Mounting a fresh sysfs from within a user namespace is allowed only
    in limited cases, so always use a bind mount instead to avoid problems.
    
    This needs to be a recursive bind mount so that any mounts on top
    of the parent /sys are preserved in the child (the kernel will
    fail a plain bind mount).
    owtaylor committed Aug 2, 2019
    Commit adb4783
  4. Bind mount /dev entries if mknod fails

    If mock is running inside a user namespace, then mknod will not succeed,
    so use bind mounts instead.
    owtaylor committed Aug 2, 2019
    Commit 3afa384
  5. Also use a bind mount for /proc

    If we are in a user namespace, but not in a PID namespace, then a
    fresh mount of /proc will be denied, so similar to /sys, simply
    always use a bind-mount of /proc from the host.
    owtaylor committed Aug 2, 2019
    Commit 68f8be4
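
A check for the condition the first commit addresses, as an added example that is not part of this PR or of mock's code: it parses `/proc/<pid>/mountinfo` text and lists the mounts still tagged `shared:N`, which is how the kernel reports that changes propagate to peer mounts. The sample lines and function names are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/mountinfo format (not captured from a real host).
SAMPLE = r"""
22 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw
23 22 0:21 / /sys rw,nosuid,nodev,noexec shared:2 - sysfs sysfs rw
24 22 0:5 / /proc rw,nosuid,nodev,noexec shared:3 - proc proc rw
25 22 0:40 / /build/root/dev rw,nosuid - tmpfs tmpfs rw,mode=755
26 22 0:41 / /mnt/slave\040dir rw master:1 - tmpfs tmpfs rw
27 22 0:42 / /mnt/both rw shared:7 master:1 - tmpfs tmpfs rw
28 22 0:43 / /mnt/locked rw unbindable - tmpfs tmpfs rw
"""


def parse_mountinfo(text):
    """Return a list of (mount_point, fstype, tags) for each mountinfo line."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Layout: 6 fixed fields, zero or more optional fields, " - ",
        # then fstype, source and superblock options.
        left, sep, right = line.partition(" - ")
        fields = left.split()
        if not sep or len(fields) < 6 or not right.split():
            raise ValueError(f"malformed mountinfo line: {line!r}")
        # The kernel escapes space, tab, newline and backslash as \ooo octal.
        mount_point = re.sub(r"\\([0-7]{3})",
                             lambda m: chr(int(m.group(1), 8)), fields[4])
        # Optional fields are "tag:value" (shared:N, master:N) or bare (unbindable).
        tags = dict(f.partition(":")[::2] for f in fields[6:])
        mounts.append((mount_point, right.split()[0], tags))
    return mounts


def shared_mounts(text):
    """Mount points whose changes propagate to peers (the 'shared' case)."""
    return [mp for mp, _fs, tags in parse_mountinfo(text) if "shared" in tags]


def no_shared_mounts(text):
    """True when no mount in the namespace belongs to a shared peer group."""
    return not shared_mounts(text)


if __name__ == "__main__":
    for mp in shared_mounts(SAMPLE):
        print("still shared:", mp)
```

Running `shared_mounts(open("/proc/self/mountinfo").read())` inside the new namespace after the tree has been marked private should return an empty list.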