* [gentoo-catalyst] [PATCH 1/2] snapshot: do not preserve owner/group @ 2015-10-06 20:32 Mike Frysinger 2015-10-06 20:32 ` [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building Mike Frysinger 2015-10-08 22:09 ` [gentoo-catalyst] [PATCH 1/2] snapshot: do not preserve owner/group Mike Frysinger 0 siblings, 2 replies; 6+ messages in thread From: Mike Frysinger @ 2015-10-06 20:32 UTC (permalink / raw To: gentoo-catalyst There's no need to preserve ownership on the files we sync into the snapshot, so just let rsync create them as it will (current uid/gid). This slightly speeds things up when the files are owned by a non-root user too. --- catalyst/targets/snapshot.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalyst/targets/snapshot.py b/catalyst/targets/snapshot.py index 6007aaa..e1ca7b7 100644 --- a/catalyst/targets/snapshot.py +++ b/catalyst/targets/snapshot.py @@ -56,7 +56,7 @@ class snapshot(TargetBase, GenBase): ensure_dirs(mytmp) target_snapshot = self.settings["portdir"] + "/ " + mytmp + "/%s/" % self.settings["repo_name"] - cmd("rsync -a --delete --exclude /packages/ --exclude /distfiles/ " + + cmd("rsync -a --no-o --no-g --delete --exclude /packages/ --exclude /distfiles/ " + "--exclude /local/ --exclude CVS/ --exclude .svn --filter=H_**/files/digest-* " + target_snapshot, "Snapshot failure", env=self.env) -- 2.5.2 ^ permalink raw reply related [flat|nested] 6+ messages in thread
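Review bot: On the changed `rsync -a --no-o --no-g` line, the reason the two negations follow `-a` is recorded only in the commit message. A short comment above the `cmd(` call, saying that `-a` implies owner and group preservation and that the snapshot is meant to be owned by the invoking uid/gid, would stop the flags from being dropped as redundant later. The long forms `--no-owner --no-group` would also read more clearly in a command string this long. `-a` still carries permissions and timestamps across, so if the snapshot is meant to be independent of the source tree's metadata beyond ownership, that should be decided here as well.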
* [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building 2015-10-06 20:32 [gentoo-catalyst] [PATCH 1/2] snapshot: do not preserve owner/group Mike Frysinger @ 2015-10-06 20:32 ` Mike Frysinger 2015-11-10 6:45 ` Brian Dolbec 2015-10-08 22:09 ` [gentoo-catalyst] [PATCH 1/2] snapshot: do not preserve owner/group Mike Frysinger 1 sibling, 1 reply; 6+ messages in thread From: Mike Frysinger @ 2015-10-06 20:32 UTC (permalink / raw To: gentoo-catalyst This helps isolate the catalyst builds from the rest of the system and allows us to build as non-root user in more cases. This might not work everywhere, but it's a start (snapshot generation works). --- catalyst/main.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/catalyst/main.py b/catalyst/main.py index 65e1431..f984653 100644 --- a/catalyst/main.py +++ b/catalyst/main.py @@ -10,6 +10,8 @@ import argparse import os import sys +from snakeoil.process import namespaces + __selfpath__ = os.path.abspath(os.path.dirname(__file__)) from DeComp.definitions import (COMPRESS_DEFINITIONS, DECOMPRESS_DEFINITIONS, @@ -336,6 +338,13 @@ def main(): if "target" not in addlargs: raise CatalystError("Required value \"target\" not specified.") + # Start off by creating unique namespaces to run in. + namespaces.simple_unshare( + mount=True, uts=True, ipc=True, pid=True, net=False, user=True, + hostname='catalyst') + + # We should be root now, either a real root, or in a userns as root. + # If we aren't, then we've failed, and need to abort. if os.getuid() != 0: # catalyst cannot be run as a normal user due to chroots, mounts, etc print "!!! catalyst: This script requires root privileges to operate" -- 2.5.2 ^ permalink raw reply related [flat|nested] 6+ messages in thread
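Review bot: In the first hunk, `from snakeoil.process import namespaces` is an unconditional module-level import, which makes snakeoil a hard runtime dependency of `catalyst/main.py`, and nothing in this patch records that. Add the dependency wherever catalyst declares its requirements and state the minimum snakeoil version that provides `simple_unshare` with these keyword arguments; otherwise an older install fails with an ImportError at startup or a TypeError at the call.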
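Review bot: In the `main()` hunk, the `os.getuid() != 0` check that follows `simple_unshare(... user=True ...)` no longer matches the unchanged lines beneath it: the context comment still reads "catalyst cannot be run as a normal user" and the message still says "This script requires root privileges to operate", while the new comment accepts root inside a userns. Update both so that a failure here tells the user that namespace setup did not yield uid 0. The hunk also does not show what `simple_unshare` does when a namespace type is unavailable, so the comment should say whether it raises or continues silently. uid 0 inside a user namespace passes this check without holding the privileges of real root, so later chroot and mount steps can still fail; the commit message concedes this ("might not work everywhere"), and a note on which targets are known to work would help. `pid=True` and `net=False` each deserve a one-line reason as well, since one changes how the process tree receives signals and the other leaves the build on the host network.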
* Re: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building 2015-10-06 20:32 ` [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building Mike Frysinger @ 2015-11-10 6:45 ` Brian Dolbec 2015-11-10 6:49 ` Mike Frysinger 0 siblings, 1 reply; 6+ messages in thread From: Brian Dolbec @ 2015-11-10 6:45 UTC (permalink / raw To: gentoo-catalyst On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger <vapier@gentoo.org> wrote: > This helps isolate the catalyst builds from the rest of the system > and allows us to build as non-root user in more cases. This might > not work everywhere, but it's a start (snapshot generation works). > --- > catalyst/main.py | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/catalyst/main.py b/catalyst/main.py > index 65e1431..f984653 100644 > --- a/catalyst/main.py > +++ b/catalyst/main.py > @@ -10,6 +10,8 @@ import argparse > import os > import sys > > +from snakeoil.process import namespaces > + > __selfpath__ = os.path.abspath(os.path.dirname(__file__)) > > from DeComp.definitions import (COMPRESS_DEFINITIONS, > DECOMPRESS_DEFINITIONS, @@ -336,6 +338,13 @@ def main(): > if "target" not in addlargs: > raise CatalystError("Required value \"target\" not > specified.") > + # Start off by creating unique namespaces to run in. > + namespaces.simple_unshare( > + mount=True, uts=True, ipc=True, pid=True, net=False, > user=True, > + hostname='catalyst') > + > + # We should be root now, either a real root, or in a userns > as root. > + # If we aren't, then we've failed, and need to abort. > if os.getuid() != 0: > # catalyst cannot be run as a normal user due to > chroots, mounts, etc print "!!! catalyst: This script requires root > privileges to operate" I was hoping to get a release out before merging much more, but, I doubt this will affect stability. looks good -- Brian Dolbec <dolsen> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building 2015-11-10 6:45 ` Brian Dolbec @ 2015-11-10 6:49 ` Mike Frysinger 2015-11-10 6:55 ` Brian Dolbec 0 siblings, 1 reply; 6+ messages in thread From: Mike Frysinger @ 2015-11-10 6:49 UTC (permalink / raw To: gentoo-catalyst [-- Attachment #1: Type: text/plain, Size: 1809 bytes --] On 09 Nov 2015 22:45, Brian Dolbec wrote: > On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger wrote: > > This helps isolate the catalyst builds from the rest of the system > > and allows us to build as non-root user in more cases. This might > > not work everywhere, but it's a start (snapshot generation works). > > --- > > catalyst/main.py | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/catalyst/main.py b/catalyst/main.py > > index 65e1431..f984653 100644 > > --- a/catalyst/main.py > > +++ b/catalyst/main.py > > @@ -10,6 +10,8 @@ import argparse > > import os > > import sys > > > > +from snakeoil.process import namespaces > > + > > __selfpath__ = os.path.abspath(os.path.dirname(__file__)) > > > > from DeComp.definitions import (COMPRESS_DEFINITIONS, > > DECOMPRESS_DEFINITIONS, 
@@ -336,6 +338,13 @@ def main(): > > if "target" not in addlargs: > > raise CatalystError("Required value \"target\" not > > specified.") > > + # Start off by creating unique namespaces to run in. > > + namespaces.simple_unshare( > > + mount=True, uts=True, ipc=True, pid=True, net=False, > > user=True, > > + hostname='catalyst') > > + > > + # We should be root now, either a real root, or in a userns > > as root. > > + # If we aren't, then we've failed, and need to abort. > > if os.getuid() != 0: > > # catalyst cannot be run as a normal user due to > > chroots, mounts, etc print "!!! catalyst: This script requires root > > privileges to operate" > > I was hoping to get a release out before merging much more, but, I > doubt this will affect stability. it does ;). i haven't fully debugged it yet, but i think the use of pid namespaces messes up signal handling. i'll follow up when i'm happy with its state. -mike [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building 2015-11-10 6:49 ` Mike Frysinger @ 2015-11-10 6:55 ` Brian Dolbec 0 siblings, 0 replies; 6+ messages in thread From: Brian Dolbec @ 2015-11-10 6:55 UTC (permalink / raw To: gentoo-catalyst On Tue, 10 Nov 2015 01:49:07 -0500 Mike Frysinger <vapier@gentoo.org> wrote: > On 09 Nov 2015 22:45, Brian Dolbec wrote: > > On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger wrote: > > > This helps isolate the catalyst builds from the rest of the system > > > and allows us to build as non-root user in more cases. This might > > > not work everywhere, but it's a start (snapshot generation works). > > > --- > > > catalyst/main.py | 9 +++++++++ > > > 1 file changed, 9 insertions(+) > > > > > > diff --git a/catalyst/main.py b/catalyst/main.py > > > index 65e1431..f984653 100644 > > > --- a/catalyst/main.py > > > +++ b/catalyst/main.py > > > @@ -10,6 +10,8 @@ import argparse > > > import os > > > import sys > > > > > > +from snakeoil.process import namespaces > > > + > > > __selfpath__ = os.path.abspath(os.path.dirname(__file__)) > > > > > > from DeComp.definitions import (COMPRESS_DEFINITIONS, > > > DECOMPRESS_DEFINITIONS, 
@@ -336,6 +338,13 @@ def main(): > > > if "target" not in addlargs: > > > raise CatalystError("Required value \"target\" > > > not specified.") > > > + # Start off by creating unique namespaces to run in. > > > + namespaces.simple_unshare( > > > + mount=True, uts=True, ipc=True, pid=True, > > > net=False, user=True, > > > + hostname='catalyst') > > > + > > > + # We should be root now, either a real root, or in a > > > userns as root. > > > + # If we aren't, then we've failed, and need to abort. > > > if os.getuid() != 0: > > > # catalyst cannot be run as a normal user due to > > > chroots, mounts, etc print "!!! catalyst: This script requires > > > root privileges to operate" > > > > I was hoping to get a release out before merging much more, but, I > > doubt this will affect stability. > > it does ;). i haven't fully debugged it yet, but i think the use of > pid namespaces messes up signal handling. i'll follow up when i'm > happy with its state. > -mike sounds good :) Thanks -- Brian Dolbec <dolsen> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-catalyst] [PATCH 1/2] snapshot: do not preserve owner/group
From: Mike Frysinger @ 2015-10-08 22:09 UTC
To: gentoo-catalyst

i've pushed just the first one here. the namespaces one i'd like more feedback/testing on first.
-mike