From: Mike Frysinger
To: gentoo-catalyst@lists.gentoo.org
Subject: Re: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building
Date: Tue, 10 Nov 2015 01:49:07 -0500
Message-ID: <20151110064907.GL5154@vapier.lan>
In-Reply-To: <20151109224517.525709e6.dolsen@gentoo.org>
References: <1444163573-11337-1-git-send-email-vapier@gentoo.org> <1444163573-11337-2-git-send-email-vapier@gentoo.org> <20151109224517.525709e6.dolsen@gentoo.org>

On 09 Nov 2015 22:45, Brian Dolbec wrote:
> On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger wrote:
> > This helps isolate the catalyst builds from the rest of the system
> > and allows us to build as non-root user in more cases. This might
> > not work everywhere, but it's a start (snapshot generation works).
> > ---
> > catalyst/main.py | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> > 
> > diff --git a/catalyst/main.py b/catalyst/main.py
> > index 65e1431..f984653 100644
> > --- a/catalyst/main.py
> > +++ b/catalyst/main.py
> > @@ -10,6 +10,8 @@ import argparse
> > import os
> > import sys
> > 
> > +from snakeoil.process import namespaces
> > +
> > __selfpath__ = os.path.abspath(os.path.dirname(__file__))
> > 
> > from DeComp.definitions import (COMPRESS_DEFINITIONS,
> > DECOMPRESS_DEFINITIONS,
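Review bot: the new `from snakeoil.process import namespaces` at the top of catalyst/main.py turns snakeoil into a hard runtime dependency, but the diffstat (`1 file changed, 9 insertions(+)`) shows nothing else in the tree changed to record it. Either state the minimum snakeoil version that provides `namespaces.simple_unshare` wherever catalyst declares its requirements, or wrap the import so a missing or too-old snakeoil produces a one-line error rather than an ImportError traceback before argument parsing has even run.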
> > @@ -336,6 +338,13 @@ def main():
> > if "target" not in addlargs:
> > raise CatalystError("Required value \"target\" not
> > specified.")
> > + # Start off by creating unique namespaces to run in.
> > + namespaces.simple_unshare(
> > + mount=True, uts=True, ipc=True, pid=True, net=False,
> > user=True,
> > + hostname='catalyst')
> > +
> > + # We should be root now, either a real root, or in a userns
> > as root.
> > + # If we aren't, then we've failed, and need to abort.
> > if os.getuid() != 0:
> > # catalyst cannot be run as a normal user due to
> > chroots, mounts, etc print "!!! catalyst: This script requires root
> > privileges to operate"
> 
> I was hoping to get a release out before merging much more, but, I
> doubt this will affect stability.

It does ;). I haven't fully debugged it yet, but I think the use of pid namespaces messes up signal handling. I'll follow up when I'm happy with its state.
-mike
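Review bot: the `namespaces.simple_unshare(...)` call is placed before the `os.getuid() != 0` check but is not guarded, so on a kernel or distribution where unprivileged user namespaces are disabled, or under a seccomp policy that denies unshare(2), a non-root user gets whatever exception the call raises instead of the existing "This script requires root privileges to operate" message; catch OSError around the call and fall through to that error path. The comment block also needs two caveats. First, uid 0 inside a user namespace is not equivalent to real root for the "chroots, mounts, etc" the existing comment refers to: the kernel only allows a subset of filesystem types (bind, tmpfs, proc and similar) to be mounted in a user namespace owned by an unprivileged user, so loop or block-device mounts will still fail after the `getuid()` check passes. Second, with `pid=True` the first child forked after the call becomes init of the new pid namespace and receives only SIGKILL, SIGSTOP and signals for which it has explicitly installed handlers, which matches the signal-handling breakage noted in the reply. It is also worth documenting whether simple_unshare() marks the mount tree private after `mount=True`: a freshly unshared mount namespace keeps the host's shared peer groups, and the build's bind mounts would otherwise propagate back to the host, defeating the isolation the commit message describes.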
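The namespace entry the patch delegates to simple_unshare(), together with the pid-namespace signal problem the reply mentions, as an added example; this is not catalyst's or snakeoil's code. It assumes Linux with glibc, and the names run_isolated, unshare_flags and NamespaceUnavailable, the pipe used to report setup failures back to the caller, and the five-second SIGKILL escalation are this example's own choices, not anything the patch or snakeoil defines.

```python
# Added example, not catalyst's or snakeoil's code: the namespace entry the patch
# delegates to simple_unshare(), done by hand through ctypes, plus an init proxy
# that forwards signals into the new pid namespace.  Linux/glibc only.
import ctypes
import ctypes.util
import os
import signal

# Flag values from <linux/sched.h> and <sys/mount.h>.
CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC = 0x00020000, 0x04000000, 0x08000000
CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET = 0x10000000, 0x20000000, 0x40000000
MS_REC, MS_PRIVATE = 0x4000, 1 << 18

_libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
_libc.unshare.argtypes = [ctypes.c_int]
_libc.sethostname.argtypes = [ctypes.c_char_p, ctypes.c_size_t]
_libc.mount.argtypes = [ctypes.c_char_p] * 3 + [ctypes.c_ulong, ctypes.c_void_p]

class NamespaceUnavailable(OSError):
    """Kernel, sysctl or seccomp policy refused the setup (name is this example's own)."""

def unshare_flags(mount=True, uts=True, ipc=True, pid=True, net=False, user=True):
    """Same keywords as the patch's simple_unshare() call, returned as a CLONE_NEW* mask."""
    flags = 0
    for enabled, bit in ((mount, CLONE_NEWNS), (uts, CLONE_NEWUTS), (ipc, CLONE_NEWIPC),
                         (pid, CLONE_NEWPID), (net, CLONE_NEWNET), (user, CLONE_NEWUSER)):
        if enabled:
            flags |= bit
    return flags

def _check(ret):
    if ret != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))

def _enter_namespaces(flags, hostname):
    # unshare(2) applies CLONE_NEWUSER before the other flags, so the new namespaces
    # are owned by the new user namespace and no real root is needed.
    uid, gid = os.getuid(), os.getgid()
    _check(_libc.unshare(flags))
    if flags & CLONE_NEWUSER:
        # Become uid/gid 0 inside; setgroups must be denied before gid_map is writable.
        for path, line in (("/proc/self/setgroups", "deny"),
                           ("/proc/self/uid_map", "0 %d 1" % uid),
                           ("/proc/self/gid_map", "0 %d 1" % gid)):
            with open(path, "w") as f:
                f.write(line)
    if flags & CLONE_NEWNS:
        # The new mount namespace inherits the host's shared peer groups; without
        # make-rprivate the build's bind mounts would propagate back to the host.
        _check(_libc.mount(None, b"/", None, MS_REC | MS_PRIVATE, None))
    if flags & CLONE_NEWUTS and hostname:
        _check(_libc.sethostname(hostname.encode(), len(hostname)))

def _proxy_signals(init_pid, grace=5):
    # pid 1 of a pid namespace drops any signal it has no handler for (SIGKILL and
    # SIGSTOP excepted), so forward, then escalate to SIGKILL after `grace` seconds.
    def forward(signum, _frame):
        os.kill(init_pid, signum)
        signal.signal(signal.SIGALRM, lambda *_: os.kill(init_pid, signal.SIGKILL))
        signal.alarm(grace)
    for sig in (signal.SIGINT, signal.SIGTERM, signal.SIGHUP):
        signal.signal(sig, forward)

def _exit_code(status):
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return 128 + os.WTERMSIG(status)  # shell convention for a signal death

def run_isolated(argv, flags=None, hostname="catalyst"):
    """Fork, enter the namespaces in the child, fork again so argv runs as pid 1 of the
    new pid namespace, and return argv's exit code; setup errors become NamespaceUnavailable."""
    if flags is None:
        flags = unshare_flags()
    rfd, wfd = os.pipe()
    child = os.fork()
    if child == 0:
        os.close(rfd)
        try:
            _enter_namespaces(flags, hostname)
        except OSError as e:
            os.write(wfd, str(e.errno or 1).encode())
            os._exit(1)
        os.close(wfd)  # EOF with no bytes tells the parent that setup succeeded
        init = os.fork()  # first child after CLONE_NEWPID is the namespace's init
        if init == 0:
            try:
                os.execvp(argv[0], argv)
            finally:
                os._exit(127)
        _proxy_signals(init)
        _, status = os.waitpid(init, 0)
        os._exit(_exit_code(status))
    os.close(wfd)
    report = os.read(rfd, 64)
    os.close(rfd)
    _, status = os.waitpid(child, 0)
    if report:
        raise NamespaceUnavailable(int(report), os.strerror(int(report)))
    return _exit_code(status)
```

Calling run_isolated(["/bin/sh", "-c", "echo $$; id -u"]) from an unprivileged shell prints 1 and 0 where the kernel allows unprivileged user namespaces, and raises NamespaceUnavailable carrying the errno from unshare(2), mount(2) or the id-map writes where a sysctl or seccomp policy refuses them, which is exactly the situation a bare getuid() check cannot diagnose. Sending SIGTERM to the proxy process forwards it to the namespace's init; a shell running as pid 1 without a SIGTERM handler ignores that, and the alarm then escalates to SIGKILL.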