From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-catalyst+bounces-3513-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 637AC139694
	for <garchives@archives.gentoo.org>; Sat, 11 Mar 2017 22:22:47 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id ADBE721C06D;
	Sat, 11 Mar 2017 22:22:46 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 8A16A21C06D
	for <gentoo-catalyst@lists.gentoo.org>; Sat, 11 Mar 2017 22:22:46 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by smtp.gentoo.org (Postfix) with ESMTP id 8756B340FDA
	for <gentoo-catalyst@lists.gentoo.org>; Sat, 11 Mar 2017 22:22:45 +0000 (UTC)
From: Mike Frysinger <vapier@gentoo.org>
To: gentoo-catalyst@lists.gentoo.org
Subject: [gentoo-catalyst] [PATCH] catalyst: create namespaces for building
Date: Sat, 11 Mar 2017 14:22:38 -0800
Message-Id: <20170311222238.24250-1-vapier@gentoo.org>
X-Mailer: git-send-email 2.12.0
Precedence: bulk
List-Post: <mailto:gentoo-catalyst@lists.gentoo.org>
List-Help: <mailto:gentoo-catalyst+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-catalyst+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-catalyst+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-catalyst.gentoo.org>
X-BeenThere: gentoo-catalyst@lists.gentoo.org
Reply-to: gentoo-catalyst@lists.gentoo.org
X-Archives-Salt: 6c9c957c-2adc-4d08-95a4-ed77f044ed9f
X-Archives-Hash: 6a358a0945c06cb16dc66a2ca2637938

This helps isolate the catalyst builds from the rest of the system
and allows us to build as non-root user in more cases.

We don't support pid or user namespaces yet.
---
 catalyst/main.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/catalyst/main.py b/catalyst/main.py
index 51d2b04ab035..b8ae662dc76d 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -12,6 +12,7 @@ import os
 import sys
 
 from snakeoil import process
+from snakeoil.process import namespaces
 
 from DeComp.definitions import (COMPRESS_DEFINITIONS, DECOMPRESS_DEFINITIONS,
 	CONTENTS_DEFINITIONS)
@@ -421,6 +422,14 @@ def _main(parser, opts):
 		# catalyst cannot be run as a normal user due to chroots, mounts, etc
 		log.critical('This script requires root privileges to operate')
 
+	# Start off by creating unique namespaces to run in.  Would be nice to
+	# use pid & user namespaces, but snakeoil's namespace module has signal
+	# transfer issues (CTRL+C doesn't propagate), and user namespaces need
+	# more work due to Gentoo build process (uses sudo/root/portage).
+	namespaces.simple_unshare(
+		mount=True, uts=True, ipc=True, pid=False, net=False, user=False,
+		hostname='catalyst')
+
 	# everything is setup, so the build is a go
 	try:
 		success = build_target(addlargs)
-- 
2.12.0