From: "Matt Turner"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Matt Turner"
Message-ID: <1603985688.1494cb6f62d992f6a3215eaa54607d1b22af888e.mattst88@gentoo>
Subject: [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
X-VCS-Repository: proj/catalyst
X-VCS-Files: catalyst/base/stagebase.py catalyst/main.py
X-VCS-Directories: catalyst/base/ catalyst/
X-VCS-Committer: mattst88
X-VCS-Committer-Name: Matt Turner
X-VCS-Revision: 1494cb6f62d992f6a3215eaa54607d1b22af888e
X-VCS-Branch: pending/mattst88
Date: Thu, 29 Oct 2020 15:47:39 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 7ec531ef-3ab4-4fb6-b60f-6b275301b62a
X-Archives-Hash: ea8464b49a79956940134ce378d6ee9d

commit:     1494cb6f62d992f6a3215eaa54607d1b22af888e
Author:     Matt Turner gentoo org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit:     Matt Turner gentoo org>
CommitDate: Thu Oct 29 15:34:48 2020 +0000
URL:        https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=1494cb6f

catalyst: Run the build sequence in new mount namespace

Catalyst has a lot of code to unmount the bind mounts it's made, and then more to try harder when something fails. This is important because if bind mounts still exist within the chroot when clean up happens, files outside of the chroot on the host system can inadvertently be deleted. E.g., distfiles and binpkgs.

Running the build sequence (the steps that need bind mounts) within a mount namespace and exiting the mount namespace when finished ensures that clean up can never accidentally delete files outside the chroot.

Signed-off-by: Matt Turner gentoo.org>

 catalyst/base/stagebase.py | 8 +++++---
 catalyst/main.py           | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py index 829bcc93..defe6f27 100644 --- a/catalyst/base/stagebase.py +++ b/catalyst/base/stagebase.py @@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin from DeComp.compress import CompressMap from catalyst import log +from catalyst.context import namespace from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN) from catalyst.support import (CatalystError, file_locate, normpath, cmd, read_makeconf, ismount, file_check, @@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase): if not self.run_sequence(self.prepare_sequence): return False - if not self.run_sequence(self.build_sequence): - self.unbind() - return False + with namespace(mount=True): + if not self.run_sequence(self.build_sequence): + self.unbind() + return False if not self.run_sequence(self.finish_sequence): return False diff --git a/catalyst/main.py b/catalyst/main.py index 93a4a0d3..5536471a 100644 --- a/catalyst/main.py +++ b/catalyst/main.py @@ -355,7 +355,7 @@ def _main(parser, opts): # use pid & user namespaces, but snakeoil's namespace module has signal # transfer issues (CTRL+C doesn't propagate), and user namespaces need # more work due to Gentoo build process (uses sudo/root/portage). - with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'): + with namespace(uts=True, ipc=True, hostname='catalyst'): # everything is setup, so the build is a go try: success = build_target(addlargs)
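Review bot: in the stagebase.py hunk at `@@ -1405,9 +1406,10 @@`, the isolation only covers mounts created inside the `with namespace(mount=True):` block, so please confirm that every bind mount catalyst makes is performed within `build_sequence` and none in `prepare_sequence` (which runs before the block) or `finish_sequence` (which runs after it, back in the host mount namespace); any mount made outside the block is still torn down by the old unbind path and still carries the deletion risk the commit message describes. The guarantee also relies on the namespace helper marking the mount tree private or slave after unsharing; if propagation stayed shared, the bind mounts would still be visible from the host namespace, so that behaviour of `catalyst.context.namespace` is worth checking. Lastly, `self.unbind()` on the failure path now runs immediately before the namespace is discarded; if it is kept for side effects other than unmounting, a short comment saying so would prevent a later cleanup from removing it as redundant.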
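Review bot: in the main.py hunk at `@@ -355,7 +355,7 @@`, the comment block directly above the changed `with namespace(...)` line still only explains why pid and user namespaces are not used; since `mount=True` is dropped here and the mount namespace now wraps `build_sequence` in StageBase, add a sentence stating that, otherwise a reader will take the missing `mount=True` for an accidental loss of isolation and put it back. Note also that after this change everything outside the build sequence, including the `try:` error handling around `build_target(addlargs)`, runs in the host mount namespace, which is the intended scope but should be spelled out.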