* [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
2020-05-16 6:43 [gentoo-commits] proj/catalyst:master commit in: catalyst/, catalyst/base/ Matt Turner
@ 2020-05-15 6:32 ` Matt Turner
0 siblings, 0 replies; 6+ messages in thread
From: Matt Turner @ 2020-05-15 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 111f8243f3261d8cb0871b6f4b2087d7ce5e9b69
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Fri May 15 06:16:28 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Fri May 15 06:31:34 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=111f8243
catalyst: Rename shmfs -> shm
This will allow us to factor out the ['source', 'target'] from each
case.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 4 ++--
catalyst/defaults.py | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 68945da8..52f9cd5b 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -864,9 +864,9 @@ class StageBase(TargetBase, ClearBase, GenBase):
target]
elif source == 'tmpfs':
_cmd = ['mount', '-t', 'tmpfs', source, target]
- elif source == 'shmfs':
+ elif source == 'shm':
_cmd = ['mount', '-t', 'tmpfs', '-o', 'noexec,nosuid,nodev',
- 'shm', target]
+ source, target]
else:
_cmd = ['mount', source, target]
diff --git a/catalyst/defaults.py b/catalyst/defaults.py
index 9d5771d5..404f4892 100644
--- a/catalyst/defaults.py
+++ b/catalyst/defaults.py
@@ -99,7 +99,7 @@ MOUNT_DEFAULTS = OrderedDict([
}),
('shm', {
'enable': True,
- 'source': 'shmfs',
+ 'source': 'shm',
'target': '/dev/shm',
}),
('run', {
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
@ 2020-10-29 14:11 Matt Turner
0 siblings, 0 replies; 6+ messages in thread
From: Matt Turner @ 2020-10-29 14:11 UTC (permalink / raw
To: gentoo-commits
commit: 2c026f92e3c7d7058311453a79bb36eac2e4d57b
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 28 21:59:17 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 14:09:35 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=2c026f92
catalyst: Add and use namespace context manager
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 6 ++++--
catalyst/context.py | 33 +++++++++++++++++++++++++++++++++
catalyst/main.py | 17 +++++++----------
3 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index da133bf2..2bbbb987 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -14,6 +14,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1392,8 +1393,9 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/context.py b/catalyst/context.py
new file mode 100644
index 00000000..f5d240ea
--- /dev/null
+++ b/catalyst/context.py
@@ -0,0 +1,33 @@
+
+import contextlib
+import os
+
+from snakeoil.process.namespaces import setns, simple_unshare
+
+@contextlib.contextmanager
+def namespace(mount=False, uts=False, ipc=False, net=False, pid=False,
+ user=False, hostname=None):
+ namespaces = {
+ (mount, "mnt"): None,
+ (uts, "uts"): None,
+ (ipc, "ipc"): None,
+ (net, "net"): None,
+ (pid, "pid"): None,
+ (user, "user"): None,
+ }
+ pid = os.getpid()
+
+ # Save fds of current namespaces
+ for ns in [ns for ns in namespaces if ns[0]]:
+ fp = open(f"/proc/{pid}/ns/{ns[1]}")
+ namespaces[ns] = fp
+
+ simple_unshare(mount=mount, uts=uts, ipc=ipc, net=net, pid=pid, user=user,
+ hostname=hostname)
+ try:
+ yield None
+ finally:
+ for ns in [ns for ns in namespaces if ns[0]]:
+ fp = namespaces[ns]
+ setns(fp.fileno(), 0)
+ fp.close()
diff --git a/catalyst/main.py b/catalyst/main.py
index 543895c6..93a4a0d3 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -7,14 +7,13 @@ import textwrap
import toml
-from snakeoil.process import namespaces
-
from DeComp.definitions import (COMPRESS_DEFINITIONS, DECOMPRESS_DEFINITIONS,
CONTENTS_DEFINITIONS)
from DeComp.contents import ContentsMap
from catalyst import log
import catalyst.config
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, option_messages,
DEFAULT_CONFIG_FILE, valid_config_file_values)
from catalyst.support import CatalystError
@@ -356,15 +355,13 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- namespaces.simple_unshare(
- mount=True, uts=True, ipc=True, pid=False, net=False, user=False,
- hostname='catalyst')
+ with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ # everything is setup, so the build is a go
+ try:
+ success = build_target(addlargs)
+ except KeyboardInterrupt:
+ log.critical('Catalyst build aborted due to user interrupt (Ctrl-C)')
- # everything is setup, so the build is a go
- try:
- success = build_target(addlargs)
- except KeyboardInterrupt:
- log.critical('Catalyst build aborted due to user interrupt (Ctrl-C)')
if not success:
sys.exit(2)
sys.exit(0)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
@ 2020-10-29 15:47 Matt Turner
0 siblings, 0 replies; 6+ messages in thread
From: Matt Turner @ 2020-10-29 15:47 UTC (permalink / raw
To: gentoo-commits
commit: 1494cb6f62d992f6a3215eaa54607d1b22af888e
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 15:34:48 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=1494cb6f
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles and binpkgs.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 8 +++++---
catalyst/main.py | 2 +-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 829bcc93..defe6f27 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- self.unbind()
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ self.unbind()
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ with namespace(uts=True, ipc=True, hostname='catalyst'):
# everything is setup, so the build is a go
try:
success = build_target(addlargs)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
@ 2020-10-29 16:04 Matt Turner
0 siblings, 0 replies; 6+ messages in thread
From: Matt Turner @ 2020-10-29 16:04 UTC (permalink / raw
To: gentoo-commits
commit: 74e9d44879594aefc81d2ea64981ac38c48b61f6
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 16:03:41 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=74e9d448
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 8 +++++---
catalyst/main.py | 2 +-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index c2abf757..27021e31 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- self.unbind()
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ self.unbind()
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ with namespace(uts=True, ipc=True, hostname='catalyst'):
# everything is setup, so the build is a go
try:
success = build_target(addlargs)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
@ 2020-10-29 16:34 Matt Turner
0 siblings, 0 replies; 6+ messages in thread
From: Matt Turner @ 2020-10-29 16:34 UTC (permalink / raw
To: gentoo-commits
commit: 35c76a3bee1be14e4ee1283e1cc727c55edfc960
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 16:34:35 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=35c76a3b
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 7 ++++---
catalyst/main.py | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 06ec8727..caec5935 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,9 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- self.unbind()
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ with namespace(uts=True, ipc=True, hostname='catalyst'):
# everything is setup, so the build is a go
try:
success = build_target(addlargs)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/
@ 2020-10-29 19:05 Matt Turner
0 siblings, 0 replies; 6+ messages in thread
From: Matt Turner @ 2020-10-29 19:05 UTC (permalink / raw
To: gentoo-commits
commit: b2eb4c91047d9faf76f629819aa488d4ddb84177
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 19:05:45 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=b2eb4c91
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 7 ++++---
catalyst/main.py | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 06ec8727..caec5935 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,9 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- self.unbind()
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ with namespace(uts=True, ipc=True, hostname='catalyst'):
# everything is setup, so the build is a go
try:
success = build_target(addlargs)
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-10-29 19:05 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-29 16:04 [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/ Matt Turner
-- strict thread matches above, loose matches on Subject: below --
2020-10-29 19:05 Matt Turner
2020-10-29 16:34 Matt Turner
2020-10-29 15:47 Matt Turner
2020-10-29 14:11 Matt Turner
2020-05-16 6:43 [gentoo-commits] proj/catalyst:master commit in: catalyst/, catalyst/base/ Matt Turner
2020-05-15 6:32 ` [gentoo-commits] proj/catalyst:pending/mattst88 commit in: catalyst/base/, catalyst/ Matt Turner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox