From: "Matt Turner" <mattst88@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/catalyst:master commit in: catalyst/base/, catalyst/
Date: Fri, 30 Oct 2020 22:41:06 +0000 (UTC) [thread overview]
Message-ID: <1604097652.488b06bf5dbe1eba68ac11de95f56feeb6cead83.mattst88@gentoo> (raw)
commit: 488b06bf5dbe1eba68ac11de95f56feeb6cead83
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Fri Oct 30 22:40:52 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=488b06bf
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 7 ++++---
catalyst/main.py | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 06ec8727..caec5935 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,9 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- self.unbind()
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ with namespace(uts=True, ipc=True, hostname='catalyst'):
# everything is setup, so the build is a go
try:
success = build_target(addlargs)
WARNING: multiple messages have this Message-ID (diff)
From: "Matt Turner" <mattst88@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/catalyst:wip/mattst88 commit in: catalyst/base/, catalyst/
Date: Sat, 19 Dec 2020 19:56:01 +0000 (UTC) [thread overview]
Message-ID: <1604097652.488b06bf5dbe1eba68ac11de95f56feeb6cead83.mattst88@gentoo> (raw)
Message-ID: <20201219195601.fAWy6LbNPjy2xYjoKv0kxVP854KKyh1A4xSg_xlscms@z> (raw)
commit: 488b06bf5dbe1eba68ac11de95f56feeb6cead83
Author: Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Fri Oct 30 22:40:52 2020 +0000
URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=488b06bf
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
catalyst/base/stagebase.py | 7 ++++---
catalyst/main.py | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 06ec8727..caec5935 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
from DeComp.compress import CompressMap
from catalyst import log
+from catalyst.context import namespace
from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
from catalyst.support import (CatalystError, file_locate, normpath,
cmd, read_makeconf, ismount, file_check,
@@ -1405,9 +1406,9 @@ class StageBase(TargetBase, ClearBase, GenBase):
if not self.run_sequence(self.prepare_sequence):
return False
- if not self.run_sequence(self.build_sequence):
- self.unbind()
- return False
+ with namespace(mount=True):
+ if not self.run_sequence(self.build_sequence):
+ return False
if not self.run_sequence(self.finish_sequence):
return False
diff --git a/catalyst/main.py b/catalyst/main.py
index 93a4a0d3..5536471a 100644
--- a/catalyst/main.py
+++ b/catalyst/main.py
@@ -355,7 +355,7 @@ def _main(parser, opts):
# use pid & user namespaces, but snakeoil's namespace module has signal
# transfer issues (CTRL+C doesn't propagate), and user namespaces need
# more work due to Gentoo build process (uses sudo/root/portage).
- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
+ with namespace(uts=True, ipc=True, hostname='catalyst'):
# everything is setup, so the build is a go
try:
success = build_target(addlargs)
next reply other threads:[~2020-10-30 22:41 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-30 22:41 Matt Turner [this message]
2020-12-19 19:56 ` [gentoo-commits] proj/catalyst:wip/mattst88 commit in: catalyst/base/, catalyst/ Matt Turner
-- strict thread matches above, loose matches on Subject: below --
2023-07-01 19:27 [gentoo-commits] proj/catalyst:master " Andreas K. Hüttel
2021-02-28 14:39 Andreas K. Hüttel
2021-02-20 21:27 Matt Turner
2020-04-17 19:52 Matt Turner
2020-04-13 20:36 Matt Turner
2020-01-27 18:52 Rick Farina
2016-05-22 3:34 Mike Frysinger
2016-03-23 16:38 Brian Dolbec
2016-03-21 5:15 Mike Frysinger
2015-10-08 20:02 Brian Dolbec
2015-09-08 14:14 [gentoo-commits] proj/catalyst:pending " Brian Dolbec
2015-09-08 14:17 ` [gentoo-commits] proj/catalyst:master " Brian Dolbec
2015-01-01 5:59 [gentoo-commits] proj/catalyst:pending " Brian Dolbec
2015-02-26 4:12 ` [gentoo-commits] proj/catalyst:master " Brian Dolbec
2015-01-01 5:59 [gentoo-commits] proj/catalyst:pending " Brian Dolbec
2015-02-26 20:12 ` [gentoo-commits] proj/catalyst:master " Brian Dolbec
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1604097652.488b06bf5dbe1eba68ac11de95f56feeb6cead83.mattst88@gentoo \
--to=mattst88@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox