From: "Matt Turner"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Matt Turner"
Subject: [gentoo-commits] proj/catalyst:master commit in: catalyst/base/, catalyst/
X-VCS-Repository: proj/catalyst
X-VCS-Files: catalyst/base/stagebase.py catalyst/main.py
X-VCS-Directories: catalyst/ catalyst/base/
X-VCS-Committer: mattst88
X-VCS-Committer-Name: Matt Turner
X-VCS-Revision: 488b06bf5dbe1eba68ac11de95f56feeb6cead83
X-VCS-Branch: master
Date: Fri, 30 Oct 2020 22:41:06 +0000 (UTC)

commit:     488b06bf5dbe1eba68ac11de95f56feeb6cead83
Author:     Matt Turner gentoo org>
AuthorDate: Thu Oct 29 15:00:42 2020 +0000
Commit:     Matt Turner gentoo org>
CommitDate: Fri Oct 30 22:40:52 2020 +0000
URL:        https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=488b06bf

catalyst: Run the build sequence in new mount namespace

Catalyst has a lot of code to unmount the bind mounts it's made, and then
more to try harder when something fails. This is important because if bind
mounts still exist within the chroot when clean up happens, files outside of
the chroot on the host system can inadvertently be deleted. E.g., distfiles,
binpkgs, kerncache.

Running the build sequence (the steps that need bind mounts) within a mount
namespace and exiting the mount namespace when finished ensures that clean up
can never accidentally delete files outside the chroot.

Signed-off-by: Matt Turner gentoo.org>

 catalyst/base/stagebase.py | 7 ++++---
 catalyst/main.py           | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
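To illustrate the technique the commit message describes, here is an added example, not catalyst's own code (its `namespace()` helper is not shown on this page): a minimal mount-namespace context manager built on `unshare`/`setns` via ctypes, plus a `mounts_under()` guard that a clean-up path can run against `/proc/self/mountinfo` to refuse deletion while a bind mount still sits inside the chroot. The setns-based return to the original namespace, the ctypes constants and the sample mountinfo lines are assumptions or constructed data, not taken from the page.

```python
import ctypes
import os
from contextlib import contextmanager

# Linux constants from <sched.h> / <sys/mount.h> (assumption: standard glibc values).
CLONE_NEWNS = 0x00020000
MS_REC, MS_PRIVATE = 0x4000, 0x40000

_libc = ctypes.CDLL(None, use_errno=True)
_libc.mount.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                        ctypes.c_ulong, ctypes.c_void_p]

def _check(ret, call):
    if ret != 0:
        err = ctypes.get_errno()
        raise OSError(err, "%s: %s" % (call, os.strerror(err)))

@contextmanager
def mount_namespace():
    # Needs CAP_SYS_ADMIN and a single-threaded process. Bind mounts made in the
    # body vanish when it exits, so later clean-up cannot reach host files through them.
    saved = os.open("/proc/self/ns/mnt", os.O_RDONLY)  # handle to the host namespace
    try:
        _check(_libc.unshare(CLONE_NEWNS), "unshare")
        # Private propagation: mounts made here must not appear in the host's tree.
        _check(_libc.mount(None, b"/", None, MS_REC | MS_PRIVATE, None), "mount")
        yield
    finally:
        _check(_libc.setns(saved, CLONE_NEWNS), "setns")  # back to the host namespace
        os.close(saved)

def mounts_under(chroot, mountinfo):
    # Guard for the clean-up path: mount points at or below `chroot`, parsed from
    # /proc/self/mountinfo text (field 5 is the mount point). Refuse to rm -rf if non-empty.
    root = os.path.normpath(chroot)
    found = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            mnt = fields[4].replace("\\040", " ")
            if mnt == root or mnt.startswith(root + "/"):
                found.append(mnt)
    return found

# Constructed sample: a distfiles bind mount left behind inside a stage chroot.
SAMPLE_MOUNTINFO = """\
38 25 8:1 / / rw,relatime - ext4 /dev/sda1 rw
42 38 8:1 /var/cache/distfiles /var/tmp/catalyst/tmp/default/stage3-amd64/var/cache/distfiles rw - ext4 /dev/sda1 rw
"""
```

Run the bind-mount steps inside `with mount_namespace():` and call `mounts_under(chroot, open("/proc/self/mountinfo").read())` immediately before any recursive delete; a non-empty result is exactly the hazard the commit message describes.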
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py index 06ec8727..caec5935 100644 --- a/catalyst/base/stagebase.py +++ b/catalyst/base/stagebase.py @@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin from DeComp.compress import CompressMap from catalyst import log +from catalyst.context import namespace from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN) from catalyst.support import (CatalystError, file_locate, normpath, cmd, read_makeconf, ismount, file_check, @@ -1405,9 +1406,9 @@ class StageBase(TargetBase, ClearBase, GenBase): if not self.run_sequence(self.prepare_sequence): return False - if not self.run_sequence(self.build_sequence): - self.unbind() - return False + with namespace(mount=True): + if not self.run_sequence(self.build_sequence): + return False if not self.run_sequence(self.finish_sequence): return False diff --git a/catalyst/main.py b/catalyst/main.py index 93a4a0d3..5536471a 100644 --- a/catalyst/main.py +++ b/catalyst/main.py 
@@ -355,7 +355,7 @@ def _main(parser, opts): # use pid & user namespaces, but snakeoil's namespace module has signal # transfer issues (CTRL+C doesn't propagate), and user namespaces need # more work due to Gentoo build process (uses sudo/root/portage). - with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'): + with namespace(uts=True, ipc=True, hostname='catalyst'): # everything is setup, so the build is a go try: success = build_target(addlargs)
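Review bot: In the stagebase.py hunk that wraps `self.run_sequence(self.build_sequence)` in `with namespace(mount=True):`, the protection only covers mounts created inside that block, and only if the new namespace is made private (or slave) so that mounts do not propagate back to the host's tree under shared propagation; please confirm that `catalyst.context.namespace` (or the snakeoil helper it wraps) does a recursive private remount of `/` after the unshare, otherwise the bind mounts remain visible to the host-side clean-up the commit message wants to protect. Dropping `self.unbind()` on the failure path is fine inside the namespace, but `prepare_sequence` and `finish_sequence` now run outside it, so any bind mount made by those steps keeps the old hazard; stating in the commit message that every bind/unbind step lives in `build_sequence`, or checking `/proc/self/mountinfo` for mounts under the chroot before clean-up, would make that guarantee explicit.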
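Review bot: Removing `mount=True` from the outer `namespace(...)` call in the main.py hunk is not required for the new inner mount namespace to work (mount namespaces nest), and keeping it would have preserved host isolation for any mount made outside `build_sequence`; if the removal is deliberate, the commit message should say why, and a line in the comment above the call noting that mount isolation now happens around the build sequence in stagebase.py would help the next reader.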
From: "Matt Turner"
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/catalyst:wip/mattst88 commit in: catalyst/base/, catalyst/
X-VCS-Repository: proj/catalyst
X-VCS-Files: catalyst/base/stagebase.py catalyst/main.py
X-VCS-Directories: catalyst/base/ catalyst/
X-VCS-Committer: mattst88
X-VCS-Committer-Name: Matt Turner
X-VCS-Revision: 488b06bf5dbe1eba68ac11de95f56feeb6cead83
X-VCS-Branch: wip/mattst88
Date: Sat, 19 Dec 2020 19:56:01 +0000 (UTC)