From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8B6321384B4 for ; Tue, 10 Nov 2015 06:46:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 27CDC21C004; Tue, 10 Nov 2015 06:46:14 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9699C21C004 for ; Tue, 10 Nov 2015 06:46:13 +0000 (UTC) Received: from professor-x (S010634bdfa9ecf80.vc.shawcable.net [96.49.31.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: dolsen) by smtp.gentoo.org (Postfix) with ESMTPSA id EAB583403C1 for ; Tue, 10 Nov 2015 06:46:12 +0000 (UTC) Date: Mon, 9 Nov 2015 22:45:17 -0800 From: Brian Dolbec To: gentoo-catalyst@lists.gentoo.org Subject: Re: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building Message-ID: <20151109224517.525709e6.dolsen@gentoo.org> In-Reply-To: <1444163573-11337-2-git-send-email-vapier@gentoo.org> References: <1444163573-11337-1-git-send-email-vapier@gentoo.org> <1444163573-11337-2-git-send-email-vapier@gentoo.org> Organization: Gentoo Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-catalyst@lists.gentoo.org Reply-to: gentoo-catalyst@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Archives-Salt: c920c775-d730-4040-b2ee-d386c37f0529 X-Archives-Hash: 4c29cf289c320d93709c351812cbc05e On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger wrote: > This helps isolate the catalyst builds from the rest of the system > and allows us to build as non-root user in more cases. This might > not work everywhere, but it's a start (snapshot generation works). > --- > catalyst/main.py | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/catalyst/main.py b/catalyst/main.py > index 65e1431..f984653 100644 > --- a/catalyst/main.py > +++ b/catalyst/main.py > @@ -10,6 +10,8 @@ import argparse > import os > import sys > > +from snakeoil.process import namespaces > + > __selfpath__ = os.path.abspath(os.path.dirname(__file__)) > > from DeComp.definitions import (COMPRESS_DEFINITIONS, > DECOMPRESS_DEFINITIONS, @@ -336,6 +338,13 @@ def main(): > if "target" not in addlargs: > raise CatalystError("Required value \"target\" not > specified.") > + # Start off by creating unique namespaces to run in. > + namespaces.simple_unshare( > + mount=True, uts=True, ipc=True, pid=True, net=False, > user=True, > + hostname='catalyst') > + > + # We should be root now, either a real root, or in a userns > as root. > + # If we aren't, then we've failed, and need to abort. > if os.getuid() != 0: > # catalyst cannot be run as a normal user due to > chroots, mounts, etc print "!!! catalyst: This script requires root > privileges to operate" I was hoping to get a release out before merging much more, but, I doubt this will affect stability. looks good -- Brian Dolbec