From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id DBF2A1388C4 for ; Tue, 10 Nov 2015 06:56:09 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DAD7D21C004; Tue, 10 Nov 2015 06:56:08 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id CA2AC21C004 for ; Tue, 10 Nov 2015 06:56:07 +0000 (UTC) Received: from professor-x (S010634bdfa9ecf80.vc.shawcable.net [96.49.31.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: dolsen) by smtp.gentoo.org (Postfix) with ESMTPSA id 209573405C3 for ; Tue, 10 Nov 2015 06:56:07 +0000 (UTC) Date: Mon, 9 Nov 2015 22:55:14 -0800 From: Brian Dolbec To: gentoo-catalyst@lists.gentoo.org Subject: Re: [gentoo-catalyst] [PATCH 2/2] catalyst: create namespaces for building Message-ID: <20151109225514.5152edf2.dolsen@gentoo.org> In-Reply-To: <20151110064907.GL5154@vapier.lan> References: <1444163573-11337-1-git-send-email-vapier@gentoo.org> <1444163573-11337-2-git-send-email-vapier@gentoo.org> <20151109224517.525709e6.dolsen@gentoo.org> <20151110064907.GL5154@vapier.lan> Organization: Gentoo Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-catalyst@lists.gentoo.org Reply-to: gentoo-catalyst@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Archives-Salt: 59daf733-7dfb-4df1-ae81-0271bf4a6fa3 X-Archives-Hash: f2383ce1620aada45abe62a80aae4148 On Tue, 10 Nov 2015 01:49:07 -0500 Mike Frysinger wrote: > On 09 Nov 2015 22:45, Brian Dolbec wrote: > > On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger wrote: > > > This helps isolate the catalyst builds from the rest of the system > > > and allows us to build as non-root user in more cases. This might > > > not work everywhere, but it's a start (snapshot generation works). > > > --- > > > catalyst/main.py | 9 +++++++++ > > > 1 file changed, 9 insertions(+) > > > > > > diff --git a/catalyst/main.py b/catalyst/main.py > > > index 65e1431..f984653 100644 > > > --- a/catalyst/main.py > > > +++ b/catalyst/main.py > > > @@ -10,6 +10,8 @@ import argparse > > > import os > > > import sys > > > > > > +from snakeoil.process import namespaces > > > + > > > __selfpath__ = os.path.abspath(os.path.dirname(__file__)) > > > > > > from DeComp.definitions import (COMPRESS_DEFINITIONS, > > > DECOMPRESS_DEFINITIONS, @@ -336,6 +338,13 @@ def main(): > > > if "target" not in addlargs: > > > raise CatalystError("Required value \"target\" > > > not specified.") > > > + # Start off by creating unique namespaces to run in. > > > + namespaces.simple_unshare( > > > + mount=True, uts=True, ipc=True, pid=True, > > > net=False, user=True, > > > + hostname='catalyst') > > > + > > > + # We should be root now, either a real root, or in a > > > userns as root. > > > + # If we aren't, then we've failed, and need to abort. > > > if os.getuid() != 0: > > > # catalyst cannot be run as a normal user due to > > > chroots, mounts, etc print "!!! catalyst: This script requires > > > root privileges to operate" > > > > I was hoping to get a release out before merging much more, but, I > > doubt this will affect stability. > > it does ;). i haven't fully debugged it yet, but i think the use of > pid namespaces messes up signal handling. i'll follow up when i'm > happy with its state. > -mike sounds good :) Thanks -- Brian Dolbec