From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matt Turner
To: gentoo-catalyst@lists.gentoo.org
Cc: Matt Turner
Subject: [gentoo-catalyst] [PATCH 09/12] catalyst: Run the build sequence in new mount namespace
Date: Thu, 29 Oct 2020 12:16:29 -0400
Message-Id: <20201029161632.146732-9-mattst88@gentoo.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20201029161632.146732-1-mattst88@gentoo.org>
References: <20201029161632.146732-1-mattst88@gentoo.org>
List-Id: Gentoo Linux mail
Reply-to: gentoo-catalyst@lists.gentoo.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Catalyst has a lot of code to unmount the bind mounts it's made, and then
more to try harder when something fails. This is important because if bind
mounts still exist within the chroot when cleanup happens, files outside of
the chroot on the host system can inadvertently be deleted. E.g., distfiles,
binpkgs, kerncache.

Running the build sequence (the steps that need bind mounts) within a mount
namespace and exiting the mount namespace when finished ensures that cleanup
can never accidentally delete files outside the chroot.

Signed-off-by: Matt Turner
---
 catalyst/base/stagebase.py | 8 +++++---
 catalyst/main.py           | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
index 06ec8727..ec9a8f06 100644
--- a/catalyst/base/stagebase.py
+++ b/catalyst/base/stagebase.py
@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin from DeComp.compress import CompressMap from catalyst import log +from catalyst.context import namespace from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN) from catalyst.support import (CatalystError, file_locate, normpath, cmd, read_makeconf, ismount, file_check, @@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase): if not self.run_sequence(self.prepare_sequence): return False - if not self.run_sequence(self.build_sequence): - self.unbind() - return False + with namespace(mount=True): + if not self.run_sequence(self.build_sequence): + self.unbind() + return False if not self.run_sequence(self.finish_sequence): return False diff --git a/catalyst/main.py b/catalyst/main.py index 93a4a0d3..5536471a 100644 --- a/catalyst/main.py +++ b/catalyst/main.py @@ -355,7 +355,7 @@ def _main(parser, opts): # use pid & user namespaces, but snakeoil's namespace module has signal # transfer issues (CTRL+C doesn't propagate), and user namespaces need # more work due to Gentoo build process (uses sudo/root/portage). - with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'): + with namespace(uts=True, ipc=True, hostname='catalyst'): # everything is setup, so the build is a go try: success = build_target(addlargs) -- 2.26.2
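Review bot: in the `run_sequence` hunk of stagebase.py, the guarantee that leaving `with namespace(mount=True):` hides the build's bind mounts from the host depends on `catalyst.context.namespace` marking the mount tree private after unshare(CLONE_NEWNS); that wrapper is not part of this patch, so please confirm it does the equivalent of `mount --make-rprivate /`, because with shared propagation (the default under systemd) mounts created inside the new namespace still show up in the parent's mount table and the cleanup hazard described in the commit message would remain. The `self.unbind()` on the failure path now runs inside the namespace and is discarded with it anyway; keeping it is harmless, but the commit message should say whether it is still meant as the primary teardown or only as a fallback for the failure case.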
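Review bot: for the main.py hunk, the commit message does not say why `mount=True` is removed from the outer `namespace(...)` rather than kept alongside the new one in stagebase.py; nesting a second mount namespace inside it would be harmless, whereas without it anything mounted by `prepare_sequence` or `finish_sequence`, which now run outside the inner `with namespace(mount=True):` block, happens directly in the caller's mount namespace, as does a build that fails before the inner namespace is entered. Either state in the message that no mounts are made outside the build sequence, or keep `mount=True` here as well. The comment above the changed line only discusses pid and user namespaces, so it still reads correctly.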
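The mechanism the commit message relies on, as an added example that is not catalyst's code or part of this patch: a forked child enters a mount namespace, makes the tree private, bind-mounts a "distfiles" directory into a "chroot" and exits, and the parent then shows that the mount never existed on its side so cleanup of the chroot cannot reach the host's files. It calls unshare(2) and mount(2) through ctypes instead of snakeoil's namespace wrapper (an assumption about what that wrapper does internally), and it reads /proc/<pid>/mountinfo itself both to detect bind mounts, which os.path.ismount misses when source and target sit on the same device, and to report mount propagation, the property that decides whether leaving the namespace really hides the mounts. The mountinfo sample at the bottom is constructed for the parser and is not from a real host.

```python
"""Added example (not catalyst code): bind-mount phase in a private mount namespace
so the mounts vanish with it; mountinfo parser for propagation. Linux, root for demo."""
import ctypes, ctypes.util, os, re, shutil, sys, tempfile

CLONE_NEWNS, MS_BIND, MS_REC, MS_PRIVATE = 0x20000, 0x1000, 0x4000, 1 << 18

def _libc():
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.unshare.argtypes = [ctypes.c_int]
    libc.mount.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                           ctypes.c_ulong, ctypes.c_void_p]
    return libc

def _check(ret):
    if ret != 0:
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Map mount point -> 'shared' | 'slave' | 'unbindable' | 'private'."""
    result = {}
    for line in text.splitlines():
        pre, sep, _ = line.partition(" - ")
        if not sep:
            continue
        f = pre.split()
        tags = {opt.split(":", 1)[0] for opt in f[6:]}  # optional fields
        prop = ("unbindable" if "unbindable" in tags else "shared" if "shared" in tags
                else "slave" if "master" in tags else "private")
        result[_unescape(f[4])] = prop
    return result

def _mounts(text=None):
    if text is None:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    return parse_mountinfo(text)

def is_mounted(path, text=None):
    # os.path.ismount() misses a bind mount on the same device; ask the table
    return os.path.abspath(path) in _mounts(text)

def propagation_of(path, text=None):
    """Propagation type of the mount that contains path."""
    mounts, path = _mounts(text), os.path.abspath(path)
    while path not in mounts:
        if os.path.dirname(path) == path:
            raise LookupError("no mount found for %s" % path)
        path = os.path.dirname(path)
    return mounts[path]

def enter_private_mount_namespace():
    libc = _libc()
    _check(libc.unshare(CLONE_NEWNS))
    # unshare() keeps each mount's propagation type; with "/" shared (systemd
    # default) new mounts would still reach the parent, so go private first.
    _check(libc.mount(None, b"/", None, MS_REC | MS_PRIVATE, None))

def build_in_namespace(src, dst):
    """Child binds src onto dst in a private namespace and exits, dropping both."""
    pid = os.fork()
    if pid == 0:
        try:
            enter_private_mount_namespace()
            _check(_libc().mount(src.encode(), dst.encode(), None, MS_BIND, None))
            assert is_mounted(dst) and propagation_of(dst) == "private"
            os._exit(0)
        except BaseException as exc:  # the child must never run the parent's code
            print("child failed:", exc, file=sys.stderr)
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0

# Constructed mountinfo text (not from a real host) to exercise the parser.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 0:40 / /tmp rw,nosuid shared:24 - tmpfs tmpfs rw
60 22 8:2 / /var/tmp/catalyst rw,relatime - ext4 /dev/sda2 rw
61 22 0:41 / /mnt/nfs\\040share rw master:7 - nfs host:/x rw
62 22 0:42 / /mnt/unb rw unbindable - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    if sys.platform != "linux" or os.geteuid() != 0:
        sys.exit("namespace demo needs Linux and root; the parser runs anywhere")
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "distfiles")            # stands in for host distfiles
        dst = os.path.join(tmp, "chroot", "distfiles")  # bind target in the "chroot"
        os.makedirs(src); os.makedirs(dst)
        open(os.path.join(src, "keep.tar.xz"), "w").close()
        ok, leaked = build_in_namespace(src, dst), is_mounted(dst)
        # The mount never existed here, so removing the chroot tree is safe.
        shutil.rmtree(os.path.join(tmp, "chroot"))
        print("child ok:", ok, "| bind mount visible outside:", leaked,
              "| host file kept:", os.path.exists(os.path.join(src, "keep.tar.xz")))
```

Run as root on Linux to see the full exchange; without root only the mountinfo helpers are usable. The interesting check is `propagation_of("/")` on the host before anything is unshared: if it reports `shared`, a bare unshare(CLONE_NEWNS) without the `MS_REC | MS_PRIVATE` remount would leave the bind mounts visible to the parent, which is the case a wrapper like the one this patch relies on has to handle.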