1 |
On 09 Nov 2015 22:45, Brian Dolbec wrote: |
2 |
> On Tue, 6 Oct 2015 16:32:53 -0400 Mike Frysinger wrote: |
3 |
> > This helps isolate the catalyst builds from the rest of the system |
4 |
> > and allows us to build as non-root user in more cases. This might |
5 |
> > not work everywhere, but it's a start (snapshot generation works). |
6 |
> > --- |
7 |
> > catalyst/main.py | 9 +++++++++ |
8 |
> > 1 file changed, 9 insertions(+) |
9 |
> > |
10 |
> > diff --git a/catalyst/main.py b/catalyst/main.py |
11 |
> > index 65e1431..f984653 100644 |
12 |
> > --- a/catalyst/main.py |
13 |
> > +++ b/catalyst/main.py |
14 |
> > @@ -10,6 +10,8 @@ import argparse |
15 |
> > import os |
16 |
> > import sys |
17 |
> > |
18 |
> > +from snakeoil.process import namespaces |
19 |
> > + |
20 |
> > __selfpath__ = os.path.abspath(os.path.dirname(__file__)) |
21 |
> > |
22 |
> > from DeComp.definitions import (COMPRESS_DEFINITIONS, |
23 |
> > DECOMPRESS_DEFINITIONS, @@ -336,6 +338,13 @@ def main(): |
24 |
> > if "target" not in addlargs: |
25 |
> > raise CatalystError("Required value \"target\" not |
26 |
> > specified.") |
27 |
> > + # Start off by creating unique namespaces to run in. |
28 |
> > + namespaces.simple_unshare( |
29 |
> > + mount=True, uts=True, ipc=True, pid=True, net=False, |
30 |
> > user=True, |
31 |
> > + hostname='catalyst') |
32 |
> > + |
33 |
> > + # We should be root now, either a real root, or in a userns |
34 |
> > as root. |
35 |
> > + # If we aren't, then we've failed, and need to abort. |
36 |
> > if os.getuid() != 0: |
37 |
> > # catalyst cannot be run as a normal user due to |
38 |
> > chroots, mounts, etc print "!!! catalyst: This script requires root |
39 |
> > privileges to operate" |
40 |
> |
41 |
> I was hoping to get a release out before merging much more, but, I |
42 |
> doubt this will affect stability. |
43 |
|
44 |
it does ;). i haven't fully debugged it yet, but i think the use of pid |
45 |
namespaces messes up signal handling. i'll follow up when i'm happy with |
46 |
its state. |
47 |
-mike |