[gentoo-catalyst] [PATCH 09/12] catalyst: Run the build sequence in new mount namespace - gentoo-catalyst

From:	Matt Turner <mattst88@g.o>
To:	gentoo-catalyst@l.g.o
Cc:	Matt Turner <mattst88@g.o>
Subject:	[gentoo-catalyst] [PATCH 09/12] catalyst: Run the build sequence in new mount namespace
Date:	Thu, 29 Oct 2020 16:16:53
Message-Id:	`20201029161632.146732-9-mattst88@gentoo.org`
In Reply to:	[gentoo-catalyst] [PATCH 01/12] catalyst: Replace pathcompare() by Matt Turner

1

Catalyst has a lot of code to unmount the bind mounts it's made, and

2

then more to try harder when something fails. This is important because

3

if bind mounts still exist within the chroot when clean up happens,

4

files outside of the chroot on the host system can inadvertently be

5

deleted. E.g., distfiles, binpkgs, kerncache.

6

7

Running the build sequence (the steps that need bind mounts) within a

8

mount namespace and exiting the mount namespace when finished ensures

9

that clean up can never accidentally delete files outside the chroot.

10

11

Signed-off-by: Matt Turner <mattst88@g.o>

12

---

13

 catalyst/base/stagebase.py | 8 +++++---

14

 catalyst/main.py           | 2 +-

15

 2 files changed, 6 insertions(+), 4 deletions(-)

16

17

diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py

18

index 06ec8727..ec9a8f06 100644

19

--- a/catalyst/base/stagebase.py

20

+++ b/catalyst/base/stagebase.py

21

@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin

22

 from DeComp.compress import CompressMap

23

24

 from catalyst import log

25

+from catalyst.context import namespace

26

 from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)

27

 from catalyst.support import (CatalystError, file_locate, normpath,

28

                               cmd, read_makeconf, ismount, file_check,

29

@@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase):

30

         if not self.run_sequence(self.prepare_sequence):

31

             return False

32

33

-        if not self.run_sequence(self.build_sequence):

34

-            self.unbind()

35

-            return False

36

+        with namespace(mount=True):

37

+            if not self.run_sequence(self.build_sequence):

38

+                self.unbind()

39

+                return False

40

41

         if not self.run_sequence(self.finish_sequence):

42

             return False

43

diff --git a/catalyst/main.py b/catalyst/main.py

44

index 93a4a0d3..5536471a 100644

45

--- a/catalyst/main.py

46

+++ b/catalyst/main.py

47

@@ -355,7 +355,7 @@ def _main(parser, opts):

48

     # use pid & user namespaces, but snakeoil's namespace module has signal

49

     # transfer issues (CTRL+C doesn't propagate), and user namespaces need

50

     # more work due to Gentoo build process (uses sudo/root/portage).

51

-    with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):

52

+    with namespace(uts=True, ipc=True, hostname='catalyst'):

53

         # everything is setup, so the build is a go

54

         try:

55

             success = build_target(addlargs)

56

--

57

2.26.2

1	Catalyst has a lot of code to unmount the bind mounts it's made, and
2	then more to try harder when something fails. This is important because
3	if bind mounts still exist within the chroot when clean up happens,
4	files outside of the chroot on the host system can inadvertently be
5	deleted. E.g., distfiles, binpkgs, kerncache.
6
7	Running the build sequence (the steps that need bind mounts) within a
8	mount namespace and exiting the mount namespace when finished ensures
9	that clean up can never accidentally delete files outside the chroot.
10
11	Signed-off-by: Matt Turner <mattst88@g.o>
12	---
13	catalyst/base/stagebase.py \| 8 +++++---
14	catalyst/main.py \| 2 +-
15	2 files changed, 6 insertions(+), 4 deletions(-)
16
17	diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
18	index 06ec8727..ec9a8f06 100644
19	--- a/catalyst/base/stagebase.py
20	+++ b/catalyst/base/stagebase.py
21	@@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin
22	from DeComp.compress import CompressMap
23
24	from catalyst import log
25	+from catalyst.context import namespace
26	from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN)
27	from catalyst.support import (CatalystError, file_locate, normpath,
28	cmd, read_makeconf, ismount, file_check,
29	@@ -1405,9 +1406,10 @@ class StageBase(TargetBase, ClearBase, GenBase):
30	if not self.run_sequence(self.prepare_sequence):
31	return False
32
33	- if not self.run_sequence(self.build_sequence):
34	- self.unbind()
35	- return False
36	+ with namespace(mount=True):
37	+ if not self.run_sequence(self.build_sequence):
38	+ self.unbind()
39	+ return False
40
41	if not self.run_sequence(self.finish_sequence):
42	return False
43	diff --git a/catalyst/main.py b/catalyst/main.py
44	index 93a4a0d3..5536471a 100644
45	--- a/catalyst/main.py
46	+++ b/catalyst/main.py
47	@@ -355,7 +355,7 @@ def _main(parser, opts):
48	# use pid & user namespaces, but snakeoil's namespace module has signal
49	# transfer issues (CTRL+C doesn't propagate), and user namespaces need
50	# more work due to Gentoo build process (uses sudo/root/portage).
51	- with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'):
52	+ with namespace(uts=True, ipc=True, hostname='catalyst'):
53	# everything is setup, so the build is a go
54	try:
55	success = build_target(addlargs)
56	--
57	2.26.2

Gentoo Archives: gentoo-catalyst