From: Henning Schild
To: Jan Kiszka
Cc: Alexander Smirnov
Subject: Re: [PATCH] isar: Clean mount point on bitbake exit
Date: Fri, 9 Feb 2018 14:29:06 +0100
Message-ID: <20180209142906.7b4c3305@mmd1pvb1c.ad001.siemens.net>
References: <20180206195516.32153-1-asmirnov@ilbers.de> <20180209133340.681c00b5@mmd1pvb1c.ad001.siemens.net> <0fe2f7a9-4a02-9abd-7a97-44605f4f865b@siemens.com> <20180209134013.022008e2@mmd1pvb1c.ad001.siemens.net> <9e6f99ef-ba9f-d92a-2a09-cf99126b1f6b@siemens.com> <20180209141446.3d82eafa@mmd1pvb1c.ad001.siemens.net>

On Fri, 9 Feb 2018 14:19:26 +0100, Jan Kiszka wrote:
> On 2018-02-09 14:14, Henning Schild wrote:
> > On Fri, 9 Feb 2018 13:41:23 +0100, Jan Kiszka wrote:
> >
> >> On 2018-02-09 13:40, Henning Schild wrote:
> >>> On Fri, 9 Feb 2018 13:35:15 +0100, Jan Kiszka wrote:
> >>>
> >>>> On 2018-02-09 13:33, [ext] Henning Schild wrote:
> >>>>> Hi,
> >>>>>
> >>>>> this patch is causing problems when building in a docker
> >>>>> container, because sysfs can only be mounted ro. (Subject:
> >>>>> current next bash in buildchroot problem)
> >>>>> Now we could discuss whether we should relax the security of our
> >>>>> containers even more, or whether Isar should care about that
> >>>>> use-case.
> >>>>>
> >>>>> But this patch actually does several things at a time: it
> >>>>> changes the way we mount and adds three new mounts. I would
> >>>>> suggest splitting it up so we can discuss the issues with dev
> >>>>> and sys while already merging the rest.
> >>>>
> >>>> I think (didn't check if there was an update of next this
> >>>> morning) it works for me - in Docker. How are you starting the
> >>>> container?
> >>>
> >>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN
> >>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy
> >>> stuff ...
> >>
> >> Try adding --privileged - that's needed for binfmt anyway.
> >
> > Mhh, I could. But I am doing an amd64 build on an amd64 host, so I
> > do not use binfmt. And I did build arm images with binfmt and
> > without privileged before.
>
> That was working by chance, because you had the right settings already
> applied on the host system (binfmt is not container-ready, it is not
> working per-namespace).

Ok, but if I did not care about arm I would be ok without privileged
... whatever that means in detail.

> > So I would like to understand what has changed before dropping all
> > defense-lines in docker ... that were ok before.
>
> The answer to isolation remains "use a VM" for now (can also be "use
> the container inside a VM"). Docker itself is no sufficient isolation
> technology for us at this point.

True from a theoretical point of view; in practice we all use that on
our productive machines directly.
I do not care about the 101st sudo in that container, as long as I do
not have to disable all security around that. I have already lost the
"hostname" of my laptop a few times, I do not want to see that happen
to the rootfs ...

Henning

> Jan
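The thread turns on the difference between the --cap-add set in Henning's docker run line and --privileged, and on sysfs being mountable only read-only inside the container. As an added example (not code from the thread or from Isar), the POSIX shell script below classifies a container's effective capability set from /proc/self/status and reports whether /sys is mounted ro; the all-ones mask used to approximate --privileged and the sample CapEff and mountinfo values are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the isar thread: report from inside a
# container whether it runs with the --cap-add set discussed above,
# with --privileged, or with Docker's defaults, and whether /sys is
# mounted read-only. Functions take text so they also run on samples.

# has_cap HEXMASK BIT: succeed if capability BIT is in the CapEff mask.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# privilege_class HEXMASK: "privileged" when capabilities 0..37 are all
# present (assumed approximation of --privileged that holds across
# kernel versions), "sys_admin" when only CAP_SYS_ADMIN (bit 21) was
# added to the default set, otherwise "default".
privilege_class() {
    if [ $(( 0x$1 & 0x3fffffffff )) -eq $(( 0x3fffffffff )) ]; then
        echo privileged
    elif has_cap "$1" 21; then
        echo sys_admin
    else
        echo default
    fi
}

# sysfs_mode MOUNTINFO: first mount option of the /sys entry ("ro" or
# "rw"), or "absent" if sysfs is not mounted at all.
sysfs_mode() {
    printf '%s\n' "$1" | awk '
        $5 == "/sys" { split($6, o, ","); print o[1]; found = 1; exit }
        END { if (!found) print "absent" }'
}

# Constructed samples: a --privileged container on a 41-capability
# kernel, the default Docker set plus CAP_SYS_ADMIN, and a mountinfo
# excerpt with the read-only sysfs the thread complains about.
CAPEFF_PRIVILEGED=000001ffffffffff
CAPEFF_SYSADMIN=00000000a82425fb
MOUNTINFO_SAMPLE='25 20 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
30 25 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755'

# Live check when run inside a real container or on a host.
if [ -r /proc/self/status ] && [ -r /proc/self/mountinfo ]; then
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    [ -n "$caps" ] && echo "capabilities: $(privilege_class "$caps")"
    echo "sysfs: $(sysfs_mode "$(cat /proc/self/mountinfo)")"
fi
```

Run it inside the build container: a "sys_admin" / "ro" result is the situation Henning describes, while "privileged" shows that the isolation Jan refers to has been given up entirely.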