* [PATCH] isar: Clean mount point on bitbake exit @ 2018-02-06 19:55 Alexander Smirnov 2018-02-06 20:31 ` Jan Kiszka ` (2 more replies) 0 siblings, 3 replies; 19+ messages in thread From: Alexander Smirnov @ 2018-02-06 19:55 UTC (permalink / raw) To: isar-users; +Cc: Alexander Smirnov 8<-- That's it! Branch 'asmirnov/devel', please test and enjoy :-) 8<-- Now each multiconfig has registered handler for BuildCompleted event (see class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file contains all the active mounts. In addition, from event handler we could derive all the variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to find all the active mounts for current multiconfig and clean them. NOTE: if build is interrupted by double ^C, some mount points could stay uncleaned. This is caused by remaining processes started by bitbake, for example: - 'chroot build.sh ...' - 'multistrap ...' So please be careful when interrupting build. Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> --- meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ meta/classes/dpkg-base.bbclass | 12 ++++------- meta/classes/isar-events.bbclass | 15 +++++++++++--- meta/recipes-devtools/buildchroot/buildchroot.bb | 24 +++++++++------------- .../buildchroot/files/configscript.sh | 4 ---- .../buildchroot/files/download_dev-random | 13 ------------ 6 files changed, 30 insertions(+), 49 deletions(-) delete mode 100644 meta/recipes-devtools/buildchroot/files/download_dev-random diff --git a/meta-isar/recipes-core/images/isar-image-base.bb b/meta-isar/recipes-core/images/isar-image-base.bb index e359ac3..8ddbabb 100644 --- a/meta-isar/recipes-core/images/isar-image-base.bb +++ b/meta-isar/recipes-core/images/isar-image-base.bb 
@@ -55,14 +55,10 @@ do_rootfs() { -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" + # Do not use bitbake flag [dirs] here because this folder should have + # specific ownership. [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none ${IMAGE_ROOTFS}/proc - _do_rootfs_cleanup() { - ret=$? - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true - (exit $ret) || bb_exit_handler - } - trap '_do_rootfs_cleanup' EXIT # Create root filesystem. We must use sudo -E here to preserve the environment # because of proxy settings @@ -72,5 +68,6 @@ do_rootfs() { sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" - _do_rootfs_cleanup + + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true } diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 --- a/meta/classes/dpkg-base.bbclass +++ b/meta/classes/dpkg-base.bbclass @@ -20,15 +20,11 @@ dpkg_runbuild() { do_build() { mkdir -p ${BUILDROOT} sudo mount --bind ${WORKDIR} ${BUILDROOT} - _do_build_cleanup() { - ret=$? - sudo umount ${BUILDROOT} 2>/dev/null || true - sudo rmdir ${BUILDROOT} 2>/dev/null || true - (exit $ret) || bb_exit_handler - } - trap '_do_build_cleanup' EXIT + dpkg_runbuild - _do_build_cleanup + + sudo umount ${BUILDROOT} 2>/dev/null || true + sudo rmdir ${BUILDROOT} 2>/dev/null || true } # Install package to Isar-apt diff --git a/meta/classes/isar-events.bbclass b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 --- a/meta/classes/isar-events.bbclass +++ b/meta/classes/isar-events.bbclass 
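Review bot: With `_do_rootfs_cleanup` and its EXIT trap removed, `${IMAGE_ROOTFS}/proc` is now unmounted only on the success path; bitbake's shell tasks run under errexit, so a failing multistrap or chroot step leaves the proc mount in place until the BuildCompleted handler runs, or indefinitely if bitbake is killed before that (the double-^C case the cover letter itself describes). The same gap applies to `${BUILDROOT}` in dpkg-base.bbclass do_build and to the mounts made by do_setup_mounts in buildchroot.bb do_build (hunks @@ -60 and @@ -79), and a tree that is still mounted is exactly what makes a later `rm -rf` of the work directory hazardous. A cheap failure-path guard is to chain the unmount to the step that can fail, e.g. `sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} ... || { ret=$?; sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true; exit $ret; }`, and likewise around `dpkg_runbuild`. do_rootfs starts before this hunk and its multistrap call lies between the two hunks, so the full failure surface is not visible here.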
@@ -11,10 +11,19 @@ python isar_handler () { devnull = open(os.devnull, 'w') if isinstance(e, bb.event.BuildCompleted): - bchroot = d.getVar('BUILDCHROOT_DIR', True) + tmpdir = d.getVar('TMPDIR', True) + distro = d.getVar('DISTRO', True) + arch = d.getVar('DISTRO_ARCH', True) - # Clean up buildchroot - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, shell=True) + w = tmpdir + '/work/' + distro + '-' + arch + + # '/proc/mounts' contains all the active mounts, so knowing 'w' we + # could get the list of mounts for the specific multiconfig and + # clean them. + with open('/proc/mounts', 'rU') as f: + for line in f: + if w in line: + subprocess.call('sudo umount -f ' + line.split()[1], stdout=devnull, stderr=devnull, shell=True) devnull.close() } diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb b/meta/recipes-devtools/buildchroot/buildchroot.bb index 304c67e..df9df19 100644 --- a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 +12,6 @@ FILESPATH =. "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" SRC_URI = "file://multistrap.conf.in \ file://configscript.sh \ file://setup.sh \ - file://download_dev-random \ file://build.sh" PV = "1.0" @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ - ${BUILDCHROOT_DIR}/isar-apt" +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ + ${BUILDCHROOT_DIR}/dev \ + ${BUILDCHROOT_DIR}/proc \ + ${BUILDCHROOT_DIR}/sys" do_build[depends] = "isar-apt:do_cache_config" do_build() { 
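Review bot: `if w in line` tests the whole /proc/mounts line for a substring with no trailing separator, so a sibling multiconfig whose name merely starts with `distro-arch` (or a device column containing that text) is also matched and force-unmounted, and the mountpoint is then spliced into a `shell=True` string, which breaks on any TMPDIR containing spaces or shell metacharacters (/proc/mounts also octal-escapes spaces as `\040`, which `split()` does not undo). Matching on the mountpoint field with a `/` appended, passing an argv list instead of a shell string, and walking the entries in reverse so nested mounts are released before their parent would close all three; `'rU'` is also a Python 2 mode that Python 3 only tolerates with a warning, so a plain `open('/proc/mounts')` is safer. isar_handler begins before this hunk.

```python
            w = tmpdir + '/work/' + distro + '-' + arch + '/'

            # … unchanged: comment on /proc/mounts …
            with open('/proc/mounts') as f:
                mounts = [line.split()[1] for line in f]
            # Innermost first, so a nested mount never blocks its parent.
            for mp in reversed(mounts):
                if mp.startswith(w):
                    subprocess.call(['sudo', 'umount', '-f', mp], stdout=devnull, stderr=devnull)
```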
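Review bot: `do_build[dirs]` now lets bitbake create `${BUILDCHROOT_DIR}/dev`, `/proc` and `/sys`, while the isar-image-base.bb hunk of this same patch adds a comment saying [dirs] must not be used for /proc because the folder needs specific ownership, and the line removed from buildchroot.bb do_build used `install -d -m 555` for the same directory. The two recipes may legitimately differ (the buildchroot is presumably only a mount target and is never shipped), but that reasoning should be written down next to the flag, e.g. `# [dirs] is acceptable here: these are mount targets inside the build chroot, not part of an image`, or the explicit `install -d -m 555` should be kept for consistency.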
@@ -41,7 +42,6 @@ do_build() { chmod +x "${WORKDIR}/setup.sh" chmod +x "${WORKDIR}/configscript.sh" - install -m 755 "${WORKDIR}/download_dev-random" "${WORKDIR}/hooks_multistrap/" # Multistrap accepts only relative path in configuration files, so get it: cd ${TOPDIR} @@ -60,15 +60,6 @@ do_build() { -e 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 ${BUILDCHROOT_DIR}/proc - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc - _do_build_cleanup() { - ret=$? - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true - (exit $ret) || bb_exit_handler - } - trap '_do_build_cleanup' EXIT - do_setup_mounts # Create root filesystem @@ -79,7 +70,6 @@ do_build() { # Configure root filesystem sudo chroot ${BUILDCHROOT_DIR} /configscript.sh - _do_build_cleanup do_cleanup_mounts } @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" do_setup_mounts() { sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys } addtask setup_mounts after do_build do_cleanup_mounts() { sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true } diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh index 9813c9a..524e50c 100644 --- a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh 
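Review bot: `sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev` in do_setup_mounts exposes the host's entire /dev to everything later run via chroot in the buildchroot (configscript.sh, build.sh), and unlike the `mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev` this series removes from configscript.sh, the bind carries no `nosuid`. Restoring that flag is one extra line after the bind, `sudo mount -o remount,bind,nosuid ${BUILDCHROOT_DIR}/dev`. In do_cleanup_mounts every umount failure is swallowed by `|| true`, so a busy `${BUILDCHROOT_DIR}/dev` leaves host /dev bound inside the tmp tree with no diagnostic; emitting a warning on failure (bbwarn, if available in this shell context) would make such a leftover visible before anything removes the directory. do_setup_mounts is also called directly from do_build, so the stamped task and the inline call both need to tolerate an already-mounted target.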
@@ -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre installation script /var/lib/dpkg/info/dash.preinst install -# apt-get http method, gpg require /dev/null -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev - #configuring packages dpkg --configure -a apt-get update -umount /dev diff --git a/meta/recipes-devtools/buildchroot/files/download_dev-random b/meta/recipes-devtools/buildchroot/files/download_dev-random deleted file mode 100644 index 5b5b96b..0000000 --- a/meta/recipes-devtools/buildchroot/files/download_dev-random +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -set -e - -readonly ROOTFS="$1" - -mknod "${ROOTFS}/dev/random" c 1 8 -chmod 640 "${ROOTFS}/dev/random" -chown 0:0 "${ROOTFS}/dev/random" - -mknod "${ROOTFS}/dev/urandom" c 1 9 -chmod 640 "${ROOTFS}/dev/urandom" -chown 0:0 "${ROOTFS}/dev/urandom" -- 2.1.4 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-06 19:55 [PATCH] isar: Clean mount point on bitbake exit Alexander Smirnov @ 2018-02-06 20:31 ` Jan Kiszka 2018-02-06 20:45 ` Alexander Smirnov 2018-02-09 9:56 ` Alexander Smirnov 2018-02-09 12:33 ` Henning Schild 2 siblings, 1 reply; 19+ messages in thread From: Jan Kiszka @ 2018-02-06 20:31 UTC (permalink / raw) To: Alexander Smirnov, isar-users On 2018-02-06 20:55, Alexander Smirnov wrote: > 8<-- > > That's it! Branch 'asmirnov/devel', please test and enjoy :-) > > 8<-- > > Now each multiconfig has registered handler for BuildCompleted event (see > class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file contains > all the active mounts. In addition, from event handler we could derive > all the variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to > find all the active mounts for current multiconfig and clean them. > > NOTE: if build is interrupted by double ^C, some mount points could stay > uncleaned. This is caused by remaining processes started by bitbake, for > example: > - 'chroot build.sh ...' > - 'multistrap ...' Can you explain what the race condition is exactly? It seems to work for me so far, no forgotten mounts. Jan > > So please be careful when interrupting build. > > Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > --- > meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ > meta/classes/dpkg-base.bbclass | 12 ++++------- > meta/classes/isar-events.bbclass | 15 +++++++++++--- > meta/recipes-devtools/buildchroot/buildchroot.bb | 24 +++++++++------------- > .../buildchroot/files/configscript.sh | 4 ---- > .../buildchroot/files/download_dev-random | 13 ------------ > 6 files changed, 30 insertions(+), 49 deletions(-) > delete mode 100644 meta/recipes-devtools/buildchroot/files/download_dev-random > > diff --git a/meta-isar/recipes-core/images/isar-image-base.bb b/meta-isar/recipes-core/images/isar-image-base.bb > index e359ac3..8ddbabb 100644 
> --- a/meta-isar/recipes-core/images/isar-image-base.bb > +++ b/meta-isar/recipes-core/images/isar-image-base.bb > @@ -55,14 +55,10 @@ do_rootfs() { > -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > + # Do not use bitbake flag [dirs] here because this folder should have > + # specific ownership. > [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m 555 ${IMAGE_ROOTFS}/proc > sudo mount -t proc none ${IMAGE_ROOTFS}/proc > - _do_rootfs_cleanup() { > - ret=$? > - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_rootfs_cleanup' EXIT > > # Create root filesystem. We must use sudo -E here to preserve the environment > # because of proxy settings > @@ -72,5 +68,6 @@ do_rootfs() { > sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ > ${ROOTFS_DEV} > sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > - _do_rootfs_cleanup > + > + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > } > diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass > index 5d5a924..a34c21f 100644 > --- a/meta/classes/dpkg-base.bbclass > +++ b/meta/classes/dpkg-base.bbclass > @@ -20,15 +20,11 @@ dpkg_runbuild() { > do_build() { > mkdir -p ${BUILDROOT} > sudo mount --bind ${WORKDIR} ${BUILDROOT} > - _do_build_cleanup() { > - ret=$? > - sudo umount ${BUILDROOT} 2>/dev/null || true > - sudo rmdir ${BUILDROOT} 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_build_cleanup' EXIT > + > dpkg_runbuild > - _do_build_cleanup > + > + sudo umount ${BUILDROOT} 2>/dev/null || true > + sudo rmdir ${BUILDROOT} 2>/dev/null || true > } > > # Install package to Isar-apt > diff --git a/meta/classes/isar-events.bbclass b/meta/classes/isar-events.bbclass > index 55fc106..ae0f791 100644 > --- a/meta/classes/isar-events.bbclass > +++ b/meta/classes/isar-events.bbclass 
> @@ -11,10 +11,19 @@ python isar_handler () { > devnull = open(os.devnull, 'w') > > if isinstance(e, bb.event.BuildCompleted): > - bchroot = d.getVar('BUILDCHROOT_DIR', True) > + tmpdir = d.getVar('TMPDIR', True) > + distro = d.getVar('DISTRO', True) > + arch = d.getVar('DISTRO_ARCH', True) > > - # Clean up buildchroot > - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, shell=True) > + w = tmpdir + '/work/' + distro + '-' + arch > + > + # '/proc/mounts' contains all the active mounts, so knowing 'w' we > + # could get the list of mounts for the specific multiconfig and > + # clean them. > + with open('/proc/mounts', 'rU') as f: > + for line in f: > + if w in line: > + subprocess.call('sudo umount -f ' + line.split()[1], stdout=devnull, stderr=devnull, shell=True) > > devnull.close() > } > diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb b/meta/recipes-devtools/buildchroot/buildchroot.bb > index 304c67e..df9df19 100644 > --- a/meta/recipes-devtools/buildchroot/buildchroot.bb > +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb > @@ -12,7 +12,6 @@ FILESPATH =. "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" > SRC_URI = "file://multistrap.conf.in \ > file://configscript.sh \ > file://setup.sh \ > - file://download_dev-random \ > file://build.sh" > PV = "1.0" > > @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > - ${BUILDCHROOT_DIR}/isar-apt" > +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > + ${BUILDCHROOT_DIR}/dev \ > + ${BUILDCHROOT_DIR}/proc \ > + ${BUILDCHROOT_DIR}/sys" > do_build[depends] = "isar-apt:do_cache_config" > > do_build() { 
> @@ -41,7 +42,6 @@ do_build() { > > chmod +x "${WORKDIR}/setup.sh" > chmod +x "${WORKDIR}/configscript.sh" > - install -m 755 "${WORKDIR}/download_dev-random" "${WORKDIR}/hooks_multistrap/" > > # Multistrap accepts only relative path in configuration files, so get it: > cd ${TOPDIR} > @@ -60,15 +60,6 @@ do_build() { > -e 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 ${BUILDCHROOT_DIR}/proc > - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > - _do_build_cleanup() { > - ret=$? > - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_build_cleanup' EXIT > - > do_setup_mounts > > # Create root filesystem > @@ -79,7 +70,6 @@ do_build() { > > # Configure root filesystem > sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > - _do_build_cleanup > > do_cleanup_mounts > } > @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > > do_setup_mounts() { > sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt > + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev > + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > } > > addtask setup_mounts after do_build > > do_cleanup_mounts() { > sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > } > diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh > index 9813c9a..524e50c 100644 > --- a/meta/recipes-devtools/buildchroot/files/configscript.sh > +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh 
> @@ -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C > #run pre installation script > /var/lib/dpkg/info/dash.preinst install > > -# apt-get http method, gpg require /dev/null > -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > - > #configuring packages > dpkg --configure -a > apt-get update > -umount /dev > diff --git a/meta/recipes-devtools/buildchroot/files/download_dev-random b/meta/recipes-devtools/buildchroot/files/download_dev-random > deleted file mode 100644 > index 5b5b96b..0000000 > --- a/meta/recipes-devtools/buildchroot/files/download_dev-random > +++ /dev/null > @@ -1,13 +0,0 @@ > -#!/bin/sh > - > -set -e > - > -readonly ROOTFS="$1" > - > -mknod "${ROOTFS}/dev/random" c 1 8 > -chmod 640 "${ROOTFS}/dev/random" > -chown 0:0 "${ROOTFS}/dev/random" > - > -mknod "${ROOTFS}/dev/urandom" c 1 9 > -chmod 640 "${ROOTFS}/dev/urandom" > -chown 0:0 "${ROOTFS}/dev/urandom" > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-06 20:31 ` Jan Kiszka @ 2018-02-06 20:45 ` Alexander Smirnov 2018-02-06 20:56 ` Jan Kiszka 0 siblings, 1 reply; 19+ messages in thread From: Alexander Smirnov @ 2018-02-06 20:45 UTC (permalink / raw) To: Jan Kiszka, isar-users On 02/06/2018 11:31 PM, Jan Kiszka wrote: > On 2018-02-06 20:55, Alexander Smirnov wrote: >> 8<-- >> >> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >> >> 8<-- >> >> Now each multiconfig has registered handler for BuildCompleted event (see >> class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file contains >> all the active mounts. In addition, from event handler we could derive >> all the variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to >> find all the active mounts for current multiconfig and clean them. >> >> NOTE: if build is interrupted by double ^C, some mount points could stay >> uncleaned. This is caused by remaining processes started by bitbake, for >> example: >> - 'chroot build.sh ...' >> - 'multistrap ...' > > Can you explain what the race condition is exactly? It seems to work for > me so far, no forgotten mounts. Sometimes after double ^C I see several mounted artifacts in buildchroot. But I've also noticed, that there are running processes like 'multistrap' and 'build.sh' running *exactly* in this buildchroot. So, simple test, if you press double ^C and run 'ps ax' after, you will likely see running processes. IIRC the same bitbake behavior I saw with Yocto, interrupting bitbake doesn't mean to kill the process with current task. Alex > > Jan > >> >> So please be careful when interrupting build. 
>> >> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> >> --- >> meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ >> meta/classes/dpkg-base.bbclass | 12 ++++------- >> meta/classes/isar-events.bbclass | 15 +++++++++++--- >> meta/recipes-devtools/buildchroot/buildchroot.bb | 24 +++++++++------------- >> .../buildchroot/files/configscript.sh | 4 ---- >> .../buildchroot/files/download_dev-random | 13 ------------ >> 6 files changed, 30 insertions(+), 49 deletions(-) >> delete mode 100644 meta/recipes-devtools/buildchroot/files/download_dev-random >> >> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb b/meta-isar/recipes-core/images/isar-image-base.bb >> index e359ac3..8ddbabb 100644 >> --- a/meta-isar/recipes-core/images/isar-image-base.bb >> +++ b/meta-isar/recipes-core/images/isar-image-base.bb >> @@ -55,14 +55,10 @@ do_rootfs() { >> -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ >> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" >> >> + # Do not use bitbake flag [dirs] here because this folder should have >> + # specific ownership. >> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m 555 ${IMAGE_ROOTFS}/proc >> sudo mount -t proc none ${IMAGE_ROOTFS}/proc >> - _do_rootfs_cleanup() { >> - ret=$? >> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >> - (exit $ret) || bb_exit_handler >> - } >> - trap '_do_rootfs_cleanup' EXIT >> >> # Create root filesystem. We must use sudo -E here to preserve the environment >> # because of proxy settings >> @@ -72,5 +68,6 @@ do_rootfs() { >> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ >> ${ROOTFS_DEV} >> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" >> - _do_rootfs_cleanup >> + >> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >> } >> diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass >> index 5d5a924..a34c21f 100644 >> --- a/meta/classes/dpkg-base.bbclass 
>> +++ b/meta/classes/dpkg-base.bbclass >> @@ -20,15 +20,11 @@ dpkg_runbuild() { >> do_build() { >> mkdir -p ${BUILDROOT} >> sudo mount --bind ${WORKDIR} ${BUILDROOT} >> - _do_build_cleanup() { >> - ret=$? >> - sudo umount ${BUILDROOT} 2>/dev/null || true >> - sudo rmdir ${BUILDROOT} 2>/dev/null || true >> - (exit $ret) || bb_exit_handler >> - } >> - trap '_do_build_cleanup' EXIT >> + >> dpkg_runbuild >> - _do_build_cleanup >> + >> + sudo umount ${BUILDROOT} 2>/dev/null || true >> + sudo rmdir ${BUILDROOT} 2>/dev/null || true >> } >> >> # Install package to Isar-apt >> diff --git a/meta/classes/isar-events.bbclass b/meta/classes/isar-events.bbclass >> index 55fc106..ae0f791 100644 >> --- a/meta/classes/isar-events.bbclass >> +++ b/meta/classes/isar-events.bbclass >> @@ -11,10 +11,19 @@ python isar_handler () { >> devnull = open(os.devnull, 'w') >> >> if isinstance(e, bb.event.BuildCompleted): >> - bchroot = d.getVar('BUILDCHROOT_DIR', True) >> + tmpdir = d.getVar('TMPDIR', True) >> + distro = d.getVar('DISTRO', True) >> + arch = d.getVar('DISTRO_ARCH', True) >> >> - # Clean up buildchroot >> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, shell=True) >> + w = tmpdir + '/work/' + distro + '-' + arch >> + >> + # '/proc/mounts' contains all the active mounts, so knowing 'w' we >> + # could get the list of mounts for the specific multiconfig and >> + # clean them. >> + with open('/proc/mounts', 'rU') as f: >> + for line in f: >> + if w in line: >> + subprocess.call('sudo umount -f ' + line.split()[1], stdout=devnull, stderr=devnull, shell=True) >> >> devnull.close() >> } >> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb b/meta/recipes-devtools/buildchroot/buildchroot.bb >> index 304c67e..df9df19 100644 >> --- a/meta/recipes-devtools/buildchroot/buildchroot.bb >> +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb 
>> @@ -12,7 +12,6 @@ FILESPATH =. "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" >> SRC_URI = "file://multistrap.conf.in \ >> file://configscript.sh \ >> file://setup.sh \ >> - file://download_dev-random \ >> file://build.sh" >> PV = "1.0" >> >> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ >> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >> >> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" >> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ >> - ${BUILDCHROOT_DIR}/isar-apt" >> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ >> + ${BUILDCHROOT_DIR}/dev \ >> + ${BUILDCHROOT_DIR}/proc \ >> + ${BUILDCHROOT_DIR}/sys" >> do_build[depends] = "isar-apt:do_cache_config" >> >> do_build() { >> @@ -41,7 +42,6 @@ do_build() { >> >> chmod +x "${WORKDIR}/setup.sh" >> chmod +x "${WORKDIR}/configscript.sh" >> - install -m 755 "${WORKDIR}/download_dev-random" "${WORKDIR}/hooks_multistrap/" >> >> # Multistrap accepts only relative path in configuration files, so get it: >> cd ${TOPDIR} >> @@ -60,15 +60,6 @@ do_build() { >> -e 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ >> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" >> >> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 ${BUILDCHROOT_DIR}/proc >> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >> - _do_build_cleanup() { >> - ret=$? >> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >> - (exit $ret) || bb_exit_handler >> - } >> - trap '_do_build_cleanup' EXIT >> - >> do_setup_mounts >> >> # Create root filesystem >> @@ -79,7 +70,6 @@ do_build() { >> >> # Configure root filesystem >> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh >> - _do_build_cleanup >> >> do_cleanup_mounts >> } 
>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" >> >> do_setup_mounts() { >> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt >> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev >> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys >> } >> >> addtask setup_mounts after do_build >> >> do_cleanup_mounts() { >> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true >> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true >> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true >> } >> diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh >> index 9813c9a..524e50c 100644 >> --- a/meta/recipes-devtools/buildchroot/files/configscript.sh >> +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh >> @@ -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C >> #run pre installation script >> /var/lib/dpkg/info/dash.preinst install >> >> -# apt-get http method, gpg require /dev/null >> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev >> - >> #configuring packages >> dpkg --configure -a >> apt-get update >> -umount /dev >> diff --git a/meta/recipes-devtools/buildchroot/files/download_dev-random b/meta/recipes-devtools/buildchroot/files/download_dev-random >> deleted file mode 100644 >> index 5b5b96b..0000000 >> --- a/meta/recipes-devtools/buildchroot/files/download_dev-random >> +++ /dev/null 
>> @@ -1,13 +0,0 @@ >> -#!/bin/sh >> - >> -set -e >> - >> -readonly ROOTFS="$1" >> - >> -mknod "${ROOTFS}/dev/random" c 1 8 >> -chmod 640 "${ROOTFS}/dev/random" >> -chown 0:0 "${ROOTFS}/dev/random" >> - >> -mknod "${ROOTFS}/dev/urandom" c 1 9 >> -chmod 640 "${ROOTFS}/dev/urandom" >> -chown 0:0 "${ROOTFS}/dev/urandom" >> > -- With best regards, Alexander Smirnov ilbers GmbH Baierbrunner Str. 28c D-81379 Munich +49 (89) 122 67 24-0 http://ilbers.de/ Commercial register Munich, HRB 214197 General manager: Baurzhan Ismagulov ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-06 20:45 ` Alexander Smirnov @ 2018-02-06 20:56 ` Jan Kiszka 2018-02-06 21:10 ` Alexander Smirnov 0 siblings, 1 reply; 19+ messages in thread From: Jan Kiszka @ 2018-02-06 20:56 UTC (permalink / raw) To: Alexander Smirnov, isar-users On 2018-02-06 21:45, Alexander Smirnov wrote: > On 02/06/2018 11:31 PM, Jan Kiszka wrote: >> On 2018-02-06 20:55, Alexander Smirnov wrote: >>> 8<-- >>> >>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >>> >>> 8<-- >>> >>> Now each multiconfig has registered handler for BuildCompleted event >>> (see >>> class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file contains >>> all the active mounts. In addition, from event handler we could derive >>> all the variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to >>> find all the active mounts for current multiconfig and clean them. >>> >>> NOTE: if build is interrupted by double ^C, some mount points could stay >>> uncleaned. This is caused by remaining processes started by bitbake, for >>> example: >>> - 'chroot build.sh ...' >>> - 'multistrap ...' >> >> Can you explain what the race condition is exactly? It seems to work for >> me so far, no forgotten mounts. > > Sometimes after double ^C I see several mounted artifacts in > buildchroot. But I've also noticed, that there are running processes > like 'multistrap' and 'build.sh' running *exactly* in this buildchroot. > > So, simple test, if you press double ^C and run 'ps ax' after, you will > likely see running processes. IIRC the same bitbake behavior I saw with > Yocto, interrupting bitbake doesn't mean to kill the process with > current task. Yes, there is a settling phase, but everything is dead and gone after a couple of seconds, at least here. Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-06 20:56 ` Jan Kiszka @ 2018-02-06 21:10 ` Alexander Smirnov 0 siblings, 0 replies; 19+ messages in thread From: Alexander Smirnov @ 2018-02-06 21:10 UTC (permalink / raw) To: Jan Kiszka, isar-users On 02/06/2018 11:56 PM, Jan Kiszka wrote: > On 2018-02-06 21:45, Alexander Smirnov wrote: >> On 02/06/2018 11:31 PM, Jan Kiszka wrote: >>> On 2018-02-06 20:55, Alexander Smirnov wrote: >>>> 8<-- >>>> >>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >>>> >>>> 8<-- >>>> >>>> Now each multiconfig has registered handler for BuildCompleted event >>>> (see >>>> class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file contains >>>> all the active mounts. In addition, from event handler we could derive >>>> all the variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to >>>> find all the active mounts for current multiconfig and clean them. >>>> >>>> NOTE: if build is interrupted by double ^C, some mount points could stay >>>> uncleaned. This is caused by remaining processes started by bitbake, for >>>> example: >>>> - 'chroot build.sh ...' >>>> - 'multistrap ...' >>> >>> Can you explain what the race condition is exactly? It seems to work for >>> me so far, no forgotten mounts. >> >> Sometimes after double ^C I see several mounted artifacts in >> buildchroot. But I've also noticed, that there are running processes >> like 'multistrap' and 'build.sh' running *exactly* in this buildchroot. >> >> So, simple test, if you press double ^C and run 'ps ax' after, you will >> likely see running processes. IIRC the same bitbake behavior I saw with >> Yocto, interrupting bitbake doesn't mean to kill the process with >> current task. > > Yes, there is a settling phase, but everything is dead and gone after a > couple of seconds, at least here. My multistrap process stays for a few minutes after, but it happens once per about 10 times. Probably you are lucky and interrupt the build in suitable place. 
For sure I press double ^C quickly without delay in between. In general I'm not sure if we can handle this, it sounds like bitbake should do this. The correct way to stop the build is to press single ^C, this should work without any issues, but you have to wait until current task is finished. Anyway please let me know if the patch is ok and solves your issue with '/dev/null', so I can apply it. Alex ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-06 19:55 [PATCH] isar: Clean mount point on bitbake exit Alexander Smirnov 2018-02-06 20:31 ` Jan Kiszka @ 2018-02-09 9:56 ` Alexander Smirnov 2018-02-09 12:33 ` Henning Schild 2 siblings, 0 replies; 19+ messages in thread From: Alexander Smirnov @ 2018-02-09 9:56 UTC (permalink / raw) To: isar-users On 02/06/2018 10:55 PM, Alexander Smirnov wrote: > 8<-- > > That's it! Branch 'asmirnov/devel', please test and enjoy :-) > > 8<-- > > Now each multiconfig has registered handler for BuildCompleted event (see > class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file contains > all the active mounts. In addition, from event handler we could derive > all the variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to > find all the active mounts for current multiconfig and clean them. > > NOTE: if build is interrupted by double ^C, some mount points could stay > uncleaned. This is caused by remaining processes started by bitbake, for > example: > - 'chroot build.sh ...' > - 'multistrap ...' > > So please be careful when interrupting build. > > Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > --- > meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ > meta/classes/dpkg-base.bbclass | 12 ++++------- > meta/classes/isar-events.bbclass | 15 +++++++++++--- > meta/recipes-devtools/buildchroot/buildchroot.bb | 24 +++++++++------------- > .../buildchroot/files/configscript.sh | 4 ---- > .../buildchroot/files/download_dev-random | 13 ------------ > 6 files changed, 30 insertions(+), 49 deletions(-) > delete mode 100644 meta/recipes-devtools/buildchroot/files/download_dev-random > > diff --git a/meta-isar/recipes-core/images/isar-image-base.bb b/meta-isar/recipes-core/images/isar-image-base.bb > index e359ac3..8ddbabb 100644 > --- a/meta-isar/recipes-core/images/isar-image-base.bb > +++ b/meta-isar/recipes-core/images/isar-image-base.bb 
> @@ -55,14 +55,10 @@ do_rootfs() { > -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > + # Do not use bitbake flag [dirs] here because this folder should have > + # specific ownership. > [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m 555 ${IMAGE_ROOTFS}/proc > sudo mount -t proc none ${IMAGE_ROOTFS}/proc > - _do_rootfs_cleanup() { > - ret=$? > - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_rootfs_cleanup' EXIT > > # Create root filesystem. We must use sudo -E here to preserve the environment > # because of proxy settings > @@ -72,5 +68,6 @@ do_rootfs() { > sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ > ${ROOTFS_DEV} > sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > - _do_rootfs_cleanup > + > + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > } > diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass > index 5d5a924..a34c21f 100644 > --- a/meta/classes/dpkg-base.bbclass > +++ b/meta/classes/dpkg-base.bbclass > @@ -20,15 +20,11 @@ dpkg_runbuild() { > do_build() { > mkdir -p ${BUILDROOT} > sudo mount --bind ${WORKDIR} ${BUILDROOT} > - _do_build_cleanup() { > - ret=$? > - sudo umount ${BUILDROOT} 2>/dev/null || true > - sudo rmdir ${BUILDROOT} 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_build_cleanup' EXIT > + > dpkg_runbuild > - _do_build_cleanup > + > + sudo umount ${BUILDROOT} 2>/dev/null || true > + sudo rmdir ${BUILDROOT} 2>/dev/null || true > } > > # Install package to Isar-apt > diff --git a/meta/classes/isar-events.bbclass b/meta/classes/isar-events.bbclass > index 55fc106..ae0f791 100644 > --- a/meta/classes/isar-events.bbclass > +++ b/meta/classes/isar-events.bbclass 
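Review bot: With the EXIT trap gone, the `sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true` added at the end of do_rootfs only runs on the success path; a bitbake shell task stops at the first failing command, so a failed multistrap or chroot step leaves proc mounted under ${IMAGE_ROOTFS} until the BuildCompleted handler, and that handler only matches mounts below ${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH} (whether IMAGE_ROOTFS lives under that prefix is not visible in this hunk). A stale proc mount inside the rootfs tree also makes a later recursive delete or rebuild of that tree fail. If the per-task helper is to go, the failure path can still be covered with the chaining the removed helper used, e.g. `trap 'ret=$?; sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true; (exit $ret) || bb_exit_handler' EXIT` right after the mount. The multistrap invocation between the two hunks is not shown.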
> @@ -11,10 +11,19 @@ python isar_handler () { > devnull = open(os.devnull, 'w') > > if isinstance(e, bb.event.BuildCompleted): > - bchroot = d.getVar('BUILDCHROOT_DIR', True) > + tmpdir = d.getVar('TMPDIR', True) > + distro = d.getVar('DISTRO', True) > + arch = d.getVar('DISTRO_ARCH', True) > > - # Clean up buildchroot > - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, shell=True) > + w = tmpdir + '/work/' + distro + '-' + arch > + > + # '/proc/mounts' contains all the active mounts, so knowing 'w' we > + # could get the list of mounts for the specific multiconfig and > + # clean them. > + with open('/proc/mounts', 'rU') as f: > + for line in f: > + if w in line: > + subprocess.call('sudo umount -f ' + line.split()[1], stdout=devnull, stderr=devnull, shell=True) > > devnull.close() > } > diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb b/meta/recipes-devtools/buildchroot/buildchroot.bb > index 304c67e..df9df19 100644 > --- a/meta/recipes-devtools/buildchroot/buildchroot.bb > +++ b/meta/recipes-devtools/buildchroot/buildchroot.bb > @@ -12,7 +12,6 @@ FILESPATH =. "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" > SRC_URI = "file://multistrap.conf.in \ > file://configscript.sh \ > file://setup.sh \ > - file://download_dev-random \ > file://build.sh" > PV = "1.0" > > @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > - ${BUILDCHROOT_DIR}/isar-apt" > +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > + ${BUILDCHROOT_DIR}/dev \ > + ${BUILDCHROOT_DIR}/proc \ > + ${BUILDCHROOT_DIR}/sys" > do_build[depends] = "isar-apt:do_cache_config" > > do_build() { 
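Review bot: The new handler builds `'sudo umount -f ' + line.split()[1]` as a shell string with `shell=True`, so any shell metacharacter in a mount point below TMPDIR is interpreted by a root shell; TMPDIR is operator-configured, which limits the exposure, but the argument-list form `subprocess.call(['sudo', 'umount', '-f', mp], stdout=devnull, stderr=devnull)` removes the shell from the path entirely. `if w in line` is a substring test over the whole /proc/mounts line, so it also matches a sibling multiconfig whose name merely extends the prefix (e.g. `…/debian-stretch-amd64-foo`); comparing the mount-point field against `w + '/'` is tighter, and note that /proc/mounts encodes whitespace in paths as octal (`\040`), which the split value still carries. /proc/mounts lists mounts in the order they were made, so unmounting in file order fails for a mount point nested below an earlier one; walking the list in reverse avoids that. `'rU'` is a Python 2 mode that newer Python 3 releases reject, and plain `'r'` behaves the same here. The handler's signature and the `devnull` setup sit above the hunk.
```python
        w = tmpdir + '/work/' + distro + '-' + arch

        with open('/proc/mounts', 'r') as f:
            mountpoints = [line.split()[1] for line in f]

        # /proc/mounts is oldest-first; a mount point nested below another one
        # must go before its parent, so walk the list in reverse.  Compare the
        # mount-point field as a path prefix, not the whole line as a substring,
        # so a sibling multiconfig with a longer name is left alone.  Paths with
        # whitespace appear octal-escaped here (e.g. '\040'); decode them if
        # TMPDIR may contain such characters.
        for mp in reversed(mountpoints):
            if mp == w or mp.startswith(w + '/'):
                # Argument list, no shell: the path is never re-parsed as a command.
                subprocess.call(['sudo', 'umount', '-f', mp],
                                stdout=devnull, stderr=devnull)
```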
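Review bot: The `do_build[dirs]` flag now creates `${BUILDCHROOT_DIR}/dev`, `/proc` and `/sys` through bitbake's mkdir, i.e. owned by the build user with the default umask, while the same series changes isar-image-base.bb to avoid `[dirs]` for exactly that reason (`sudo install -d -o 0 -g 0 -m 555`) and the removed buildchroot code used `install -d -m 555` for proc. While the filesystems are mounted this is hidden, but after do_cleanup_mounts the buildchroot's /dev, /proc and /sys are user-owned directories, which is only harmless as long as the buildchroot never ships as an image (not something this hunk can show). Creating them the way the rootfs does, `sudo install -d -o 0 -g 0 -m 555 ${BUILDCHROOT_DIR}/dev ${BUILDCHROOT_DIR}/proc ${BUILDCHROOT_DIR}/sys`, keeps the two recipes consistent; do_build's body starts below the hunk.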
> @@ -41,7 +42,6 @@ do_build() { > > chmod +x "${WORKDIR}/setup.sh" > chmod +x "${WORKDIR}/configscript.sh" > - install -m 755 "${WORKDIR}/download_dev-random" "${WORKDIR}/hooks_multistrap/" > > # Multistrap accepts only relative path in configuration files, so get it: > cd ${TOPDIR} > @@ -60,15 +60,6 @@ do_build() { > -e 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 ${BUILDCHROOT_DIR}/proc > - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > - _do_build_cleanup() { > - ret=$? > - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_build_cleanup' EXIT > - > do_setup_mounts > > # Create root filesystem > @@ -79,7 +70,6 @@ do_build() { > > # Configure root filesystem > sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > - _do_build_cleanup > > do_cleanup_mounts > } 
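Review bot: The `@@ -60,15 +60,6 @@` hunk still substitutes `##DIR_HOOKS##` with `./$WORKDIR_REL/hooks_multistrap`, but with the `download_dev-random` install removed here and `${WORKDIR}/hooks_multistrap` dropped from `do_build[dirs]` in the previous hunk nothing creates that directory any more; whether multistrap tolerates a missing hook directory is not visible, so either the sed expression should go or the directory should still be created. Separately, `do_cleanup_mounts` at the end of do_build only runs on the success path, because a bitbake shell task stops at the first failing command: a failing multistrap or configscript leaves isar-apt, dev, proc and sys mounted under ${BUILDCHROOT_DIR} until the BuildCompleted handler, which the commit message itself says cannot cover an interrupted build. The removed `_do_build_cleanup` helper had the right shape for this; `trap 'ret=$?; do_cleanup_mounts; (exit $ret) || bb_exit_handler' EXIT` placed after `do_setup_mounts` keeps the failure path covered without per-mount boilerplate. The multistrap invocation between the hunks is not shown.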
> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > > do_setup_mounts() { > sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} ${BUILDCHROOT_DIR}/isar-apt > + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev Replaced this line by: (like it was before in configurescript.sh): 8<-- sudo mount -t devtmpfs -o mode=0755,nosuid devtmpfs ${BUILDCHROOT_DIR}/dev 8<-- Otherwise debian-wheezy-arm:buildchroot fails on CI server with strange error (while it works on local machine): 8<-- Setting up initscripts (2.88dsf-41+deb7u1) ... /bin/rm: cannot remove `/dev/shm': Device or resource busy dpkg: error processing initscripts (--configure): 8<-- After brief debugging of initscripts/postinst, seems it incorrectly identifies guest environment in chroot and tries to create new /dev/shm entry. Alex > + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > } > > addtask setup_mounts after do_build > > do_cleanup_mounts() { > sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > } > diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh > index 9813c9a..524e50c 100644 > --- a/meta/recipes-devtools/buildchroot/files/configscript.sh > +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh > @@ -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C > #run pre installation script > /var/lib/dpkg/info/dash.preinst install > > -# apt-get http method, gpg require /dev/null > -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > - > #configuring packages > dpkg --configure -a > apt-get update > -umount /dev 
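Review bot: `sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev` hands the whole host device tree to package maintainer scripts running as root in the chroot for the entire do_build, and unlike the `devtmpfs -o mode=0755,nosuid` mount configscript.sh used to set up for just the dpkg/apt steps, a plain bind mount carries no `nosuid`; the inline follow-up switching to devtmpfs restores `nosuid` but still exposes every host node, not only the /dev/null and /dev/(u)random that the removed hook and comment show were needed. A private tmpfs populated with the few nodes the build needs (null, zero, random, urandom, presumably tty — confirm against the maintainer scripts) would be the least-privilege variant; the cheaper step is `sudo mount -t devtmpfs -o mode=0755,nosuid,noexec devtmpfs ${BUILDCHROOT_DIR}/dev`. The stale-mount case weighs more for /dev than for proc or sys: if do_cleanup_mounts is skipped (failed task, or the double-^C case from the commit message) and the work tree is later removed recursively as root without `--one-file-system`, the delete descends into the host's /dev. do_cleanup_mounts also hides every umount failure behind `2>/dev/null || true`; a `bbwarn` when a mount point stays busy would at least make that state visible.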
> diff --git a/meta/recipes-devtools/buildchroot/files/download_dev-random b/meta/recipes-devtools/buildchroot/files/download_dev-random > deleted file mode 100644 > index 5b5b96b..0000000 > --- a/meta/recipes-devtools/buildchroot/files/download_dev-random > +++ /dev/null > @@ -1,13 +0,0 @@ > -#!/bin/sh > - > -set -e > - > -readonly ROOTFS="$1" > - > -mknod "${ROOTFS}/dev/random" c 1 8 > -chmod 640 "${ROOTFS}/dev/random" > -chown 0:0 "${ROOTFS}/dev/random" > - > -mknod "${ROOTFS}/dev/urandom" c 1 9 > -chmod 640 "${ROOTFS}/dev/urandom" > -chown 0:0 "${ROOTFS}/dev/urandom" > -- With best regards, Alexander Smirnov ilbers GmbH Baierbrunner Str. 28c D-81379 Munich +49 (89) 122 67 24-0 http://ilbers.de/ Commercial register Munich, HRB 214197 General manager: Baurzhan Ismagulov ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-06 19:55 [PATCH] isar: Clean mount point on bitbake exit Alexander Smirnov 2018-02-06 20:31 ` Jan Kiszka 2018-02-09 9:56 ` Alexander Smirnov @ 2018-02-09 12:33 ` Henning Schild 2018-02-09 12:35 ` Jan Kiszka 2 siblings, 1 reply; 19+ messages in thread From: Henning Schild @ 2018-02-09 12:33 UTC (permalink / raw) To: Alexander Smirnov; +Cc: isar-users Hi, this patch is causing problems when building in a docker container, because sysfs can only be mounted ro. (Subject: current next bash in buildchroot problem) Now we could discuss whether we should relax the security of our containers even more, or whether Isar should care about that use-case. But this patch actually does several things at a time, it changes the way we mount and adds three new mounts. I would suggest to split it up so we can discuss the issues with dev and sys while already merging the rest. Henning Am Tue, 6 Feb 2018 22:55:16 +0300 schrieb Alexander Smirnov <asmirnov@ilbers.de>: > 8<-- > > That's it! Branch 'asmirnov/devel', please test and enjoy :-) > > 8<-- > > Now each multiconfig has registered handler for BuildCompleted event > (see class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file > contains all the active mounts. In addition, from event handler we > could derive all the variables like ${TMPDIR}, ${DISTRO} etc. So it's > possible to find all the active mounts for current multiconfig and > clean them. > > NOTE: if build is interrupted by double ^C, some mount points could > stay uncleaned. This is caused by remaining processes started by > bitbake, for example: > - 'chroot build.sh ...' > - 'multistrap ...' > > So please be careful when interrupting build. 
> > Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > --- > meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ > meta/classes/dpkg-base.bbclass | 12 ++++------- > meta/classes/isar-events.bbclass | 15 > +++++++++++--- meta/recipes-devtools/buildchroot/buildchroot.bb | > 24 > +++++++++------------- .../buildchroot/files/configscript.sh > | 4 ---- .../buildchroot/files/download_dev-random | 13 > ------------ 6 files changed, 30 insertions(+), 49 deletions(-) > delete mode 100644 > meta/recipes-devtools/buildchroot/files/download_dev-random > > diff --git a/meta-isar/recipes-core/images/isar-image-base.bb > b/meta-isar/recipes-core/images/isar-image-base.bb index > e359ac3..8ddbabb 100644 --- > a/meta-isar/recipes-core/images/isar-image-base.bb +++ > b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 +55,10 > @@ do_rootfs() { -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > "${WORKDIR}/multistrap.conf.in" > > "${WORKDIR}/multistrap.conf" > + # Do not use bitbake flag [dirs] here because this folder should > have > + # specific ownership. > [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m > 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none ${IMAGE_ROOTFS}/proc > - _do_rootfs_cleanup() { > - ret=$? > - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_rootfs_cleanup' EXIT > > # Create root filesystem. We must use sudo -E here to preserve > the environment # because of proxy settings > @@ -72,5 +68,6 @@ do_rootfs() { > sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} > ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} > sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > - _do_rootfs_cleanup > + > + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > } > diff --git a/meta/classes/dpkg-base.bbclass > b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 > --- a/meta/classes/dpkg-base.bbclass > +++ b/meta/classes/dpkg-base.bbclass 
> @@ -20,15 +20,11 @@ dpkg_runbuild() { > do_build() { > mkdir -p ${BUILDROOT} > sudo mount --bind ${WORKDIR} ${BUILDROOT} > - _do_build_cleanup() { > - ret=$? > - sudo umount ${BUILDROOT} 2>/dev/null || true > - sudo rmdir ${BUILDROOT} 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_build_cleanup' EXIT > + > dpkg_runbuild > - _do_build_cleanup > + > + sudo umount ${BUILDROOT} 2>/dev/null || true > + sudo rmdir ${BUILDROOT} 2>/dev/null || true > } > > # Install package to Isar-apt > diff --git a/meta/classes/isar-events.bbclass > b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 > --- a/meta/classes/isar-events.bbclass > +++ b/meta/classes/isar-events.bbclass > @@ -11,10 +11,19 @@ python isar_handler () { > devnull = open(os.devnull, 'w') > > if isinstance(e, bb.event.BuildCompleted): > - bchroot = d.getVar('BUILDCHROOT_DIR', True) > + tmpdir = d.getVar('TMPDIR', True) > + distro = d.getVar('DISTRO', True) > + arch = d.getVar('DISTRO_ARCH', True) > > - # Clean up buildchroot > - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + > '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, shell=True) > + w = tmpdir + '/work/' + distro + '-' + arch > + > + # '/proc/mounts' contains all the active mounts, so knowing > 'w' we > + # could get the list of mounts for the specific multiconfig > and > + # clean them. > + with open('/proc/mounts', 'rU') as f: > + for line in f: > + if w in line: > + subprocess.call('sudo umount -f ' + > line.split()[1], stdout=devnull, stderr=devnull, shell=True) > devnull.close() > } > diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb > b/meta/recipes-devtools/buildchroot/buildchroot.bb index > 304c67e..df9df19 100644 --- > a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ > b/meta/recipes-devtools/buildchroot/buildchroot.bb 
@@ -12,7 +12,6 @@ > FILESPATH =. "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" > SRC_URI = "file://multistrap.conf.in \ file://configscript.sh \ > file://setup.sh \ > - file://download_dev-random \ > file://build.sh" > PV = "1.0" > > @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > - ${BUILDCHROOT_DIR}/isar-apt" > +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > + ${BUILDCHROOT_DIR}/dev \ > + ${BUILDCHROOT_DIR}/proc \ > + ${BUILDCHROOT_DIR}/sys" > do_build[depends] = "isar-apt:do_cache_config" > > do_build() { > @@ -41,7 +42,6 @@ do_build() { > > chmod +x "${WORKDIR}/setup.sh" > chmod +x "${WORKDIR}/configscript.sh" > - install -m 755 "${WORKDIR}/download_dev-random" > "${WORKDIR}/hooks_multistrap/" > # Multistrap accepts only relative path in configuration files, > so get it: cd ${TOPDIR} > @@ -60,15 +60,6 @@ do_build() { > -e 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > "${WORKDIR}/multistrap.conf.in" > > "${WORKDIR}/multistrap.conf" > - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 > ${BUILDCHROOT_DIR}/proc > - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > - _do_build_cleanup() { > - ret=$? > - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > - (exit $ret) || bb_exit_handler > - } > - trap '_do_build_cleanup' EXIT > - > do_setup_mounts > > # Create root filesystem > @@ -79,7 +70,6 @@ do_build() { > > # Configure root filesystem > sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > - _do_build_cleanup > > do_cleanup_mounts > } 
> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = > "${DISTRO}-${DISTRO_ARCH}" > do_setup_mounts() { > sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} > ${BUILDCHROOT_DIR}/isar-apt > + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev > + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > } > > addtask setup_mounts after do_build > > do_cleanup_mounts() { > sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > } > diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh > b/meta/recipes-devtools/buildchroot/files/configscript.sh index > 9813c9a..524e50c 100644 --- > a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ > b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ -39,10 > +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre installation > script /var/lib/dpkg/info/dash.preinst install > > -# apt-get http method, gpg require /dev/null > -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > - > #configuring packages > dpkg --configure -a > apt-get update > -umount /dev > diff --git > a/meta/recipes-devtools/buildchroot/files/download_dev-random > b/meta/recipes-devtools/buildchroot/files/download_dev-random deleted > file mode 100644 index 5b5b96b..0000000 --- > a/meta/recipes-devtools/buildchroot/files/download_dev-random > +++ /dev/null @@ -1,13 +0,0 @@ > -#!/bin/sh > - > -set -e > - > -readonly ROOTFS="$1" > - > -mknod "${ROOTFS}/dev/random" c 1 8 > -chmod 640 "${ROOTFS}/dev/random" > -chown 0:0 "${ROOTFS}/dev/random" > - > -mknod "${ROOTFS}/dev/urandom" c 1 9 > -chmod 640 "${ROOTFS}/dev/urandom" > -chown 0:0 "${ROOTFS}/dev/urandom" ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 12:33 ` Henning Schild @ 2018-02-09 12:35 ` Jan Kiszka 2018-02-09 12:40 ` Henning Schild 0 siblings, 1 reply; 19+ messages in thread From: Jan Kiszka @ 2018-02-09 12:35 UTC (permalink / raw) To: [ext] Henning Schild, Alexander Smirnov; +Cc: isar-users On 2018-02-09 13:33, [ext] Henning Schild wrote: > Hi, > > this patch is causing problems when building in a docker container, > because sysfs can only be mounted ro. (Subject: current next bash in > buildchroot problem) > Now we could discuss whether we should relax the security of our > containers even more, or whether Isar should care about that use-case. > > But this patch actually does several things at a time, it changes the > way we mount and adds three new mounts. I would suggest to split it up > so we can discuss the issues with dev and sys while already merging the > rest. I think (didn't check if there was an update of next this morning) it works for me - in Docker. How are you starting the container? Jan > > Henning > > Am Tue, 6 Feb 2018 22:55:16 +0300 > schrieb Alexander Smirnov <asmirnov@ilbers.de>: > >> 8<-- >> >> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >> >> 8<-- >> >> Now each multiconfig has registered handler for BuildCompleted event >> (see class 'isar-event.bbclass'). Moreover, the '/proc/mounts' file >> contains all the active mounts. In addition, from event handler we >> could derive all the variables like ${TMPDIR}, ${DISTRO} etc. So it's >> possible to find all the active mounts for current multiconfig and >> clean them. >> >> NOTE: if build is interrupted by double ^C, some mount points could >> stay uncleaned. This is caused by remaining processes started by >> bitbake, for example: >> - 'chroot build.sh ...' >> - 'multistrap ...' >> >> So please be careful when interrupting build. 
>> >> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> >> --- >> meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ >> meta/classes/dpkg-base.bbclass | 12 ++++------- >> meta/classes/isar-events.bbclass | 15 >> +++++++++++--- meta/recipes-devtools/buildchroot/buildchroot.bb | >> 24 >> +++++++++------------- .../buildchroot/files/configscript.sh >> | 4 ---- .../buildchroot/files/download_dev-random | 13 >> ------------ 6 files changed, 30 insertions(+), 49 deletions(-) >> delete mode 100644 >> meta/recipes-devtools/buildchroot/files/download_dev-random >> >> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb >> b/meta-isar/recipes-core/images/isar-image-base.bb index >> e359ac3..8ddbabb 100644 --- >> a/meta-isar/recipes-core/images/isar-image-base.bb +++ >> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 +55,10 >> @@ do_rootfs() { -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ >> "${WORKDIR}/multistrap.conf.in" > >> "${WORKDIR}/multistrap.conf" >> + # Do not use bitbake flag [dirs] here because this folder should >> have >> + # specific ownership. >> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m >> 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none ${IMAGE_ROOTFS}/proc >> - _do_rootfs_cleanup() { >> - ret=$? >> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >> - (exit $ret) || bb_exit_handler >> - } >> - trap '_do_rootfs_cleanup' EXIT >> >> # Create root filesystem. We must use sudo -E here to preserve >> the environment # because of proxy settings >> @@ -72,5 +68,6 @@ do_rootfs() { >> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} >> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} >> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" >> - _do_rootfs_cleanup >> + >> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >> } >> diff --git a/meta/classes/dpkg-base.bbclass >> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 >> --- a/meta/classes/dpkg-base.bbclass 
>> +++ b/meta/classes/dpkg-base.bbclass >> @@ -20,15 +20,11 @@ dpkg_runbuild() { >> do_build() { >> mkdir -p ${BUILDROOT} >> sudo mount --bind ${WORKDIR} ${BUILDROOT} >> - _do_build_cleanup() { >> - ret=$? >> - sudo umount ${BUILDROOT} 2>/dev/null || true >> - sudo rmdir ${BUILDROOT} 2>/dev/null || true >> - (exit $ret) || bb_exit_handler >> - } >> - trap '_do_build_cleanup' EXIT >> + >> dpkg_runbuild >> - _do_build_cleanup >> + >> + sudo umount ${BUILDROOT} 2>/dev/null || true >> + sudo rmdir ${BUILDROOT} 2>/dev/null || true >> } >> >> # Install package to Isar-apt >> diff --git a/meta/classes/isar-events.bbclass >> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 >> --- a/meta/classes/isar-events.bbclass >> +++ b/meta/classes/isar-events.bbclass >> @@ -11,10 +11,19 @@ python isar_handler () { >> devnull = open(os.devnull, 'w') >> >> if isinstance(e, bb.event.BuildCompleted): >> - bchroot = d.getVar('BUILDCHROOT_DIR', True) >> + tmpdir = d.getVar('TMPDIR', True) >> + distro = d.getVar('DISTRO', True) >> + arch = d.getVar('DISTRO_ARCH', True) >> >> - # Clean up buildchroot >> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + >> '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, shell=True) >> + w = tmpdir + '/work/' + distro + '-' + arch >> + >> + # '/proc/mounts' contains all the active mounts, so knowing >> 'w' we >> + # could get the list of mounts for the specific multiconfig >> and >> + # clean them. >> + with open('/proc/mounts', 'rU') as f: >> + for line in f: >> + if w in line: >> + subprocess.call('sudo umount -f ' + >> line.split()[1], stdout=devnull, stderr=devnull, shell=True) >> devnull.close() >> } >> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb >> b/meta/recipes-devtools/buildchroot/buildchroot.bb index >> 304c67e..df9df19 100644 --- >> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ >> b/meta/recipes-devtools/buildchroot/buildchroot.bb 
@@ -12,7 +12,6 @@ >> FILESPATH =. "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" >> SRC_URI = "file://multistrap.conf.in \ file://configscript.sh \ >> file://setup.sh \ >> - file://download_dev-random \ >> file://build.sh" >> PV = "1.0" >> >> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ >> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >> >> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" >> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ >> - ${BUILDCHROOT_DIR}/isar-apt" >> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ >> + ${BUILDCHROOT_DIR}/dev \ >> + ${BUILDCHROOT_DIR}/proc \ >> + ${BUILDCHROOT_DIR}/sys" >> do_build[depends] = "isar-apt:do_cache_config" >> >> do_build() { >> @@ -41,7 +42,6 @@ do_build() { >> >> chmod +x "${WORKDIR}/setup.sh" >> chmod +x "${WORKDIR}/configscript.sh" >> - install -m 755 "${WORKDIR}/download_dev-random" >> "${WORKDIR}/hooks_multistrap/" >> # Multistrap accepts only relative path in configuration files, >> so get it: cd ${TOPDIR} >> @@ -60,15 +60,6 @@ do_build() { >> -e 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ >> "${WORKDIR}/multistrap.conf.in" > >> "${WORKDIR}/multistrap.conf" >> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 >> ${BUILDCHROOT_DIR}/proc >> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >> - _do_build_cleanup() { >> - ret=$? >> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >> - (exit $ret) || bb_exit_handler >> - } >> - trap '_do_build_cleanup' EXIT >> - >> do_setup_mounts >> >> # Create root filesystem >> @@ -79,7 +70,6 @@ do_build() { >> >> # Configure root filesystem >> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh >> - _do_build_cleanup >> >> do_cleanup_mounts >> } 
>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = >> "${DISTRO}-${DISTRO_ARCH}" >> do_setup_mounts() { >> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} >> ${BUILDCHROOT_DIR}/isar-apt >> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev >> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys >> } >> >> addtask setup_mounts after do_build >> >> do_cleanup_mounts() { >> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true >> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true >> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true >> } >> diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh >> b/meta/recipes-devtools/buildchroot/files/configscript.sh index >> 9813c9a..524e50c 100644 --- >> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ >> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ -39,10 >> +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre installation >> script /var/lib/dpkg/info/dash.preinst install >> >> -# apt-get http method, gpg require /dev/null >> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev >> - >> #configuring packages >> dpkg --configure -a >> apt-get update >> -umount /dev >> diff --git >> a/meta/recipes-devtools/buildchroot/files/download_dev-random >> b/meta/recipes-devtools/buildchroot/files/download_dev-random deleted >> file mode 100644 index 5b5b96b..0000000 --- >> a/meta/recipes-devtools/buildchroot/files/download_dev-random >> +++ /dev/null @@ -1,13 +0,0 @@ >> -#!/bin/sh >> - >> -set -e >> - >> -readonly ROOTFS="$1" >> - >> -mknod "${ROOTFS}/dev/random" c 1 8 >> -chmod 640 "${ROOTFS}/dev/random" >> -chown 0:0 "${ROOTFS}/dev/random" >> - >> -mknod "${ROOTFS}/dev/urandom" c 1 9 >> -chmod 640 "${ROOTFS}/dev/urandom" >> -chown 0:0 "${ROOTFS}/dev/urandom" > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 12:35 ` Jan Kiszka @ 2018-02-09 12:40 ` Henning Schild 2018-02-09 12:41 ` Jan Kiszka 0 siblings, 1 reply; 19+ messages in thread 
From: Henning Schild @ 2018-02-09 12:40 UTC (permalink / raw) To: Jan Kiszka; +Cc: Alexander Smirnov, isar-users Am Fri, 9 Feb 2018 13:35:15 +0100 schrieb Jan Kiszka <jan.kiszka@siemens.com>: > On 2018-02-09 13:33, [ext] Henning Schild wrote: > > Hi, > > > > this patch is causing problems when building in a docker container, > > because sysfs can only be mounted ro. (Subject: current next bash in > > buildchroot problem) > > Now we could discuss whether we should relax the security of our > > containers even more, or whether Isar should care about that > > use-case. > > > > But this patch actually does several things at a time, it changes > > the way we mount and adds three new mounts. I would suggest to > > split it up so we can discuss the issues with dev and sys while > > already merging the rest. > > I think (didn't check if there was an update of next this morning) it > works for me - in Docker. How are you starting the container? docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount -t sysfs ..." will be ro. Maybe i could add a "-o rw" to the mount but for now i just reverted the two patches that deal with mounting. Might also be a difference in our host systems. Henning > Jan > > > > > Henning > > > > Am Tue, 6 Feb 2018 22:55:16 +0300 > > schrieb Alexander Smirnov <asmirnov@ilbers.de>: > > > >> 8<-- > >> > >> That's it! Branch 'asmirnov/devel', please test and enjoy :-) > >> > >> 8<-- > >> > >> Now each multiconfig has registered handler for BuildCompleted > >> event (see class 'isar-event.bbclass'). Moreover, the > >> '/proc/mounts' file contains all the active mounts. In addition, > >> from event handler we could derive all the variables like > >> ${TMPDIR}, ${DISTRO} etc. So it's possible to find all the active > >> mounts for current multiconfig and clean them. 
> >> > >> NOTE: if build is interrupted by double ^C, some mount points could > >> stay uncleaned. This is caused by remaining processes started by > >> bitbake, for example: > >> - 'chroot build.sh ...' > >> - 'multistrap ...' > >> > >> So please be careful when interrupting build. > >> > >> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > >> --- > >> meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ > >> meta/classes/dpkg-base.bbclass | 12 > >> ++++------- meta/classes/isar-events.bbclass | 15 > >> +++++++++++--- meta/recipes-devtools/buildchroot/buildchroot.bb | > >> 24 > >> +++++++++------------- .../buildchroot/files/configscript.sh > >> | 4 ---- .../buildchroot/files/download_dev-random | 13 > >> ------------ 6 files changed, 30 insertions(+), 49 deletions(-) > >> delete mode 100644 > >> meta/recipes-devtools/buildchroot/files/download_dev-random > >> > >> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb > >> b/meta-isar/recipes-core/images/isar-image-base.bb index > >> e359ac3..8ddbabb 100644 --- > >> a/meta-isar/recipes-core/images/isar-image-base.bb +++ > >> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 +55,10 > >> @@ do_rootfs() { -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > >> "${WORKDIR}/multistrap.conf.in" > > >> "${WORKDIR}/multistrap.conf" > >> + # Do not use bitbake flag [dirs] here because this folder > >> should have > >> + # specific ownership. > >> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m > >> 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none > >> ${IMAGE_ROOTFS}/proc > >> - _do_rootfs_cleanup() { > >> - ret=$? > >> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > >> - (exit $ret) || bb_exit_handler > >> - } > >> - trap '_do_rootfs_cleanup' EXIT > >> > >> # Create root filesystem. We must use sudo -E here to preserve > >> the environment # because of proxy settings 
> >> @@ -72,5 +68,6 @@ do_rootfs() { > >> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} > >> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} > >> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > >> - _do_rootfs_cleanup > >> + > >> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > >> } > >> diff --git a/meta/classes/dpkg-base.bbclass > >> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 > >> --- a/meta/classes/dpkg-base.bbclass > >> +++ b/meta/classes/dpkg-base.bbclass > >> @@ -20,15 +20,11 @@ dpkg_runbuild() { > >> do_build() { > >> mkdir -p ${BUILDROOT} > >> sudo mount --bind ${WORKDIR} ${BUILDROOT} > >> - _do_build_cleanup() { > >> - ret=$? > >> - sudo umount ${BUILDROOT} 2>/dev/null || true > >> - sudo rmdir ${BUILDROOT} 2>/dev/null || true > >> - (exit $ret) || bb_exit_handler > >> - } > >> - trap '_do_build_cleanup' EXIT > >> + > >> dpkg_runbuild > >> - _do_build_cleanup > >> + > >> + sudo umount ${BUILDROOT} 2>/dev/null || true > >> + sudo rmdir ${BUILDROOT} 2>/dev/null || true > >> } > >> > >> # Install package to Isar-apt > >> diff --git a/meta/classes/isar-events.bbclass > >> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 > >> --- a/meta/classes/isar-events.bbclass > >> +++ b/meta/classes/isar-events.bbclass 
> >> @@ -11,10 +11,19 @@ python isar_handler () { > >> devnull = open(os.devnull, 'w') > >> > >> if isinstance(e, bb.event.BuildCompleted): > >> - bchroot = d.getVar('BUILDCHROOT_DIR', True) > >> + tmpdir = d.getVar('TMPDIR', True) > >> + distro = d.getVar('DISTRO', True) > >> + arch = d.getVar('DISTRO_ARCH', True) > >> > >> - # Clean up buildchroot > >> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + > >> '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, > >> shell=True) > >> + w = tmpdir + '/work/' + distro + '-' + arch > >> + > >> + # '/proc/mounts' contains all the active mounts, so > >> knowing 'w' we > >> + # could get the list of mounts for the specific > >> multiconfig and > >> + # clean them. > >> + with open('/proc/mounts', 'rU') as f: > >> + for line in f: > >> + if w in line: > >> + subprocess.call('sudo umount -f ' + > >> line.split()[1], stdout=devnull, stderr=devnull, shell=True) > >> devnull.close() > >> } > >> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb > >> b/meta/recipes-devtools/buildchroot/buildchroot.bb index > >> 304c67e..df9df19 100644 --- > >> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ > >> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 +12,6 > >> @@ FILESPATH =. > >> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" SRC_URI = > >> "file://multistrap.conf.in \ file://configscript.sh \ > >> file://setup.sh \ > >> - file://download_dev-random \ > >> file://build.sh" > >> PV = "1.0" 
> >> > >> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > >> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > >> > >> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > >> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > >> - ${BUILDCHROOT_DIR}/isar-apt" > >> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > >> + ${BUILDCHROOT_DIR}/dev \ > >> + ${BUILDCHROOT_DIR}/proc \ > >> + ${BUILDCHROOT_DIR}/sys" > >> do_build[depends] = "isar-apt:do_cache_config" > >> > >> do_build() { > >> @@ -41,7 +42,6 @@ do_build() { > >> > >> chmod +x "${WORKDIR}/setup.sh" > >> chmod +x "${WORKDIR}/configscript.sh" > >> - install -m 755 "${WORKDIR}/download_dev-random" > >> "${WORKDIR}/hooks_multistrap/" > >> # Multistrap accepts only relative path in configuration > >> files, so get it: cd ${TOPDIR} > >> @@ -60,15 +60,6 @@ do_build() { > >> -e > >> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > >> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > >> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 > >> ${BUILDCHROOT_DIR}/proc > >> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > >> - _do_build_cleanup() { > >> - ret=$? > >> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > >> - (exit $ret) || bb_exit_handler > >> - } > >> - trap '_do_build_cleanup' EXIT > >> - > >> do_setup_mounts > >> > >> # Create root filesystem > >> @@ -79,7 +70,6 @@ do_build() { > >> > >> # Configure root filesystem > >> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > >> - _do_build_cleanup > >> > >> do_cleanup_mounts > >> } 
> >> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = > >> "${DISTRO}-${DISTRO_ARCH}" > >> do_setup_mounts() { > >> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} > >> ${BUILDCHROOT_DIR}/isar-apt > >> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev > >> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > >> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > >> } > >> > >> addtask setup_mounts after do_build > >> > >> do_cleanup_mounts() { > >> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true > >> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > >> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > >> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > >> } > >> diff --git > >> a/meta/recipes-devtools/buildchroot/files/configscript.sh > >> b/meta/recipes-devtools/buildchroot/files/configscript.sh index > >> 9813c9a..524e50c 100644 --- > >> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ > >> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ > >> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre > >> installation script /var/lib/dpkg/info/dash.preinst install > >> -# apt-get http method, gpg require /dev/null > >> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > >> - > >> #configuring packages > >> dpkg --configure -a > >> apt-get update > >> -umount /dev > >> diff --git > >> a/meta/recipes-devtools/buildchroot/files/download_dev-random > >> b/meta/recipes-devtools/buildchroot/files/download_dev-random > >> deleted file mode 100644 index 5b5b96b..0000000 --- > >> a/meta/recipes-devtools/buildchroot/files/download_dev-random > >> +++ /dev/null 
@@ -1,13 +0,0 @@ > >> -#!/bin/sh > >> - > >> -set -e > >> - > >> -readonly ROOTFS="$1" > >> - > >> -mknod "${ROOTFS}/dev/random" c 1 8 > >> -chmod 640 "${ROOTFS}/dev/random" > >> -chown 0:0 "${ROOTFS}/dev/random" > >> - > >> -mknod "${ROOTFS}/dev/urandom" c 1 9 > >> -chmod 640 "${ROOTFS}/dev/urandom" > >> -chown 0:0 "${ROOTFS}/dev/urandom" > > > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 12:40 ` Henning Schild @ 2018-02-09 12:41 ` Jan Kiszka 2018-02-09 13:08 ` Alexander Smirnov 2018-02-09 13:14 ` Henning Schild 0 siblings, 2 replies; 19+ messages in thread 
From: Jan Kiszka @ 2018-02-09 12:41 UTC (permalink / raw) To: Henning Schild; +Cc: Alexander Smirnov, isar-users On 2018-02-09 13:40, Henning Schild wrote: > Am Fri, 9 Feb 2018 13:35:15 +0100 > schrieb Jan Kiszka <jan.kiszka@siemens.com>: > >> On 2018-02-09 13:33, [ext] Henning Schild wrote: >>> Hi, >>> >>> this patch is causing problems when building in a docker container, >>> because sysfs can only be mounted ro. (Subject: current next bash in >>> buildchroot problem) >>> Now we could discuss whether we should relax the security of our >>> containers even more, or whether Isar should care about that >>> use-case. >>> >>> But this patch actually does several things at a time, it changes >>> the way we mount and adds three new mounts. I would suggest to >>> split it up so we can discuss the issues with dev and sys while >>> already merging the rest. >> >> I think (didn't check if there was an update of next this morning) it >> works for me - in Docker. How are you starting the container? > > docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN > --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... > Try adding --privileged - that's needed for binfmt anyway. Jan > inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount -t > sysfs ..." will be ro. Maybe i could add a "-o rw" to the mount but for > now i just reverted the two patches that deal with mounting. > > Might also be a difference in our host systems. > > Henning > >> Jan >> >>> >>> Henning >>> >>> Am Tue, 6 Feb 2018 22:55:16 +0300 >>> schrieb Alexander Smirnov <asmirnov@ilbers.de>: >>> >>>> 8<-- >>>> >>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >>>> >>>> 8<-- >>>> >>>> Now each multiconfig has registered handler for BuildCompleted >>>> event (see class 'isar-event.bbclass'). Moreover, the >>>> '/proc/mounts' file contains all the active mounts. In addition, >>>> from event handler we could derive all the variables like >>>> ${TMPDIR}, ${DISTRO} etc. 
So it's possible to find all the active >>>> mounts for current multiconfig and clean them. >>>> >>>> NOTE: if build is interrupted by double ^C, some mount points could >>>> stay uncleaned. This is caused by remaining processes started by >>>> bitbake, for example: >>>> - 'chroot build.sh ...' >>>> - 'multistrap ...' >>>> >>>> So please be careful when interrupting build. >>>> >>>> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> >>>> --- >>>> meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ >>>> meta/classes/dpkg-base.bbclass | 12 >>>> ++++------- meta/classes/isar-events.bbclass | 15 >>>> +++++++++++--- meta/recipes-devtools/buildchroot/buildchroot.bb | >>>> 24 >>>> +++++++++------------- .../buildchroot/files/configscript.sh >>>> | 4 ---- .../buildchroot/files/download_dev-random | 13 >>>> ------------ 6 files changed, 30 insertions(+), 49 deletions(-) >>>> delete mode 100644 >>>> meta/recipes-devtools/buildchroot/files/download_dev-random >>>> >>>> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb >>>> b/meta-isar/recipes-core/images/isar-image-base.bb index >>>> e359ac3..8ddbabb 100644 --- >>>> a/meta-isar/recipes-core/images/isar-image-base.bb +++ >>>> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 +55,10 >>>> @@ do_rootfs() { -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ >>>> "${WORKDIR}/multistrap.conf.in" > >>>> "${WORKDIR}/multistrap.conf" >>>> + # Do not use bitbake flag [dirs] here because this folder >>>> should have >>>> + # specific ownership. >>>> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m >>>> 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none >>>> ${IMAGE_ROOTFS}/proc >>>> - _do_rootfs_cleanup() { >>>> - ret=$? >>>> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >>>> - (exit $ret) || bb_exit_handler >>>> - } >>>> - trap '_do_rootfs_cleanup' EXIT >>>> >>>> # Create root filesystem. We must use sudo -E here to preserve >>>> the environment # because of proxy settings 
>>>> @@ -72,5 +68,6 @@ do_rootfs() { >>>> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} >>>> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} >>>> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" >>>> - _do_rootfs_cleanup >>>> + >>>> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >>>> } >>>> diff --git a/meta/classes/dpkg-base.bbclass >>>> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 >>>> --- a/meta/classes/dpkg-base.bbclass >>>> +++ b/meta/classes/dpkg-base.bbclass >>>> @@ -20,15 +20,11 @@ dpkg_runbuild() { >>>> do_build() { >>>> mkdir -p ${BUILDROOT} >>>> sudo mount --bind ${WORKDIR} ${BUILDROOT} >>>> - _do_build_cleanup() { >>>> - ret=$? >>>> - sudo umount ${BUILDROOT} 2>/dev/null || true >>>> - sudo rmdir ${BUILDROOT} 2>/dev/null || true >>>> - (exit $ret) || bb_exit_handler >>>> - } >>>> - trap '_do_build_cleanup' EXIT >>>> + >>>> dpkg_runbuild >>>> - _do_build_cleanup >>>> + >>>> + sudo umount ${BUILDROOT} 2>/dev/null || true >>>> + sudo rmdir ${BUILDROOT} 2>/dev/null || true >>>> } >>>> >>>> # Install package to Isar-apt >>>> diff --git a/meta/classes/isar-events.bbclass >>>> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 >>>> --- a/meta/classes/isar-events.bbclass >>>> +++ b/meta/classes/isar-events.bbclass 
>>>> @@ -11,10 +11,19 @@ python isar_handler () { >>>> devnull = open(os.devnull, 'w') >>>> >>>> if isinstance(e, bb.event.BuildCompleted): >>>> - bchroot = d.getVar('BUILDCHROOT_DIR', True) >>>> + tmpdir = d.getVar('TMPDIR', True) >>>> + distro = d.getVar('DISTRO', True) >>>> + arch = d.getVar('DISTRO_ARCH', True) >>>> >>>> - # Clean up buildchroot >>>> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + >>>> '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, >>>> shell=True) >>>> + w = tmpdir + '/work/' + distro + '-' + arch >>>> + >>>> + # '/proc/mounts' contains all the active mounts, so >>>> knowing 'w' we >>>> + # could get the list of mounts for the specific >>>> multiconfig and >>>> + # clean them. >>>> + with open('/proc/mounts', 'rU') as f: >>>> + for line in f: >>>> + if w in line: >>>> + subprocess.call('sudo umount -f ' + >>>> line.split()[1], stdout=devnull, stderr=devnull, shell=True) >>>> devnull.close() >>>> } >>>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb >>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb index >>>> 304c67e..df9df19 100644 --- >>>> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ >>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 +12,6 >>>> @@ FILESPATH =. >>>> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" SRC_URI = >>>> "file://multistrap.conf.in \ file://configscript.sh \ >>>> file://setup.sh \ >>>> - file://download_dev-random \ >>>> file://build.sh" >>>> PV = "1.0" 
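Review bot: The unmount loop in the new `isar_handler` body walks `/proc/mounts` in listing order, which is mount order, so a mount point nested under another one in the same work tree is attempted after its parent and the parent's umount fails as busy; iterating the list in reverse fixes that. The test `if w in line:` matches the whole line including the source column, so a bind mount whose source lies under `w` but whose target does not (the `--bind ${WORKDIR} ${BUILDROOT}` in dpkg-base.bbclass looks like such a case, depending on where BUILDROOT lives) would be unmounted too; comparing the target field against `w` is the intended check. Building the command as a string for `shell=True` is fragile for paths (`/proc/mounts` octal-escapes spaces as `\040`), an argument list without a shell is the safer form, and `'rU'` is a legacy mode. `isar_handler` starts before this hunk.
```python
        # … unchanged: tmpdir/distro/arch lookup …
        w = tmpdir + '/work/' + distro + '-' + arch

        with open('/proc/mounts') as f:
            # field 1 is the mount point; spaces are octal-escaped there
            targets = [line.split()[1].replace('\\040', ' ') for line in f]

        # /proc/mounts lists in mount order: unmount the innermost (last) first
        for mnt in reversed(targets):
            if mnt == w or mnt.startswith(w + '/'):
                subprocess.call(['sudo', 'umount', '-f', mnt],
                                stdout=devnull, stderr=devnull)
        # … unchanged: devnull.close() …
```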
>>>> >>>> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ >>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >>>> >>>> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" >>>> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ >>>> - ${BUILDCHROOT_DIR}/isar-apt" >>>> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ >>>> + ${BUILDCHROOT_DIR}/dev \ >>>> + ${BUILDCHROOT_DIR}/proc \ >>>> + ${BUILDCHROOT_DIR}/sys" >>>> do_build[depends] = "isar-apt:do_cache_config" >>>> >>>> do_build() { >>>> @@ -41,7 +42,6 @@ do_build() { >>>> >>>> chmod +x "${WORKDIR}/setup.sh" >>>> chmod +x "${WORKDIR}/configscript.sh" >>>> - install -m 755 "${WORKDIR}/download_dev-random" >>>> "${WORKDIR}/hooks_multistrap/" >>>> # Multistrap accepts only relative path in configuration >>>> files, so get it: cd ${TOPDIR} >>>> @@ -60,15 +60,6 @@ do_build() { >>>> -e >>>> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ >>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" >>>> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 >>>> ${BUILDCHROOT_DIR}/proc >>>> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >>>> - _do_build_cleanup() { >>>> - ret=$? >>>> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >>>> - (exit $ret) || bb_exit_handler >>>> - } >>>> - trap '_do_build_cleanup' EXIT >>>> - >>>> do_setup_mounts >>>> >>>> # Create root filesystem >>>> @@ -79,7 +70,6 @@ do_build() { >>>> >>>> # Configure root filesystem >>>> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh >>>> - _do_build_cleanup >>>> >>>> do_cleanup_mounts >>>> } 
>>>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = >>>> "${DISTRO}-${DISTRO_ARCH}" >>>> do_setup_mounts() { >>>> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} >>>> ${BUILDCHROOT_DIR}/isar-apt >>>> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev >>>> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >>>> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys >>>> } >>>> >>>> addtask setup_mounts after do_build >>>> >>>> do_cleanup_mounts() { >>>> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true >>>> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true >>>> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >>>> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true >>>> } >>>> diff --git >>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh >>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh index >>>> 9813c9a..524e50c 100644 --- >>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ >>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ >>>> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre >>>> installation script /var/lib/dpkg/info/dash.preinst install >>>> -# apt-get http method, gpg require /dev/null >>>> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev >>>> - >>>> #configuring packages >>>> dpkg --configure -a >>>> apt-get update >>>> -umount /dev >>>> diff --git >>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random >>>> b/meta/recipes-devtools/buildchroot/files/download_dev-random >>>> deleted file mode 100644 index 5b5b96b..0000000 --- >>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random >>>> +++ /dev/null 
@@ -1,13 +0,0 @@ >>>> -#!/bin/sh >>>> - >>>> -set -e >>>> - >>>> -readonly ROOTFS="$1" >>>> - >>>> -mknod "${ROOTFS}/dev/random" c 1 8 >>>> -chmod 640 "${ROOTFS}/dev/random" >>>> -chown 0:0 "${ROOTFS}/dev/random" >>>> - >>>> -mknod "${ROOTFS}/dev/urandom" c 1 9 >>>> -chmod 640 "${ROOTFS}/dev/urandom" >>>> -chown 0:0 "${ROOTFS}/dev/urandom" >>> >> > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 12:41 ` Jan Kiszka @ 2018-02-09 13:08 ` Alexander Smirnov 2018-02-09 13:14 ` Jan Kiszka 2018-02-09 13:19 ` Henning Schild 2018-02-09 13:14 ` Henning Schild 1 sibling, 2 replies; 19+ messages in thread 
From: Alexander Smirnov @ 2018-02-09 13:08 UTC (permalink / raw) To: Jan Kiszka, Henning Schild; +Cc: isar-users On 02/09/2018 03:41 PM, Jan Kiszka wrote: > On 2018-02-09 13:40, Henning Schild wrote: >> Am Fri, 9 Feb 2018 13:35:15 +0100 >> schrieb Jan Kiszka <jan.kiszka@siemens.com>: >> >>> On 2018-02-09 13:33, [ext] Henning Schild wrote: >>>> Hi, >>>> >>>> this patch is causing problems when building in a docker container, >>>> because sysfs can only be mounted ro. (Subject: current next bash in >>>> buildchroot problem) >>>> Now we could discuss whether we should relax the security of our >>>> containers even more, or whether Isar should care about that >>>> use-case. >>>> >>>> But this patch actually does several things at a time, it changes >>>> the way we mount and adds three new mounts. I would suggest to Actually not. It adds the only one new mount for sysfs. /proc was mounted inside do_build, /dev was mounted inside configscript.sh, so this is a kind of consolidation of these calls in one place. I have no case for sysfs, so probably we could drop it for now. Please let me know ASAP because I'm going to release v0.4. >>>> split it up so we can discuss the issues with dev and sys while >>>> already merging the rest. There is no official Docker support in Isar, so until there will be a document which specifies the container configuration, it really would be inefficient to block contributions. We can't support everything everywhere. >>> >>> I think (didn't check if there was an update of next this morning) it >>> works for me - in Docker. How are you starting the container? >> >> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN >> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... >> Do you have instructions how to build Isar in container, so at least I could be able to reproduce the issue? Alex > Try adding --privileged - that's needed for binfmt anyway. 
> > Jan > >> inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount -t >> sysfs ..." will be ro. Maybe i could add a "-o rw" to the mount but for >> now i just reverted the two patches that deal with mounting. >> >> Might also be a difference in our host systems. >> >> Henning >> >>> Jan >>> >>>> >>>> Henning >>>> >>>> Am Tue, 6 Feb 2018 22:55:16 +0300 >>>> schrieb Alexander Smirnov <asmirnov@ilbers.de>: >>>> >>>>> 8<-- >>>>> >>>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >>>>> >>>>> 8<-- >>>>> >>>>> Now each multiconfig has registered handler for BuildCompleted >>>>> event (see class 'isar-event.bbclass'). Moreover, the >>>>> '/proc/mounts' file contains all the active mounts. In addition, >>>>> from event handler we could derive all the variables like >>>>> ${TMPDIR}, ${DISTRO} etc. So it's possible to find all the active >>>>> mounts for current multiconfig and clean them. >>>>> >>>>> NOTE: if build is interrupted by double ^C, some mount points could >>>>> stay uncleaned. This is caused by remaining processes started by >>>>> bitbake, for example: >>>>> - 'chroot build.sh ...' >>>>> - 'multistrap ...' >>>>> >>>>> So please be careful when interrupting build. >>>>> >>>>> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> >>>>> --- >>>>> meta-isar/recipes-core/images/isar-image-base.bb | 11 ++++------ >>>>> meta/classes/dpkg-base.bbclass | 12 >>>>> ++++------- meta/classes/isar-events.bbclass | 15 >>>>> +++++++++++--- meta/recipes-devtools/buildchroot/buildchroot.bb | >>>>> 24 >>>>> +++++++++------------- .../buildchroot/files/configscript.sh >>>>> | 4 ---- .../buildchroot/files/download_dev-random | 13 >>>>> ------------ 6 files changed, 30 insertions(+), 49 deletions(-) >>>>> delete mode 100644 >>>>> meta/recipes-devtools/buildchroot/files/download_dev-random 
>>>>> >>>>> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb >>>>> b/meta-isar/recipes-core/images/isar-image-base.bb index >>>>> e359ac3..8ddbabb 100644 --- >>>>> a/meta-isar/recipes-core/images/isar-image-base.bb +++ >>>>> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 +55,10 >>>>> @@ do_rootfs() { -e 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ >>>>> "${WORKDIR}/multistrap.conf.in" > >>>>> "${WORKDIR}/multistrap.conf" >>>>> + # Do not use bitbake flag [dirs] here because this folder >>>>> should have >>>>> + # specific ownership. >>>>> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 -m >>>>> 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none >>>>> ${IMAGE_ROOTFS}/proc >>>>> - _do_rootfs_cleanup() { >>>>> - ret=$? >>>>> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >>>>> - (exit $ret) || bb_exit_handler >>>>> - } >>>>> - trap '_do_rootfs_cleanup' EXIT >>>>> >>>>> # Create root filesystem. We must use sudo -E here to preserve >>>>> the environment # because of proxy settings >>>>> @@ -72,5 +68,6 @@ do_rootfs() { >>>>> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} >>>>> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} >>>>> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" >>>>> - _do_rootfs_cleanup >>>>> + >>>>> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >>>>> } >>>>> diff --git a/meta/classes/dpkg-base.bbclass >>>>> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 >>>>> --- a/meta/classes/dpkg-base.bbclass >>>>> +++ b/meta/classes/dpkg-base.bbclass 
>>>>> @@ -20,15 +20,11 @@ dpkg_runbuild() { >>>>> do_build() { >>>>> mkdir -p ${BUILDROOT} >>>>> sudo mount --bind ${WORKDIR} ${BUILDROOT} >>>>> - _do_build_cleanup() { >>>>> - ret=$? >>>>> - sudo umount ${BUILDROOT} 2>/dev/null || true >>>>> - sudo rmdir ${BUILDROOT} 2>/dev/null || true >>>>> - (exit $ret) || bb_exit_handler >>>>> - } >>>>> - trap '_do_build_cleanup' EXIT >>>>> + >>>>> dpkg_runbuild >>>>> - _do_build_cleanup >>>>> + >>>>> + sudo umount ${BUILDROOT} 2>/dev/null || true >>>>> + sudo rmdir ${BUILDROOT} 2>/dev/null || true >>>>> } >>>>> >>>>> # Install package to Isar-apt >>>>> diff --git a/meta/classes/isar-events.bbclass >>>>> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 >>>>> --- a/meta/classes/isar-events.bbclass >>>>> +++ b/meta/classes/isar-events.bbclass >>>>> @@ -11,10 +11,19 @@ python isar_handler () { >>>>> devnull = open(os.devnull, 'w') >>>>> >>>>> if isinstance(e, bb.event.BuildCompleted): >>>>> - bchroot = d.getVar('BUILDCHROOT_DIR', True) >>>>> + tmpdir = d.getVar('TMPDIR', True) >>>>> + distro = d.getVar('DISTRO', True) >>>>> + arch = d.getVar('DISTRO_ARCH', True) >>>>> >>>>> - # Clean up buildchroot >>>>> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + >>>>> '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, >>>>> shell=True) >>>>> + w = tmpdir + '/work/' + distro + '-' + arch >>>>> + >>>>> + # '/proc/mounts' contains all the active mounts, so >>>>> knowing 'w' we >>>>> + # could get the list of mounts for the specific >>>>> multiconfig and >>>>> + # clean them. >>>>> + with open('/proc/mounts', 'rU') as f: >>>>> + for line in f: >>>>> + if w in line: >>>>> + subprocess.call('sudo umount -f ' + >>>>> line.split()[1], stdout=devnull, stderr=devnull, shell=True) >>>>> devnull.close() >>>>> } 
>>>>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb >>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb index >>>>> 304c67e..df9df19 100644 --- >>>>> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ >>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 +12,6 >>>>> @@ FILESPATH =. >>>>> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" SRC_URI = >>>>> "file://multistrap.conf.in \ file://configscript.sh \ >>>>> file://setup.sh \ >>>>> - file://download_dev-random \ >>>>> file://build.sh" >>>>> PV = "1.0" >>>>> >>>>> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ >>>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >>>>> >>>>> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" >>>>> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ >>>>> - ${BUILDCHROOT_DIR}/isar-apt" >>>>> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ >>>>> + ${BUILDCHROOT_DIR}/dev \ >>>>> + ${BUILDCHROOT_DIR}/proc \ >>>>> + ${BUILDCHROOT_DIR}/sys" >>>>> do_build[depends] = "isar-apt:do_cache_config" >>>>> >>>>> do_build() { >>>>> @@ -41,7 +42,6 @@ do_build() { >>>>> >>>>> chmod +x "${WORKDIR}/setup.sh" >>>>> chmod +x "${WORKDIR}/configscript.sh" >>>>> - install -m 755 "${WORKDIR}/download_dev-random" >>>>> "${WORKDIR}/hooks_multistrap/" >>>>> # Multistrap accepts only relative path in configuration >>>>> files, so get it: cd ${TOPDIR} >>>>> @@ -60,15 +60,6 @@ do_build() { >>>>> -e >>>>> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ >>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" >>>>> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 >>>>> ${BUILDCHROOT_DIR}/proc >>>>> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >>>>> - _do_build_cleanup() { >>>>> - ret=$? >>>>> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >>>>> - (exit $ret) || bb_exit_handler >>>>> - } >>>>> - trap '_do_build_cleanup' EXIT >>>>> - >>>>> do_setup_mounts >>>>> >>>>> # Create root filesystem 
>>>>> @@ -79,7 +70,6 @@ do_build() { >>>>> >>>>> # Configure root filesystem >>>>> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh >>>>> - _do_build_cleanup >>>>> >>>>> do_cleanup_mounts >>>>> } >>>>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = >>>>> "${DISTRO}-${DISTRO_ARCH}" >>>>> do_setup_mounts() { >>>>> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} >>>>> ${BUILDCHROOT_DIR}/isar-apt >>>>> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev >>>>> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >>>>> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys >>>>> } >>>>> >>>>> addtask setup_mounts after do_build >>>>> >>>>> do_cleanup_mounts() { >>>>> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true >>>>> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true >>>>> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >>>>> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true >>>>> } >>>>> diff --git >>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh >>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh index >>>>> 9813c9a..524e50c 100644 --- >>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ >>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ >>>>> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre >>>>> installation script /var/lib/dpkg/info/dash.preinst install >>>>> -# apt-get http method, gpg require /dev/null >>>>> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev >>>>> - >>>>> #configuring packages >>>>> dpkg --configure -a >>>>> apt-get update >>>>> -umount /dev >>>>> diff --git >>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random >>>>> b/meta/recipes-devtools/buildchroot/files/download_dev-random >>>>> deleted file mode 100644 index 5b5b96b..0000000 --- >>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random >>>>> +++ /dev/null 
@@ -1,13 +0,0 @@ >>>>> -#!/bin/sh >>>>> - >>>>> -set -e >>>>> - >>>>> -readonly ROOTFS="$1" >>>>> - >>>>> -mknod "${ROOTFS}/dev/random" c 1 8 >>>>> -chmod 640 "${ROOTFS}/dev/random" >>>>> -chown 0:0 "${ROOTFS}/dev/random" >>>>> - >>>>> -mknod "${ROOTFS}/dev/urandom" c 1 9 >>>>> -chmod 640 "${ROOTFS}/dev/urandom" >>>>> -chown 0:0 "${ROOTFS}/dev/urandom" >>>> >>> >> > -- With best regards, Alexander Smirnov ilbers GmbH Baierbrunner Str. 28c D-81379 Munich +49 (89) 122 67 24-0 http://ilbers.de/ Commercial register Munich, HRB 214197 General manager: Baurzhan Ismagulov ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 13:08 ` Alexander Smirnov @ 2018-02-09 13:14 ` Jan Kiszka 2018-02-09 13:39 ` Alexander Smirnov 2018-02-09 13:19 ` Henning Schild 1 sibling, 1 reply; 19+ messages in thread From: Jan Kiszka @ 2018-02-09 13:14 UTC (permalink / raw) To: Alexander Smirnov, Henning Schild; +Cc: isar-users On 2018-02-09 14:08, Alexander Smirnov wrote: > On 02/09/2018 03:41 PM, Jan Kiszka wrote: >> On 2018-02-09 13:40, Henning Schild wrote: >>> Am Fri, 9 Feb 2018 13:35:15 +0100 >>> schrieb Jan Kiszka <jan.kiszka@siemens.com>: >>> >>>> On 2018-02-09 13:33, [ext] Henning Schild wrote: >>>>> Hi, >>>>> >>>>> this patch is causing problems when building in a docker container, >>>>> because sysfs can only be mounted ro. (Subject: current next bash in >>>>> buildchroot problem) >>>>> Now we could discuss whether we should relax the security of our >>>>> containers even more, or whether Isar should care about that >>>>> use-case. >>>>> >>>>> But this patch actually does several things at a time, it changes >>>>> >>>> the way we mount and adds three new mounts. I would suggest to > > Actually not. It adds the only one new mount for sysfs. /proc was > mounted inside do_build, /dev was mounted inside configscript.sh, so > this is a kind of consolidation of these calls in one place. > > I have no case for sysfs, so probably we could drop it for now. Please > let me know ASAP because I'm going to release v0.4. > >>>>> split it up so we can discuss the issues with dev and sys while >>>>> already merging the rest. > > There is no official Docker support in Isar, so until there will be a > document which specifies the container configuration, it really would be > inefficient to block contributions. We can't support everything everywhere. There is official Docker support for Isar (via kasproject/kas-isar), and we are heavily relying on it. Our CI will also be based on it. 
But I think this issue is really just related to a missing switch when launching the container. > >>>> >>>> I think (didn't check if there was an update of next this morning) it >>>> works for me - in Docker. How are you starting the container? >>> >>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN >>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... >>> > > Do you have instructions how to build Isar in container, so at least I > could be able to reproduce the issue? I will publish my repo later that does a full amd64 image build inside docker (for a Jailhouse demo). In a nutshell, it works like this: #!/bin/sh mkdir -p out docker run -v $(pwd):/isar-jailhouse:ro -v $(pwd)/out:/out:rw \ -e USER_ID=$(id -u) --rm -t -i \ --cap-add=SYS_ADMIN --cap-add=MKNOD --privileged \ --device $(/sbin/losetup -f) \ -e http_proxy=$http_proxy -e https_proxy=$https_proxy \ -e no_proxy=$no_proxy \ kasproject/kas-isar sh -c " cd /out; kas build /isar-jailhouse/kas.yml" Jan ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 13:14 ` Jan Kiszka @ 2018-02-09 13:39 ` Alexander Smirnov 0 siblings, 0 replies; 19+ messages in thread From: Alexander Smirnov @ 2018-02-09 13:39 UTC (permalink / raw) To: Jan Kiszka, Henning Schild; +Cc: isar-users On 02/09/2018 04:14 PM, Jan Kiszka wrote: > On 2018-02-09 14:08, Alexander Smirnov wrote: >> On 02/09/2018 03:41 PM, Jan Kiszka wrote: >>> On 2018-02-09 13:40, Henning Schild wrote: >>>> Am Fri, 9 Feb 2018 13:35:15 +0100 >>>> schrieb Jan Kiszka <jan.kiszka@siemens.com>: >>>> >>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote: >>>>>> Hi, >>>>>> >>>>>> this patch is causing problems when building in a docker container, >>>>>> because sysfs can only be mounted ro. (Subject: current next bash in >>>>>> buildchroot problem) >>>>>> Now we could discuss whether we should relax the security of our >>>>>> containers even more, or whether Isar should care about that >>>>>> use-case. >>>>>> >>>>>> But this patch actually does several things at a time, it changes >>>>>>>>>> the way we mount and adds three new mounts. I would suggest to >> >> Actually not. It adds the only one new mount for sysfs. /proc was >> mounted inside do_build, /dev was mounted inside configscript.sh, so >> this is a kind of consolidation of these calls in one place. >> >> I have no case for sysfs, so probably we could drop it for now. Please >> let me know ASAP because I'm going to release v0.4. >> >>>>>> split it up so we can discuss the issues with dev and sys while >>>>>> already merging the rest. >> >> There is no official Docker support in Isar, so until there will be a >> document which specifies the container configuration, it really would be >> inefficient to block contributions. We can't support everything everywhere. > > There is official Docker support for Isar (via kasproject/kas-isar), and > we are heavily relying on it. Our CI will also be based on it. 
I only mean that I want this document in master before claiming Docker support. So I'll be able to test that this feature works with each update. :-) Otherwise I can't guarantee that custom user's environment will work. So the action item here is to publish the document and add CI test case. > > But I think this issue is really just related to a missing switch when > launching the container. That's exactly what I mean. One option could make the whole contribution red... Alex > >> >>>>> >>>>> I think (didn't check if there was an update of next this morning) it >>>>> works for me - in Docker. How are you starting the container? >>>> >>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN >>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... >>>> >> >> Do you have instructions how to build Isar in container, so at least I >> could be able to reproduce the issue? > > I will publish my repo later that does a full amd64 image build inside > docker (for a Jailhouse demo). In a nutshell, it works like this: > > #!/bin/sh > mkdir -p out > docker run -v $(pwd):/isar-jailhouse:ro -v $(pwd)/out:/out:rw \ > -e USER_ID=$(id -u) --rm -t -i \ > --cap-add=SYS_ADMIN --cap-add=MKNOD --privileged \ > --device $(/sbin/losetup -f) \ > -e http_proxy=$http_proxy -e https_proxy=$https_proxy \ > -e no_proxy=$no_proxy \ > kasproject/kas-isar sh -c " > cd /out; > kas build /isar-jailhouse/kas.yml" > > Jan > -- With best regards, Alexander Smirnov ilbers GmbH Baierbrunner Str. 28c D-81379 Munich +49 (89) 122 67 24-0 http://ilbers.de/ Commercial register Munich, HRB 214197 General manager: Baurzhan Ismagulov ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 13:08 ` Alexander Smirnov 2018-02-09 13:14 ` Jan Kiszka @ 2018-02-09 13:19 ` Henning Schild 2018-02-09 15:04 ` Henning Schild 1 sibling, 1 reply; 19+ messages in thread 
From: Henning Schild @ 2018-02-09 13:19 UTC (permalink / raw) To: Alexander Smirnov; +Cc: Jan Kiszka, isar-users Am Fri, 9 Feb 2018 16:08:01 +0300 schrieb Alexander Smirnov <asmirnov@ilbers.de>: > On 02/09/2018 03:41 PM, Jan Kiszka wrote: > > On 2018-02-09 13:40, Henning Schild wrote: > >> Am Fri, 9 Feb 2018 13:35:15 +0100 > >> schrieb Jan Kiszka <jan.kiszka@siemens.com>: > >> > >>> On 2018-02-09 13:33, [ext] Henning Schild wrote: > >>>> Hi, > >>>> > >>>> this patch is causing problems when building in a docker > >>>> container, because sysfs can only be mounted ro. (Subject: > >>>> current next bash in buildchroot problem) > >>>> Now we could discuss whether we should relax the security of our > >>>> containers even more, or whether Isar should care about that > >>>> use-case. > >>>> > >>>> But this patch actually does several things at a time, it > >>>> changes >>>> the way we mount and adds three new mounts. I would > >>>> suggest to > > Actually not. It adds the only one new mount for sysfs. /proc was > mounted inside do_build, /dev was mounted inside configscript.sh, so > this is a kind of consolidation of these calls in one place. Ok, in that case sys should be in a separate patch. > I have no case for sysfs, so probably we could drop it for now. > Please let me know ASAP because I'm going to release v0.4. I brought up sysfs as part of a "complete" chroot. If we do not have a real case for it yet, and it hurts us in some docker-corner-case ... leave it out for now. As a general advice for the release. Most Isar-users probably consume git anyways. And turning next directly into a release sounds like a bad idea. I would first update master and wait some time until you get bug-reports for your new master. But hey, it is just a tag for people that like tarballs, might as well leave some bugs in there ;). > >>>> split it up so we can discuss the issues with dev and sys while > >>>> already merging the rest. 
> > There is no official Docker support in Isar, so until there will be a > document which specifies the container configuration, it really would > be inefficient to block contributions. We can't support everything > everywhere. Fair enough, but i can assure you that a lot of people build Isar images in docker. I could even name the container for that etc. And until that becomes an official feature we can still try and make sure we do not break it. Henning > >>> > >>> I think (didn't check if there was an update of next this > >>> morning) it works for me - in Docker. How are you starting the > >>> container? > >> > >> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN > >> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... > >> > > Do you have instructions how to build Isar in container, so at least > I could be able to reproduce the issue? > > Alex > > > > Try adding --privileged - that's needed for binfmt anyway. > > > > Jan > > > >> inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount -t > >> sysfs ..." will be ro. Maybe i could add a "-o rw" to the mount > >> but for now i just reverted the two patches that deal with > >> mounting. > >> > >> Might also be a difference in our host systems. > >> > >> Henning > >> > >>> Jan > >>> > >>>> > >>>> Henning > >>>> > >>>> Am Tue, 6 Feb 2018 22:55:16 +0300 > >>>> schrieb Alexander Smirnov <asmirnov@ilbers.de>: > >>>> > >>>>> 8<-- > >>>>> > >>>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) > >>>>> > >>>>> 8<-- > >>>>> > >>>>> Now each multiconfig has registered handler for BuildCompleted > >>>>> event (see class 'isar-event.bbclass'). Moreover, the > >>>>> '/proc/mounts' file contains all the active mounts. In addition, > >>>>> from event handler we could derive all the variables like > >>>>> ${TMPDIR}, ${DISTRO} etc. So it's possible to find all the > >>>>> active mounts for current multiconfig and clean them. 
> >>>>> > >>>>> NOTE: if build is interrupted by double ^C, some mount points > >>>>> could stay uncleaned. This is caused by remaining processes > >>>>> started by bitbake, for example: > >>>>> - 'chroot build.sh ...' > >>>>> - 'multistrap ...' > >>>>> > >>>>> So please be careful when interrupting build. > >>>>> > >>>>> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > >>>>> --- > >>>>> meta-isar/recipes-core/images/isar-image-base.bb | 11 > >>>>> ++++------ meta/classes/dpkg-base.bbclass | > >>>>> 12 ++++------- > >>>>> meta/classes/isar-events.bbclass | 15 > >>>>> +++++++++++--- > >>>>> meta/recipes-devtools/buildchroot/buildchroot.bb | 24 > >>>>> +++++++++------------- .../buildchroot/files/configscript.sh | > >>>>> 4 ---- .../buildchroot/files/download_dev-random | 13 > >>>>> ------------ 6 files changed, 30 insertions(+), 49 deletions(-) > >>>>> delete mode 100644 > >>>>> meta/recipes-devtools/buildchroot/files/download_dev-random > >>>>> 
> >>>>> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb > >>>>> b/meta-isar/recipes-core/images/isar-image-base.bb index > >>>>> e359ac3..8ddbabb 100644 --- > >>>>> a/meta-isar/recipes-core/images/isar-image-base.bb +++ > >>>>> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 > >>>>> +55,10 @@ do_rootfs() { -e > >>>>> 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > >>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > >>>>> + # Do not use bitbake flag [dirs] here because this folder > >>>>> should have > >>>>> + # specific ownership. > >>>>> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g > >>>>> 0 -m 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none > >>>>> ${IMAGE_ROOTFS}/proc > >>>>> - _do_rootfs_cleanup() { > >>>>> - ret=$? > >>>>> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > >>>>> - (exit $ret) || bb_exit_handler > >>>>> - } > >>>>> - trap '_do_rootfs_cleanup' EXIT > >>>>> > >>>>> # Create root filesystem. We must use sudo -E here to > >>>>> preserve the environment # because of proxy settings > >>>>> @@ -72,5 +68,6 @@ do_rootfs() { > >>>>> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} > >>>>> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} > >>>>> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > >>>>> - _do_rootfs_cleanup > >>>>> + > >>>>> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > >>>>> } > >>>>> diff --git a/meta/classes/dpkg-base.bbclass > >>>>> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 > >>>>> --- a/meta/classes/dpkg-base.bbclass > >>>>> +++ b/meta/classes/dpkg-base.bbclass 
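Review bot: With `trap '_do_rootfs_cleanup' EXIT` removed, any failure between `sudo mount -t proc none ${IMAGE_ROOTFS}/proc` and the final `sudo umount` (the chroot into ${DISTRO_CONFIG_SCRIPT}, for instance) now leaves proc mounted inside the image rootfs, and the only remaining cleanup is the BuildCompleted handler, which matches /proc/mounts records against `${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}`. Whether IMAGE_ROOTFS always lives under that prefix is not visible here and should be confirmed, since a stale proc mount below a rootfs that is later removed recursively can interfere with the host's /proc. The dpkg-base.bbclass do_build hunk and the buildchroot.bb `@@ -60,15` hunk drop their traps in the same way and rely on the same handler, as do the copies of these hunks quoted further down the thread. A one-line comment above the mount would make the contract explicit: `# No in-task cleanup on failure: stale mounts are removed by the BuildCompleted handler in isar-events.bbclass`.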
> >>>>> @@ -20,15 +20,11 @@ dpkg_runbuild() { > >>>>> do_build() { > >>>>> mkdir -p ${BUILDROOT} > >>>>> sudo mount --bind ${WORKDIR} ${BUILDROOT} > >>>>> - _do_build_cleanup() { > >>>>> - ret=$? > >>>>> - sudo umount ${BUILDROOT} 2>/dev/null || true > >>>>> - sudo rmdir ${BUILDROOT} 2>/dev/null || true > >>>>> - (exit $ret) || bb_exit_handler > >>>>> - } > >>>>> - trap '_do_build_cleanup' EXIT > >>>>> + > >>>>> dpkg_runbuild > >>>>> - _do_build_cleanup > >>>>> + > >>>>> + sudo umount ${BUILDROOT} 2>/dev/null || true > >>>>> + sudo rmdir ${BUILDROOT} 2>/dev/null || true > >>>>> } > >>>>> > >>>>> # Install package to Isar-apt > >>>>> diff --git a/meta/classes/isar-events.bbclass > >>>>> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 > >>>>> --- a/meta/classes/isar-events.bbclass > >>>>> +++ b/meta/classes/isar-events.bbclass > >>>>> @@ -11,10 +11,19 @@ python isar_handler () { > >>>>> devnull = open(os.devnull, 'w') > >>>>> > >>>>> if isinstance(e, bb.event.BuildCompleted): > >>>>> - bchroot = d.getVar('BUILDCHROOT_DIR', True) > >>>>> + tmpdir = d.getVar('TMPDIR', True) > >>>>> + distro = d.getVar('DISTRO', True) > >>>>> + arch = d.getVar('DISTRO_ARCH', True) > >>>>> > >>>>> - # Clean up buildchroot > >>>>> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot > >>>>> + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, > >>>>> shell=True) > >>>>> + w = tmpdir + '/work/' + distro + '-' + arch > >>>>> + > >>>>> + # '/proc/mounts' contains all the active mounts, so > >>>>> knowing 'w' we > >>>>> + # could get the list of mounts for the specific > >>>>> multiconfig and > >>>>> + # clean them. > >>>>> + with open('/proc/mounts', 'rU') as f: > >>>>> + for line in f: > >>>>> + if w in line: > >>>>> + subprocess.call('sudo umount -f ' + > >>>>> line.split()[1], stdout=devnull, stderr=devnull, shell=True) > >>>>> devnull.close() > >>>>> } 
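Review bot: In the isar_handler hunk, `if w in line:` tests the whole /proc/mounts record, so a mount whose source (first field) or options happen to contain the work-directory string is unmounted as well, and the command is then assembled by string concatenation under `shell=True`, which misbehaves on mount points containing shell-significant characters (/proc/mounts also encodes spaces as `\040`, which the code never decodes). Matching the mount-point field and passing an argument list avoids both: `mp = line.split()[1]`, `if mp == w or mp.startswith(w + '/'):`, `subprocess.call(['sudo', 'umount', '-f', mp], stdout=devnull, stderr=devnull)`. /proc/mounts lists entries in mount order, so iterating it forwards unmounts a parent before anything mounted beneath it and fails with EBUSY; if nested mounts can occur under the work directory, collect the matching mount points first and process them in reverse. The `'rU'` open mode is deprecated in Python 3 and removed in 3.11, so `'r'` is the safer choice. The same hunk is quoted again in the two later copies of the patch in this thread.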
> >>>>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb > >>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb index > >>>>> 304c67e..df9df19 100644 --- > >>>>> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ > >>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 > >>>>> +12,6 @@ FILESPATH =. > >>>>> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" SRC_URI = > >>>>> "file://multistrap.conf.in \ file://configscript.sh \ > >>>>> file://setup.sh \ > >>>>> - file://download_dev-random \ > >>>>> file://build.sh" > >>>>> PV = "1.0" > >>>>> > >>>>> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > >>>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > >>>>> > >>>>> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > >>>>> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > >>>>> - ${BUILDCHROOT_DIR}/isar-apt" > >>>>> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > >>>>> + ${BUILDCHROOT_DIR}/dev \ > >>>>> + ${BUILDCHROOT_DIR}/proc \ > >>>>> + ${BUILDCHROOT_DIR}/sys" > >>>>> do_build[depends] = "isar-apt:do_cache_config" > >>>>> > >>>>> do_build() { > >>>>> @@ -41,7 +42,6 @@ do_build() { > >>>>> > >>>>> chmod +x "${WORKDIR}/setup.sh" > >>>>> chmod +x "${WORKDIR}/configscript.sh" > >>>>> - install -m 755 "${WORKDIR}/download_dev-random" > >>>>> "${WORKDIR}/hooks_multistrap/" > >>>>> # Multistrap accepts only relative path in configuration > >>>>> files, so get it: cd ${TOPDIR} 
> >>>>> @@ -60,15 +60,6 @@ do_build() { > >>>>> -e > >>>>> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > >>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > >>>>> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 > >>>>> ${BUILDCHROOT_DIR}/proc > >>>>> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > >>>>> - _do_build_cleanup() { > >>>>> - ret=$? > >>>>> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > >>>>> - (exit $ret) || bb_exit_handler > >>>>> - } > >>>>> - trap '_do_build_cleanup' EXIT > >>>>> - > >>>>> do_setup_mounts > >>>>> > >>>>> # Create root filesystem > >>>>> @@ -79,7 +70,6 @@ do_build() { > >>>>> > >>>>> # Configure root filesystem > >>>>> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > >>>>> - _do_build_cleanup > >>>>> > >>>>> do_cleanup_mounts > >>>>> } > >>>>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = > >>>>> "${DISTRO}-${DISTRO_ARCH}" > >>>>> do_setup_mounts() { > >>>>> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} > >>>>> ${BUILDCHROOT_DIR}/isar-apt > >>>>> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev > >>>>> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > >>>>> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > >>>>> } > >>>>> > >>>>> addtask setup_mounts after do_build > >>>>> > >>>>> do_cleanup_mounts() { > >>>>> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || > >>>>> true > >>>>> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > >>>>> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > >>>>> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > >>>>> } 
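Review bot: In the do_setup_mounts hunk, `sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev` gives the chroot the host's device nodes without the `nosuid` flag that the removed devtmpfs mount in configscript.sh carried, and since do_setup_mounts is called before the "Create root filesystem" step (the `@@ -60,15` hunk), anything multistrap or a package maintainer script writes under /dev during population would land in the host's /dev rather than in the rootfs; a follow-up `sudo mount -o remount,bind,nosuid ${BUILDCHROOT_DIR}/dev` is the portable way to restore the flag on a bind mount. The dev/proc/sys directories are now created through `do_build[dirs]` with default ownership and mode, while the isar-image-base.bb hunk argues against `[dirs]` for exactly that reason; a short comment on why the difference is acceptable for the buildchroot would help the next reader. do_cleanup_mounts unmounts in the same order the mounts were made, which only works while none of them are nested. The copies of this hunk quoted later in the thread carry the same points.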
> >>>>> diff --git > >>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh > >>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh index > >>>>> 9813c9a..524e50c 100644 --- > >>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ > >>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ > >>>>> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre > >>>>> installation script /var/lib/dpkg/info/dash.preinst install > >>>>> -# apt-get http method, gpg require /dev/null > >>>>> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > >>>>> - > >>>>> #configuring packages > >>>>> dpkg --configure -a > >>>>> apt-get update > >>>>> -umount /dev > >>>>> diff --git > >>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random > >>>>> b/meta/recipes-devtools/buildchroot/files/download_dev-random > >>>>> deleted file mode 100644 index 5b5b96b..0000000 --- > >>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random > >>>>> +++ /dev/null @@ -1,13 +0,0 @@ > >>>>> -#!/bin/sh > >>>>> - > >>>>> -set -e > >>>>> - > >>>>> -readonly ROOTFS="$1" > >>>>> - > >>>>> -mknod "${ROOTFS}/dev/random" c 1 8 > >>>>> -chmod 640 "${ROOTFS}/dev/random" > >>>>> -chown 0:0 "${ROOTFS}/dev/random" > >>>>> - > >>>>> -mknod "${ROOTFS}/dev/urandom" c 1 9 > >>>>> -chmod 640 "${ROOTFS}/dev/urandom" > >>>>> -chown 0:0 "${ROOTFS}/dev/urandom" > >>>> > >>> > >> > > > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 13:19 ` Henning Schild @ 2018-02-09 15:04 ` Henning Schild 2018-02-09 15:29 ` Alexander Smirnov 0 siblings, 1 reply; 19+ messages in thread 
From: Henning Schild @ 2018-02-09 15:04 UTC (permalink / raw) To: Alexander Smirnov; +Cc: Jan Kiszka, isar-users The new next works for me, thanks! Henning Am Fri, 9 Feb 2018 14:19:43 +0100 schrieb "[ext] Henning Schild" <henning.schild@siemens.com>: > Am Fri, 9 Feb 2018 16:08:01 +0300 > schrieb Alexander Smirnov <asmirnov@ilbers.de>: > > > On 02/09/2018 03:41 PM, Jan Kiszka wrote: > > > On 2018-02-09 13:40, Henning Schild wrote: > > >> Am Fri, 9 Feb 2018 13:35:15 +0100 > > >> schrieb Jan Kiszka <jan.kiszka@siemens.com>: > > >> > > >>> On 2018-02-09 13:33, [ext] Henning Schild wrote: > > >>>> Hi, > > >>>> > > >>>> this patch is causing problems when building in a docker > > >>>> container, because sysfs can only be mounted ro. (Subject: > > >>>> current next bash in buildchroot problem) > > >>>> Now we could discuss whether we should relax the security of > > >>>> our containers even more, or whether Isar should care about > > >>>> that use-case. > > >>>> > > >>>> But this patch actually does several things at a time, it > > >>>> changes >>>> the way we mount and adds three new mounts. I > > >>>> would suggest to > > > > Actually not. It adds the only one new mount for sysfs. /proc was > > mounted inside do_build, /dev was mounted inside configscript.sh, > > so this is a kind of consolidation of these calls in one place. > > Ok, in that case sys should be in a separate patch. > > > I have no case for sysfs, so probably we could drop it for now. > > Please let me know ASAP because I'm going to release v0.4. > > I brought up sysfs as part of a "complete" chroot. If we do not have a > real case for it yet, and it hurts us in some docker-corner-case ... > leave it out for now. > > As a general advice for the release. Most Isar-users probably consume > git anyways. And turning next directly into a release sounds like a > bad idea. I would first update master and wait some time until you get > bug-reports for your new master. 
> But hey, it is just a tag for people that like tarballs, might as well > leave some bugs in there ;). > > > >>>> split it up so we can discuss the issues with dev and sys while > > >>>> already merging the rest. > > > > There is no official Docker support in Isar, so until there will be > > a document which specifies the container configuration, it really > > would be inefficient to block contributions. We can't support > > everything everywhere. > > Fair enough, but i can assure you that a lot of people build Isar > images in docker. I could even name the container for that etc. And > until that becomes an official feature we can still try and make sure > we do not break it. > > Henning > > > >>> > > >>> I think (didn't check if there was an update of next this > > >>> morning) it works for me - in Docker. How are you starting the > > >>> container? > > >> > > >> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN > > >> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy > > >> stuff ... > > > > Do you have instructions how to build Isar in container, so at least > > I could be able to reproduce the issue? > > > > Alex > > > > > > > Try adding --privileged - that's needed for binfmt anyway. > > > > > > Jan > > > > > >> inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount > > >> -t sysfs ..." will be ro. Maybe i could add a "-o rw" to the > > >> mount but for now i just reverted the two patches that deal with > > >> mounting. > > >> > > >> Might also be a difference in our host systems. > > >> > > >> Henning > > >> > > >>> Jan > > >>> > > >>>> > > >>>> Henning > > >>>> > > >>>> Am Tue, 6 Feb 2018 22:55:16 +0300 > > >>>> schrieb Alexander Smirnov <asmirnov@ilbers.de>: > > >>>> > > >>>>> 8<-- > > >>>>> > > >>>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) > > >>>>> > > >>>>> 8<-- > > >>>>> > > >>>>> Now each multiconfig has registered handler for BuildCompleted > > >>>>> event (see class 'isar-event.bbclass'). 
Moreover, the > > >>>>> '/proc/mounts' file contains all the active mounts. In > > >>>>> addition, from event handler we could derive all the > > >>>>> variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to > > >>>>> find all the active mounts for current multiconfig and clean > > >>>>> them. > > >>>>> > > >>>>> NOTE: if build is interrupted by double ^C, some mount points > > >>>>> could stay uncleaned. This is caused by remaining processes > > >>>>> started by bitbake, for example: > > >>>>> - 'chroot build.sh ...' > > >>>>> - 'multistrap ...' > > >>>>> > > >>>>> So please be careful when interrupting build. > > >>>>> > > >>>>> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > > >>>>> --- > > >>>>> meta-isar/recipes-core/images/isar-image-base.bb | 11 > > >>>>> ++++------ meta/classes/dpkg-base.bbclass > > >>>>> | 12 ++++------- > > >>>>> meta/classes/isar-events.bbclass | 15 > > >>>>> +++++++++++--- > > >>>>> meta/recipes-devtools/buildchroot/buildchroot.bb | 24 > > >>>>> +++++++++------------- .../buildchroot/files/configscript.sh | > > >>>>> 4 ---- .../buildchroot/files/download_dev-random | 13 > > >>>>> ------------ 6 files changed, 30 insertions(+), 49 > > >>>>> deletions(-) delete mode 100644 > > >>>>> meta/recipes-devtools/buildchroot/files/download_dev-random > > >>>>> 
> > >>>>> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb > > >>>>> b/meta-isar/recipes-core/images/isar-image-base.bb index > > >>>>> e359ac3..8ddbabb 100644 --- > > >>>>> a/meta-isar/recipes-core/images/isar-image-base.bb +++ > > >>>>> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 > > >>>>> +55,10 @@ do_rootfs() { -e > > >>>>> 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > > >>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > >>>>> + # Do not use bitbake flag [dirs] here because this folder > > >>>>> should have > > >>>>> + # specific ownership. > > >>>>> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g > > >>>>> 0 -m 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none > > >>>>> ${IMAGE_ROOTFS}/proc > > >>>>> - _do_rootfs_cleanup() { > > >>>>> - ret=$? > > >>>>> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > > >>>>> - (exit $ret) || bb_exit_handler > > >>>>> - } > > >>>>> - trap '_do_rootfs_cleanup' EXIT > > >>>>> > > >>>>> # Create root filesystem. We must use sudo -E here to > > >>>>> preserve the environment # because of proxy settings > > >>>>> @@ -72,5 +68,6 @@ do_rootfs() { > > >>>>> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} > > >>>>> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} > > >>>>> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > > >>>>> - _do_rootfs_cleanup > > >>>>> + > > >>>>> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > > >>>>> } > > >>>>> diff --git a/meta/classes/dpkg-base.bbclass > > >>>>> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 > > >>>>> --- a/meta/classes/dpkg-base.bbclass > > >>>>> +++ b/meta/classes/dpkg-base.bbclass 
> > >>>>> @@ -20,15 +20,11 @@ dpkg_runbuild() { > > >>>>> do_build() { > > >>>>> mkdir -p ${BUILDROOT} > > >>>>> sudo mount --bind ${WORKDIR} ${BUILDROOT} > > >>>>> - _do_build_cleanup() { > > >>>>> - ret=$? > > >>>>> - sudo umount ${BUILDROOT} 2>/dev/null || true > > >>>>> - sudo rmdir ${BUILDROOT} 2>/dev/null || true > > >>>>> - (exit $ret) || bb_exit_handler > > >>>>> - } > > >>>>> - trap '_do_build_cleanup' EXIT > > >>>>> + > > >>>>> dpkg_runbuild > > >>>>> - _do_build_cleanup > > >>>>> + > > >>>>> + sudo umount ${BUILDROOT} 2>/dev/null || true > > >>>>> + sudo rmdir ${BUILDROOT} 2>/dev/null || true > > >>>>> } > > >>>>> > > >>>>> # Install package to Isar-apt > > >>>>> diff --git a/meta/classes/isar-events.bbclass > > >>>>> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 > > >>>>> 100644 --- a/meta/classes/isar-events.bbclass > > >>>>> +++ b/meta/classes/isar-events.bbclass 
> > >>>>> @@ -11,10 +11,19 @@ python isar_handler () { > > >>>>> devnull = open(os.devnull, 'w') > > >>>>> > > >>>>> if isinstance(e, bb.event.BuildCompleted): > > >>>>> - bchroot = d.getVar('BUILDCHROOT_DIR', True) > > >>>>> + tmpdir = d.getVar('TMPDIR', True) > > >>>>> + distro = d.getVar('DISTRO', True) > > >>>>> + arch = d.getVar('DISTRO_ARCH', True) > > >>>>> > > >>>>> - # Clean up buildchroot > > >>>>> - subprocess.call('/usr/bin/sudo /bin/umount ' + > > >>>>> bchroot > > >>>>> + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, > > >>>>> shell=True) > > >>>>> + w = tmpdir + '/work/' + distro + '-' + arch > > >>>>> + > > >>>>> + # '/proc/mounts' contains all the active mounts, so > > >>>>> knowing 'w' we > > >>>>> + # could get the list of mounts for the specific > > >>>>> multiconfig and > > >>>>> + # clean them. > > >>>>> + with open('/proc/mounts', 'rU') as f: > > >>>>> + for line in f: > > >>>>> + if w in line: > > >>>>> + subprocess.call('sudo umount -f ' + > > >>>>> line.split()[1], stdout=devnull, stderr=devnull, shell=True) > > >>>>> devnull.close() > > >>>>> } > > >>>>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb > > >>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb index > > >>>>> 304c67e..df9df19 100644 --- > > >>>>> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ > > >>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 > > >>>>> +12,6 @@ FILESPATH =. > > >>>>> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" > > >>>>> SRC_URI = "file://multistrap.conf.in \ file://configscript.sh > > >>>>> \ file://setup.sh \ > > >>>>> - file://download_dev-random \ > > >>>>> file://build.sh" > > >>>>> PV = "1.0" > > >>>>> 
> > >>>>> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > > >>>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > >>>>> > > >>>>> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > > >>>>> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > > >>>>> - ${BUILDCHROOT_DIR}/isar-apt" > > >>>>> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > > >>>>> + ${BUILDCHROOT_DIR}/dev \ > > >>>>> + ${BUILDCHROOT_DIR}/proc \ > > >>>>> + ${BUILDCHROOT_DIR}/sys" > > >>>>> do_build[depends] = "isar-apt:do_cache_config" > > >>>>> > > >>>>> do_build() { > > >>>>> @@ -41,7 +42,6 @@ do_build() { > > >>>>> > > >>>>> chmod +x "${WORKDIR}/setup.sh" > > >>>>> chmod +x "${WORKDIR}/configscript.sh" > > >>>>> - install -m 755 "${WORKDIR}/download_dev-random" > > >>>>> "${WORKDIR}/hooks_multistrap/" > > >>>>> # Multistrap accepts only relative path in configuration > > >>>>> files, so get it: cd ${TOPDIR} > > >>>>> @@ -60,15 +60,6 @@ do_build() { > > >>>>> -e > > >>>>> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > > >>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > > >>>>> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 > > >>>>> ${BUILDCHROOT_DIR}/proc > > >>>>> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > > >>>>> - _do_build_cleanup() { > > >>>>> - ret=$? > > >>>>> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || > > >>>>> true > > >>>>> - (exit $ret) || bb_exit_handler > > >>>>> - } > > >>>>> - trap '_do_build_cleanup' EXIT > > >>>>> - > > >>>>> do_setup_mounts > > >>>>> > > >>>>> # Create root filesystem > > >>>>> @@ -79,7 +70,6 @@ do_build() { > > >>>>> > > >>>>> # Configure root filesystem > > >>>>> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > > >>>>> - _do_build_cleanup > > >>>>> > > >>>>> do_cleanup_mounts > > >>>>> } 
> > >>>>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = > > >>>>> "${DISTRO}-${DISTRO_ARCH}" > > >>>>> do_setup_mounts() { > > >>>>> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} > > >>>>> ${BUILDCHROOT_DIR}/isar-apt > > >>>>> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev > > >>>>> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > > >>>>> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > > >>>>> } > > >>>>> > > >>>>> addtask setup_mounts after do_build > > >>>>> > > >>>>> do_cleanup_mounts() { > > >>>>> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || > > >>>>> true > > >>>>> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > > >>>>> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > > >>>>> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > > >>>>> } > > >>>>> diff --git > > >>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh > > >>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh > > >>>>> index 9813c9a..524e50c 100644 --- > > >>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ > > >>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ > > >>>>> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre > > >>>>> installation script /var/lib/dpkg/info/dash.preinst install > > >>>>> -# apt-get http method, gpg require /dev/null > > >>>>> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > > >>>>> - > > >>>>> #configuring packages > > >>>>> dpkg --configure -a > > >>>>> apt-get update > > >>>>> -umount /dev > > >>>>> diff --git > > >>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random > > >>>>> b/meta/recipes-devtools/buildchroot/files/download_dev-random > > >>>>> deleted file mode 100644 index 5b5b96b..0000000 --- > > >>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random > > >>>>> +++ /dev/null 
@@ -1,13 +0,0 @@ > > >>>>> -#!/bin/sh > > >>>>> - > > >>>>> -set -e > > >>>>> - > > >>>>> -readonly ROOTFS="$1" > > >>>>> - > > >>>>> -mknod "${ROOTFS}/dev/random" c 1 8 > > >>>>> -chmod 640 "${ROOTFS}/dev/random" > > >>>>> -chown 0:0 "${ROOTFS}/dev/random" > > >>>>> - > > >>>>> -mknod "${ROOTFS}/dev/urandom" c 1 9 > > >>>>> -chmod 640 "${ROOTFS}/dev/urandom" > > >>>>> -chown 0:0 "${ROOTFS}/dev/urandom" > > >>>> > > >>> > > >> > > > > > > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 15:04 ` Henning Schild @ 2018-02-09 15:29 ` Alexander Smirnov 0 siblings, 0 replies; 19+ messages in thread 
From: Alexander Smirnov @ 2018-02-09 15:29 UTC (permalink / raw) To: Henning Schild; +Cc: Jan Kiszka, isar-users Hi, On 02/09/2018 06:04 PM, Henning Schild wrote: > The new next works for me, thanks! > Thank you for the quick feedback! > Henning > > Am Fri, 9 Feb 2018 14:19:43 +0100 > schrieb "[ext] Henning Schild" <henning.schild@siemens.com>: > >> Am Fri, 9 Feb 2018 16:08:01 +0300 >> schrieb Alexander Smirnov <asmirnov@ilbers.de>: >> >>> On 02/09/2018 03:41 PM, Jan Kiszka wrote: >>>> On 2018-02-09 13:40, Henning Schild wrote: >>>>> Am Fri, 9 Feb 2018 13:35:15 +0100 >>>>> schrieb Jan Kiszka <jan.kiszka@siemens.com>: >>>>> >>>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote: >>>>>>> Hi, >>>>>>> >>>>>>> this patch is causing problems when building in a docker >>>>>>> container, because sysfs can only be mounted ro. (Subject: >>>>>>> current next bash in buildchroot problem) >>>>>>> Now we could discuss whether we should relax the security of >>>>>>> our containers even more, or whether Isar should care about >>>>>>> that use-case. >>>>>>> >>>>>>> But this patch actually does several things at a time, it >>>>>>> changes >>>> the way we mount and adds three new mounts. I >>>>>>> would suggest to >>> >>> Actually not. It adds the only one new mount for sysfs. /proc was >>> mounted inside do_build, /dev was mounted inside configscript.sh, >>> so this is a kind of consolidation of these calls in one place. >> >> Ok, in that case sys should be in a separate patch. >> >>> I have no case for sysfs, so probably we could drop it for now. >>> Please let me know ASAP because I'm going to release v0.4. >> >> I brought up sysfs as part of a "complete" chroot. If we do not have a >> real case for it yet, and it hurts us in some docker-corner-case ... >> leave it out for now. >> >> As a general advice for the release. Most Isar-users probably consume >> git anyways. And turning next directly into a release sounds like a >> bad idea. 
I would first update master and wait some time until you get >> bug-reports for your new master. >> But hey, it is just a tag for people that like tarballs, might as well >> leave some bugs in there ;). I see your point, yes, some products have such practice to provide release candidates and then official releases. But for me this looks like the overhead with current Isar size. 1. At the moment there are several series in the mailing list that assume Isar-core refactoring, so 'next' branch could be populated quite fast withing next days/weeks by new features. 2. If somebody has found an issue with current 'master' and sent the fix, I mostly like to apply this patch to 'next' and then merge whole current 'next' to master to avoid headache with rebasing and non-linear history. So this means that 'master' will be populated by new feature which also needs some time for field reports. This could lead to have releases very rarely, while in general 'master' contains working code that could be used. Also if users prefer to use official releases in their products, the functionality gap between two neighbor ones could be too big. Alex >> >>>>>>> split it up so we can discuss the issues with dev and sys while >>>>>>> already merging the rest. >>> >>> There is no official Docker support in Isar, so until there will be >>> a document which specifies the container configuration, it really >>> would be inefficient to block contributions. We can't support >>> everything everywhere. >> >> Fair enough, but i can assure you that a lot of people build Isar >> images in docker. I could even name the container for that etc. And >> until that becomes an official feature we can still try and make sure >> we do not break it. >> >> Henning >> >>>>>> >>>>>> I think (didn't check if there was an update of next this >>>>>> morning) it works for me - in Docker. How are you starting the >>>>>> container? 
>>>>> >>>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN >>>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy >>>>> stuff ... >>> >>> Do you have instructions how to build Isar in container, so at least >>> I could be able to reproduce the issue? >>> >>> Alex >>> >>> >>>> Try adding --privileged - that's needed for binfmt anyway. >>>> >>>> Jan >>>> >>>>> inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount >>>>> -t sysfs ..." will be ro. Maybe i could add a "-o rw" to the >>>>> mount but for now i just reverted the two patches that deal with >>>>> mounting. >>>>> >>>>> Might also be a difference in our host systems. >>>>> >>>>> Henning >>>>> >>>>>> Jan >>>>>> >>>>>>> >>>>>>> Henning >>>>>>> >>>>>>> Am Tue, 6 Feb 2018 22:55:16 +0300 >>>>>>> schrieb Alexander Smirnov <asmirnov@ilbers.de>: >>>>>>> >>>>>>>> 8<-- >>>>>>>> >>>>>>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) >>>>>>>> >>>>>>>> 8<-- >>>>>>>> >>>>>>>> Now each multiconfig has registered handler for BuildCompleted >>>>>>>> event (see class 'isar-event.bbclass'). Moreover, the >>>>>>>> '/proc/mounts' file contains all the active mounts. In >>>>>>>> addition, from event handler we could derive all the >>>>>>>> variables like ${TMPDIR}, ${DISTRO} etc. So it's possible to >>>>>>>> find all the active mounts for current multiconfig and clean >>>>>>>> them. >>>>>>>> >>>>>>>> NOTE: if build is interrupted by double ^C, some mount points >>>>>>>> could stay uncleaned. This is caused by remaining processes >>>>>>>> started by bitbake, for example: >>>>>>>> - 'chroot build.sh ...' >>>>>>>> - 'multistrap ...' >>>>>>>> >>>>>>>> So please be careful when interrupting build. >>>>>>>> 
>>>>>>>> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> >>>>>>>> --- >>>>>>>> meta-isar/recipes-core/images/isar-image-base.bb | 11 >>>>>>>> ++++------ meta/classes/dpkg-base.bbclass >>>>>>>> | 12 ++++------- >>>>>>>> meta/classes/isar-events.bbclass | 15 >>>>>>>> +++++++++++--- >>>>>>>> meta/recipes-devtools/buildchroot/buildchroot.bb | 24 >>>>>>>> +++++++++------------- .../buildchroot/files/configscript.sh | >>>>>>>> 4 ---- .../buildchroot/files/download_dev-random | 13 >>>>>>>> ------------ 6 files changed, 30 insertions(+), 49 >>>>>>>> deletions(-) delete mode 100644 >>>>>>>> meta/recipes-devtools/buildchroot/files/download_dev-random >>>>>>>> >>>>>>>> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb >>>>>>>> b/meta-isar/recipes-core/images/isar-image-base.bb index >>>>>>>> e359ac3..8ddbabb 100644 --- >>>>>>>> a/meta-isar/recipes-core/images/isar-image-base.bb +++ >>>>>>>> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 >>>>>>>> +55,10 @@ do_rootfs() { -e >>>>>>>> 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ >>>>>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" >>>>>>>> + # Do not use bitbake flag [dirs] here because this folder >>>>>>>> should have >>>>>>>> + # specific ownership. >>>>>>>> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g >>>>>>>> 0 -m 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none >>>>>>>> ${IMAGE_ROOTFS}/proc >>>>>>>> - _do_rootfs_cleanup() { >>>>>>>> - ret=$? >>>>>>>> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >>>>>>>> - (exit $ret) || bb_exit_handler >>>>>>>> - } >>>>>>>> - trap '_do_rootfs_cleanup' EXIT >>>>>>>> >>>>>>>> # Create root filesystem. We must use sudo -E here to >>>>>>>> preserve the environment # because of proxy settings 
>>>>>>>> @@ -72,5 +68,6 @@ do_rootfs() { >>>>>>>> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} >>>>>>>> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} >>>>>>>> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" >>>>>>>> - _do_rootfs_cleanup >>>>>>>> + >>>>>>>> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true >>>>>>>> } >>>>>>>> diff --git a/meta/classes/dpkg-base.bbclass >>>>>>>> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 >>>>>>>> --- a/meta/classes/dpkg-base.bbclass >>>>>>>> +++ b/meta/classes/dpkg-base.bbclass >>>>>>>> @@ -20,15 +20,11 @@ dpkg_runbuild() { >>>>>>>> do_build() { >>>>>>>> mkdir -p ${BUILDROOT} >>>>>>>> sudo mount --bind ${WORKDIR} ${BUILDROOT} >>>>>>>> - _do_build_cleanup() { >>>>>>>> - ret=$? >>>>>>>> - sudo umount ${BUILDROOT} 2>/dev/null || true >>>>>>>> - sudo rmdir ${BUILDROOT} 2>/dev/null || true >>>>>>>> - (exit $ret) || bb_exit_handler >>>>>>>> - } >>>>>>>> - trap '_do_build_cleanup' EXIT >>>>>>>> + >>>>>>>> dpkg_runbuild >>>>>>>> - _do_build_cleanup >>>>>>>> + >>>>>>>> + sudo umount ${BUILDROOT} 2>/dev/null || true >>>>>>>> + sudo rmdir ${BUILDROOT} 2>/dev/null || true >>>>>>>> } >>>>>>>> >>>>>>>> # Install package to Isar-apt >>>>>>>> diff --git a/meta/classes/isar-events.bbclass >>>>>>>> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 >>>>>>>> 100644 --- a/meta/classes/isar-events.bbclass >>>>>>>> +++ b/meta/classes/isar-events.bbclass 
>>>>>>>> @@ -11,10 +11,19 @@ python isar_handler () { >>>>>>>> devnull = open(os.devnull, 'w') >>>>>>>> >>>>>>>> if isinstance(e, bb.event.BuildCompleted): >>>>>>>> - bchroot = d.getVar('BUILDCHROOT_DIR', True) >>>>>>>> + tmpdir = d.getVar('TMPDIR', True) >>>>>>>> + distro = d.getVar('DISTRO', True) >>>>>>>> + arch = d.getVar('DISTRO_ARCH', True) >>>>>>>> >>>>>>>> - # Clean up buildchroot >>>>>>>> - subprocess.call('/usr/bin/sudo /bin/umount ' + >>>>>>>> bchroot >>>>>>>> + '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, >>>>>>>> shell=True) >>>>>>>> + w = tmpdir + '/work/' + distro + '-' + arch >>>>>>>> + >>>>>>>> + # '/proc/mounts' contains all the active mounts, so >>>>>>>> knowing 'w' we >>>>>>>> + # could get the list of mounts for the specific >>>>>>>> multiconfig and >>>>>>>> + # clean them. >>>>>>>> + with open('/proc/mounts', 'rU') as f: >>>>>>>> + for line in f: >>>>>>>> + if w in line: >>>>>>>> + subprocess.call('sudo umount -f ' + >>>>>>>> line.split()[1], stdout=devnull, stderr=devnull, shell=True) >>>>>>>> devnull.close() >>>>>>>> } >>>>>>>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb >>>>>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb index >>>>>>>> 304c67e..df9df19 100644 --- >>>>>>>> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ >>>>>>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 >>>>>>>> +12,6 @@ FILESPATH =. >>>>>>>> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" >>>>>>>> SRC_URI = "file://multistrap.conf.in \ file://configscript.sh >>>>>>>> \ file://setup.sh \ >>>>>>>> - file://download_dev-random \ >>>>>>>> file://build.sh" >>>>>>>> PV = "1.0" >>>>>>>> 
>>>>>>>> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ >>>>>>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >>>>>>>> >>>>>>>> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" >>>>>>>> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ >>>>>>>> - ${BUILDCHROOT_DIR}/isar-apt" >>>>>>>> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ >>>>>>>> + ${BUILDCHROOT_DIR}/dev \ >>>>>>>> + ${BUILDCHROOT_DIR}/proc \ >>>>>>>> + ${BUILDCHROOT_DIR}/sys" >>>>>>>> do_build[depends] = "isar-apt:do_cache_config" >>>>>>>> >>>>>>>> do_build() { >>>>>>>> @@ -41,7 +42,6 @@ do_build() { >>>>>>>> >>>>>>>> chmod +x "${WORKDIR}/setup.sh" >>>>>>>> chmod +x "${WORKDIR}/configscript.sh" >>>>>>>> - install -m 755 "${WORKDIR}/download_dev-random" >>>>>>>> "${WORKDIR}/hooks_multistrap/" >>>>>>>> # Multistrap accepts only relative path in configuration >>>>>>>> files, so get it: cd ${TOPDIR} >>>>>>>> @@ -60,15 +60,6 @@ do_build() { >>>>>>>> -e >>>>>>>> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ >>>>>>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" >>>>>>>> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 >>>>>>>> ${BUILDCHROOT_DIR}/proc >>>>>>>> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >>>>>>>> - _do_build_cleanup() { >>>>>>>> - ret=$? >>>>>>>> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || >>>>>>>> true >>>>>>>> - (exit $ret) || bb_exit_handler >>>>>>>> - } >>>>>>>> - trap '_do_build_cleanup' EXIT >>>>>>>> - >>>>>>>> do_setup_mounts >>>>>>>> >>>>>>>> # Create root filesystem >>>>>>>> @@ -79,7 +70,6 @@ do_build() { >>>>>>>> >>>>>>>> # Configure root filesystem >>>>>>>> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh >>>>>>>> - _do_build_cleanup >>>>>>>> >>>>>>>> do_cleanup_mounts >>>>>>>> } 
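Review bot: `do_build[dirs]` now creates `${BUILDCHROOT_DIR}/dev`, `/proc` and `/sys` through bitbake, i.e. as the build user with the default mode, whereas the removed line created proc with `install -d -m 555`, and the isar-image-base.bb hunk in this same patch deliberately avoids `[dirs]` for `${IMAGE_ROOTFS}/proc` because that directory needs specific ownership. The two recipes should either use the same approach or say why they differ; if `[dirs]` is acceptable for the buildchroot, a comment next to the flag such as `# Mount-point ownership is not preserved here, unlike in the image rootfs — see isar-image-base.bb` would record the reasoning. do_build() continues outside these hunks.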
>>>>>>>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = >>>>>>>> "${DISTRO}-${DISTRO_ARCH}" >>>>>>>> do_setup_mounts() { >>>>>>>> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} >>>>>>>> ${BUILDCHROOT_DIR}/isar-apt >>>>>>>> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev >>>>>>>> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc >>>>>>>> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys >>>>>>>> } >>>>>>>> >>>>>>>> addtask setup_mounts after do_build >>>>>>>> >>>>>>>> do_cleanup_mounts() { >>>>>>>> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || >>>>>>>> true >>>>>>>> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true >>>>>>>> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true >>>>>>>> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true >>>>>>>> } >>>>>>>> diff --git >>>>>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh >>>>>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh >>>>>>>> index 9813c9a..524e50c 100644 --- >>>>>>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ >>>>>>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ >>>>>>>> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre >>>>>>>> installation script /var/lib/dpkg/info/dash.preinst install >>>>>>>> -# apt-get http method, gpg require /dev/null >>>>>>>> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev >>>>>>>> - >>>>>>>> #configuring packages >>>>>>>> dpkg --configure -a >>>>>>>> apt-get update >>>>>>>> -umount /dev >>>>>>>> diff --git >>>>>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random >>>>>>>> b/meta/recipes-devtools/buildchroot/files/download_dev-random >>>>>>>> deleted file mode 100644 index 5b5b96b..0000000 --- >>>>>>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random >>>>>>>> +++ /dev/null 
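Review bot: `sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev` exposes every host device node to whatever runs inside the buildchroot, while the line this patch removes from configscript.sh mounted a fresh `devtmpfs` with `mode=0755,nosuid`; the bind mount as written carries no such options, so the chroot inherits the host's /dev as-is. Mounting devtmpfs from the task keeps the narrower setup: `sudo mount -t devtmpfs -o mode=0755,nosuid devtmpfs ${BUILDCHROOT_DIR}/dev`. do_setup_mounts() also has no guard against running while the mounts are already present (it is both called from do_build() and registered as its own task via `addtask setup_mounts after do_build`), so a second run stacks mounts that the single `umount` per path in do_cleanup_mounts() does not remove; a `mountpoint -q ${BUILDCHROOT_DIR}/dev ||` prefix on each mount line would make it idempotent. The same hunk is quoted again further down the thread.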
@@ -1,13 +0,0 @@ >>>>>>>> -#!/bin/sh >>>>>>>> - >>>>>>>> -set -e >>>>>>>> - >>>>>>>> -readonly ROOTFS="$1" >>>>>>>> - >>>>>>>> -mknod "${ROOTFS}/dev/random" c 1 8 >>>>>>>> -chmod 640 "${ROOTFS}/dev/random" >>>>>>>> -chown 0:0 "${ROOTFS}/dev/random" >>>>>>>> - >>>>>>>> -mknod "${ROOTFS}/dev/urandom" c 1 9 >>>>>>>> -chmod 640 "${ROOTFS}/dev/urandom" >>>>>>>> -chown 0:0 "${ROOTFS}/dev/urandom" >>>>>>> >>>>>> >>>>> >>>> >>> >> > -- With best regards, Alexander Smirnov ilbers GmbH Baierbrunner Str. 28c D-81379 Munich +49 (89) 122 67 24-0 http://ilbers.de/ Commercial register Munich, HRB 214197 General manager: Baurzhan Ismagulov ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 12:41 ` Jan Kiszka 2018-02-09 13:08 ` Alexander Smirnov @ 2018-02-09 13:14 ` Henning Schild 2018-02-09 13:19 ` Jan Kiszka 1 sibling, 1 reply; 19+ messages in thread 
From: Henning Schild @ 2018-02-09 13:14 UTC (permalink / raw) To: Jan Kiszka; +Cc: Alexander Smirnov, isar-users Am Fri, 9 Feb 2018 13:41:23 +0100 schrieb Jan Kiszka <jan.kiszka@siemens.com>: > On 2018-02-09 13:40, Henning Schild wrote: > > Am Fri, 9 Feb 2018 13:35:15 +0100 > > schrieb Jan Kiszka <jan.kiszka@siemens.com>: > > > >> On 2018-02-09 13:33, [ext] Henning Schild wrote: > >>> Hi, > >>> > >>> this patch is causing problems when building in a docker > >>> container, because sysfs can only be mounted ro. (Subject: > >>> current next bash in buildchroot problem) > >>> Now we could discuss whether we should relax the security of our > >>> containers even more, or whether Isar should care about that > >>> use-case. > >>> > >>> But this patch actually does several things at a time, it changes > >>> the way we mount and adds three new mounts. I would suggest to > >>> split it up so we can discuss the issues with dev and sys while > >>> already merging the rest. > >> > >> I think (didn't check if there was an update of next this morning) > >> it works for me - in Docker. How are you starting the container? > > > > docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN > > --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... > > > > Try adding --privileged - that's needed for binfmt anyway. Mhh i could, But. I am doing an amd64 build on an amd64 host, so i do not use binfmt. And i did build arm images with binfmt and without privileged before. So i would like to understand what has changed before dropping all defense-lines in docker ... that where ok before. Henning > Jan > > > inside my sysfs is ro, a bind-mount of sysfs is ro and a "mount -t > > sysfs ..." will be ro. Maybe i could add a "-o rw" to the mount but > > for now i just reverted the two patches that deal with mounting. > > > > Might also be a difference in our host systems. 
> > > > Henning > > > >> Jan > >> > >>> > >>> Henning > >>> > >>> Am Tue, 6 Feb 2018 22:55:16 +0300 > >>> schrieb Alexander Smirnov <asmirnov@ilbers.de>: > >>> > >>>> 8<-- > >>>> > >>>> That's it! Branch 'asmirnov/devel', please test and enjoy :-) > >>>> > >>>> 8<-- > >>>> > >>>> Now each multiconfig has registered handler for BuildCompleted > >>>> event (see class 'isar-event.bbclass'). Moreover, the > >>>> '/proc/mounts' file contains all the active mounts. In addition, > >>>> from event handler we could derive all the variables like > >>>> ${TMPDIR}, ${DISTRO} etc. So it's possible to find all the active > >>>> mounts for current multiconfig and clean them. > >>>> > >>>> NOTE: if build is interrupted by double ^C, some mount points > >>>> could stay uncleaned. This is caused by remaining processes > >>>> started by bitbake, for example: > >>>> - 'chroot build.sh ...' > >>>> - 'multistrap ...' > >>>> > >>>> So please be careful when interrupting build. > >>>> > >>>> Signed-off-by: Alexander Smirnov <asmirnov@ilbers.de> > >>>> --- > >>>> meta-isar/recipes-core/images/isar-image-base.bb | 11 > >>>> ++++------ meta/classes/dpkg-base.bbclass | > >>>> 12 ++++------- > >>>> meta/classes/isar-events.bbclass | 15 > >>>> +++++++++++--- > >>>> meta/recipes-devtools/buildchroot/buildchroot.bb | 24 > >>>> +++++++++------------- .../buildchroot/files/configscript.sh | > >>>> 4 ---- .../buildchroot/files/download_dev-random | 13 > >>>> ------------ 6 files changed, 30 insertions(+), 49 deletions(-) > >>>> delete mode 100644 > >>>> meta/recipes-devtools/buildchroot/files/download_dev-random 
> >>>> > >>>> diff --git a/meta-isar/recipes-core/images/isar-image-base.bb > >>>> b/meta-isar/recipes-core/images/isar-image-base.bb index > >>>> e359ac3..8ddbabb 100644 --- > >>>> a/meta-isar/recipes-core/images/isar-image-base.bb +++ > >>>> b/meta-isar/recipes-core/images/isar-image-base.bb @@ -55,14 > >>>> +55,10 @@ do_rootfs() { -e > >>>> 's|##ISAR_DISTRO_SUITE##|${DEBDISTRONAME}|g' \ > >>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > >>>> + # Do not use bitbake flag [dirs] here because this folder > >>>> should have > >>>> + # specific ownership. > >>>> [ ! -d ${IMAGE_ROOTFS}/proc ] && sudo install -d -o 0 -g 0 > >>>> -m 555 ${IMAGE_ROOTFS}/proc sudo mount -t proc none > >>>> ${IMAGE_ROOTFS}/proc > >>>> - _do_rootfs_cleanup() { > >>>> - ret=$? > >>>> - sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > >>>> - (exit $ret) || bb_exit_handler > >>>> - } > >>>> - trap '_do_rootfs_cleanup' EXIT > >>>> > >>>> # Create root filesystem. We must use sudo -E here to > >>>> preserve the environment # because of proxy settings > >>>> @@ -72,5 +68,6 @@ do_rootfs() { > >>>> sudo chroot ${IMAGE_ROOTFS} /${DISTRO_CONFIG_SCRIPT} > >>>> ${MACHINE_SERIAL} ${BAUDRATE_TTY} \ ${ROOTFS_DEV} > >>>> sudo rm "${IMAGE_ROOTFS}/${DISTRO_CONFIG_SCRIPT}" > >>>> - _do_rootfs_cleanup > >>>> + > >>>> + sudo umount ${IMAGE_ROOTFS}/proc 2>/dev/null || true > >>>> } > >>>> diff --git a/meta/classes/dpkg-base.bbclass > >>>> b/meta/classes/dpkg-base.bbclass index 5d5a924..a34c21f 100644 > >>>> --- a/meta/classes/dpkg-base.bbclass > >>>> +++ b/meta/classes/dpkg-base.bbclass 
> >>>> @@ -20,15 +20,11 @@ dpkg_runbuild() { > >>>> do_build() { > >>>> mkdir -p ${BUILDROOT} > >>>> sudo mount --bind ${WORKDIR} ${BUILDROOT} > >>>> - _do_build_cleanup() { > >>>> - ret=$? > >>>> - sudo umount ${BUILDROOT} 2>/dev/null || true > >>>> - sudo rmdir ${BUILDROOT} 2>/dev/null || true > >>>> - (exit $ret) || bb_exit_handler > >>>> - } > >>>> - trap '_do_build_cleanup' EXIT > >>>> + > >>>> dpkg_runbuild > >>>> - _do_build_cleanup > >>>> + > >>>> + sudo umount ${BUILDROOT} 2>/dev/null || true > >>>> + sudo rmdir ${BUILDROOT} 2>/dev/null || true > >>>> } > >>>> > >>>> # Install package to Isar-apt > >>>> diff --git a/meta/classes/isar-events.bbclass > >>>> b/meta/classes/isar-events.bbclass index 55fc106..ae0f791 100644 > >>>> --- a/meta/classes/isar-events.bbclass > >>>> +++ b/meta/classes/isar-events.bbclass > >>>> @@ -11,10 +11,19 @@ python isar_handler () { > >>>> devnull = open(os.devnull, 'w') > >>>> > >>>> if isinstance(e, bb.event.BuildCompleted): > >>>> - bchroot = d.getVar('BUILDCHROOT_DIR', True) > >>>> + tmpdir = d.getVar('TMPDIR', True) > >>>> + distro = d.getVar('DISTRO', True) > >>>> + arch = d.getVar('DISTRO_ARCH', True) > >>>> > >>>> - # Clean up buildchroot > >>>> - subprocess.call('/usr/bin/sudo /bin/umount ' + bchroot + > >>>> '/isar-apt || /bin/true', stdout=devnull, stderr=devnull, > >>>> shell=True) > >>>> + w = tmpdir + '/work/' + distro + '-' + arch > >>>> + > >>>> + # '/proc/mounts' contains all the active mounts, so > >>>> knowing 'w' we > >>>> + # could get the list of mounts for the specific > >>>> multiconfig and > >>>> + # clean them. > >>>> + with open('/proc/mounts', 'rU') as f: > >>>> + for line in f: > >>>> + if w in line: > >>>> + subprocess.call('sudo umount -f ' + > >>>> line.split()[1], stdout=devnull, stderr=devnull, shell=True) > >>>> devnull.close() > >>>> } 
> >>>> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.bb > >>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb index > >>>> 304c67e..df9df19 100644 --- > >>>> a/meta/recipes-devtools/buildchroot/buildchroot.bb +++ > >>>> b/meta/recipes-devtools/buildchroot/buildchroot.bb @@ -12,7 +12,6 > >>>> @@ FILESPATH =. > >>>> "${LAYERDIR_core}/recipes-devtools/buildchroot/files:" SRC_URI = > >>>> "file://multistrap.conf.in \ file://configscript.sh \ > >>>> file://setup.sh \ > >>>> - file://download_dev-random \ > >>>> file://build.sh" > >>>> PV = "1.0" > >>>> > >>>> @@ -32,8 +31,10 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > >>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > >>>> > >>>> do_build[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" > >>>> -do_build[dirs] = "${WORKDIR}/hooks_multistrap \ > >>>> - ${BUILDCHROOT_DIR}/isar-apt" > >>>> +do_build[dirs] = "${BUILDCHROOT_DIR}/isar-apt \ > >>>> + ${BUILDCHROOT_DIR}/dev \ > >>>> + ${BUILDCHROOT_DIR}/proc \ > >>>> + ${BUILDCHROOT_DIR}/sys" > >>>> do_build[depends] = "isar-apt:do_cache_config" > >>>> > >>>> do_build() { > >>>> @@ -41,7 +42,6 @@ do_build() { > >>>> > >>>> chmod +x "${WORKDIR}/setup.sh" > >>>> chmod +x "${WORKDIR}/configscript.sh" > >>>> - install -m 755 "${WORKDIR}/download_dev-random" > >>>> "${WORKDIR}/hooks_multistrap/" > >>>> # Multistrap accepts only relative path in configuration > >>>> files, so get it: cd ${TOPDIR} 
> >>>> @@ -60,15 +60,6 @@ do_build() { > >>>> -e > >>>> 's|##DIR_HOOKS##|./'"$WORKDIR_REL"'/hooks_multistrap|g' \ > >>>> "${WORKDIR}/multistrap.conf.in" > "${WORKDIR}/multistrap.conf" > >>>> - [ ! -d ${BUILDCHROOT_DIR}/proc ] && install -d -m 555 > >>>> ${BUILDCHROOT_DIR}/proc > >>>> - sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > >>>> - _do_build_cleanup() { > >>>> - ret=$? > >>>> - sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > >>>> - (exit $ret) || bb_exit_handler > >>>> - } > >>>> - trap '_do_build_cleanup' EXIT > >>>> - > >>>> do_setup_mounts > >>>> > >>>> # Create root filesystem > >>>> @@ -79,7 +70,6 @@ do_build() { > >>>> > >>>> # Configure root filesystem > >>>> sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > >>>> - _do_build_cleanup > >>>> > >>>> do_cleanup_mounts > >>>> } > >>>> @@ -96,10 +86,16 @@ do_setup_mounts[stamp-extra-info] = > >>>> "${DISTRO}-${DISTRO_ARCH}" > >>>> do_setup_mounts() { > >>>> sudo mount --bind ${DEPLOY_DIR_APT}/${DISTRO} > >>>> ${BUILDCHROOT_DIR}/isar-apt > >>>> + sudo mount --bind /dev ${BUILDCHROOT_DIR}/dev > >>>> + sudo mount -t proc none ${BUILDCHROOT_DIR}/proc > >>>> + sudo mount -t sysfs none ${BUILDCHROOT_DIR}/sys > >>>> } > >>>> > >>>> addtask setup_mounts after do_build > >>>> > >>>> do_cleanup_mounts() { > >>>> sudo umount ${BUILDCHROOT_DIR}/isar-apt 2>/dev/null || true > >>>> + sudo umount ${BUILDCHROOT_DIR}/dev 2>/dev/null || true > >>>> + sudo umount ${BUILDCHROOT_DIR}/proc 2>/dev/null || true > >>>> + sudo umount ${BUILDCHROOT_DIR}/sys 2>/dev/null || true > >>>> } 
> >>>> diff --git > >>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh > >>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh index > >>>> 9813c9a..524e50c 100644 --- > >>>> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ > >>>> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ > >>>> -39,10 +39,6 @@ export LC_ALL=C LANGUAGE=C LANG=C #run pre > >>>> installation script /var/lib/dpkg/info/dash.preinst install > >>>> -# apt-get http method, gpg require /dev/null > >>>> -mount -t devtmpfs -o mode=0755,nosuid devtmpfs /dev > >>>> - > >>>> #configuring packages > >>>> dpkg --configure -a > >>>> apt-get update > >>>> -umount /dev > >>>> diff --git > >>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random > >>>> b/meta/recipes-devtools/buildchroot/files/download_dev-random > >>>> deleted file mode 100644 index 5b5b96b..0000000 --- > >>>> a/meta/recipes-devtools/buildchroot/files/download_dev-random > >>>> +++ /dev/null @@ -1,13 +0,0 @@ > >>>> -#!/bin/sh > >>>> - > >>>> -set -e > >>>> - > >>>> -readonly ROOTFS="$1" > >>>> - > >>>> -mknod "${ROOTFS}/dev/random" c 1 8 > >>>> -chmod 640 "${ROOTFS}/dev/random" > >>>> -chown 0:0 "${ROOTFS}/dev/random" > >>>> - > >>>> -mknod "${ROOTFS}/dev/urandom" c 1 9 > >>>> -chmod 640 "${ROOTFS}/dev/urandom" > >>>> -chown 0:0 "${ROOTFS}/dev/urandom" > >>> > >> > > > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 13:14 ` Henning Schild @ 2018-02-09 13:19 ` Jan Kiszka 2018-02-09 13:29 ` Henning Schild 0 siblings, 1 reply; 19+ messages in thread From: Jan Kiszka @ 2018-02-09 13:19 UTC (permalink / raw) To: Henning Schild; +Cc: Alexander Smirnov, isar-users On 2018-02-09 14:14, Henning Schild wrote: > Am Fri, 9 Feb 2018 13:41:23 +0100 > schrieb Jan Kiszka <jan.kiszka@siemens.com>: > >> On 2018-02-09 13:40, Henning Schild wrote: >>> Am Fri, 9 Feb 2018 13:35:15 +0100 >>> schrieb Jan Kiszka <jan.kiszka@siemens.com>: >>> >>>> On 2018-02-09 13:33, [ext] Henning Schild wrote: >>>>> Hi, >>>>> >>>>> this patch is causing problems when building in a docker >>>>> container, because sysfs can only be mounted ro. (Subject: >>>>> current next bash in buildchroot problem) >>>>> Now we could discuss whether we should relax the security of our >>>>> containers even more, or whether Isar should care about that >>>>> use-case. >>>>> >>>>> But this patch actually does several things at a time, it changes >>>>> the way we mount and adds three new mounts. I would suggest to >>>>> split it up so we can discuss the issues with dev and sys while >>>>> already merging the rest. >>>> >>>> I think (didn't check if there was an update of next this morning) >>>> it works for me - in Docker. How are you starting the container? >>> >>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN >>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ... >>> >> >> Try adding --privileged - that's needed for binfmt anyway. > > Mhh i could, But. I am doing an amd64 build on an amd64 host, so i do > not use binfmt. And i did build arm images with binfmt and without > privileged before. That was working by chance, because you had the right settings already applied on the host system (binfmt is not container-ready, is not working per-namespace). 
> So i would like to understand what has changed before dropping all > defense-lines in docker ... that where ok before. The answer to isolation remains "use a VM" for now (can also be "use the container inside a VM"). Docker itself is not a sufficient isolation technology for us at this point. Jan ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] isar: Clean mount point on bitbake exit 2018-02-09 13:19 ` Jan Kiszka @ 2018-02-09 13:29 ` Henning Schild 0 siblings, 0 replies; 19+ messages in thread From: Henning Schild @ 2018-02-09 13:29 UTC (permalink / raw) To: Jan Kiszka; +Cc: Alexander Smirnov, isar-users Am Fri, 9 Feb 2018 14:19:26 +0100 schrieb Jan Kiszka <jan.kiszka@siemens.com>: > On 2018-02-09 14:14, Henning Schild wrote: > > Am Fri, 9 Feb 2018 13:41:23 +0100 > > schrieb Jan Kiszka <jan.kiszka@siemens.com>: > > > >> On 2018-02-09 13:40, Henning Schild wrote: > >>> Am Fri, 9 Feb 2018 13:35:15 +0100 > >>> schrieb Jan Kiszka <jan.kiszka@siemens.com>: > >>> > >>>> On 2018-02-09 13:33, [ext] Henning Schild wrote: > >>>>> Hi, > >>>>> > >>>>> this patch is causing problems when building in a docker > >>>>> container, because sysfs can only be mounted ro. (Subject: > >>>>> current next bash in buildchroot problem) > >>>>> Now we could discuss whether we should relax the security of our > >>>>> containers even more, or whether Isar should care about that > >>>>> use-case. > >>>>> > >>>>> But this patch actually does several things at a time, it > >>>>> changes the way we mount and adds three new mounts. I would > >>>>> suggest to split it up so we can discuss the issues with dev > >>>>> and sys while already merging the rest. > >>>> > >>>> I think (didn't check if there was an update of next this > >>>> morning) it works for me - in Docker. How are you starting the > >>>> container? > >>> > >>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN > >>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy > >>> stuff ... > >> > >> Try adding --privileged - that's needed for binfmt anyway. > > > > Mhh i could, But. I am doing an amd64 build on an amd64 host, so i > > do not use binfmt. And i did build arm images with binfmt and > > without privileged before. 
> > That was working by chance, because you had the right settings already > applied on the host system (binfmt is not container-ready, is not > working per-namespace). Ok, but if i did not care about arm i would be ok without privileged ... whatever that means in detail. > > So i would like to understand what has changed before dropping all > > defense-lines in docker ... that where ok before. > > The answer to isolation remains "us a VM" for now (can also be "use > the container insider a VM"). Docker itself is no sufficient isolation > technology for us at this point. True from a theoretical point of view, in practice we all use that on our productive machines directly. I do not care about the 101st sudo in that container, as long as i do not have to disable all security around that. I have already lost the "hostname" of my laptop a few times, i do not want to see that happen to the rootfs ... Henning > Jan ^ permalink raw reply [flat|nested] 19+ messages in thread