public inbox for isar-users@googlegroups.com
* [PATCH] buildchroot: build debian packages as "builder" not "root"
@ 2018-10-26 10:49 Henning Schild
  2018-10-29 10:54 ` Baurzhan Ismagulov
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Henning Schild @ 2018-10-26 10:49 UTC (permalink / raw)
  To: isar-users; +Cc: Henning Schild

We used to build packages as "root" and now do that as a regular user.
Not building as "root" allows us to find mistakes in debian/rules where
privileged operations are used while they should not (a sudo was
found in a rules-file). Further some build steps might actually expect
to not run as root (seen in openssl test suite).

Not building as root should increase overall quality and brings us
closer to how debian packages are built by others.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta/recipes-devtools/buildchroot/buildchroot-target.bb | 3 ++-
 meta/recipes-devtools/buildchroot/files/build.sh        | 6 ++++--
 meta/recipes-devtools/buildchroot/files/configscript.sh | 4 ++++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-devtools/buildchroot/buildchroot-target.bb b/meta/recipes-devtools/buildchroot/buildchroot-target.bb
index 42f47fc..c342625 100644
--- a/meta/recipes-devtools/buildchroot/buildchroot-target.bb
+++ b/meta/recipes-devtools/buildchroot/buildchroot-target.bb
@@ -18,6 +18,7 @@ BUILDCHROOT_PREINSTALL ?= "gcc \
                            apt \
                            automake \
                            devscripts \
-                           equivs"
+                           equivs \
+                           adduser"
 
 do_build[depends] = "isar-apt:do_cache_config isar-bootstrap-target:do_bootstrap"
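Review bot: adduser is added to BUILDCHROOT_PREINSTALL only for the single addgroup call in configscript.sh, while the account itself is created there with useradd from the passwd package. Calling groupadd --system builder instead would keep both calls in one tool family and make this new dependency unnecessary; if adduser stays, a short comment here naming what needs it would help.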
diff --git a/meta/recipes-devtools/buildchroot/files/build.sh b/meta/recipes-devtools/buildchroot/files/build.sh
index e74bc14..d98eb2e 100644
--- a/meta/recipes-devtools/buildchroot/files/build.sh
+++ b/meta/recipes-devtools/buildchroot/files/build.sh
@@ -14,5 +14,7 @@ for i in configure aclocal.m4 Makefile.am Makefile.in; do
     fi
 done
 
-# Build the package
-dpkg-buildpackage -a$target_arch -d --source-option=-I
+# Build the package as user "builder"
+chown -R builder:builder $1 # the sources
+chown builder:builder $1/.. # the output
+su - builder -c "cd $1; dpkg-buildpackage -a$target_arch -d --source-option=-I"
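Review bot: in the su line, cd $1; dpkg-buildpackage ... joins the two commands with ";", so if the cd fails the build still starts, in builder's home directory because "su -" opens a login shell. Use cd "$1" && dpkg-buildpackage ... instead, and quote $1 in the two chown lines as well: unquoted it is word-split, and inside the -c string it is parsed again by a second shell. The recursive chown also rewrites the ownership of the whole source tree on every build, which deserves a comment stating that nothing outside this chroot relies on the previous owner.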
diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh
index d591c2a..30660e7 100644
--- a/meta/recipes-devtools/buildchroot/files/configscript.sh
+++ b/meta/recipes-devtools/buildchroot/files/configscript.sh
@@ -9,3 +9,7 @@ debconf-set-selections <<END
 locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8
 locales locales/default_environment_locale select en_US.UTF-8
 END
+
+addgroup --quiet --system builder
+useradd --system --gid builder --no-create-home --home /home/builder --no-user-group --comment "Isar buildchroot build user" builder
+chown -R builder:builder /home/builder
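Review bot: useradd --system is called without --uid and addgroup --system without --gid, so builder's numeric IDs are whatever happens to be free when configscript.sh runs. build.sh chowns the source and output directories to this account, so if those directories are also accessed from outside this chroot the numbers will resolve to a different or unknown account there; pin both IDs explicitly. Separately, --no-create-home followed by chown -R builder:builder /home/builder relies on /home/builder already existing, which needs a comment or a mkdir -p before it.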
-- 
2.19.1



* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-10-26 10:49 [PATCH] buildchroot: build debian packages as "builder" not "root" Henning Schild
@ 2018-10-29 10:54 ` Baurzhan Ismagulov
  2018-10-29 11:27   ` Henning Schild
  2018-11-01 13:27 ` Maxim Yu. Osipov
  2018-11-08 13:32 ` Jan Kiszka
  2 siblings, 1 reply; 12+ messages in thread
From: Baurzhan Ismagulov @ 2018-10-29 10:54 UTC (permalink / raw)
  To: isar-users

On Fri, Oct 26, 2018 at 12:49:14PM +0200, Henning Schild wrote:
> We used to build packages as "root" and now do that as a regular user.
> Not building as "root" allows us to find mistakes in debian/rules where
> privileged operations are used while they should not (a sudo was
> found in a rules-file). Further some build steps might actually expect
> to not run as root (seen in openssl test suite).
> 
> Not building as root should increase overall quality and brings us
> closer to how debian packages are built by others.

Thanks, a good step.


> +su - builder -c "cd $1; dpkg-buildpackage -a$target_arch -d --source-option=-I"

I suggest adding -rfakeroot to satisfy the cases below.

https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners
https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-rules-requires-root


With kind regards,
Baurzhan.


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-10-29 10:54 ` Baurzhan Ismagulov
@ 2018-10-29 11:27   ` Henning Schild
  2018-10-29 11:44     ` Baurzhan Ismagulov
  0 siblings, 1 reply; 12+ messages in thread
From: Henning Schild @ 2018-10-29 11:27 UTC (permalink / raw)
  To: Baurzhan Ismagulov; +Cc: isar-users

Am Mon, 29 Oct 2018 11:54:02 +0100
schrieb Baurzhan Ismagulov <ibr@radix50.net>:

> On Fri, Oct 26, 2018 at 12:49:14PM +0200, Henning Schild wrote:
> > We used to build packages as "root" and now do that as a regular
> > user. Not building as "root" allows us to find mistakes in
> > debian/rules where privileged operations are used while they should
> > not (a sudo was found in a rules-file). Further some build steps
> > might actually expect to not run as root (seen in openssl test
> > suite).
> > 
> > Not building as root should increase overall quality and brings us
> > closer to how debian packages are built by others.
> 
> Thanks, a good step.
> 
> 
> > +su - builder -c "cd $1; dpkg-buildpackage -a$target_arch -d
> > --source-option=-I"  
> 
> I suggest adding -rfakeroot to satisfy the cases below.

"-rfakeroot" is the default and can be omitted ... it is already in
there. Unless the defaults are different in the various versions we
support.

Henning

> https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners
> https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-rules-requires-root
> 
> 
> With kind regards,
> Baurzhan.
> 



* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-10-29 11:27   ` Henning Schild
@ 2018-10-29 11:44     ` Baurzhan Ismagulov
  0 siblings, 0 replies; 12+ messages in thread
From: Baurzhan Ismagulov @ 2018-10-29 11:44 UTC (permalink / raw)
  To: isar-users

On Mon, Oct 29, 2018 at 12:27:39PM +0100, Henning Schild wrote:
> "-rfakeroot" is the default and can be omitted ... it is already in
> there. Unless the defaults are different in the various versions we
> support.

Thanks for the hint. Turns out it's there since at least Wheezy, so no action
required.

With kind regards,
Baurzhan.


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-10-26 10:49 [PATCH] buildchroot: build debian packages as "builder" not "root" Henning Schild
  2018-10-29 10:54 ` Baurzhan Ismagulov
@ 2018-11-01 13:27 ` Maxim Yu. Osipov
  2018-11-08 13:32 ` Jan Kiszka
  2 siblings, 0 replies; 12+ messages in thread
From: Maxim Yu. Osipov @ 2018-11-01 13:27 UTC (permalink / raw)
  To: Henning Schild, isar-users

On 10/26/18 1:49 PM, Henning Schild wrote:
> We used to build packages as "root" and now do that as a regular user.
> Not building as "root" allows us to find mistakes in debian/rules where
> privileged operations are used while they should not (a sudo was
> found in a rules-file). Further some build steps might actually expect
> to not run as root (seen in openssl test suite).
> 
> Not building as root should increase overall quality and brings us
> closer to how debian packages are built by others.

Applied to the 'next',

Thanks,
Maxim.

> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>   meta/recipes-devtools/buildchroot/buildchroot-target.bb | 3 ++-
>   meta/recipes-devtools/buildchroot/files/build.sh        | 6 ++++--
>   meta/recipes-devtools/buildchroot/files/configscript.sh | 4 ++++
>   3 files changed, 10 insertions(+), 3 deletions(-)
> 
> diff --git a/meta/recipes-devtools/buildchroot/buildchroot-target.bb b/meta/recipes-devtools/buildchroot/buildchroot-target.bb
> index 42f47fc..c342625 100644
> --- a/meta/recipes-devtools/buildchroot/buildchroot-target.bb
> +++ b/meta/recipes-devtools/buildchroot/buildchroot-target.bb
> @@ -18,6 +18,7 @@ BUILDCHROOT_PREINSTALL ?= "gcc \
>                              apt \
>                              automake \
>                              devscripts \
> -                           equivs"
> +                           equivs \
> +                           adduser"
>   
>   do_build[depends] = "isar-apt:do_cache_config isar-bootstrap-target:do_bootstrap"
> diff --git a/meta/recipes-devtools/buildchroot/files/build.sh b/meta/recipes-devtools/buildchroot/files/build.sh
> index e74bc14..d98eb2e 100644
> --- a/meta/recipes-devtools/buildchroot/files/build.sh
> +++ b/meta/recipes-devtools/buildchroot/files/build.sh
> @@ -14,5 +14,7 @@ for i in configure aclocal.m4 Makefile.am Makefile.in; do
>       fi
>   done
>   
> -# Build the package
> -dpkg-buildpackage -a$target_arch -d --source-option=-I
> +# Build the package as user "builder"
> +chown -R builder:builder $1 # the sources
> +chown builder:builder $1/.. # the output
> +su - builder -c "cd $1; dpkg-buildpackage -a$target_arch -d --source-option=-I"
> diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh
> index d591c2a..30660e7 100644
> --- a/meta/recipes-devtools/buildchroot/files/configscript.sh
> +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh
> @@ -9,3 +9,7 @@ debconf-set-selections <<END
>   locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8
>   locales locales/default_environment_locale select en_US.UTF-8
>   END
> +
> +addgroup --quiet --system builder
> +useradd --system --gid builder --no-create-home --home /home/builder --no-user-group --comment "Isar buildchroot build user" builder
> +chown -R builder:builder /home/builder
> 


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-10-26 10:49 [PATCH] buildchroot: build debian packages as "builder" not "root" Henning Schild
  2018-10-29 10:54 ` Baurzhan Ismagulov
  2018-11-01 13:27 ` Maxim Yu. Osipov
@ 2018-11-08 13:32 ` Jan Kiszka
  2018-11-08 14:54   ` Henning Schild
  2 siblings, 1 reply; 12+ messages in thread
From: Jan Kiszka @ 2018-11-08 13:32 UTC (permalink / raw)
  To: [ext] Henning Schild, isar-users

On 26.10.18 12:49, [ext] Henning Schild wrote:
> We used to build packages as "root" and now do that as a regular user.
> Not building as "root" allows us to find mistakes in debian/rules where
> privileged operations are used while they should not (a sudo was
> found in a rules-file). Further some build steps might actually expect
> to not run as root (seen in openssl test suite).
> 
> Not building as root should increase overall quality and brings us
> closer to how debian packages are built by others.

I strongly suspect this is the cause for more and more rebuild errors of this kind:

| make[1]: Leaving directory '/home/builder/u-boot/u-boot-v2018.09'
|    dh_clean -O--parallel
|  dpkg-source -I -b u-boot-v2018.09
| dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
| dpkg-source: warning: source directory 'u-boot-v2018.09' is not <sourcepackage>-<upstreamversion> 'u-boot-2018.09'
| dpkg-source: info: using source format '1.0'
| dpkg-source: info: building u-boot in u-boot_2018.09.tar.gz
| dpkg-source: error: cannot write u-boot_2018.09.dsc: Permission denied
| dpkg-source: info: building u-boot in u-boot_2018.09.dsc
| dpkg-buildpackage: error: dpkg-source -I -b u-boot-v2018.09 gave error exit status 13
| WARNING: exit code 13 from a shell command.
| ERROR: Function failed: do_build (log file is located at /work/build/tmp/work/long-life-ebsy-armhf/u-boot-2018.09-r0/temp/log.do_build.15761)

Are we missing some cleandirs in dpkg[-base].class?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-11-08 13:32 ` Jan Kiszka
@ 2018-11-08 14:54   ` Henning Schild
  2018-11-09  9:14     ` Jan Kiszka
  0 siblings, 1 reply; 12+ messages in thread
From: Henning Schild @ 2018-11-08 14:54 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: isar-users

Am Thu, 8 Nov 2018 14:32:42 +0100
schrieb Jan Kiszka <jan.kiszka@siemens.com>:

> On 26.10.18 12:49, [ext] Henning Schild wrote:
> > We used to build packages as "root" and now do that as a regular
> > user. Not building as "root" allows us to find mistakes in
> > debian/rules where privileged operations are used while they should
> > not (a sudo was found in a rules-file). Further some build steps
> > might actually expect to not run as root (seen in openssl test
> > suite).
> > 
> > Not building as root should increase overall quality and brings us
> > closer to how debian packages are built by others.
> 
> I strongly suspect this is the cause for more and more rebuild errors
> of this kind:
> 
> | make[1]: Leaving directory '/home/builder/u-boot/u-boot-v2018.09'
> |    dh_clean -O--parallel
> |  dpkg-source -I -b u-boot-v2018.09
> | dpkg-source: warning: no source format specified in
> debian/source/format, see dpkg-source(1) | dpkg-source: warning:
> source directory 'u-boot-v2018.09' is not
> <sourcepackage>-<upstreamversion> 'u-boot-2018.09' | dpkg-source:
> info: using source format '1.0' | dpkg-source: info: building u-boot
> in u-boot_2018.09.tar.gz | dpkg-source: error: cannot write
> u-boot_2018.09.dsc: Permission denied | dpkg-source: info: building
> u-boot in u-boot_2018.09.dsc | dpkg-buildpackage: error: dpkg-source
> -I -b u-boot-v2018.09 gave error exit status 13 | WARNING: exit code
> 13 from a shell command. | ERROR: Function failed: do_build (log file
> is located
> at /work/build/tmp/work/long-life-ebsy-armhf/u-boot-2018.09-r0/temp/log.do_build.15761)
> 
> Are we missing some cleandirs in dpkg[-base].class?

Does the file exist and can not be written by builder, or does it not
exist and the dir must not receive new files? I am guessing the former
but have no clue why.
Maybe you can tell me how to reproduce this.

Henning

> Jan
> 



* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-11-08 14:54   ` Henning Schild
@ 2018-11-09  9:14     ` Jan Kiszka
  2018-11-09  9:34       ` Henning Schild
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Kiszka @ 2018-11-09  9:14 UTC (permalink / raw)
  To: Henning Schild, Maksim Osipov; +Cc: isar-users

On 08.11.18 15:54, Henning Schild wrote:
> Am Thu, 8 Nov 2018 14:32:42 +0100
> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> 
>> On 26.10.18 12:49, [ext] Henning Schild wrote:
>>> We used to build packages as "root" and now do that as a regular
>>> user. Not building as "root" allows us to find mistakes in
>>> debian/rules where privileged operations are used while they should
>>> not (a sudo was found in a rules-file). Further some build steps
>>> might actually expect to not run as root (seen in openssl test
>>> suite).
>>>
>>> Not building as root should increase overall quality and brings us
>>> closer to how debian packages are built by others.
>>
>> I strongly suspect this is the cause for more and more rebuild errors
>> of this kind:
>>
>> | make[1]: Leaving directory '/home/builder/u-boot/u-boot-v2018.09'
>> |    dh_clean -O--parallel
>> |  dpkg-source -I -b u-boot-v2018.09
>> | dpkg-source: warning: no source format specified in
>> debian/source/format, see dpkg-source(1) | dpkg-source: warning:
>> source directory 'u-boot-v2018.09' is not
>> <sourcepackage>-<upstreamversion> 'u-boot-2018.09' | dpkg-source:
>> info: using source format '1.0' | dpkg-source: info: building u-boot
>> in u-boot_2018.09.tar.gz | dpkg-source: error: cannot write
>> u-boot_2018.09.dsc: Permission denied | dpkg-source: info: building
>> u-boot in u-boot_2018.09.dsc | dpkg-buildpackage: error: dpkg-source
>> -I -b u-boot-v2018.09 gave error exit status 13 | WARNING: exit code
>> 13 from a shell command. | ERROR: Function failed: do_build (log file
>> is located
>> at /work/build/tmp/work/long-life-ebsy-armhf/u-boot-2018.09-r0/temp/log.do_build.15761)
>>
>> Are we missing some cleandirs in dpkg[-base].class?
> 
> Does the file exist and can not be written by builder, or does it not
> exist and the dir must not receive new files? I am guessing the former
> but have no clue why.
> Maybe you can tell me how to reproduce this.

The breakage comes from the UID and GID of builder inside the chroot. They are 
not in sync with the IDs used on the host side, so we can end up chown'ing to 
unknown user:group from host perspective.

Either ensure that the IDs are synchronized or revert this commit for now.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
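
The mismatch described in the message above can be checked by comparing the passwd database of the host with the one inside the chroot. This is an added example, not part of the thread or of Isar; the function names, file names and sample accounts (including `hostsvc` and all numeric IDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare an account's numeric IDs as
# seen by the host and by a chroot, reading both passwd files directly.

# lookup_ids PASSWD_FILE NAME -> prints "uid:gid" of NAME, or nothing.
lookup_ids() {
    awk -F: -v n="$2" '$1 == n { print $3 ":" $4; exit }' "$1"
}

# lookup_name PASSWD_FILE UID -> prints the account that owns UID, or nothing.
lookup_name() {
    awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"
}

# check_id_sync HOST_PASSWD CHROOT_PASSWD NAME
# Prints one verdict line; returns 0 only when both sides agree on uid:gid.
check_id_sync() {
    chroot_ids=$(lookup_ids "$2" "$3")
    if [ -z "$chroot_ids" ]; then
        echo "missing-in-chroot $3"
        return 1
    fi
    host_ids=$(lookup_ids "$1" "$3")
    if [ "$host_ids" = "$chroot_ids" ]; then
        echo "in-sync $3 $chroot_ids"
        return 0
    fi
    # Files chown'ed to NAME inside the chroot carry only the number; report
    # which account, if any, the host resolves that number to.
    host_owner=$(lookup_name "$1" "${chroot_ids%%:*}")
    echo "mismatch $3 chroot=$chroot_ids host=${host_ids:-none} host-owner-of-uid=${host_owner:-unknown}"
    return 1
}

# write_sample_passwd DIR: constructed sample data, not from a real system.
write_sample_passwd() {
    cat > "$1/host.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hostsvc:x:999:999:Constructed host service:/nonexistent:/usr/sbin/nologin
dev:x:1000:1000:Constructed developer:/home/dev:/bin/bash
EOF
    cat > "$1/chroot.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
builder:x:999:110:Isar buildchroot build user:/home/builder:/bin/sh
EOF
}

# Demo: on a real setup pass /etc/passwd and <chroot>/etc/passwd instead.
demo_dir=$(mktemp -d)
write_sample_passwd "$demo_dir"
for account in root builder; do
    check_id_sync "$demo_dir/host.passwd" "$demo_dir/chroot.passwd" "$account" || true
done
rm -rf "$demo_dir"
```

With the constructed data, `builder` exists only in the chroot and its uid resolves to a different account on the host, which is the situation in which files chowned inside the chroot show an unexpected owner outside it.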


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-11-09  9:14     ` Jan Kiszka
@ 2018-11-09  9:34       ` Henning Schild
  2018-11-09  9:37         ` Jan Kiszka
  0 siblings, 1 reply; 12+ messages in thread
From: Henning Schild @ 2018-11-09  9:34 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: Maksim Osipov, isar-users

Am Fri, 9 Nov 2018 10:14:51 +0100
schrieb Jan Kiszka <jan.kiszka@siemens.com>:

> On 08.11.18 15:54, Henning Schild wrote:
> > Am Thu, 8 Nov 2018 14:32:42 +0100
> > schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> >   
> >> On 26.10.18 12:49, [ext] Henning Schild wrote:  
> >>> We used to build packages as "root" and now do that as a regular
> >>> user. Not building as "root" allows us to find mistakes in
> >>> debian/rules where privileged operations are used while they
> >>> should not (a sudo was found in a rules-file). Further some build
> >>> steps might actually expect to not run as root (seen in openssl
> >>> test suite).
> >>>
> >>> Not building as root should increase overall quality and brings us
> >>> closer to how debian packages are built by others.
> >>
> >> I strongly suspect this is the cause for more and more rebuild
> >> errors of this kind:
> >>
> >> | make[1]: Leaving directory '/home/builder/u-boot/u-boot-v2018.09'
> >> |    dh_clean -O--parallel
> >> |  dpkg-source -I -b u-boot-v2018.09
> >> | dpkg-source: warning: no source format specified in
> >> debian/source/format, see dpkg-source(1) | dpkg-source: warning:
> >> source directory 'u-boot-v2018.09' is not
> >> <sourcepackage>-<upstreamversion> 'u-boot-2018.09' | dpkg-source:
> >> info: using source format '1.0' | dpkg-source: info: building
> >> u-boot in u-boot_2018.09.tar.gz | dpkg-source: error: cannot write
> >> u-boot_2018.09.dsc: Permission denied | dpkg-source: info: building
> >> u-boot in u-boot_2018.09.dsc | dpkg-buildpackage: error:
> >> dpkg-source -I -b u-boot-v2018.09 gave error exit status 13 |
> >> WARNING: exit code 13 from a shell command. | ERROR: Function
> >> failed: do_build (log file is located
> >> at /work/build/tmp/work/long-life-ebsy-armhf/u-boot-2018.09-r0/temp/log.do_build.15761)
> >>
> >> Are we missing some cleandirs in dpkg[-base].class?  
> > 
> > Does the file exist and can not be written by builder, or does it
> > not exist and the dir must not receive new files? I am guessing the
> > former but have no clue why.
> > Maybe you can tell me how to reproduce this.
> 
> The breakage comes from the UID and GID of builder inside the chroot.
> They are not in sync with the IDs used on the host side, so we can
> end up chown'ing to unknown user:group from host perspective.

I am not sure I get that. Before it was "root:root" so whatever the
host (the thing where isar runs?) is doing must have been privileged
and should be able to deal with any uids.

The user and group names are only used within the buildchroot(s).

What I see is a dpkg-source ... so my guess is we are talking about
cross compile and the two chroots are not in sync ... id-wise. Will the
WORKDIR be mounted first in one chroot and later in another?

> Either ensure that the IDs are synchronized or revert this commit for
> now.

I will send a patch once I have understood the problem. Still do not
know how to reproduce ...

Henning

> Jan
> 



* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-11-09  9:34       ` Henning Schild
@ 2018-11-09  9:37         ` Jan Kiszka
  2018-11-09 11:16           ` Jan Kiszka
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Kiszka @ 2018-11-09  9:37 UTC (permalink / raw)
  To: Henning Schild; +Cc: Maksim Osipov, isar-users

On 09.11.18 10:34, Henning Schild wrote:
> Am Fri, 9 Nov 2018 10:14:51 +0100
> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> 
>> On 08.11.18 15:54, Henning Schild wrote:
>>> Am Thu, 8 Nov 2018 14:32:42 +0100
>>> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
>>>    
>>>> On 26.10.18 12:49, [ext] Henning Schild wrote:
>>>>> We used to build packages as "root" and now do that as a regular
>>>>> user. Not building as "root" allows us to find mistakes in
>>>>> debian/rules where privileged operations are used while they
>>>>> should not (a sudo was found in a rules-file). Further some build
>>>>> steps might actually expect to not run as root (seen in openssl
>>>>> test suite).
>>>>>
>>>>> Not building as root should increase overall quality and brings us
>>>>> closer to how debian packages are built by others.
>>>>
>>>> I strongly suspect this is the cause for more and more rebuild
>>>> errors of this kind:
>>>>
>>>> | make[1]: Leaving directory '/home/builder/u-boot/u-boot-v2018.09'
>>>> |    dh_clean -O--parallel
>>>> |  dpkg-source -I -b u-boot-v2018.09
>>>> | dpkg-source: warning: no source format specified in
>>>> debian/source/format, see dpkg-source(1) | dpkg-source: warning:
>>>> source directory 'u-boot-v2018.09' is not
>>>> <sourcepackage>-<upstreamversion> 'u-boot-2018.09' | dpkg-source:
>>>> info: using source format '1.0' | dpkg-source: info: building
>>>> u-boot in u-boot_2018.09.tar.gz | dpkg-source: error: cannot write
>>>> u-boot_2018.09.dsc: Permission denied | dpkg-source: info: building
>>>> u-boot in u-boot_2018.09.dsc | dpkg-buildpackage: error:
>>>> dpkg-source -I -b u-boot-v2018.09 gave error exit status 13 |
>>>> WARNING: exit code 13 from a shell command. | ERROR: Function
>>>> failed: do_build (log file is located
>>>> at /work/build/tmp/work/long-life-ebsy-armhf/u-boot-2018.09-r0/temp/log.do_build.15761)
>>>>
>>>> Are we missing some cleandirs in dpkg[-base].class?
>>>
>>> Does the file exist and can not be written by builder, or does it
>>> not exist and the dir must not receive new files? I am guessing the
>>> former but have no clue why.
>>> Maybe you can tell me how to reproduce this.
>>
>> The breakage comes from the UID and GID of builder inside the chroot.
>> They are not in sync with the IDs used on the host side, so we can
>> end up chown'ing to unknown user:group from host perspective.
> 
> I am not sure I get that. Before it was "root:root" so whatever the
> host (the thing where isar runs?) is doing must have been privileged
> and should be able to deal with any uids.

As the build was run as root, it didn't matter if IDs matched - they were 
overruled. Now they mismatch and there is no power to paper over that anymore.

> 
> The user and group names are only used within the buildchroot(s).

Nope, there are also steps run outside of the chroot, in recipes.

> 
> What I see is a dpkg-source ... so my guess is we are talking about
> cross compile and the two chroots are not in sync ... id-wise. Will the
> WORKDIR be mounted first in one chroot and later in another?
> 
>> Either ensure that the IDs are synchronized or revert this commit for
>> now.
> 
> I will send a patch once I have understood the problem. Still do not
> know how to reproduce ...

Cross-build (didn't test native, but I bet it will be similar) de0-nano-soc,
e.g. Change some dpkg-based recipe to retrigger a build, and you will get it. In my
case, it was u-boot.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-11-09  9:37         ` Jan Kiszka
@ 2018-11-09 11:16           ` Jan Kiszka
  2018-11-09 15:49             ` Baurzhan Ismagulov
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Kiszka @ 2018-11-09 11:16 UTC (permalink / raw)
  To: Henning Schild; +Cc: Maksim Osipov, isar-users

On 09.11.18 10:37, Jan Kiszka wrote:
> On 09.11.18 10:34, Henning Schild wrote:
>> Am Fri, 9 Nov 2018 10:14:51 +0100
>> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
>>
>>> On 08.11.18 15:54, Henning Schild wrote:
>>>> Am Thu, 8 Nov 2018 14:32:42 +0100
>>>> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
>>>>> On 26.10.18 12:49, [ext] Henning Schild wrote:
>>>>>> We used to build packages as "root" and now do that as a regular
>>>>>> user. Not building as "root" allows us to find mistakes in
>>>>>> debian/rules where privileged operations are used while they
>>>>>> should not (a sudo was found in a rules-file). Further some build
>>>>>> steps might actually expect to not run as root (seen in openssl
>>>>>> test suite).
>>>>>>
>>>>>> Not building as root should increase overall quality and brings us
>>>>>> closer to how debian packages are built by others.
>>>>>
>>>>> I strongly suspect this is the cause for more and more rebuild
>>>>> errors of this kind:
>>>>>
>>>>> | make[1]: Leaving directory '/home/builder/u-boot/u-boot-v2018.09'
>>>>> |    dh_clean -O--parallel
>>>>> |  dpkg-source -I -b u-boot-v2018.09
>>>>> | dpkg-source: warning: no source format specified in
>>>>> debian/source/format, see dpkg-source(1) | dpkg-source: warning:
>>>>> source directory 'u-boot-v2018.09' is not
>>>>> <sourcepackage>-<upstreamversion> 'u-boot-2018.09' | dpkg-source:
>>>>> info: using source format '1.0' | dpkg-source: info: building
>>>>> u-boot in u-boot_2018.09.tar.gz | dpkg-source: error: cannot write
>>>>> u-boot_2018.09.dsc: Permission denied | dpkg-source: info: building
>>>>> u-boot in u-boot_2018.09.dsc | dpkg-buildpackage: error:
>>>>> dpkg-source -I -b u-boot-v2018.09 gave error exit status 13 |
>>>>> WARNING: exit code 13 from a shell command. | ERROR: Function
>>>>> failed: do_build (log file is located
>>>>> at 
>>>>> /work/build/tmp/work/long-life-ebsy-armhf/u-boot-2018.09-r0/temp/log.do_build.15761) 
>>>>>
>>>>>
>>>>> Are we missing some cleandirs in dpkg[-base].class?
>>>>
>>>> Does the file exist and can not be written by builder, or does it
>>>> not exist and the dir must not receive new files? I am guessing the
>>>> former but have no clue why.
>>>> Maybe you can tell me how to reproduce this.
>>>
>>> The breakage comes from the UID and GID of builder inside the chroot.
>>> They are not in sync with the IDs used on the host side, so we can
>>> end up chown'ing to unknown user:group from host perspective.
>>
>> I am not sure I get that. Before it was "root:root" so whatever the
>> host (the thing where isar runs?) is doing must have been privileged
>> and should be able to deal with any uids.
> 
> As the build was run as root, it didn't matter if IDs matched - they were 
> overruled. Now they mismatch and there is no power to paper over that anymore.
> 
>>
>> The user and group names are only used within the buildchroot(s).
> 
> Nope, there are also steps run outside of the chroot, in recipes.
> 
>>
>> What I see is a dpkg-source ... so my guess is we are talking about
>> cross compile and the two chroots are not in sync ... id-wise. Will the
>> WORKDIR be mounted first in one chroot and later in another?
>>
>>> Either ensure that the IDs are synchronized or revert this commit for
>>> now.
>>
>> I will send a patch once I have understood the problem. Still do not
>> know how to reproduce ...
> 
> Cross-build (didn't test native, but I bet it will be similar) de0-nano-soc, 
> e.g. Change some dpkg-based recipe to retrigger a build, and you will get it. In my
> case, it was u-boot.
> 

I just had to revert this commit: It started to block me as a build recipe under 
development got EPERM even during a clean build.

We must fix the ID mess. Do you have anything in that direction already?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


* Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
  2018-11-09 11:16           ` Jan Kiszka
@ 2018-11-09 15:49             ` Baurzhan Ismagulov
  0 siblings, 0 replies; 12+ messages in thread
From: Baurzhan Ismagulov @ 2018-11-09 15:49 UTC (permalink / raw)
  To: isar-users

On Fri, Nov 09, 2018 at 12:16:54PM +0100, Jan Kiszka wrote:
> I just had to revert this commit: It started to block me as a build recipe
> under development got EPERM even during a clean build.
> 
> We must fix the ID mess.

Yes, definitely. I'd rather move forward than backwards.

With kind regards,
Baurzhan.
