public inbox for isar-users@googlegroups.com
From: Alexander Smirnov <asmirnov@ilbers.de>
To: Jan Kiszka <jan.kiszka@siemens.com>,
	Henning Schild <henning.schild@siemens.com>
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH] isar: Clean mount point on bitbake exit
Date: Fri, 9 Feb 2018 16:39:27 +0300
Message-ID: <3bfe49c7-29a4-42b9-eb79-627e6d49f82d@ilbers.de>
In-Reply-To: <506165af-cf5d-d707-fb65-41128cf6c889@siemens.com>



On 02/09/2018 04:14 PM, Jan Kiszka wrote:
> On 2018-02-09 14:08, Alexander Smirnov wrote:
>> On 02/09/2018 03:41 PM, Jan Kiszka wrote:
>>> On 2018-02-09 13:40, Henning Schild wrote:
>>>> On Fri, 9 Feb 2018 13:35:15 +0100
>>>> Jan Kiszka <jan.kiszka@siemens.com> wrote:
>>>>
>>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this patch is causing problems when building in a docker container,
>>>>>> because sysfs can only be mounted ro. (Subject: current next bash in
>>>>>> buildchroot problem)
>>>>>> Now we could discuss whether we should relax the security of our
>>>>>> containers even more, or whether Isar should care about that
>>>>>> use-case.
>>>>>>
>>>>>> But this patch actually does several things at a time, it changes
>>>>>> the way we mount and adds three new mounts. I would suggest to
>>
>> Actually not. It adds only one new mount, for sysfs. /proc was
>> mounted inside do_build, /dev was mounted inside configscript.sh, so
>> this is a kind of consolidation of these calls in one place.
>>
>> I have no case for sysfs, so probably we could drop it for now. Please
>> let me know ASAP because I'm going to release v0.4.
>>
>>>>>> split it up so we can discuss the issues with dev and sys while
>>>>>> already merging the rest.
>>
>> There is no official Docker support in Isar, so until there is a
>> document which specifies the container configuration, it really would be
>> inefficient to block contributions. We can't support everything everywhere.
> 
> There is official Docker support for Isar (via kasproject/kas-isar), and
> we are heavily relying on it. Our CI will also be based on it.

I only mean that I want this document in master before claiming Docker 
support. So I'll be able to test that this feature works with each 
update. :-) Otherwise I can't guarantee that a custom user's environment 
will work. So the action item here is to publish the document and add a CI 
test case.

> 
> But I think this issue is really just related to a missing switch when
> launching the container.

That's exactly what I mean. One option could make the whole contribution 
red...

Alex

> 
>>
>>>>>
>>>>> I think (didn't check if there was an update of next this morning) it
>>>>> works for me - in Docker. How are you starting the container?
>>>>
>>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN
>>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ...
>>>>
>>
>> Do you have instructions on how to build Isar in a container, so at least I
>> could be able to reproduce the issue?
> 
> I will publish my repo later that does a full amd64 image build inside
> docker (for a Jailhouse demo). In a nutshell, it works like this:
> 
> #!/bin/sh
> mkdir -p out
> docker run -v $(pwd):/isar-jailhouse:ro -v $(pwd)/out:/out:rw \
> 	   -e USER_ID=$(id -u) --rm -t -i \
> 	   --cap-add=SYS_ADMIN --cap-add=MKNOD --privileged \
> 	   --device $(/sbin/losetup -f) \
> 	   -e http_proxy=$http_proxy -e https_proxy=$https_proxy \
> 	   -e no_proxy=$no_proxy \
> 	   kasproject/kas-isar sh -c "
> 		cd /out;
> 		kas build /isar-jailhouse/kas.yml"
> 
> Jan
> 

-- 
With best regards,
Alexander Smirnov

ilbers GmbH
Baierbrunner Str. 28c
D-81379 Munich
+49 (89) 122 67 24-0
http://ilbers.de/
Commercial register Munich, HRB 214197
General manager: Baurzhan Ismagulov
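
The thread turns on which container privileges the build needs: a sysfs that can only be mounted ro, `--cap-add=SYS_ADMIN`, `--cap-add=MKNOD` and `--privileged`. The following is an added example, not part of the original message and not code from Isar or kas: a preflight check that reads those conditions from inside a container before a build starts. The function names and the sample data are constructed for illustration, and treating a read-only `/sys` as the indicator of the sysfs problem is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Isar or kas.

# sysfs_mode FILE: print rw, ro or absent for the sysfs entry in a
# /proc/mounts-format FILE (fields: device mountpoint fstype options ...).
sysfs_mode() {
    awk '$3 == "sysfs" {
             found = 1; mode = "rw"
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") mode = "ro"
         }
         END { print (found ? mode : "absent") }' "$1"
}

# has_cap FILE BIT: succeed if capability number BIT is set in the CapEff
# mask of a /proc/<pid>/status-format FILE.
has_cap() {
    mask=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    [ -n "$mask" ] && [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# preflight MOUNTS STATUS: report what the build would hit; return 1 if a
# prerequisite is missing. CAP_SYS_ADMIN is bit 21, CAP_MKNOD is bit 27.
preflight() {
    rc=0
    has_cap "$2" 21 || { echo "missing CAP_SYS_ADMIN (mount will fail)"; rc=1; }
    has_cap "$2" 27 || { echo "missing CAP_MKNOD"; rc=1; }
    # Assumption: a read-only /sys signals that sysfs can only be mounted ro.
    if [ "$(sysfs_mode "$1")" = "ro" ]; then
        echo "sysfs is read-only in this container"; rc=1
    fi
    return $rc
}

# Constructed sample: both capabilities present, but /sys is read-only.
demo=$(mktemp -d)
printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n' > "$demo/mounts"
printf 'sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n' >> "$demo/mounts"
printf 'Name:\tsh\nCapEff:\t00000000a82425fb\n' > "$demo/status"
preflight "$demo/mounts" "$demo/status" || echo "preflight failed"
rm -rf "$demo"
```

Inside a real container the same check is `preflight /proc/mounts /proc/self/status`; running it in CI shows which of the requested privileges an image actually depends on.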
