Subject: Re: [PATCH] isar: Clean mount point on bitbake exit
To: Jan Kiszka, Henning Schild
Cc: isar-users@googlegroups.com
References: <20180206195516.32153-1-asmirnov@ilbers.de> <20180209133340.681c00b5@mmd1pvb1c.ad001.siemens.net> <0fe2f7a9-4a02-9abd-7a97-44605f4f865b@siemens.com> <20180209134013.022008e2@mmd1pvb1c.ad001.siemens.net> <9e6f99ef-ba9f-d92a-2a09-cf99126b1f6b@siemens.com> <702c2f98-48d5-9791-79d1-50bb1b42812b@ilbers.de> <506165af-cf5d-d707-fb65-41128cf6c889@siemens.com>
From: Alexander Smirnov
Message-ID: <3bfe49c7-29a4-42b9-eb79-627e6d49f82d@ilbers.de>
Date: Fri, 9 Feb 2018 16:39:27 +0300
In-Reply-To: <506165af-cf5d-d707-fb65-41128cf6c889@siemens.com>

On 02/09/2018 04:14 PM, Jan Kiszka wrote:
> On 2018-02-09 14:08, Alexander Smirnov wrote:
>> On 02/09/2018 03:41 PM, Jan Kiszka wrote:
>>> On 2018-02-09 13:40, Henning Schild wrote:
>>>> Am Fri, 9 Feb 2018 13:35:15 +0100
>>>> schrieb Jan Kiszka:
>>>>
>>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this patch is causing problems when building in a docker container,
>>>>>> because sysfs can only be mounted ro. (Subject: current next bash in
>>>>>> buildchroot problem)
>>>>>> Now we could discuss whether we should relax the security of our
>>>>>> containers even more, or whether Isar should care about that
>>>>>> use-case.
>>>>>>
>>>>>> But this patch actually does several things at a time, it changes
>>>>>> the way we mount and adds three new mounts. I would suggest to
>>
>> Actually not. It adds only one new mount, for sysfs. /proc was
>> mounted inside do_build, /dev was mounted inside configscript.sh, so
>> this is a kind of consolidation of these calls in one place.
>>
>> I have no case for sysfs, so probably we could drop it for now. Please
>> let me know ASAP because I'm going to release v0.4.
>>
>>>>>> split it up so we can discuss the issues with dev and sys while
>>>>>> already merging the rest.
>>
>> There is no official Docker support in Isar, so until there is a
>> document which specifies the container configuration, it really would be
>> inefficient to block contributions. We can't support everything everywhere.
>
> There is official Docker support for Isar (via kasproject/kas-isar), and
> we are heavily relying on it. Our CI will also be based on it.

I only mean that I want this document in master before claiming Docker
support. So I'll be able to test that this feature works with each
update. :-) Otherwise I can't guarantee that a custom user's environment
will work. So the action item here is to publish the document and add a
CI test case.

>
> But I think this issue is really just related to a missing switch when
> launching the container.

That's exactly what I mean. One option could make the whole contribution
red...

Alex

>
>>
>>>>>
>>>>> I think (didn't check if there was an update of next this morning) it
>>>>> works for me - in Docker. How are you starting the container?
>>>>
>>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN
>>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ...
>>>>
>>
>> Do you have instructions on how to build Isar in a container, so at least
>> I could be able to reproduce the issue?
>
> I will publish my repo later that does a full amd64 image build inside
> docker (for a Jailhouse demo). In a nutshell, it works like this:
>
> #!/bin/sh
> mkdir -p out
> docker run -v $(pwd):/isar-jailhouse:ro -v $(pwd)/out:/out:rw \
>     -e USER_ID=$(id -u) --rm -t -i \
>     --cap-add=SYS_ADMIN --cap-add=MKNOD --privileged \
>     --device $(/sbin/losetup -f) \
>     -e http_proxy=$http_proxy -e https_proxy=$https_proxy \
>     -e no_proxy=$no_proxy \
>     kasproject/kas-isar sh -c "
>         cd /out;
>         kas build /isar-jailhouse/kas.yml"
>
> Jan
>

-- 
With best regards,
Alexander Smirnov

ilbers GmbH
Baierbrunner Str. 28c
D-81379 Munich
+49 (89) 122 67 24-0
http://ilbers.de/
Commercial register Munich, HRB 214197
General manager: Baurzhan Ismagulov