From: "'cedric.hombourger@siemens.com' via isar-users" <isar-users@googlegroups.com>
To: "isar-users@googlegroups.com" <isar-users@googlegroups.com>,
"MOESSBAUER, Felix" <felix.moessbauer@siemens.com>
Cc: "Arjunan, Srinu" <srinuvasan.a@siemens.com>
Subject: Re: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems
Date: Tue, 17 Jun 2025 14:48:18 +0000 [thread overview]
Message-ID: <3f8f2e81d38e66b4d2dc269903de7f39a9df280b.camel@siemens.com> (raw)
In-Reply-To: <23351a3bdc42f238a0b8341afd2d3611d5cbca03.camel@siemens.com>
On Tue, 2025-06-17 at 12:58 +0000, Moessbauer, Felix (FT RPD CED OES-
DE) wrote:
> On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users
> wrote:
> > We need /sys while assembling the target root file-system but it
> > exposes
> > more than the build really needs. Some maintainer scripts (e.g.
> > mdmadm)
> > check /sys/firmware/efi/efivars while configuring themselves. This
> > would
> > normally be fine but for Isar builds, any information extracted
> > from
> > there
> > is for the host doing the build and not for the target we are
> > building for.
> > In addition, packages seeing /sys/firmware/efi will mount efivars
> > there
> > and will cause do_rootfs_umount to fail unmounting /sys (because of
> > that
> > extra mount). By mounting a (small) tmpfs as /sys/firmware in the
> > root
> > file-system, we hide host details from the build; that extra mount
> > needs
> > to be removed before we attempt to unmount /sys (but we are in
> > control).
>
> Good catch! Eventually all these mountpoints should be documented as
> well.
>
> >
> > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
> > ---
> > meta/classes/rootfs.bbclass | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/meta/classes/rootfs.bbclass
> > b/meta/classes/rootfs.bbclass
> > index 5f877962..7b7859b9 100644
> > --- a/meta/classes/rootfs.bbclass
> > +++ b/meta/classes/rootfs.bbclass
> > @@ -48,6 +48,12 @@ rootfs_do_mounts() {
> > mount -o bind,private /sys '${ROOTFSDIR}/sys'
> > mount --make-rslave '${ROOTFSDIR}/sys'
> >
> > + # Mount a tmpfs on /sys/firmware to avoid host
> > contamination
> > problems
> > + # (maintainer scripts shouldn't pull host data from there)
> > + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
> > + mount -t tmpfs -o size=1m,nosuid,nodev none
> > '${ROOTFSDIR}/sys/firmware'
> > + fi
> > +
>
> Would bubblewrap help in this case? I'm also wondering if we really
> should bind-mount the devices from the host or better mknod them in
> the
> chroot.
bwrap creates a minimal /dev (unless we use --dev-bind AFAICT),
it does not mount /proc unless requested (--proc DEST)
and happily leaves /sys unmounted (unless we explicitly --bind it from
the host)
bind-mounting was introduced in 2018 via
768908a33b3e8c375ca24cf59ec61c0a9dfa8661
it was found needed by some packages at least when building them
as Felix suggested in [1], we could investigate doing the rootfs
construction within a bwrap session and take that chance to revisit
bind mounts we do (and document them somewhere so we may also note the
why there)
Cedric
[1]
https://lists.isar-build.org/isar-users/20250515150727.1764989-1-cedric.hombourger@siemens.com/T/#m2686bcfd0c11a7fd19f80a12491e3113340a9766
>
> Anyways, this discussion should not stop the patch from being merged.
>
> Felix
>
> > # Mount isar-apt if the directory does not exist or if it
> > is
> > empty
> > # This prevents overwriting something that was copied
> > there
> > if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
> > @@ -94,6 +100,9 @@ rootfs_do_umounts() {
> > if mountpoint -q '${ROOTFSDIR}/proc'; then
> > umount '${ROOTFSDIR}/proc'
> > fi
> > + if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
> > + umount '${ROOTFSDIR}/sys/firmware'
> > + fi
> > if mountpoint -q '${ROOTFSDIR}/sys'; then
> > umount '${ROOTFSDIR}/sys'
> > fi
> > --
> > 2.39.5
>
> --
> Siemens AG
> Linux Expert Center
> Friedrich-Ludwig-Bauer-Str. 3
> 85748 Garching, Germany
>
--
Cedric Hombourger
Siemens AG
www.siemens.com
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/3f8f2e81d38e66b4d2dc269903de7f39a9df280b.camel%40siemens.com.
prev parent reply other threads:[~2025-06-17 14:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-17 12:35 'Cedric Hombourger' via isar-users
2025-06-17 12:39 ` Srinuvasan Arjunan
2025-06-17 12:58 ` 'MOESSBAUER, Felix' via isar-users
2025-06-17 14:26 ` 'Jan Kiszka' via isar-users
2025-06-17 14:48 ` 'cedric.hombourger@siemens.com' via isar-users [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3f8f2e81d38e66b4d2dc269903de7f39a9df280b.camel@siemens.com \
--to=isar-users@googlegroups.com \
--cc=cedric.hombourger@siemens.com \
--cc=felix.moessbauer@siemens.com \
--cc=srinuvasan.a@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox