Date: Mon, 21 Mar 2022 12:50:53 +0100
From: Jan Kiszka
Subject: [PATCH v3] Avoid sharing of /dev/shm from the build context
To: isar-users

From: Jan Kiszka

By bind-mounting complete /dev into the various chroots, we also share the host instance of /dev/shm between them. If some package installation should actually make use of that tmpfs instance, it may find content of others there. That is at least not desirable, in a few cases even problematic (sysrepo package uses it during postinst, and this causes troubles when multiple images are built in parallel).

This decouples all instances by mounting new instances over the bind-mounted ones. While at it, it switches the recursive bind-mounting of /dev to an explicit one. /dev/shm then becomes the only sub-mount. This is assumed to be sufficient for the given use cases.

Signed-off-by: Jan Kiszka --- Changes in v3: - drop rslave for /dev meta/classes/buildchroot.bbclass | 4 ++-- meta/classes/rootfs.bbclass | 4 ++-- meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/meta/classes/buildchroot.bbclass b/meta/classes/buildchroot.bbclass index dd8f4206..3d2211b9 100644 --- a/meta/classes/buildchroot.bbclass +++ b/meta/classes/buildchroot.bbclass @@ -42,8 +42,8 @@ buildchroot_do_mounts() { mount --bind '${CCACHE_DIR}' '${BUILDCHROOT_DIR}/ccache' fi mountpoint -q '${BUILDCHROOT_DIR}/dev' || - mount --rbind /dev '${BUILDCHROOT_DIR}/dev' - mount --make-rslave '${BUILDCHROOT_DIR}/dev' + ( mount --bind /dev '${BUILDCHROOT_DIR}/dev' && + mount -t tmpfs none '${BUILDCHROOT_DIR}/dev/shm' ) mountpoint -q '${BUILDCHROOT_DIR}/proc' || mount -t proc none '${BUILDCHROOT_DIR}/proc' mountpoint -q '${BUILDCHROOT_DIR}/sys' || diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 927af13f..d760ba5c 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -34,8 +34,8 @@ rootfs_do_mounts() { sudo -s <<'EOSUDO' set -e mountpoint -q '${ROOTFSDIR}/dev' || \ - mount --rbind /dev '${ROOTFSDIR}/dev' - mount --make-rslave '${ROOTFSDIR}/dev' + ( mount --bind /dev '${ROOTFSDIR}/dev' && + mount -t tmpfs none '${ROOTFSDIR}/dev/shm' ) mountpoint -q '${ROOTFSDIR}/proc' || \ mount -t proc none '${ROOTFSDIR}/proc' mountpoint -q '${ROOTFSDIR}/sys' || \ diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index 1b16f874..c7fc2b4f 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc 
@@ -360,8 +360,8 @@ do_bootstrap() { "${ROOTFSDIR}/chroot-setup.sh" "setup" "${ROOTFSDIR}" # update APT - mount --rbind /dev ${ROOTFSDIR}/dev - mount --make-rslave ${ROOTFSDIR}/dev + mount --bind /dev ${ROOTFSDIR}/dev + mount -t tmpfs none "${ROOTFSDIR}/dev/shm" mount -t proc none ${ROOTFSDIR}/proc mount --rbind /sys ${ROOTFSDIR}/sys mount --make-rslave ${ROOTFSDIR}/sys @@ -381,6 +381,7 @@ do_bootstrap() { chroot "${ROOTFSDIR}" /usr/bin/apt-get dist-upgrade -y \ -o Debug::pkgProblemResolver=yes + umount -l "${ROOTFSDIR}/dev/shm" umount -l "${ROOTFSDIR}/dev" umount -l "${ROOTFSDIR}/proc" umount -l "${ROOTFSDIR}/sys" -- 2.34.1
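
Review bot: In the meta/classes/buildchroot.bbclass hunk, the new `mount --bind /dev` is no longer followed by `mount --make-rslave`, so the bind keeps the propagation type of the host's /dev mount. Where that mount is shared (systemd marks mounts shared by default), the tmpfs mounted on '${BUILDCHROOT_DIR}/dev/shm' propagates to the peer mounts, including the host's own /dev/shm, which works against the decoupling the commit message describes. Consider making the bind private, for example `mount --make-private '${BUILDCHROOT_DIR}/dev'`, before mounting the tmpfs; the same applies to the rootfs.bbclass and isar-bootstrap.inc hunks.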
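
Review bot: In the meta/classes/rootfs.bbclass hunk, the tmpfs mount sits inside the group guarded by `mountpoint -q '${ROOTFSDIR}/dev' ||`, so it is skipped whenever /dev is already a mount point. With `set -e` in effect, a failed tmpfs mount aborts the function after the bind has succeeded, and the next run then leaves /dev/shm without its private instance. Giving /dev/shm its own guard, `mountpoint -q '${ROOTFSDIR}/dev/shm' || mount -t tmpfs none '${ROOTFSDIR}/dev/shm'`, keeps rootfs_do_mounts idempotent; buildchroot_do_mounts has the same pattern.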
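
Review bot: In the first meta/recipes-core/isar-bootstrap/isar-bootstrap.inc hunk (@@ -360), replacing `mount --rbind /dev` with `mount --bind /dev` drops every host submount of /dev, not only /dev/shm, so /dev/pts is no longer mounted in the chroot where `apt-get dist-upgrade` runs. The commit message assumes this is sufficient; if a maintainer script needs a pseudo-terminal it may fail there, in which case /dev/pts should be bound explicitly next to the tmpfs. Minor: the added line quotes "${ROOTFSDIR}/dev/shm" while the bind line above it leaves ${ROOTFSDIR}/dev unquoted.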
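
Review bot: Only do_bootstrap gets a matching `umount -l "${ROOTFSDIR}/dev/shm"`, in the second isar-bootstrap.inc hunk (@@ -381); the buildchroot.bbclass and rootfs.bbclass hunks add the same tmpfs, but this patch touches no teardown code in those classes. Please check that their unmount paths handle the nested /dev/shm mount with a recursive or lazy unmount, since a plain umount of /dev fails as busy while a submount is still attached.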