From: Jan Kiszka <jan.kiszka@siemens.com>
To: Alexander Smirnov <asmirnov@ilbers.de>,
Henning Schild <henning.schild@siemens.com>
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH] isar: Clean mount point on bitbake exit
Date: Fri, 9 Feb 2018 14:14:11 +0100
Message-ID: <506165af-cf5d-d707-fb65-41128cf6c889@siemens.com>
In-Reply-To: <702c2f98-48d5-9791-79d1-50bb1b42812b@ilbers.de>

On 2018-02-09 14:08, Alexander Smirnov wrote:
> On 02/09/2018 03:41 PM, Jan Kiszka wrote:
>> On 2018-02-09 13:40, Henning Schild wrote:
>>> On Fri, 9 Feb 2018 13:35:15 +0100
>>> Jan Kiszka <jan.kiszka@siemens.com> wrote:
>>>
>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote:
>>>>> Hi,
>>>>>
>>>>> this patch is causing problems when building in a docker container,
>>>>> because sysfs can only be mounted ro. (Subject: current next bash in
>>>>> buildchroot problem)
>>>>> Now we could discuss whether we should relax the security of our
>>>>> containers even more, or whether Isar should care about that
>>>>> use-case.
>>>>>
>>>>> But this patch actually does several things at a time, it changes
>>>>> the way we mount and adds three new mounts. I would suggest to
>
> Actually not. It adds the only one new mount for sysfs. /proc was
> mounted inside do_build, /dev was mounted inside configscript.sh, so
> this is a kind of consolidation of these calls in one place.
>
> I have no case for sysfs, so probably we could drop it for now. Please
> let me know ASAP because I'm going to release v0.4.
>
>>>>> split it up so we can discuss the issues with dev and sys while
>>>>> already merging the rest.
>
> There is no official Docker support in Isar, so until there will be a
> document which specifies the container configuration, it really would be
> inefficient to block contributions. We can't support everything everywhere.

There is official Docker support for Isar (via kasproject/kas-isar), and
we are heavily relying on it. Our CI will also be based on it.

But I think this issue is really just related to a missing switch when
launching the container.

>
>>>>
>>>> I think (didn't check if there was an update of next this morning) it
>>>> works for me - in Docker. How are you starting the container?
>>>
>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN
>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ...
>>>
>
> Do you have instructions how to build Isar in container, so at least I
> could be able to reproduce the issue?

I will publish my repo later that does a full amd64 image build inside
docker (for a Jailhouse demo). In a nutshell, it works like this:

#!/bin/sh
mkdir -p out
docker run -v $(pwd):/isar-jailhouse:ro -v $(pwd)/out:/out:rw \
    -e USER_ID=$(id -u) --rm -t -i \
    --cap-add=SYS_ADMIN --cap-add=MKNOD --privileged \
    --device $(/sbin/losetup -f) \
    -e http_proxy=$http_proxy -e https_proxy=$https_proxy \
    -e no_proxy=$no_proxy \
    kasproject/kas-isar sh -c "
        cd /out;
        kas build /isar-jailhouse/kas.yml"

Jan
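
A preflight check for the container setup discussed in this thread, added here as an example (it is not part of the message above, nor of Isar or kas): run inside the container, it reports whether /sys is mounted read-only and whether CAP_SYS_ADMIN and CAP_MKNOD, the capabilities requested on the docker command lines above, are in the effective set. The function names are hypothetical, and the capability bit numbers 21 and 27 are assumed from linux/capability.h.

```shell
#!/bin/sh
# Added example: preflight check for a containerised build.
# Assumption: capability bit numbers 21 (CAP_SYS_ADMIN) and 27 (CAP_MKNOD)
# as defined in linux/capability.h. Function names are hypothetical.

# sysfs_mode [FILE]: print "ro", "rw" or "absent" for the mount at /sys,
# reading a mountinfo-format file (default: /proc/self/mountinfo).
sysfs_mode() {
    awk '$5 == "/sys" {
             m = ($6 ~ /^ro(,|$)/) ? "ro" : "rw"
             # super-block options are the third field after the "-" separator
             for (i = 7; i <= NF; i++)
                 if ($i == "-") { if ($(i + 3) ~ /^ro(,|$)/) m = "ro"; break }
         }
         END { print (m == "" ? "absent" : m) }' "${1:-/proc/self/mountinfo}"
}

# has_cap BIT [FILE]: succeed if capability number BIT is set in the CapEff
# mask of a status-format file (default: /proc/self/status).
has_cap() {
    mask=$(awk '$1 == "CapEff:" { print $2 }' "${2:-/proc/self/status}")
    [ -n "$mask" ] && [ $(( (0x$mask >> $1) & 1 )) -eq 1 ]
}

# preflight [MOUNTINFO] [STATUS]: print one finding per line; return non-zero
# if /sys is not read-write or either capability is missing.
preflight() {
    rc=0
    mode=$(sysfs_mode "$1")
    echo "sysfs: $mode"
    [ "$mode" = rw ] || rc=1
    for c in 21:CAP_SYS_ADMIN 27:CAP_MKNOD; do
        if has_cap "${c%%:*}" "$2"; then
            echo "${c#*:}: present"
        else
            echo "${c#*:}: missing"; rc=1
        fi
    done
    return "$rc"
}

# Check the environment this script is running in.
preflight || echo "preflight: one or more checks did not pass" >&2
```

Running it once with and once without a given docker switch shows which of the three findings that switch actually changes.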