From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH] isar: Clean mount point on bitbake exit
To: Alexander Smirnov, Henning Schild
Cc: isar-users@googlegroups.com
From: Jan Kiszka
Message-ID: <506165af-cf5d-d707-fb65-41128cf6c889@siemens.com>
Date: Fri, 9 Feb 2018 14:14:11 +0100
In-Reply-To: <702c2f98-48d5-9791-79d1-50bb1b42812b@ilbers.de>

On 2018-02-09 14:08, Alexander Smirnov wrote:
> On 02/09/2018 03:41 PM, Jan Kiszka wrote:
>> On 2018-02-09 13:40, Henning Schild wrote:
>>> On Fri, 9 Feb 2018 13:35:15 +0100,
>>> Jan Kiszka wrote:
>>>
>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote:
>>>>> Hi,
>>>>>
>>>>> this patch is causing problems when building in a docker container,
>>>>> because sysfs can only be mounted ro. (Subject: current next bash in
>>>>> buildchroot problem)
>>>>> Now we could discuss whether we should relax the security of our
>>>>> containers even more, or whether Isar should care about that
>>>>> use-case.
>>>>>
>>>>> But this patch actually does several things at a time, it changes
>>>>>
>>>> the way we mount and adds three new mounts. I would suggest to
>
> Actually not. It adds the only one new mount for sysfs. /proc was
> mounted inside do_build, /dev was mounted inside configscript.sh, so
> this is a kind of consolidation of these calls in one place.
>
> I have no case for sysfs, so probably we could drop it for now. Please
> let me know ASAP because I'm going to release v0.4.
>
>>>>> split it up so we can discuss the issues with dev and sys while
>>>>> already merging the rest.
>
> There is no official Docker support in Isar, so until there will be a
> document which specifies the container configuration, it really would be
> inefficient to block contributions. We can't support everything everywhere.

There is official Docker support for Isar (via kasproject/kas-isar), and
we are heavily relying on it. Our CI will also be based on it.

But I think this issue is really just related to a missing switch when
launching the container.

>
>>>>
>>>> I think (didn't check if there was an update of next this morning) it
>>>> works for me - in Docker. How are you starting the container?
>>>
>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN
>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ...
>>>
>
> Do you have instructions how to build Isar in container, so at least I
> could be able to reproduce the issue?

I will publish my repo later that does a full amd64 image build inside
docker (for a Jailhouse demo).
In a nutshell, it works like this:

#!/bin/sh

# Build output goes to ./out on the host.
mkdir -p out

# Mount the sources read-only and the output directory read-write,
# then run the kas build inside the kasproject/kas-isar container.
docker run -v "$(pwd)":/isar-jailhouse:ro -v "$(pwd)/out":/out:rw \
    -e USER_ID="$(id -u)" --rm -t -i \
    --cap-add=SYS_ADMIN --cap-add=MKNOD --privileged \
    --device "$(/sbin/losetup -f)" \
    -e http_proxy="$http_proxy" -e https_proxy="$https_proxy" \
    -e no_proxy="$no_proxy" \
    kasproject/kas-isar sh -c "
        cd /out;
        kas build /isar-jailhouse/kas.yml"

Jan
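
Added example (not part of Jan's message and not Isar code): a pre-flight check for the condition Henning reports in the thread, sysfs being read-only inside the container. It reads a mounts table in /proc/mounts format; the function names and sample lines are constructed for illustration, and it assumes the options on the container's own /sys mount reflect whether sysfs is usable read-write.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# sysfs_mode [FILE]: print "rw", "ro" or "absent" for the sysfs mount on /sys.
# FILE is in /proc/mounts format (default /proc/mounts, "-" for stdin).
sysfs_mode() {
    awk '
        $3 == "sysfs" && $2 == "/sys" {
            mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") mode = "ro"
            found = mode    # a later entry for /sys overrides an earlier one
        }
        END { print (found == "" ? "absent" : found) }
    ' "${1:-/proc/mounts}"
}

# preflight_sysfs [FILE]: return 0 only if sysfs is mounted read-write.
preflight_sysfs() {
    case "$(sysfs_mode "$@")" in
        rw) return 0 ;;
        ro) echo "sysfs is read-only in this environment" >&2
            return 1 ;;
        *)  echo "no sysfs mount found on /sys" >&2
            return 2 ;;
    esac
}

# Constructed sample tables (not captured from a real system).
sample_ro() {
    printf '%s\n' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
        'sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0'
}
sample_rw() {
    printf '%s\n' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
        'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
}

echo "constructed ro table: $(sample_ro | sysfs_mode -)"
echo "constructed rw table: $(sample_rw | sysfs_mode -)"
```

Calling preflight_sysfs with no argument inside the container checks the live /proc/mounts.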