From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <50a15579-0b26-8dbe-6c71-d037f04bf53a@siemens.com>
Date: Fri, 18 Mar 2022 18:46:00 +0100
From: Jan Kiszka
Subject: [PATCH v2] Avoid sharing of /dev/shm from the build context
To: isar-users
X-TUID: cVv5+cUMgKy1 From: Jan Kiszka By bind-mounting complete /dev into the various chroots, we also share the host instance of /dev/shm between them. If some package installation should actually make use of that tmpfs instance, it may find content of others there. That is at least not desirable, in few cases even problematic (sysrepo package uses it during postinst, and this causes troubles when multiple images are built in parallel). This decouples all instances by mounting new instances over the bind-mounted ones. While at it, it switches the recursive bind-mounting of /dev to explicit one. /dev/shm then becomes the only sub-mount. This is assumed to be sufficient for the given use cases. Signed-off-by: Jan Kiszka --- Changes in v2: - replace --rbind with --bind - link both sub-shell mounts via && meta/classes/buildchroot.bbclass | 3 ++- meta/classes/rootfs.bbclass | 3 ++- meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/meta/classes/buildchroot.bbclass b/meta/classes/buildchroot.bbclass index dd8f4206..01078684 100644 --- a/meta/classes/buildchroot.bbclass +++ b/meta/classes/buildchroot.bbclass @@ -42,7 +42,8 @@ buildchroot_do_mounts() { mount --bind '${CCACHE_DIR}' '${BUILDCHROOT_DIR}/ccache' fi mountpoint -q '${BUILDCHROOT_DIR}/dev' || - mount --rbind /dev '${BUILDCHROOT_DIR}/dev' + ( mount --bind /dev '${BUILDCHROOT_DIR}/dev' && + mount -t tmpfs none '${BUILDCHROOT_DIR}/dev/shm' ) mount --make-rslave '${BUILDCHROOT_DIR}/dev' mountpoint -q '${BUILDCHROOT_DIR}/proc' || mount -t proc none '${BUILDCHROOT_DIR}/proc' diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 927af13f..16303778 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,7 +34,8 @@ rootfs_do_mounts() { sudo -s <<'EOSUDO' set -e mountpoint -q '${ROOTFSDIR}/dev' || \ - mount --rbind /dev '${ROOTFSDIR}/dev' + ( mount --bind /dev '${ROOTFSDIR}/dev' && + mount -t tmpfs none '${ROOTFSDIR}/dev/shm' ) mount --make-rslave '${ROOTFSDIR}/dev' mountpoint -q '${ROOTFSDIR}/proc' || \ mount -t proc none '${ROOTFSDIR}/proc' diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index 1b16f874..9e858a46 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -360,7 +360,8 @@ do_bootstrap() { "${ROOTFSDIR}/chroot-setup.sh" "setup" "${ROOTFSDIR}" # update APT - mount --rbind /dev ${ROOTFSDIR}/dev + mount --bind /dev ${ROOTFSDIR}/dev + mount -t tmpfs none "${ROOTFSDIR}/dev/shm" mount --make-rslave ${ROOTFSDIR}/dev mount -t proc none ${ROOTFSDIR}/proc mount --rbind /sys ${ROOTFSDIR}/sys @@ -381,6 +382,7 @@ do_bootstrap() { chroot "${ROOTFSDIR}" /usr/bin/apt-get dist-upgrade -y \ -o Debug::pkgProblemResolver=yes + umount -l "${ROOTFSDIR}/dev/shm" umount -l "${ROOTFSDIR}/dev" umount -l "${ROOTFSDIR}/proc" umount -l "${ROOTFSDIR}/sys" -- 2.34.1
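Review bot: in the buildchroot_do_mounts hunk the tmpfs mount is still gated only by `mountpoint -q '${BUILDCHROOT_DIR}/dev'`, so it cannot recover from a half-finished setup. If the bind mount succeeds and `mount -t tmpfs` fails, or an earlier run stopped between the two, the next call sees dev as a mount point and skips the whole subshell; dev/shm is then the plain directory inside the devtmpfs that every chroot and the host share. Consider giving dev/shm its own `mountpoint -q '${BUILDCHROOT_DIR}/dev/shm' ||` check.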
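Review bot: the teardown that pairs with rootfs_do_mounts is not touched, although this hunk adds a nested mount at '${ROOTFSDIR}/dev/shm'. The diffstat shows a single hunk each for rootfs.bbclass and buildchroot.bbclass, while do_bootstrap gets an explicit `umount -l "${ROOTFSDIR}/dev/shm"`. Please confirm that the existing unmount code of the two classes works recursively or lazily on dev; a plain umount of dev would fail as busy because of the sub-mount.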
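Review bot: the new tmpfs in the first do_bootstrap hunk is mounted without options (`mount -t tmpfs none "${ROOTFSDIR}/dev/shm"`), and the same holds for the two class hunks. A host /dev/shm is normally mounted nosuid,nodev, and each tmpfs instance may grow to half of RAM by default, which adds up when several images build in parallel. Consider `-o nosuid,nodev,mode=1777` plus an explicit `size=`. Minor style point: this line quotes the path while the neighbouring `mount --bind /dev ${ROOTFSDIR}/dev` does not.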
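Review bot: the added `umount -l "${ROOTFSDIR}/dev/shm"` in the second do_bootstrap hunk sits only on the normal exit path after `apt-get dist-upgrade`. If do_bootstrap has a failure or cleanup handler that unmounts dev, proc and sys, dev/shm should be added there as well, ahead of dev, so an aborted bootstrap does not leave the tmpfs behind.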
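A way to check for the sharing that the commit message describes, as an added example that is not part of the patch or of Isar: it compares the major:minor field of mountinfo entries against the host's /dev/shm. The function name `shared_shm`, the /build/a and /build/b paths and both mountinfo samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the patch): find chroot mounts that are the SAME
# tmpfs instance as the host's /dev/shm. In /proc/self/mountinfo, field 3 is
# the major:minor of the superblock and field 5 the mount point; two mounts
# with equal major:minor are one filesystem instance.

# shared_shm: read mountinfo text on stdin, print every mount point other
# than /dev/shm that has the host /dev/shm's major:minor. Exit status 2 if
# the input has no /dev/shm entry.
shared_shm() {
    awk '
        { dev[NR] = $3; mp[NR] = $5 }
        $5 == "/dev/shm" { host = $3 }
        END {
            if (host == "") exit 2
            for (i = 1; i <= NR; i++)
                if (dev[i] == host && mp[i] != "/dev/shm") print mp[i]
        }'
}

# Constructed sample: two chroots set up with "mount --rbind /dev".
sample_rbind() {
    cat <<'EOF'
22 28 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw
25 22 0:24 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
310 28 0:5 / /build/a/rootfs/dev rw,nosuid master:2 - devtmpfs udev rw
311 310 0:24 / /build/a/rootfs/dev/shm rw,nosuid,nodev master:4 - tmpfs tmpfs rw
320 28 0:5 / /build/b/rootfs/dev rw,nosuid master:2 - devtmpfs udev rw
321 320 0:24 / /build/b/rootfs/dev/shm rw,nosuid,nodev master:4 - tmpfs tmpfs rw
EOF
}

# Constructed sample: the same chroots with "--bind" plus one tmpfs each.
sample_patched() {
    cat <<'EOF'
22 28 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw
25 22 0:24 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
310 28 0:5 / /build/a/rootfs/dev rw,nosuid master:2 - devtmpfs udev rw
311 310 0:61 / /build/a/rootfs/dev/shm rw,relatime - tmpfs none rw
320 28 0:5 / /build/b/rootfs/dev rw,nosuid master:2 - devtmpfs udev rw
321 320 0:62 / /build/b/rootfs/dev/shm rw,relatime - tmpfs none rw
EOF
}

echo "rbind:";   sample_rbind   | shared_shm
echo "patched:"; sample_patched | shared_shm
```

On a build host, run `shared_shm < /proc/self/mountinfo` while the chroots are mounted; any output means a chroot still sees the host's /dev/shm instance.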