public inbox for isar-users@googlegroups.com
From: "Schmidt, Adriaan" <adriaan.schmidt@siemens.com>
To: Anton Mikanovich <amikan@ilbers.de>,
	"isar-users@googlegroups.com" <isar-users@googlegroups.com>
Subject: RE: [PATCH v2 00/18] Migrate to Bitbake 2.0
Date: Wed, 20 Jul 2022 05:26:43 +0000
Message-ID: <AS4PR10MB5318057C4682D83A29D570C4ED8E9@AS4PR10MB5318.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <d86e2480-8e84-1840-e82f-72c347c1f1b0@ilbers.de>

Anton Mikanovich, Tuesday, 19 July 2022 15:10:
> 19.07.2022 14:36, Schmidt, Adriaan wrote:
> > Anton Mikanovich, Friday, 15 July 2022 08:04:
> >> This patchset moves Isar to use Bitbake 2.0 branch.
> > Hi Anton,
> >
> > Looks great overall!
> >
> >> scripts/contrib/convert-overrides.py is the script for overrides update and it
> >> needs some testing on downstream layers. Usage:
> >> $ ./scripts/contrib/convert-overrides.py meta-customlayer
> > I found a number of variables in the image(r) context in meta that we use with
> > overrides, and that are not yet covered by the conversion script:
> > IMAGE_FSTYPES
> > IMAGE_SRC_URI
> > IMAGE_TEMPLATE_FILES
> > IMAGE_TEMPLATE_VARS
> > IMAGE_CMD_REQUIRED_ARGS
> > IMAGE_FULLNAME
> > CONVERSION_DEPS
> > BUILDCHROOT_PREINSTALL
> > IMAGER_BUILD_DEPS
> > IMAGER_INSTALL
> >
> > And then there's the issue with the [network] flag we currently add to
> > tasks that need network, but also to those that use sudo.
> > I'm not sure if there's a reason why bitbake creates a new user namespace
> > when disabling network. We could discuss with upstream. This patch would
> > enable sudo for Isar:
> > ---
> > diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py
> > index 05adb415..d11da978 100644
> > --- a/bitbake/lib/bb/utils.py
> > +++ b/bitbake/lib/bb/utils.py
> > @@ -1618,7 +1618,7 @@ def disable_network(uid=None, gid=None):
> >       if gid is None:
> >           gid = os.getgid()
> >
> > -    ret = libc.unshare(CLONE_NEWNET)
> > +    ret = libc.unshare(CLONE_NEWNET | CLONE_NEWUSER)
> >       if ret != 0:
> >           logger.debug("System doesn't suport disabling network without
> admin privs")
> >           return
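Review bot: The `-`/`+` pair on the `libc.unshare(...)` call in disable_network() looks inverted relative to the stated goal of enabling sudo: as posted it adds CLONE_NEWUSER instead of removing it, and a new user namespace is exactly where a setuid helper such as sudo stops working. If the intent is to keep only the network namespace, the resulting line should read `ret = libc.unshare(CLONE_NEWNET)`. Also note that unshare(CLONE_NEWNET) without CLONE_NEWUSER requires CAP_SYS_ADMIN, so for an unprivileged build the `ret != 0` branch is taken and the task keeps network access, reported only through `logger.debug`; consider raising that to a warning or documenting the fallback.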
> > ---
> >
> > Adriaan
> 
> Hello, Adriaan
> 
> I've just sent v3 which is already good enough to pass CI tests.
> Will look into imagetypes-related vars for the next version.
> 
> Does CLONE_NEWUSER flag disable network task checking also?
> If yes, this is not the right way, because we should keep documented
> bitbake checks.

Aah... sorry, for some reason I posted that patch above in reverse...

So, to clarify:
Currently bitbake uses "libc.unshare(CLONE_NEWNET | CLONE_NEWUSER)" on tasks
that don't have [network] = "1". The CLONE_NEWUSER is what breaks sudo for us.

Removing that (i.e., changing to "libc.unshare(CLONE_NEWNET)") would mean
we still need to set [network], but only on those tasks that actually need network,
and sudo would work in all tasks.

Adriaan
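
The difference between the two flag sets discussed in this message can be observed directly. The following is an added example, not code from the thread or from bitbake: it calls unshare() in a forked child with each flag set and reports whether uid 0 is still mapped, which a setuid-root sudo depends on (the kernel ignores the setuid bit when the file owner has no mapping in the user namespace). The function names and the single-uid map written after CLONE_NEWUSER are assumptions for illustration.

```python
import ctypes, errno, json, os

CLONE_NEWUSER = 0x10000000  # values from <linux/sched.h>
CLONE_NEWNET = 0x40000000
libc = ctypes.CDLL(None, use_errno=True)

def root_is_mapped():
    """True if uid 0 of the current user namespace has a mapping."""
    with open("/proc/self/uid_map") as f:
        return any(line.split()[0] == "0" for line in f if line.strip())

def probe(flags):
    """Call unshare(flags) in a forked child and report what a task would see."""
    rfd, wfd = os.pipe()
    uid = os.getuid()
    pid = os.fork()
    if pid == 0:  # child: stands in for a task process
        os.close(rfd)
        res = {"unshared": False, "errno": None, "root_mapped": None}
        try:
            if libc.unshare(flags) != 0:
                res["errno"] = errno.errorcode.get(ctypes.get_errno(), "?")
            else:
                res["unshared"] = True
                if flags & CLONE_NEWUSER:
                    # Assumption: map only the invoking uid onto itself,
                    # so uid 0 has no mapping inside the new namespace.
                    with open("/proc/self/uid_map", "w") as f:
                        f.write(f"{uid} {uid} 1")
                res["root_mapped"] = root_is_mapped()
        except OSError as e:
            res["errno"] = errno.errorcode.get(e.errno, "?")
        finally:
            os.write(wfd, json.dumps(res).encode())
            os._exit(0)
    os.close(wfd)
    with os.fdopen(rfd) as f:
        data = f.read()
    os.waitpid(pid, 0)
    return json.loads(data)

if __name__ == "__main__":
    for name, flags in (("CLONE_NEWNET", CLONE_NEWNET),
                        ("CLONE_NEWNET | CLONE_NEWUSER", CLONE_NEWNET | CLONE_NEWUSER)):
        print(name, probe(flags))
```

Run as an unprivileged user, the CLONE_NEWNET-only call typically fails with EPERM, while the combined call succeeds but leaves uid 0 unmapped.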


Thread overview: 22+ messages
2022-07-15  6:04 Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 01/18] meta: change deprecated parse calls Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 02/18] scripts/contrib: Add override conversion script Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 03/18] scripts/contrib: configure " Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 04/18] meta-isar: set default branch names Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 05/18] meta: remove non recommended syntax Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 06/18] bitbake: Update to Bitbake 2.0.1 Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 07/18] doc: require zstd tool Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 08/18] meta: update bitbake variables Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 09/18] bitbake.conf: align hash vars with openembedded Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 10/18] meta: mark network and sudo tasks Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 11/18] meta: update overrides syntax Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 12/18] sstate: update bbclass Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 13/18] bitbake.conf: declare default XZ and ZSTD options Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 14/18] Revert "devshell: Use different termination test to avoid warnings" Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 15/18] meta: align with OE-core libraries update Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 16/18] Revert "Revert "devshell: Use different termination test to avoid warnings"" Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 17/18] CI: Adopt tests to syntax change Anton Mikanovich
2022-07-15  6:04 ` [PATCH v2 18/18] isar-sstate: adopt sstate maintenance script Anton Mikanovich
2022-07-19 11:36 ` [PATCH v2 00/18] Migrate to Bitbake 2.0 Schmidt, Adriaan
2022-07-19 13:09   ` Anton Mikanovich
2022-07-20  5:26     ` Schmidt, Adriaan [this message]
