From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7076124590445953024
X-Received: by 2002:a7b:c928:0:b0:38c:71e5:cb59 with SMTP id h8-20020a7bc928000000b0038c71e5cb59mr21160124wml.186.1647864071486;
        Mon, 21 Mar 2022 05:01:11 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a05:600c:3544:b0:38c:6c15:b2dd with SMTP id
 i4-20020a05600c354400b0038c6c15b2ddls1157817wmq.3.gmail; Mon, 21 Mar 2022
 05:01:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxhYhaoP5Y64XuU5wMuh9z0ueDg1CFTZlmJd7MF0YDIpT0EV97fvtyeMY8EnnqMSu9YE5OY
X-Received: by 2002:a1c:e915:0:b0:37b:d847:e127 with SMTP id q21-20020a1ce915000000b0037bd847e127mr19471278wmc.180.1647864070621;
        Mon, 21 Mar 2022 05:01:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647864070; cv=none;
        d=google.com; s=arc-20160816;
        b=wsSKbBi2XxVuhKx1J5tpndrFvk+hdJgdzdWQTmnJosOaSMAyP+tFFGU6ZGXqAQt1AL
         e4P0BUzOLskxQjF3wotMw06WDHLwetELQsQYIw9Hqdoa380ilZXeNczEPefw1ZACgML/
         YTEYeS05yw1x2eLD3oihDKDCwPzf9drbtNbbSDV95/tmqQSWUlh5CH4ROOi/JjTn25Jg
         kgnhBmniy32OAY1k+gDjO5ig7yWYrEtez7XGGtYVyhXM13CG8njt8n5K74AHQyf3cx+/
         b7F/f/xpPBi9q0TXpW9FqeKq1yFLviX66+fLzVu6VkqxrdIKL5bh9Bj0HXGOdmgvVBem
         /0+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:references
         :mail-followup-to:message-id:subject:cc:to:from:date;
        bh=jGHYmlTITRyA8xEP+mW5oTPKnCuH2LpvjaRs+oa6pyc=;
        b=tMkfHSGPGszRjwMKSJSvLxQh4jREIBXF0OHOc7ty+3dgmhdzQawM5QkeRpYFGqblHg
         YGOiZq3DnsIX7M3BuIdtklCGY2NrFRRb8anuTGg8zAXyGJiAtu7VaXOQTacTf0Od20BU
         n87tUZkGiAlRwiVJPl03TULWxJEfyWriZgIIFpQ9LF/u/bGhHzlagvfcD2/UUsUxF/Ho
         d32vc2aHzu0Fa4xV2L3x4gWVUnz7r58AvoYBYy6PiOP9OIADm+ecEfw94j9cIfAqkyME
         89kPKaJwbppxifhFxfU+xbj+7D3GYVMWD9cJ6A1ok3SlqKCKDQNDClnAsKnQbaEEcjXh
         u4/Q==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=neutral (google.com: 85.214.156.166 is neither permitted nor denied by best guess record for domain of ibr@radix50.net) smtp.mailfrom=ibr@radix50.net
Return-Path: <ibr@radix50.net>
Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166])
        by gmr-mx.google.com with ESMTPS id r2-20020a05600c35c200b0038c99860114si324767wmq.0.2022.03.21.05.01.10
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Mon, 21 Mar 2022 05:01:10 -0700 (PDT)
Received-SPF: neutral (google.com: 85.214.156.166 is neither permitted nor denied by best guess record for domain of ibr@radix50.net) client-ip=85.214.156.166;
Authentication-Results: gmr-mx.google.com;
       spf=neutral (google.com: 85.214.156.166 is neither permitted nor denied by best guess record for domain of ibr@radix50.net) smtp.mailfrom=ibr@radix50.net
Received: from ilbers.de (host-80-81-17-52.static.customer.m-online.net [80.81.17.52])
	(authenticated bits=0)
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8) with ESMTPSA id 22LC18wC012534
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 21 Mar 2022 13:01:09 +0100
Date: Mon, 21 Mar 2022 13:01:08 +0100
From: Baurzhan Ismagulov <ibr@radix50.net>
To: isar-users <isar-users@googlegroups.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [PATCH v3] Avoid sharing of /dev/shm from the build context
Message-ID: <YjhpBBXUDHRgcKHi@ilbers.de>
Mail-Followup-To: isar-users <isar-users@googlegroups.com>,
	Jan Kiszka <jan.kiszka@siemens.com>
References: <402b0166-9aca-6f49-63b4-d24ac89f8505@siemens.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <402b0166-9aca-6f49-63b4-d24ac89f8505@siemens.com>
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED
	autolearn=unavailable autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-TUID: HXgAa7rH7ULt

On Mon, Mar 21, 2022 at 12:50:53PM +0100, Jan Kiszka wrote:
> diff --git a/meta/classes/buildchroot.bbclass b/meta/classes/buildchroot.bbclass
> index dd8f4206..3d2211b9 100644
> --- a/meta/classes/buildchroot.bbclass
> +++ b/meta/classes/buildchroot.bbclass
> @@ -42,8 +42,8 @@ buildchroot_do_mounts() {
>                  mount --bind '${CCACHE_DIR}' '${BUILDCHROOT_DIR}/ccache'
>          fi
>          mountpoint -q '${BUILDCHROOT_DIR}/dev' ||
> -            mount --rbind /dev '${BUILDCHROOT_DIR}/dev'
> -        mount --make-rslave '${BUILDCHROOT_DIR}/dev'
> +            ( mount --bind /dev '${BUILDCHROOT_DIR}/dev' &&
> +              mount -t tmpfs none '${BUILDCHROOT_DIR}/dev/shm' )
>          mountpoint -q '${BUILDCHROOT_DIR}/proc' ||
>              mount -t proc none '${BUILDCHROOT_DIR}/proc'
>          mountpoint -q '${BUILDCHROOT_DIR}/sys' ||
> diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
> index 927af13f..d760ba5c 100644
> --- a/meta/classes/rootfs.bbclass
> +++ b/meta/classes/rootfs.bbclass
> @@ -34,8 +34,8 @@ rootfs_do_mounts() {
>      sudo -s <<'EOSUDO'
>          set -e
>          mountpoint -q '${ROOTFSDIR}/dev' || \
> -            mount --rbind /dev '${ROOTFSDIR}/dev'
> -        mount --make-rslave '${ROOTFSDIR}/dev'
> +            ( mount --bind /dev '${ROOTFSDIR}/dev' &&
> +              mount -t tmpfs none '${ROOTFSDIR}/dev/shm' )
>          mountpoint -q '${ROOTFSDIR}/proc' || \
>              mount -t proc none '${ROOTFSDIR}/proc'
>          mountpoint -q '${ROOTFSDIR}/sys' || \
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> index 1b16f874..c7fc2b4f 100644
> --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> @@ -360,8 +360,8 @@ do_bootstrap() {
>          "${ROOTFSDIR}/chroot-setup.sh" "setup" "${ROOTFSDIR}"
>  
>          # update APT
> -        mount --rbind /dev ${ROOTFSDIR}/dev
> -        mount --make-rslave ${ROOTFSDIR}/dev
> +        mount --bind /dev ${ROOTFSDIR}/dev
> +        mount -t tmpfs none "${ROOTFSDIR}/dev/shm"
>          mount -t proc none ${ROOTFSDIR}/proc
>          mount --rbind /sys ${ROOTFSDIR}/sys
>          mount --make-rslave ${ROOTFSDIR}/sys
> @@ -381,6 +381,7 @@ do_bootstrap() {
>          chroot "${ROOTFSDIR}" /usr/bin/apt-get dist-upgrade -y \
>                                  -o Debug::pkgProblemResolver=yes
>  
> +        umount -l "${ROOTFSDIR}/dev/shm"
>          umount -l "${ROOTFSDIR}/dev"
>          umount -l "${ROOTFSDIR}/proc"
>          umount -l "${ROOTFSDIR}/sys"

Thanks, LGTM.

I hope we can address lazy umounts in the next mount rework version.

With kind regards,
Baurzhan.