From: Anton Mikanovich
To: Jan Kiszka, isar-users
Date: Mon, 28 Mar 2022 20:49:14 +0300
Subject: Re: [PATCH v3] Avoid sharing of /dev/shm from the build context
In-Reply-To: <402b0166-9aca-6f49-63b4-d24ac89f8505@siemens.com>

21.03.2022 14:50, Jan Kiszka wrote:
> From: Jan Kiszka
>
> By bind-mounting complete /dev into the various chroots, we also share
> the host instance of /dev/shm between them. If some package installation
> should actually make use of that tmpfs instance, it may find content of
> others there. That is at least not desirable, in few cases even
> problematic (sysrepo package uses it during postinst, and this causes
> troubles when multiple images are built in parallel).
>
> This decouples all instances by mounting new instances over the
> bind-mounted ones.
>
> While at it, it switches the recursive bind-mounting of /dev to
> explicit one. /dev/shm then becomes the only sub-mount. This is assumed
> to be sufficient for the given use cases.
>
> Signed-off-by: Jan Kiszka

Applied to next, thanks.
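
An added example, not part of the original mail or of the Isar patch: a check that reads text in /proc/self/mountinfo format and reports every /dev/shm tmpfs instance that is visible at more than one mount point, which is the sharing between chroots that the quoted commit message describes. The sample mount table, its IDs and the /build/rootfs-* paths are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in /proc/self/mountinfo format (IDs and paths are made up).
# rootfs-a and rootfs-b got the host's /dev/shm via a recursive bind mount of
# /dev (same major:minor 0:25 as the host); rootfs-c has its own tmpfs (0:61).
SAMPLE_MOUNTINFO = """\
22 28 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw,size=8G
30 22 0:25 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
410 28 0:5 / /build/rootfs-a/dev rw,nosuid shared:2 - devtmpfs udev rw,size=8G
411 410 0:25 / /build/rootfs-a/dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
420 28 0:5 / /build/rootfs-b/dev rw,nosuid shared:2 - devtmpfs udev rw,size=8G
421 420 0:25 / /build/rootfs-b/dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
430 28 0:5 / /build/rootfs-c/dev rw,nosuid - devtmpfs udev rw,size=8G
431 430 0:61 / /build/rootfs-c/dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
"""


def shm_mounts(mountinfo_text):
    """Yield (mount_point, device_id, fstype) for each mount ending in /dev/shm."""
    for line in mountinfo_text.splitlines():
        # Fields before " - " are per-mount, fields after it are per-filesystem.
        left, sep, right = line.partition(" - ")
        fields = left.split()
        if not sep or len(fields) < 6 or not right.split():
            continue  # not a well-formed mountinfo line
        device_id, mount_point = fields[2], fields[4]
        if mount_point.endswith("/dev/shm"):
            yield mount_point, device_id, right.split()[0]


def shared_shm(mountinfo_text):
    """Map each device id seen at more than one /dev/shm to its mount points.

    Bind mounts of one tmpfs keep its major:minor; a freshly mounted tmpfs
    gets a new one, so a repeated id means the instance is shared.
    """
    by_device = defaultdict(list)
    for mount_point, device_id, _fstype in shm_mounts(mountinfo_text):
        by_device[device_id].append(mount_point)
    return {dev: sorted(mps) for dev, mps in by_device.items() if len(mps) > 1}


if __name__ == "__main__":
    for dev, mount_points in shared_shm(SAMPLE_MOUNTINFO).items():
        print(f"tmpfs {dev} is shared by: {', '.join(mount_points)}")
```

On a build host the same functions can be fed the contents of /proc/self/mountinfo while builds are running; an empty result means every chroot has its own /dev/shm instance.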