From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH] isar: Clean mount point on bitbake exit
To: Henning Schild
Cc: Alexander Smirnov, isar-users@googlegroups.com
References: <20180206195516.32153-1-asmirnov@ilbers.de>
 <20180209133340.681c00b5@mmd1pvb1c.ad001.siemens.net>
 <0fe2f7a9-4a02-9abd-7a97-44605f4f865b@siemens.com>
 <20180209134013.022008e2@mmd1pvb1c.ad001.siemens.net>
 <9e6f99ef-ba9f-d92a-2a09-cf99126b1f6b@siemens.com>
 <20180209141446.3d82eafa@mmd1pvb1c.ad001.siemens.net>
From: Jan Kiszka
Date: Fri, 9 Feb 2018 14:19:26 +0100
In-Reply-To: <20180209141446.3d82eafa@mmd1pvb1c.ad001.siemens.net>

On 2018-02-09 14:14, Henning Schild wrote:
> On Fri, 9 Feb 2018 13:41:23 +0100
> Jan Kiszka wrote:
> 
>> On 2018-02-09 13:40, Henning Schild wrote:
>>> On Fri, 9 Feb 2018 13:35:15 +0100
>>> Jan Kiszka wrote:
>>> 
>>>> On 2018-02-09 13:33, [ext] Henning Schild wrote:
>>>>> Hi,
>>>>> 
>>>>> this patch is causing problems when building in a docker
>>>>> container, because sysfs can only be mounted ro. (Subject:
>>>>> current next bash in buildchroot problem)
>>>>> Now we could discuss whether we should relax the security of our
>>>>> containers even more, or whether Isar should care about that
>>>>> use-case.
>>>>> 
>>>>> But this patch actually does several things at a time, it changes
>>>>> the way we mount and adds three new mounts. I would suggest to
>>>>> split it up so we can discuss the issues with dev and sys while
>>>>> already merging the rest.
>>>> 
>>>> I think (didn't check if there was an update of next this morning)
>>>> it works for me - in Docker. How are you starting the container?
>>> 
>>> docker run -e USER_ID=$(id -u) --rm -t -i --cap-add=SYS_ADMIN
>>> --cap-add=MKNOD --device $(/sbin/losetup -f) -e ... proxy stuff ...
>>> 
>> 
>> Try adding --privileged - that's needed for binfmt anyway.
> 
> Mhh I could, but I am doing an amd64 build on an amd64 host, so I do
> not use binfmt. And I did build arm images with binfmt and without
> privileged before.

That was working by chance, because you had the right settings already
applied on the host system (binfmt is not container-ready, is not
working per-namespace).

> So I would like to understand what has changed before dropping all
> defense-lines in docker ... that were ok before.

The answer to isolation remains "use a VM" for now (can also be "use the
container inside a VM"). Docker itself is no sufficient isolation
technology for us at this point.

Jan
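An added example, not code from the thread or from the Isar project, that turns the two points this exchange hinges on into checks a build container can run on itself: whether sysfs is mounted read-only and whether the build process holds CAP_SYS_ADMIN or CAP_MKNOD. It assumes a Linux /proc layout; the mountinfo and status excerpts are constructed samples, the capability masks being Docker's default set and that set plus SYS_ADMIN.

```shell
#!/bin/sh
# Added example, not code from the thread or from Isar: audit how far a
# Docker build container's isolation has been relaxed, on the two points the
# thread turns on: is sysfs mounted read-only, and does the build process
# hold CAP_SYS_ADMIN / CAP_MKNOD. Functions take file contents as text so
# they run on the constructed samples below as well as on the live /proc.

CAP_SYS_ADMIN=21   # capability bit numbers from <linux/capability.h>
CAP_MKNOD=27

# Constructed /proc/self/mountinfo excerpt: sysfs mounted ro, as Henning
# describes for his container.
SAMPLE_MOUNTINFO='1 0 0:1 / / rw - overlay overlay rw
2 1 0:5 / /proc rw,nosuid - proc proc rw
3 1 0:6 / /sys ro,nosuid,nodev,noexec - sysfs sysfs ro
4 1 0:7 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755'

# Constructed /proc/self/status excerpts: Docker's default capability mask,
# and the same mask after --cap-add=SYS_ADMIN.
SAMPLE_STATUS_DEFAULT='CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb'
SAMPLE_STATUS_SYSADMIN='CapEff:	00000000a82425fb
CapBnd:	00000000a82425fb'

# sysfs_mode MOUNTINFO_TEXT: print the per-mount ro/rw flag of /sys.
# In mountinfo, field 5 is the mount point and field 6 the mount options.
sysfs_mode() {
    printf '%s\n' "$1" | awk '$5 == "/sys" { split($6, o, ","); print o[1]; exit }'
}

# has_cap STATUS_TEXT BIT: succeed if the CapEff mask has capability BIT set.
has_cap() {
    mask=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# audit MOUNTINFO_TEXT STATUS_TEXT: one-line summary of the posture.
audit() {
    sa=no; mk=no
    has_cap "$2" "$CAP_SYS_ADMIN" && sa=yes
    has_cap "$2" "$CAP_MKNOD" && mk=yes
    echo "sysfs=$(sysfs_mode "$1") sys_admin=$sa mknod=$mk"
}

# With --live, report on the container (or host) this script runs in.
if [ "${1:-}" = "--live" ]; then audit "$(cat /proc/self/mountinfo)" "$(cat /proc/self/status)"; fi
```

Run it with `--live` inside the build container to see the actual posture; a fully `--privileged` container shows every bit of the mask set, which is the point at which the thread's "use a VM" advice applies.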