Skip to content

Experiment with using rootlesskit instead of fakeroot + native solbuild container/network code #106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
ermo wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Experiment with using rootlesskit instead of fakeroot + native solbuild container/network code #106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
af53724
manager: Make namespace functions noops
ermo Aug 28, 2024
78f18ed
build: Use rootlesskit instead of fatfakeroot
ermo Aug 28, 2024
55ee9ff
util+build: Add and use RootlesskitExec function
ermo Aug 28, 2024
28a5940
build: Might as well try building as "root"
ermo Aug 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 16 additions & 4 deletions builder/build.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,23 +326,35 @@ func (p *Package) BuildYpkg(notif PidNotifier, usr *UserInfo, pman *EopkgManager
ymlFile := filepath.Join(wdir, filepath.Base(p.Path))

// Now build the package
cmd := fmt.Sprintf("/bin/su %s -- fakeroot ypkg-build -D %s %s", BuildUser, wdir, ymlFile)
// cmd := fmt.Sprintf("/bin/su %s -- fakeroot ypkg-build -D %s %s", BuildUser, wdir, ymlFile)
// use rootlesskit instead of fatfakeroot
buildCmd := fmt.Sprintf("ypkg-build -D %s %s", wdir, ymlFile)
if DisableColors {
cmd += " -n"
buildCmd += " -n"
}
// Pass unix timestamp of last git update
if h != nil && len(h.Updates) > 0 {
cmd += fmt.Sprintf(" -t %v", h.GetLastVersionTimestamp())
buildCmd += fmt.Sprintf(" -t %v", h.GetLastVersionTimestamp())
}

// need to properly quote the innner -c 'command' syntax
//suCmd := fmt.Sprintf("strace /bin/su %s --command='%s'", BuildUser, buildCmd)

if p.CanCCache {
// Start an sccache server to work around #87
StartSccache(overlay.MountPoint)
}

// ensure that the BuildUser has /etc/sub{g,u}id files present for use with rootlesskit user namespaces
usermodCmd := fmt.Sprintf("touch /etc/sub{g,u}id && usermod --add-subuids 100000-165535 --add-subgids 100000-165535 %s", BuildUser)
if err := ChrootExec(notif, overlay.MountPoint, usermodCmd); err != nil {
slog.Error(fmt.Sprintf("Failed to ensure that user '%s' has /etc/sub{g,u}id files in chroot", BuildUser))
}

slog.Info("Now starting build", "package", p.Name)
slog.Info("Build", "command", buildCmd)

if err := ChrootExec(notif, overlay.MountPoint, cmd); err != nil {
if err := RootlesskitExec(notif, overlay.MountPoint, buildCmd); err != nil {
return fmt.Errorf("Failed to start build of package, reason: %w\n", err)
}

Expand Down
16 changes: 8 additions & 8 deletions builder/namespaces.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,18 +17,18 @@
package builder

import (
"fmt"
//"fmt"
"log/slog"
"syscall"
//"syscall"
)

// ConfigureNamespace will unshare() context, entering a new namespace.
func ConfigureNamespace() error {
slog.Debug("Configuring container namespace")

if err := syscall.Unshare(syscall.CLONE_NEWNS | syscall.CLONE_NEWIPC); err != nil {
return fmt.Errorf("Failed to configure namespace, reason: %w\n", err)
}
// if err := syscall.Unshare(syscall.CLONE_NEWNS | syscall.CLONE_NEWIPC); err != nil {
// return fmt.Errorf("Failed to configure namespace, reason: %w\n", err)
// }

return nil
}
Expand All @@ -37,9 +37,9 @@ func ConfigureNamespace() error {
func DropNetworking() error {
slog.Debug("Dropping container networking")

if err := syscall.Unshare(syscall.CLONE_NEWNET | syscall.CLONE_NEWUTS); err != nil {
return fmt.Errorf("Failed to drop networking capabilities, reason: %w\n", err)
}
// if err := syscall.Unshare(syscall.CLONE_NEWNET | syscall.CLONE_NEWUTS); err != nil {
// return fmt.Errorf("Failed to drop networking capabilities, reason: %w\n", err)
// }

return nil
}
25 changes: 25 additions & 0 deletions builder/util.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,31 @@ func ChrootExec(notif PidNotifier, dir, command string) error {
return c.Wait()
}

// RootlesskitExec is a simple wrapper to return a correctly set up rootlesskit chroot command
// using the 'solbuild' user (expected to exist a priori and have /etc/sub{g,u}id files),
// such that we can store the PID for long running tasks.
func RootlesskitExec(notif PidNotifier, dir, command string) error {
rootlesskitCmd := fmt.Sprintf(
"-c rootlesskit --copy-up=/var/cache/eopkg/archives chroot %s %s", dir, command)
args := []string{"solbuild", rootlesskitCmd}
c := exec.Command("/bin/su", args...)
c.Stdout = os.Stdout
c.Stderr = os.Stdout
c.Stdin = os.Stdin
c.Env = ChrootEnvironment
c.SysProcAttr = &syscall.SysProcAttr{Setsid: true}

slog.Info("RootlesskitExec", "command", c)

if err := c.Start(); err != nil {
return err
}

notif.SetActivePID(c.Process.Pid)

return c.Wait()
}

// ChrootExecStdin is almost identical to ChrootExec, except it permits a stdin
// to be associated with the command.
func ChrootExecStdin(notif PidNotifier, dir, command string) error {
Expand Down