[buildd-tools-devel] Bug#637870: Provide more isolation than just chroot

Vincent Bernat bernat at debian.org
Mon Aug 15 10:46:31 UTC 2011


Package: schroot
Version: 1.4.23-1
Severity: wishlist

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Recent Linux kernels allow more advanced isolation than just
chrooting. From the clone(2) manpage, these possibilities exist:

 - CLONE_NEWPID: new PID namespace, including the fact that when the
   initial process dies (in case of schroot, this could be the shell),
   all other processes die as well. This would be a very cool
   feature when starting daemons in the chroot.
 - CLONE_NEWNS: mentioned in bug #488225.
 - CLONE_NEWIPC: new IPC namespace, with complete destruction on exit
 - CLONE_NEWNET: new network namespace, maybe could be done later
   since it needs to be configured properly to be useful.
 - CLONE_NEWUTS: not sure when it is useful

CLONE_NEWPID + CLONE_NEWNS + CLONE_NEWIPC would be great!

I am unsure if this can be done in setup scripts, but I will look at
it. Maybe with a helper?

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages schroot depends on:
ii  libboost-filesystem1.46.1   1.46.1-6     filesystem operations (portable pa
ii  libboost-program-options1.4 1.46.1-6     program options library for C++
ii  libboost-regex1.46.1        1.46.1-6     regular expression library for C++
ii  libboost-system1.46.1       1.46.1-6     Operating system (e.g. diagnostics
ii  libc6                       2.13-16      Embedded GNU C Library: Shared lib
ii  libgcc1                     1:4.6.1-6    GCC support library
ii  liblockdev1                 1.0.3-1.4+b1 Run-time shared library for lockin
ii  libpam0g                    1.1.3-2      Pluggable Authentication Modules l
ii  libstdc++6                  4.6.1-6      GNU Standard C++ Library v3
ii  libuuid1                    2.19.1-5     Universally Unique ID library
ii  schroot-common              1.4.23-1     common files for schroot

schroot recommends no packages.

Versions of packages schroot suggests:
pn  aufs-modules | unionfs-modul <none>      (no description available)
pn  btrfs-tools                  <none>      (no description available)
ii  debootstrap                  1.0.35      Bootstrap a basic Debian system
ii  lvm2                         2.02.84-3.1 The Linux Logical Volume Manager
ii  unzip                        6.0-5       De-archiver for .zip files

- -- Configuration Files:
/etc/schroot/schroot.conf changed [not included]

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5I+QQACgkQKFvXofIqeU6JTwCgoGSWB/vUDK3iAId0O43U01og
kC8AmwYTW6h1x4upNMxXpdvZtb4YkMgl
=7PRW
-----END PGP SIGNATURE-----
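Added example (editor's addition; not code from schroot and not part of the report above): a small C helper of the kind the report speculates about. It starts a child with CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC via clone(2), has the child report the PID it sees (1 in a fresh PID namespace), mark its private copy of the mount tree so nothing it later mounts propagates back to the host, start a grandchild and exit, and then checks from the parent that the grandchild was killed together with the namespace's "init", which is the daemon-cleanup behaviour the report describes. The names ns_flags_from_list, run_isolated, isolation_demo and the "pid,mnt,ipc" spelling are this example's own assumptions. It assumes Linux with CAP_SYS_ADMIN; without that capability clone(2) fails with EPERM and the helper reports that rather than silently falling back to a plain chroot.

```c
/* Added example, not code from schroot or from the report: a minimal helper
 * that starts a process in new PID, mount and IPC namespaces via clone(2).
 * Assumes Linux and CAP_SYS_ADMIN; without it clone(2) fails with EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#define STACK_SIZE (256 * 1024)

/* Map this example's short names ("pid,mnt,ipc", the three the report asks
 * for) to clone(2) flags; -1 on an unknown name. */
int ns_flags_from_list(const char *list)
{
    char buf[64];
    int flags = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (!strcmp(tok, "pid"))      flags |= CLONE_NEWPID;
        else if (!strcmp(tok, "mnt")) flags |= CLONE_NEWNS;
        else if (!strcmp(tok, "ipc")) flags |= CLONE_NEWIPC;
        else return -1;
    }
    return flags;
}

struct isolation_report {
    int inner_pid;         /* getpid() as seen by the child; 1 means a fresh PID namespace */
    int mount_private;     /* 1 if the child could mark its copy of the mount tree private */
    int grandchild_killed; /* 1 if the grandchild died when the child, its "init", exited */
};
struct child_args { int read_fd, write_fd, flags; };

/* Runs as PID 1 of the new PID namespace: reports what it sees, starts a
 * grandchild that would live 10 s, then exits at once. With CLONE_NEWPID the
 * kernel SIGKILLs everything left in the namespace, so the grandchild's copy
 * of the pipe's write end closes and the parent reads EOF. */
static int child_main(void *arg)
{
    struct child_args *ca = arg;
    int priv = 0;
    close(ca->read_fd);
    /* On hosts using shared subtrees, mounts made in the new namespace would
     * otherwise propagate back to the host; MS_PRIVATE stops that. */
    if (ca->flags & CLONE_NEWNS)
        priv = mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0;
    dprintf(ca->write_fd, "pid=%d\nmount=%d\n", (int)getpid(), priv);
    pid_t g = fork();
    if (g == 0) { sleep(10); _exit(0); }   /* grandchild keeps write_fd open */
    _exit(g < 0 ? 1 : 0);
}

/* Returns 0 and fills *rep, or -errno if clone(2) refused the namespace flags. */
int run_isolated(int ns_flags, struct isolation_report *rep)
{
    int fds[2], eof = 0;
    char buf[256] = {0};
    size_t len = 0;
    const char *p;
    if (pipe(fds) < 0) return -errno;
    char *stack = malloc(STACK_SIZE);
    if (!stack) { close(fds[0]); close(fds[1]); return -ENOMEM; }
    struct child_args ca = { fds[0], fds[1], ns_flags };
    pid_t child = clone(child_main, stack + STACK_SIZE, ns_flags | SIGCHLD, &ca);
    if (child < 0) {
        int err = errno; free(stack); close(fds[0]); close(fds[1]); return -err;
    }
    close(fds[1]);
    /* EOF only arrives once every writer, the grandchild included, is gone; a
     * grandchild that outlives its namespace's init shows up as a 3 s timeout. */
    struct pollfd pfd = { .fd = fds[0], .events = POLLIN };
    while (poll(&pfd, 1, 3000) > 0) {
        ssize_t n = read(fds[0], buf + len, sizeof buf - 1 - len);
        if (n <= 0) { eof = (n == 0); break; }
        len += (size_t)n;
        if (len >= sizeof buf - 1) break;
    }
    close(fds[0]);
    waitpid(child, NULL, 0);
    free(stack);
    rep->inner_pid = (p = strstr(buf, "pid=")) ? atoi(p + 4) : -1;
    rep->mount_private = (p = strstr(buf, "mount=")) ? atoi(p + 6) : 0;
    rep->grandchild_killed = eof;
    return 0;
}

/* 1: the namespaces behaved as the report describes; 0: the kernel or a
 * sandbox refused the flags (usually no CAP_SYS_ADMIN); -1: created but wrong. */
int isolation_demo(void)
{
    struct isolation_report r;
    int rc = run_isolated(ns_flags_from_list("pid,mnt,ipc"), &r);
    if (rc < 0) return (rc == -EPERM || rc == -EINVAL || rc == -ENOSYS) ? 0 : -1;
    return (r.inner_pid == 1 && r.grandchild_killed) ? 1 : -1;
}
```

The parent learns that the grandchild is dead by waiting for EOF on a pipe whose write end only the grandchild still holds; without CLONE_NEWPID the grandchild would outlive the child and the 3-second poll would time out, which is exactly the stray-daemon problem with a plain chroot. CLONE_NEWIPC needs no setup of its own: System V objects created inside the namespace are destroyed with it. Run as root with CAP_SYS_ADMIN, isolation_demo() returns 1; as an ordinary user, or inside a container that drops the capability, it returns 0.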