[reprotest] 01/02: build: just use "sudo -h localhost" instead of messing around with mount namespaces
Ximin Luo
infinity0 at debian.org
Fri Nov 24 18:19:26 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch master
in repository reprotest.
commit 4e57b19194ffea3de594ce0aabfeae7839ad823b
Author: Ximin Luo <infinity0 at debian.org>
Date: Fri Nov 24 18:03:45 2017 +0100
build: just use "sudo -h localhost" instead of messing around with mount namespaces
---
README.rst | 9 +++++++--
reprotest/build.py | 45 ++++++++++++++++-----------------------------
2 files changed, 23 insertions(+), 31 deletions(-)
diff --git a/README.rst b/README.rst
index e682784..9e712e0 100644
--- a/README.rst
+++ b/README.rst
@@ -299,8 +299,13 @@ this in reprotest without heavy effort.
Therefore, it is recommended to run this variation with use_sudo=1. To avoid
password prompts, see the section "Avoid sudo(1) password prompts" below.
-Currently, neither the sudo nor non-sudo options work inside a container; give
---vary=-domain_host if you need to run it inside one. FIXME.
+When running inside a virtual-server:
+
+The non-sudo method fails with "Operation not permitted", even if you edited
+``/proc/sys/kernel/unprivileged_userns_clone``. The cause is currently unknown.
+
+The sudo method works only if you take measures to avoid sudo password prompts,
+since containers don't have a method to input this.
User or group
-------------
diff --git a/reprotest/build.py b/reprotest/build.py
index 201ce8c..8a1006c 100644
--- a/reprotest/build.py
+++ b/reprotest/build.py
@@ -218,31 +218,20 @@ def domain_host(ctx, build, vary):
# TODO: below only works on linux, of course..
if ctx.spec.domain_host.use_sudo:
- ns_uts, ns_mnt = ('%s/ns-%s' % (build.aux_tree, ns) for ns in ("uts", "mnt"))
- _ = _.append_setup_exec('touch', ns_mnt, ns_uts)
- # make ns_mnt have propagation=private, required for --mount=$ns_mnt
- _ = _.append_setup_exec('sudo', 'mount', '-B', ns_mnt, ns_mnt)
- _ = _.append_setup_exec('sudo', 'mount', '--make-private', ns_mnt)
- _ = _.prepend_cleanup_exec('sudo', 'umount', ns_mnt)
+ ns_uts = '%s/ns-%s' % (build.aux_tree, "uts")
+ _ = _.append_setup_exec('touch', ns_uts)
# create our unshare
- ns_args = ['--mount=%s' % ns_mnt, '--uts=%s' % ns_uts]
- _ = _.append_setup_exec('sudo', 'unshare', *ns_args, 'true')
- _ = _.prepend_cleanup_exec('sudo', 'umount', ns_mnt)
- _ = _.prepend_cleanup_exec('sudo', 'umount', ns_uts)
+ ns_args = ['--uts=%s' % ns_uts]
+ _ = _.append_setup_exec(*SUDO, 'unshare', *ns_args, 'true')
+ _ = _.prepend_cleanup_exec(*SUDO, 'umount', ns_uts)
# configure our unshare
- # FIXME: this does not work in nsenter due to a bug, upstream is working on a fix
- # https://www.spinics.net/lists/util-linux-ng/msg14759.html
- nsenter = ['sudo', 'nsenter'] + ns_args
+ nsenter = SUDO + ['nsenter'] + ns_args
_ = _.append_setup_exec(*nsenter, 'hostname', hostname)
_ = _.append_setup_exec(*nsenter, 'domainname', domainname)
- # the mount -B hack suppresses spurious sudo(1) warnings about "unable to resolve host"
- _ = _.append_setup_exec('sh', '-ec',
- 'echo "127.0.0.1 {1}" > {0}/hosts && cat /etc/hosts >> {0}/hosts'.format(build.aux_tree, hostname))
- _ = _.append_setup_exec(*nsenter, 'mount', '-B', '%s/hosts' % build.aux_tree, '/etc/hosts')
# wrap our build command
- _ = _.prepend_to_build_command('sudo', '-E', *(nsenter[1:]), *make_sudo_command(*current_user_group()))
+ _ = _.prepend_to_build_command(*SUDO, '-E', *(nsenter[len(SUDO):]), *make_sudo_command(*current_user_group()))
else:
- logger.warn("Not using sudo for domain_host; it is recommended. Your build may fail.")
+ logger.warn("Not using sudo for domain_host; your build may fail. See man page for other options.")
logger.warn("Be sure to `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` if on a Debian system.")
if "user_group" in ctx.spec and ctx.spec.user_group.available:
logger.error("Incompatible variations: domain_host.use_sudo False, user_group.available non-empty.")
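Review bot: The rewritten warning on the `logger.warn(...)` line keeps the deprecated `Logger.warn` alias, which the logging module has flagged as deprecated in favour of `warning` since Python 3.3; since the line is being rewritten anyway it should become `logger.warning("Not using sudo for domain_host; your build may fail. See man page for other options.")`. The new setup also drops the `/etc/hosts` bind-mount that the removed comment described as the way to silence sudo's "unable to resolve host" warning, and nothing in the new code records that `SUDO`'s `-h localhost` now serves that purpose; a one-line comment next to `nsenter = SUDO + ['nsenter'] + ns_args` such as `# SUDO carries -h localhost so sudo does not try to resolve the namespaced hostname` would keep that rationale with the code. The `domain_host` function starts and continues outside this hunk.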
@@ -382,11 +371,13 @@ def current_user_group():
return getpass.getuser(), grp.getgrgid(os.getgid()).gr_name
+SUDO = ['sudo', '-h', 'localhost']
+
def make_sudo_command(user, group):
assert user or group
userarg = ['-u', user] if user else []
grouparg = ['-g', group] if group else []
- return ['sudo', '-E'] + userarg + grouparg + ['env',
+ return SUDO + ['-E'] + userarg + grouparg + ['env',
'-u', 'SUDO_COMMAND', '-u', 'SUDO_GID', '-u', 'SUDO_UID', '-u', 'SUDO_USER']
def parse_user_group(user_group):
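Review bot: `SUDO = ['sudo', '-h', 'localhost']` is a new module-level constant with no comment, yet it now shapes every privileged command reprotest runs and the sudoers rules it prints, so the reason for `-h localhost` should be stated next to it, e.g. `# -h localhost: stops sudo resolving the (namespaced) hostname, which previously needed a bind-mounted /etc/hosts`. It is also worth noting in that comment, or in the README, that `-h host` combined with a command is only accepted by more recent sudo releases, as I recall older ones treat `-h` as `--help` and never run the command — worth confirming against the minimum sudo version the package targets. `make_sudo_command` still validates its inputs with a bare `assert user or group`, which disappears under `python -O`; that is pre-existing, but since the return line is being rewritten a `raise ValueError("user or group is required")` would be the safer guard.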
@@ -585,7 +576,7 @@ def print_sudoers(spec):
"build-experiment-[1-9][0-9]",
"build-experiment-blacklist",
"build-experiment-non-whitelist",
- ]]
+ ] + ["build-experiment-%s" % k for k in VariationSpec.all_names()]]
if "user_group" in spec and spec.user_group.available:
user_groups = [parse_user_group(user_group) for user_group in spec.user_group.available]
@@ -611,14 +602,10 @@ def print_sudoers(spec):
print("""# Rules for varying domain_host""")
for base_ex in experiments:
print("""\
-%(user)s ALL = NOPASSWD: /bin/mount -B %(base_ex)s-aux/ns-mnt %(base_ex)s-aux/ns-mnt
-%(user)s ALL = NOPASSWD: /bin/mount --make-private %(base_ex)s-aux/ns-mnt
-%(user)s ALL = NOPASSWD: /usr/bin/unshare --mount=%(base_ex)s-aux/ns-mnt --uts=%(base_ex)s-aux/ns-uts true
-%(user)s ALL = NOPASSWD: /usr/bin/nsenter --mount=%(base_ex)s-aux/ns-mnt --uts=%(base_ex)s-aux/ns-uts hostname reprotest-*
-%(user)s ALL = NOPASSWD: /usr/bin/nsenter --mount=%(base_ex)s-aux/ns-mnt --uts=%(base_ex)s-aux/ns-uts domainname reprotest-*
-%(user)s ALL = NOPASSWD: /usr/bin/nsenter --mount=%(base_ex)s-aux/ns-mnt --uts=%(base_ex)s-aux/ns-uts mount -B %(base_ex)s-aux/hosts /etc/hosts
-%(user)s ALL = NOPASSWD:SETENV: /usr/bin/nsenter --mount=%(base_ex)s-aux/ns-mnt --uts=%(base_ex)s-aux/ns-uts sudo -E -u %(user)s -g %(group)s env *
-%(user)s ALL = NOPASSWD: /bin/umount %(base_ex)s-aux/ns-mnt
+%(user)s ALL = NOPASSWD: /usr/bin/unshare --uts=%(base_ex)s-aux/ns-uts true
+%(user)s ALL = NOPASSWD: /usr/bin/nsenter --uts=%(base_ex)s-aux/ns-uts hostname reprotest-*
+%(user)s ALL = NOPASSWD: /usr/bin/nsenter --uts=%(base_ex)s-aux/ns-uts domainname reprotest-*
+%(user)s ALL = NOPASSWD:SETENV: /usr/bin/nsenter --uts=%(base_ex)s-aux/ns-uts sudo -h localhost -E -u %(user)s -g %(group)s env *
%(user)s ALL = NOPASSWD: /bin/umount %(base_ex)s-aux/ns-uts
""".rstrip() % dict(**variables, base_ex=base_ex))
print()
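Review bot: The SETENV rule in the sudoers template hard-codes `sudo -h localhost -E -u %(user)s -g %(group)s env *`, while the command that must match it is built from the `SUDO` list in `make_sudo_command`; any later change to `SUDO` would silently stop matching and turn every domain_host build into a password prompt or a denial. Derive the text from the same constant instead: change the rule to `... --uts=%(base_ex)s-aux/ns-uts %(sudo)s -E -u %(user)s -g %(group)s env *` and pass it in with `dict(**variables, base_ex=base_ex, sudo=" ".join(SUDO))`. The same hard-coded argument order also has to stay in sync with `make_sudo_command`, which is worth a comment on the template since sudoers matching is positional. `print_sudoers` starts outside this hunk.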
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/reprotest.git