Skip to content

Comments

Use mount namespace instead of chroot#62

Open
valentindavid wants to merge 1 commit intocanonical:mainfrom
valentindavid:valentindavid/namespace
Open

Use mount namespace instead of chroot#62
valentindavid wants to merge 1 commit intocanonical:mainfrom
valentindavid:valentindavid/namespace

Conversation

@valentindavid
Copy link
Contributor

This allow to not worry about mounts done within the namespace. We
can now bind mount files into the sysroot instead of copying them.

@valentindavid
Copy link
Contributor Author

I would like to get #61 merged first and I will rebase it. I keep it as draft for the moment.

@valentindavid valentindavid reopened this Jun 16, 2022
@valentindavid valentindavid reopened this Jun 16, 2022
@valentindavid valentindavid force-pushed the valentindavid/namespace branch 3 times, most recently from de1ca25 to 4d57eb8 Compare June 23, 2022 15:15
@valentindavid valentindavid marked this pull request as ready for review June 24, 2022 10:28
@valentindavid valentindavid force-pushed the valentindavid/namespace branch from 4d57eb8 to 1b84617 Compare June 30, 2022 10:19
Copy link
Member

@alfonsosanchezbeato alfonsosanchezbeato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach is interesting but tbh I am not totally bought on this, which are the advantages from your POV?

Also, please try to build on launchpad, as maybe because of container limitations we find some problem.

;;
esac
done
exec unshare --mount --root="${sysroot}" -- "${@}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it would be good to add comments on why we need to call unshare twice (from spawn, then from init) and why we use exec the second time.

mount-ns.sh Outdated
mount -t tmpfs -o mode=1777 tmpfs "${sysroot}/tmp"
mount -t tmpfs -o mode=0755 tmpfs "${sysroot}/run"
trap cleanup EXIT
unshare --pid --fork --mount -- "${0}" init "${sysroot}" "${@}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add comment clarifying that you are calling the script again with a different command.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

I have also noticed there was a potential race condition with the tmpfs when launch multiple time in the same time. So I have changed the tmpfs to be mounted in a temporary directory and bind mounted in the second phase.

@valentindavid valentindavid force-pushed the valentindavid/namespace branch from 1b84617 to 0382fde Compare July 18, 2022 11:03
@valentindavid
Copy link
Contributor Author

The approach is interesting but tbh I am not totally bought on this, which are the advantages from your POV?

Namespaces can isolate better than chroot in general.

My main reason here is that we can hide the mounts done within the namespace to the rest system. So when the build is done and some mounts were not unmounted properly, it is fine, because they will be removed with the namespace.

Mounting of /proc in hooks/001-extra-packages.chroot was the reason I did this. First of all, we should always have /proc mounted. And if we did mount things in the hook scripts, then we should make sure they are not exposed to the rest of the system.

This allow to not worry about mounts done within the namespace.  We
can now bind mount files into the sysroot instead of copying them.
@valentindavid valentindavid force-pushed the valentindavid/namespace branch from 0382fde to a931362 Compare September 19, 2023 12:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants