diff options
| author |   Matt Turner <mattst88@gentoo.org> | 2020-10-29 11:00:42 -0400 |
|---|---|---|
| committer | Matt Turner <mattst88@gentoo.org> | 2020-10-30 18:40:52 -0400 |
| commit | 488b06bf5dbe1eba68ac11de95f56feeb6cead83 (patch) | |
| tree | 19a43a33210b99fd85708bd511012fb975192d27 | |
| parent | catalyst: Add and use namespace context manager (diff) | |
| download | catalyst-488b06bf5dbe1eba68ac11de95f56feeb6cead83.tar.gz catalyst-488b06bf5dbe1eba68ac11de95f56feeb6cead83.tar.bz2 catalyst-488b06bf5dbe1eba68ac11de95f56feeb6cead83.zip | |
catalyst: Run the build sequence in new mount namespace
Catalyst has a lot of code to unmount the bind mounts it's made, and
then more to try harder when something fails. This is important because
if bind mounts still exist within the chroot when clean up happens,
files outside of the chroot on the host system can inadvertently be
deleted. E.g., distfiles, binpkgs, kerncache.
Running the build sequence (the steps that need bind mounts) within a
mount namespace and exiting the mount namespace when finished ensures
that clean up can never accidentally delete files outside the chroot.
Signed-off-by: Matt Turner <mattst88@gentoo.org>
| -rw-r--r-- | catalyst/base/stagebase.py | 7 | ||||
| -rw-r--r-- | catalyst/main.py | 2 |
2 files changed, 5 insertions, 4 deletions
diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py index 06ec8727..caec5935 100644 --- a/catalyst/base/stagebase.py +++ b/catalyst/base/stagebase.py @@ -15,6 +15,7 @@ from snakeoil.osutils import pjoin from DeComp.compress import CompressMap from catalyst import log +from catalyst.context import namespace from catalyst.defaults import (confdefaults, MOUNT_DEFAULTS, PORT_LOGDIR_CLEAN) from catalyst.support import (CatalystError, file_locate, normpath, cmd, read_makeconf, ismount, file_check, @@ -1405,9 +1406,9 @@ class StageBase(TargetBase, ClearBase, GenBase): if not self.run_sequence(self.prepare_sequence): return False - if not self.run_sequence(self.build_sequence): - self.unbind() - return False + with namespace(mount=True): + if not self.run_sequence(self.build_sequence): + return False if not self.run_sequence(self.finish_sequence): return False diff --git a/catalyst/main.py b/catalyst/main.py index 93a4a0d3..5536471a 100644 --- a/catalyst/main.py +++ b/catalyst/main.py @@ -355,7 +355,7 @@ def _main(parser, opts): # use pid & user namespaces, but snakeoil's namespace module has signal # transfer issues (CTRL+C doesn't propagate), and user namespaces need # more work due to Gentoo build process (uses sudo/root/portage). - with namespace(mount=True, uts=True, ipc=True, hostname='catalyst'): + with namespace(uts=True, ipc=True, hostname='catalyst'): # everything is setup, so the build is a go try: success = build_target(addlargs) |