* [PATCH] sanity: allow to compile from root in user namespaces
@ 2019-12-31 8:33 Nikolai Merinov
2019-12-31 9:02 ` ✗ patchtest: failure for " Patchwork
2019-12-31 9:29 ` [PATCH] " Alexander Kanavin
0 siblings, 2 replies; 5+ messages in thread
From: Nikolai Merinov @ 2019-12-31 8:33 UTC (permalink / raw)
To: openembedded-core
New rootless container subsystems rely on the "user namespaces"
Linux feature. In order to create a container from a regular user the
user uid and subuids mapped to the uid space inside of container.
There are different default configurations used for different
container subsystems:
1. Rootless Docker[1] maps the user ID to 0, the subuids to range
starting from 1.
2. Rootless RunC[2] from OCI by default maps the user ID to 0 and
ignores the subuids.
3. LXC[3] maps the subuids to range from 0. UID not participates
in the mapping.
The LXC variant does not allow to work on same files simultaneusly
inside and outside of a container. Variant suggested by other
container susbsystems assumes that files owned by user should be
owned by root in a container environment.
In order to simplify Yocto compilation in such rootless containers I
want to allow to start the bitbake from root user in user namespace
and allow software compilation from root user in the described
configuration. Additionally I want to provide minimal dockerfile
suitable for the core-image-sato image compilation.
--
[1] https://docs.docker.com/engine/security/rootless/
[2] https://github.com/opencontainers/runc#rootless-containers
[3] https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user
---
meta/classes/insane.bbclass | 4 ++--
meta/classes/sanity.bbclass | 10 +++++++-
meta/recipes-core/coreutils/coreutils_8.31.bb | 1 +
scripts/docker/Dockerfile | 19 +++++++++++++++
scripts/docker/oe-rootless-docker | 24 +++++++++++++++++++
5 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 scripts/docker/Dockerfile
create mode 100755 scripts/docker/oe-rootless-docker
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 0564f9c2a4..3599ce3e6a 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -876,12 +876,12 @@ def package_qa_check_host_user(path, name, d, elf, messages):
raise
else:
check_uid = int(d.getVar('HOST_USER_UID'))
- if stat.st_uid == check_uid:
+ if check_uid != 0 and stat.st_uid == check_uid:
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by uid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_uid))
return False
check_gid = int(d.getVar('HOST_USER_GID'))
- if stat.st_gid == check_gid:
+ if check_gid != 0 and stat.st_gid == check_gid:
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by gid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_gid))
return False
return True
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 63ab6cf3df..a1eba62589 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -742,7 +742,15 @@ def check_sanity_everybuild(status, d):
# it makes sense to always run them.
if 0 == os.getuid():
- raise_sanity_error("Do not use Bitbake as root.", d)
+ userns = False
+ with open("/proc/self/uid_map") as f:
+ for line in f:
+ fields = line.split()
+ if fields[0] == "0" and fields[1] != "0":
+ userns = True
+ break
+ if not userns:
+ raise_sanity_error("Do not use Bitbake as root.", d)
# Check the Python version, we now have a minimum of Python 3.4
import sys
diff --git a/meta/recipes-core/coreutils/coreutils_8.31.bb b/meta/recipes-core/coreutils/coreutils_8.31.bb
index 57b2c1bdba..2f8009331a 100644
--- a/meta/recipes-core/coreutils/coreutils_8.31.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.31.bb
@@ -28,6 +28,7 @@ SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3
EXTRA_OECONF_class-native = "--without-gmp"
EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
+EXTRA_OECONF_append = " FORCE_UNSAFE_CONFIGURE=1"
# acl and xattr are not default features
#
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
new file mode 100644
index 0000000000..4a143d6aa1
--- /dev/null
+++ b/scripts/docker/Dockerfile
@@ -0,0 +1,19 @@
+FROM ubuntu:18.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y update --fix-missing
+
+# Configure locale for Python3
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install locales ; \
+ DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales && \
+ locale-gen en_US.UTF-8 && \
+ update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
+
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+
+# Install Yocto native dependencies
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install \
+ wget git-core diffstat unzip texinfo gcc-multilib \
+ build-essential chrpath socat cpio python python3 python3-pip python3-pexpect \
+ xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
+ pylint3 xterm gawk
diff --git a/scripts/docker/oe-rootless-docker b/scripts/docker/oe-rootless-docker
new file mode 100755
index 0000000000..1efcc82280
--- /dev/null
+++ b/scripts/docker/oe-rootless-docker
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+usage () {
+CMD=$(basename $0)
+cat <<EOF
+Usage: $CMD [docker-build|docker-run]
+ docker-build Build Dockerfile locally
+ docker-run Run rootless docker image suitable for image compilation
+EOF
+}
+
+if ! [ -n "${DOCKER_HOST}" -a "$(stat -c '%U' "${DOCKER_HOST#*://}" 2>/dev/null)" = "$(whoami)" ] ; then
+ echo "Install rootless docker according to the https://docs.docker.com/engine/security/rootless/"
+ exit 1
+fi
+
+if [ "$1" = "docker-build" ]; then
+ docker build -t poky-docker $(dirname $(readlink -f $0))
+elif [ "$1" = "docker-run" ]; then
+ docker run -ti -v ${HOME}:${HOME} -v ${PWD}:${PWD} --workdir ${PWD} -e HOME poky-docker
+else
+ usage
+ exit 0
+fi
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* ✗ patchtest: failure for sanity: allow to compile from root in user namespaces
2019-12-31 8:33 [PATCH] sanity: allow to compile from root in user namespaces Nikolai Merinov
@ 2019-12-31 9:02 ` Patchwork
2019-12-31 9:29 ` [PATCH] " Alexander Kanavin
1 sibling, 0 replies; 5+ messages in thread
From: Patchwork @ 2019-12-31 9:02 UTC (permalink / raw)
To: Andrii Bordunov via Openembedded-core; +Cc: openembedded-core
== Series Details ==
Series: sanity: allow to compile from root in user namespaces
Revision: 1
URL : https://patchwork.openembedded.org/series/21805/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch sanity: allow to compile from root in user namespaces
Issue Patch is missing Signed-off-by [test_signed_off_by_presence]
Suggested fix Sign off the patch (either manually or with "git commit --amend -s")
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] sanity: allow to compile from root in user namespaces
2019-12-31 8:33 [PATCH] sanity: allow to compile from root in user namespaces Nikolai Merinov
2019-12-31 9:02 ` ✗ patchtest: failure for " Patchwork
@ 2019-12-31 9:29 ` Alexander Kanavin
2020-01-03 11:15 ` Nikolai Merinov
1 sibling, 1 reply; 5+ messages in thread
From: Alexander Kanavin @ 2019-12-31 9:29 UTC (permalink / raw)
To: Nikolai Merinov; +Cc: OE-core
[-- Attachment #1: Type: text/plain, Size: 7454 bytes --]
I believe it should be possible to create a regular user inside the
container and then run bitbake as that user?
The patch effectively disables the host contamination check, fixes one
recipe that breaks, and likely introduces other issues; the assumption (and
automated testing) throughout the build is that it's run under a regular
user.
Alex
On Tue, 31 Dec 2019 at 11:40, Nikolai Merinov via Openembedded-core <
openembedded-core@lists.openembedded.org> wrote:
> New rootless container subsystems rely on the "user namespaces"
> Linux feature. In order to create a container from a regular user the
> user uid and subuids mapped to the uid space inside of container.
>
> There are different default configurations used for different
> container subsystems:
>
> 1. Rootless Docker[1] maps the user ID to 0, the subuids to range
> starting from 1.
> 2. Rootless RunC[2] from OCI by default maps the user ID to 0 and
> ignores the subuids.
> 3. LXC[3] maps the subuids to range from 0. UID not participates
> in the mapping.
>
> The LXC variant does not allow to work on same files simultaneusly
> inside and outside of a container. Variant suggested by other
> container susbsystems assumes that files owned by user should be
> owned by root in a container environment.
>
> In order to simplify Yocto compilation in such rootless containers I
> want to allow to start the bitbake from root user in user namespace
> and allow software compilation from root user in the described
> configuration. Additionally I want to provide minimal dockerfile
> suitable for the core-image-sato image compilation.
>
> --
> [1] https://docs.docker.com/engine/security/rootless/
> [2] https://github.com/opencontainers/runc#rootless-containers
> [3]
> https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user
> ---
> meta/classes/insane.bbclass | 4 ++--
> meta/classes/sanity.bbclass | 10 +++++++-
> meta/recipes-core/coreutils/coreutils_8.31.bb | 1 +
> scripts/docker/Dockerfile | 19 +++++++++++++++
> scripts/docker/oe-rootless-docker | 24 +++++++++++++++++++
> 5 files changed, 55 insertions(+), 3 deletions(-)
> create mode 100644 scripts/docker/Dockerfile
> create mode 100755 scripts/docker/oe-rootless-docker
>
> diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
> index 0564f9c2a4..3599ce3e6a 100644
> --- a/meta/classes/insane.bbclass
> +++ b/meta/classes/insane.bbclass
> @@ -876,12 +876,12 @@ def package_qa_check_host_user(path, name, d, elf,
> messages):
> raise
> else:
> check_uid = int(d.getVar('HOST_USER_UID'))
> - if stat.st_uid == check_uid:
> + if check_uid != 0 and stat.st_uid == check_uid:
> package_qa_add_message(messages, "host-user-contaminated",
> "%s: %s is owned by uid %d, which is the same as the user running bitbake.
> This may be due to host contamination" % (pn, package_qa_clean_path(path,
> d, name), check_uid))
> return False
>
> check_gid = int(d.getVar('HOST_USER_GID'))
> - if stat.st_gid == check_gid:
> + if check_gid != 0 and stat.st_gid == check_gid:
> package_qa_add_message(messages, "host-user-contaminated",
> "%s: %s is owned by gid %d, which is the same as the user running bitbake.
> This may be due to host contamination" % (pn, package_qa_clean_path(path,
> d, name), check_gid))
> return False
> return True
> diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
> index 63ab6cf3df..a1eba62589 100644
> --- a/meta/classes/sanity.bbclass
> +++ b/meta/classes/sanity.bbclass
> @@ -742,7 +742,15 @@ def check_sanity_everybuild(status, d):
> # it makes sense to always run them.
>
> if 0 == os.getuid():
> - raise_sanity_error("Do not use Bitbake as root.", d)
> + userns = False
> + with open("/proc/self/uid_map") as f:
> + for line in f:
> + fields = line.split()
> + if fields[0] == "0" and fields[1] != "0":
> + userns = True
> + break
> + if not userns:
> + raise_sanity_error("Do not use Bitbake as root.", d)
>
> # Check the Python version, we now have a minimum of Python 3.4
> import sys
> diff --git a/meta/recipes-core/coreutils/coreutils_8.31.bb
> b/meta/recipes-core/coreutils/coreutils_8.31.bb
> index 57b2c1bdba..2f8009331a 100644
> --- a/meta/recipes-core/coreutils/coreutils_8.31.bb
> +++ b/meta/recipes-core/coreutils/coreutils_8.31.bb
> @@ -28,6 +28,7 @@ SRC_URI[sha256sum] =
> "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3
> EXTRA_OECONF_class-native = "--without-gmp"
> EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname
> --libexecdir=${libdir}"
> EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
> +EXTRA_OECONF_append = " FORCE_UNSAFE_CONFIGURE=1"
>
> # acl and xattr are not default features
> #
> diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
> new file mode 100644
> index 0000000000..4a143d6aa1
> --- /dev/null
> +++ b/scripts/docker/Dockerfile
> @@ -0,0 +1,19 @@
> +FROM ubuntu:18.04
> +
> +RUN DEBIAN_FRONTEND=noninteractive apt-get -y update --fix-missing
> +
> +# Configure locale for Python3
> +RUN DEBIAN_FRONTEND=noninteractive apt-get -y install locales ; \
> + DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales && \
> + locale-gen en_US.UTF-8 && \
> + update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
> +
> +ENV LANG=en_US.UTF-8
> +ENV LC_ALL=en_US.UTF-8
> +
> +# Install Yocto native dependencies
> +RUN DEBIAN_FRONTEND=noninteractive apt-get -y install \
> + wget git-core diffstat unzip texinfo gcc-multilib \
> + build-essential chrpath socat cpio python python3 python3-pip
> python3-pexpect \
> + xz-utils debianutils iputils-ping python3-git python3-jinja2
> libegl1-mesa libsdl1.2-dev \
> + pylint3 xterm gawk
> diff --git a/scripts/docker/oe-rootless-docker
> b/scripts/docker/oe-rootless-docker
> new file mode 100755
> index 0000000000..1efcc82280
> --- /dev/null
> +++ b/scripts/docker/oe-rootless-docker
> @@ -0,0 +1,24 @@
> +#!/bin/sh
> +
> +usage () {
> +CMD=$(basename $0)
> +cat <<EOF
> +Usage: $CMD [docker-build|docker-run]
> + docker-build Build Dockerfile locally
> + docker-run Run rootless docker image suitable for image compilation
> +EOF
> +}
> +
> +if ! [ -n "${DOCKER_HOST}" -a "$(stat -c '%U' "${DOCKER_HOST#*://}"
> 2>/dev/null)" = "$(whoami)" ] ; then
> + echo "Install rootless docker according to the
> https://docs.docker.com/engine/security/rootless/"
> + exit 1
> +fi
> +
> +if [ "$1" = "docker-build" ]; then
> + docker build -t poky-docker $(dirname $(readlink -f $0))
> +elif [ "$1" = "docker-run" ]; then
> + docker run -ti -v ${HOME}:${HOME} -v ${PWD}:${PWD} --workdir
> ${PWD} -e HOME poky-docker
> +else
> + usage
> + exit 0
> +fi
> --
> 2.17.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
[-- Attachment #2: Type: text/html, Size: 9647 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] sanity: allow to compile from root in user namespaces
2019-12-31 9:29 ` [PATCH] " Alexander Kanavin
@ 2020-01-03 11:15 ` Nikolai Merinov
2020-01-03 11:28 ` Richard Purdie
0 siblings, 1 reply; 5+ messages in thread
From: Nikolai Merinov @ 2020-01-03 11:15 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 9156 bytes --]
Hi Alexander.
I understand all of the concerns. Yes, it's possible to create a regular user inside of containers (at least in case of the rootless LXC and Docker containers), but this is a question of usability.
All existed Docker containers for a Yocto compilation (including tge CROPS described at the yoctoproject wiki) tried to use same UID/GID for files inside and outside of the container in order to allow to work with files both inside and outside of container.
In the case of the main container subsystems (Docker, OCI) same level of a usability for rootless containers can be supported only if we allow compilation from UID == 0 because users own UID mapped to 0 in this containers. In order to support such configuration we, in any case, should modify somehow contamination check, check for a root user in the sanity.bbclass and disable root check from "mknod" module in gnulib (used by coreutils).
Will it be appropriate if we allow such regime of the compilation with the following limitation:
1. Allow compilation only from root user inside of the linux user namespace (not a real root)
2. Allow such compilation only if there is "native_root_user" feature in DISTRO_FEATURES
3. Each modified place will check this two conditions
Will be such design appropriate compromise between safety and usability?
Regards,
Nikolai
From: "Alexander Kanavin" <alex.kanavin@gmail.com>
To: "n merinov" <n.merinov@inango-systems.com>
Cc: "openembedded-core" <openembedded-core@lists.openembedded.org>
Sent: Tuesday, December 31, 2019 9:29:34 AM
Subject: Re: [OE-core] [PATCH] sanity: allow to compile from root in user namespaces
BQ_BEGIN
I believe it should be possible to create a regular user inside the container and then run bitbake as that user?
The patch effectively disables the host contamination check, fixes one recipe that breaks, and likely introduces other issues; the assumption (and automated testing) throughout the build is that it's run under a regular user.
Alex
On Tue, 31 Dec 2019 at 11:40, Nikolai Merinov via Openembedded-core < [ mailto:openembedded-core@lists.openembedded.org | openembedded-core@lists.openembedded.org ] > wrote:
BQ_BEGIN
New rootless container subsystems rely on the "user namespaces"
Linux feature. In order to create a container from a regular user the
user uid and subuids mapped to the uid space inside of container.
There are different default configurations used for different
container subsystems:
1. Rootless Docker[1] maps the user ID to 0, the subuids to range
starting from 1.
2. Rootless RunC[2] from OCI by default maps the user ID to 0 and
ignores the subuids.
3. LXC[3] maps the subuids to range from 0. UID not participates
in the mapping.
The LXC variant does not allow to work on same files simultaneusly
inside and outside of a container. Variant suggested by other
container susbsystems assumes that files owned by user should be
owned by root in a container environment.
In order to simplify Yocto compilation in such rootless containers I
want to allow to start the bitbake from root user in user namespace
and allow software compilation from root user in the described
configuration. Additionally I want to provide minimal dockerfile
suitable for the core-image-sato image compilation.
--
[1] [ https://docs.docker.com/engine/security/rootless/ | https://docs.docker.com/engine/security/rootless/ ]
[2] [ https://github.com/opencontainers/runc#rootless-containers | https://github.com/opencontainers/runc#rootless-containers ]
[3] [ https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user | https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user ]
---
meta/classes/insane.bbclass | 4 ++--
meta/classes/sanity.bbclass | 10 +++++++-
meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] | 1 +
scripts/docker/Dockerfile | 19 +++++++++++++++
scripts/docker/oe-rootless-docker | 24 +++++++++++++++++++
5 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 scripts/docker/Dockerfile
create mode 100755 scripts/docker/oe-rootless-docker
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 0564f9c2a4..3599ce3e6a 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -876,12 +876,12 @@ def package_qa_check_host_user(path, name, d, elf, messages):
raise
else:
check_uid = int(d.getVar('HOST_USER_UID'))
- if stat.st_uid == check_uid:
+ if check_uid != 0 and stat.st_uid == check_uid:
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by uid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_uid))
return False
check_gid = int(d.getVar('HOST_USER_GID'))
- if stat.st_gid == check_gid:
+ if check_gid != 0 and stat.st_gid == check_gid:
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by gid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_gid))
return False
return True
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 63ab6cf3df..a1eba62589 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -742,7 +742,15 @@ def check_sanity_everybuild(status, d):
# it makes sense to always run them.
if 0 == os.getuid():
- raise_sanity_error("Do not use Bitbake as root.", d)
+ userns = False
+ with open("/proc/self/uid_map") as f:
+ for line in f:
+ fields = line.split()
+ if fields[0] == "0" and fields[1] != "0":
+ userns = True
+ break
+ if not userns:
+ raise_sanity_error("Do not use Bitbake as root.", d)
# Check the Python version, we now have a minimum of Python 3.4
import sys
diff --git a/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] b/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ]
index 57b2c1bdba..2f8009331a 100644
--- a/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ]
+++ b/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ]
@@ -28,6 +28,7 @@ SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3
EXTRA_OECONF_class-native = "--without-gmp"
EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
+EXTRA_OECONF_append = " FORCE_UNSAFE_CONFIGURE=1"
# acl and xattr are not default features
#
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
new file mode 100644
index 0000000000..4a143d6aa1
--- /dev/null
+++ b/scripts/docker/Dockerfile
@@ -0,0 +1,19 @@
+FROM ubuntu:18.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y update --fix-missing
+
+# Configure locale for Python3
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install locales ; \
+ DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales && \
+ locale-gen en_US.UTF-8 && \
+ update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
+
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+
+# Install Yocto native dependencies
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install \
+ wget git-core diffstat unzip texinfo gcc-multilib \
+ build-essential chrpath socat cpio python python3 python3-pip python3-pexpect \
+ xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
+ pylint3 xterm gawk
diff --git a/scripts/docker/oe-rootless-docker b/scripts/docker/oe-rootless-docker
new file mode 100755
index 0000000000..1efcc82280
--- /dev/null
+++ b/scripts/docker/oe-rootless-docker
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+usage () {
+CMD=$(basename $0)
+cat <<EOF
+Usage: $CMD [docker-build|docker-run]
+ docker-build Build Dockerfile locally
+ docker-run Run rootless docker image suitable for image compilation
+EOF
+}
+
+if ! [ -n "${DOCKER_HOST}" -a "$(stat -c '%U' "${DOCKER_HOST#*://}" 2>/dev/null)" = "$(whoami)" ] ; then
+ echo "Install rootless docker according to the [ https://docs.docker.com/engine/security/rootless/ | https://docs.docker.com/engine/security/rootless/ ] "
+ exit 1
+fi
+
+if [ "$1" = "docker-build" ]; then
+ docker build -t poky-docker $(dirname $(readlink -f $0))
+elif [ "$1" = "docker-run" ]; then
+ docker run -ti -v ${HOME}:${HOME} -v ${PWD}:${PWD} --workdir ${PWD} -e HOME poky-docker
+else
+ usage
+ exit 0
+fi
--
2.17.1
--
_______________________________________________
Openembedded-core mailing list
[ mailto:Openembedded-core@lists.openembedded.org | Openembedded-core@lists.openembedded.org ]
[ http://lists.openembedded.org/mailman/listinfo/openembedded-core | http://lists.openembedded.org/mailman/listinfo/openembedded-core ]
BQ_END
BQ_END
[-- Attachment #2: Type: text/html, Size: 13943 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] sanity: allow to compile from root in user namespaces
2020-01-03 11:15 ` Nikolai Merinov
@ 2020-01-03 11:28 ` Richard Purdie
0 siblings, 0 replies; 5+ messages in thread
From: Richard Purdie @ 2020-01-03 11:28 UTC (permalink / raw)
To: Nikolai Merinov, Alexander Kanavin; +Cc: openembedded-core
On Fri, 2020-01-03 at 13:15 +0200, Nikolai Merinov via Openembedded-
core wrote:
> Hi Alexander.
>
> I understand all of the concerns. Yes, it's possible to create a
> regular user inside of containers (at least in case of the rootless
> LXC and Docker containers), but this is a question of usability.
> All existed Docker containers for a Yocto compilation (including tge
> CROPS described at the yoctoproject wiki) tried to use same UID/GID
> for files inside and outside of the container in order to allow to
> work with files both inside and outside of container.
>
> In the case of the main container subsystems (Docker, OCI) same level
> of a usability for rootless containers can be supported only if we
> allow compilation from UID == 0 because users own UID mapped to 0 in
> this containers. In order to support such configuration we, in any
> case, should modify somehow contamination check, check for a root
> user in the sanity.bbclass and disable root check from "mknod" module
> in gnulib (used by coreutils).
>
> Will it be appropriate if we allow such regime of the compilation
> with the following limitation:
> 1. Allow compilation only from root user inside of the linux user
> namespace (not a real root)
> 2. Allow such compilation only if there is "native_root_user" feature
> in DISTRO_FEATURES
> 3. Each modified place will check this two conditions
>
> Will be such design appropriate compromise between safety and
> usability?
The problem is this introduces a difference in how two different groups
of people would use the system. A recipe built and tested in one system
may fail in the other environment. This adds significant support
overhead and a determinism problem. That worries me a lot more than any
of the other issues...
Cheers,
Richard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-01-03 11:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-31 8:33 [PATCH] sanity: allow to compile from root in user namespaces Nikolai Merinov
2019-12-31 9:02 ` ✗ patchtest: failure for " Patchwork
2019-12-31 9:29 ` [PATCH] " Alexander Kanavin
2020-01-03 11:15 ` Nikolai Merinov
2020-01-03 11:28 ` Richard Purdie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.