Support running dist compilations in unprivileged scenarios #128
Conversation
Xanewok
force-pushed
the
igor-integration-tests-in-docker-take2
branch
from
fa7e58d
to
7f64b3d
Compare
|
I'll mark this as ready for review to trigger gitlab runs, sorry for the noise. |
|
So far so good, the dist test suite on gitlab is passing 2/4 and we need |
| if !nix::unistd::getuid().is_root() || !nix::unistd::geteuid().is_root() { | ||
| // Not root, or a setuid binary - haven't put enough thought into supporting this, bail | ||
| bail!("not running as root") | ||
| } |
There was a problem hiding this comment.
There was a problem hiding this comment.
I decided to drop that for now, since it wildly depends on the running distro and whatnot
There was a problem hiding this comment.
Could you create a separate issue and paste the link next to this TODO?
|
Merged with latest The rootless feature seems to work, at least locally for me. The So what else has to be done here? |
Xanewok
changed the title
|
I've fixed some of the outstanding issues and leftover debugging bits that I've sprinkled around.
One key point that I wanted to address is that the current approach was a proof of concept. Because we need to unshare the user namespace in the main thread, I opted for a fork here, which is technically not safe (see the note about it not being async-signal-safe), so that I can conveniently call it from a forked process (the forked thread is turned into the child's main thread). I tried to move out some unsafe functions (e.g. anything that allocates) out of the fork-child block but this approach not bullet-proof and more of a best effort. To solve that, I wanted to separate another entrypoint for our compilation (think However, if the test suite agrees, I'd prefer to merge this now and work incrementally from there and possibly do a point release (or an RC, cc @drahnr) to relieve the shipping pressure, which would help unblock me mentally. |
|
I'm getting this error on our GitLab run: which can be parsed to What comes to mind is that we use 5.10 kernel but native overlayfs support in the user namespace was allowed in 5.11 (and 5.13 if we count the SELinux bug fix). @rcny do you think it would be feasible to run these using the slightly newer kernel or should we look towards fuse-overlayfs for the time being? |
|
And it seems that for a change the GHA job does not like us messing with gid_map: but it has no problems if we write to setgroups and uid_map? |
Opened the issue about updating kernel to 5.15.x LTS. Can you go with |
We talked on Element and decided to move with fuse-overlayfs for now until someone updates the kernel to 5.15 in the meantime. |
Xanewok
force-pushed
the
igor-integration-tests-in-docker-take2
branch
from
1a1dbff
to
79f4862
Compare
|
Squashed and rebased on top of now merged #140 to clean up the history; I'll work on the fuse-overlayfs and the run-time switch for the sandbox mentioned above. |
|
I implemented a feature gate behind the I tried to minimize the diff - it might be helpful to run |
|
Okay, this is now really ready to review - I noticed a bug has slipped in and since fixing it in 67bfbee I have managed to get GHA working using user namespaces, so at least we'll have some CI coverage for that feature 🎉
EDIT: Removed GitLab for now, will bring it back once I close #143 |
Don't run relevant test in CI for now; we don't want to mark the test suite as red in GH for the time being
src/bin/cachepot-dist/build.rs
Outdated
| } | ||
|
|
||
| trace!("performing compile"); | ||
| // FIXME: Adapt the notes for the user namespaces |
| if !nix::unistd::getuid().is_root() || !nix::unistd::geteuid().is_root() { | ||
| // Not root, or a setuid binary - haven't put enough thought into supporting this, bail | ||
| bail!("not running as root") | ||
| } |
There was a problem hiding this comment.
Could you create a separate issue and paste the link next to this TODO?
src/bin/cachepot-dist/build.rs
Outdated
| // The reason why we need to fork in the first place is that creating | ||
| // a new user namespace with `CLONE_NEWUSER` is required to be called | ||
| // from a main thread, which fork() separates the calling thread as one. | ||
| // FIXME: Redesign this binary to be re-executable like |
There was a problem hiding this comment.
Also an issue and a link would be appreciated.
src/bin/cachepot-dist/build.rs
Outdated
| Ok(..) => std::process::exit(0), | ||
| Err(..) => std::process::exit(1), |
There was a problem hiding this comment.
Printing the error here might be a good idea.
|
Added links and error log in fd3e3bd |
Closes #114
Closes #10
Closes #9