Re: Dogfooding discussion

From: Javier Jardón <jjardon gnome org>
To: Tristan Van Berkom <tristan vanberkom codethink co uk>
Cc: Richard Maw <richard maw codethink co uk>, buildstream-list gnome org
Subject: Re: Dogfooding discussion
Date: Sat, 30 Jun 2018 23:39:42 +0100

On 29 June 2018 at 19:02, Tristan Van Berkom via Buildstream-list
<buildstream-list gnome org> wrote:

<snip>

3.  We use `bst shell` to test BuildStream.

    Instead of having our container include all the dependencies
    that are necessary to run buildstream.git's test suite,
    we instead include those by defining them in .bst files.

    We use `bst shell` for both running the test suite and test builds,
    using `--mount` to bring the test project and your local caches in.


But as I understand it, this is currently not possible (maybe it will
be possible with future kernel developments ?).

At least there needs to be some research towards whether this is even
possible: as I understand it Flatpak cannot be run in a Flatpak, and as
we use the same container technology, I expect that BuildStream cannot
run a build launched from inside a `bst shell`.


It works if either unprivileged user namespaces are permitted by your kernel
or for the inner invokation of `bwrap` we use `--unshare-user`.

We can emulate the kind of sandbox we use in `bst shell` by running:

    bwrap --unshare-pid --die-with-parent --bind / / --unshare-net \
          --unshare-uts --hostname buildstream --unshare-ipc --chdir / \
          --proc /proc --tmpfs /tmp --dev /dev --dev-bind /dev/full /dev/full \
          --dev-bind /dev/null /dev/null --dev-bind /dev/urandom /dev/urandom \
          --dev-bind /dev/random /dev/random --dev-bind /dev/zero /dev/zero \
          --remount-ro / --unshare-user --uid 0 --gid 0 /bin/sh

Attempting the same command in the created sandbox resulted in:

    bwrap: No permissions to creating new namespace, likely because the kernel does not allow 
non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl 
kernel.unprivileged_userns_clone=1'.

It worked after dropping the `--unshare-user` from the command.


If we can do this in a reliable way, then yeah it would be nice to
build a Flatpak of BuildStream, using BuildStream, this would be the
right amount of dogfooding IMO.


I think this would be a interesting project to work on.

Actually I think there is a flatpak of flatpak-builder, which IIRC

<snip>

If you have a trigger which causes a Docker image to be generated with
each latest/stable version of BuildStream, this would be useful for the
users of `bst-here` yes.


We almost  have that with the the CI at [1]

I'm not sure what it does for dogfooding, unless we have a Docker image
plugin and a BuildStream project which we use to generate the image
using BuildStream.

We'd like to have a Docker image generating plugin... and it would be
helpful to `bst-here` users to automate the image generation as long as
we have to maintain `bst-here`.


The plugin would be [2]. Then it should be easy to change the CI at
[1] to use buildstream instead docker directly

<snip>

Cheers,
Javier

[1] https://gitlab.com/BuildStream/buildstream-docker-images
[2] https://gitlab.com/BuildStream/buildstream/issues/349

References:
- Dogfooding discussion
  - From: Richard Maw
- Re: Dogfooding discussion
  - From: Tristan Van Berkom
- Re: Dogfooding discussion
  - From: Richard Maw
- Re: Dogfooding discussion
  - From: Tristan Van Berkom

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]