Hello

I've been looking closely at linux-user-chroot recently (and I think ostree-list is the best place to discuss its development). I'm working on Baserock, so my concern is with creating reproducible sandboxes for building and deployment. The Baserock build tooling has always used linux-user-chroot but up till now has required that builds are run as 'root' anyway. I'm now looking at making builds work for non-root users.
On the linux-user-chroot side of things, this means making it possible to mount more stuff inside the chroot. Previously we would call 'mount' in the build tool, but that obviously requires 'root'. My first step was to allow mounting a tmpfs at /dev/shm. Attached is a patch that adds a --mount-tmpfs option, similar to --mount-proc.
Looking further on, I am going to have to do something about device nodes as well. Currently the build tool expects to be able to create device nodes, which of course needs 'root'. I will use 'fakeroot' but I think that'll only work up until something tries to actually *use* the device nodes. So it would be really handy if linux-user-chroot can handle this.
One option is to bind-mount /dev from the host, which is already possible with --mount-bind. This seems like a hole in build reproducibility, though: a ./configure script could conceivably change its behaviour based on the presence of a file in /dev, or something. I really want to control what is in /dev more tightly.
The way systemd-nspawn operates is to have a fixed set of mounts and device nodes that are always provided. It is described under "Execution Environment" in the "Container Interface": <https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/>. One idea I had was to add a new option like '--standard-mounts' or '--mount-systemd-container-interface' to linux-user-chroot that would do exactly what systemd-nspawn does. It seems good to be aligned with an existing spec.
While I like that idea, it doesn't quite solve the immediate problem for me as currently Baserock definitions are allowed to define arbitrary device nodes. This is actually only used in one place, as far as I know: <http://git.baserock.org/cgi-bin/cgit.cgi/baserock/baserock/fhs-dirs.git/tree/fhs-dirs.morph#n15>. Static device files seem like a thing of the past so I'd like to just get rid of this feature and hardcode the set of device nodes provided. But that may not be possible immediately. Perhaps I could add a --device-node flag to linux-user-chroot that would create a node in /dev? Or, I could create a separate setuid helper program that created a /dev that could run before linux-user-chroot.
I'd like to hear thoughts on the changes I've proposed above, especially which changes you think would be generally useful if added to linux-user-chroot, and which changes sound like hacks that we might as well keep to ourselves.
Thanks!
Sam

-- 
Sam Thursfield, Codethink Ltd.
Office telephone: +44 161 236 5575
Attachment: 0001-Add-mount-tmpfs-option.patch (Text Data)
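An added illustration (not the attached patch and not linux-user-chroot's own code) of the two things a setuid helper has to decide on the unprivileged caller's behalf when it grows a --mount-tmpfs option: the mount flags, which the caller must not be able to weaken, and the shape of the mount point. Function names, the size limit and the assumption that the helper already sits in a private mount namespace are mine.

```c
/* Assumed helper for a --mount-tmpfs style option. Not linux-user-chroot code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* The privileged helper fixes these; an unprivileged caller never chooses them.
 * nosuid: setuid binaries dropped into the tmpfs gain nothing.
 * nodev:  device nodes created in the tmpfs are inert. */
#define TMPFS_FLAGS (MS_NOSUID | MS_NODEV)

/* Returns 1 if target is acceptable as a mount point inside the chroot:
 * absolute, not "/", no empty, trailing-slash or ".." components. */
int tmpfs_target_ok(const char *target)
{
    if (target == NULL || target[0] != '/' || strlen(target) < 2)
        return 0;
    const char *p = target + 1;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Mount a fresh, size-limited tmpfs at root + target. Needs CAP_SYS_ADMIN and
 * is assumed to run after the helper has unshared its mount namespace, so the
 * mount is only visible to the sandboxed process. Returns 0 or -1 with errno. */
int mount_tmpfs(const char *root, const char *target, unsigned long size_mb)
{
    char path[4096], opts[64];
    if (!tmpfs_target_ok(target)) { errno = EINVAL; return -1; }
    if (snprintf(path, sizeof path, "%s%s", root, target) >= (int)sizeof path) {
        errno = ENAMETOOLONG; return -1;
    }
    /* mode=1777 matches the usual /dev/shm permissions; the size cap stops a
     * build from exhausting host memory through the tmpfs. */
    snprintf(opts, sizeof opts, "mode=1777,size=%lum", size_mb);
    return mount("tmpfs", path, "tmpfs", TMPFS_FLAGS, opts);
}
```

Only the validation is exercised below; the mount itself needs privilege and a throwaway mount namespace to try safely.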