[OE-core] [PATCH] sanity: allow to compile from root in user namespaces
Nikolai Merinov
n.merinov at inango-systems.com
Fri Jan 3 11:15:34 UTC 2020
Hi Alexander.
I understand all of the concerns. Yes, it's possible to create a regular user inside of containers (at least in case of the rootless LXC and Docker containers), but this is a question of usability.
All existed Docker containers for a Yocto compilation (including tge CROPS described at the yoctoproject wiki) tried to use same UID/GID for files inside and outside of the container in order to allow to work with files both inside and outside of container.
In the case of the main container subsystems (Docker, OCI) same level of a usability for rootless containers can be supported only if we allow compilation from UID == 0 because users own UID mapped to 0 in this containers. In order to support such configuration we, in any case, should modify somehow contamination check, check for a root user in the sanity.bbclass and disable root check from "mknod" module in gnulib (used by coreutils).
Will it be appropriate if we allow such regime of the compilation with the following limitation:
1. Allow compilation only from root user inside of the linux user namespace (not a real root)
2. Allow such compilation only if there is "native_root_user" feature in DISTRO_FEATURES
3. Each modified place will check this two conditions
Will be such design appropriate compromise between safety and usability?
Regards,
Nikolai
From: "Alexander Kanavin" <alex.kanavin at gmail.com>
To: "n merinov" <n.merinov at inango-systems.com>
Cc: "openembedded-core" <openembedded-core at lists.openembedded.org>
Sent: Tuesday, December 31, 2019 9:29:34 AM
Subject: Re: [OE-core] [PATCH] sanity: allow to compile from root in user namespaces
BQ_BEGIN
I believe it should be possible to create a regular user inside the container and then run bitbake as that user?
The patch effectively disables the host contamination check, fixes one recipe that breaks, and likely introduces other issues; the assumption (and automated testing) throughout the build is that it's run under a regular user.
Alex
On Tue, 31 Dec 2019 at 11:40, Nikolai Merinov via Openembedded-core < [ mailto:openembedded-core at lists.openembedded.org | openembedded-core at lists.openembedded.org ] > wrote:
BQ_BEGIN
New rootless container subsystems rely on the "user namespaces"
Linux feature. In order to create a container from a regular user the
user uid and subuids mapped to the uid space inside of container.
There are different default configurations used for different
container subsystems:
1. Rootless Docker[1] maps the user ID to 0, the subuids to range
starting from 1.
2. Rootless RunC[2] from OCI by default maps the user ID to 0 and
ignores the subuids.
3. LXC[3] maps the subuids to range from 0. UID not participates
in the mapping.
The LXC variant does not allow to work on same files simultaneusly
inside and outside of a container. Variant suggested by other
container susbsystems assumes that files owned by user should be
owned by root in a container environment.
In order to simplify Yocto compilation in such rootless containers I
want to allow to start the bitbake from root user in user namespace
and allow software compilation from root user in the described
configuration. Additionally I want to provide minimal dockerfile
suitable for the core-image-sato image compilation.
--
[1] [ https://docs.docker.com/engine/security/rootless/ | https://docs.docker.com/engine/security/rootless/ ]
[2] [ https://github.com/opencontainers/runc#rootless-containers | https://github.com/opencontainers/runc#rootless-containers ]
[3] [ https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user | https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user ]
---
meta/classes/insane.bbclass | 4 ++--
meta/classes/sanity.bbclass | 10 +++++++-
meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] | 1 +
scripts/docker/Dockerfile | 19 +++++++++++++++
scripts/docker/oe-rootless-docker | 24 +++++++++++++++++++
5 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 scripts/docker/Dockerfile
create mode 100755 scripts/docker/oe-rootless-docker
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 0564f9c2a4..3599ce3e6a 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -876,12 +876,12 @@ def package_qa_check_host_user(path, name, d, elf, messages):
raise
else:
check_uid = int(d.getVar('HOST_USER_UID'))
- if stat.st_uid == check_uid:
+ if check_uid != 0 and stat.st_uid == check_uid:
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by uid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_uid))
return False
check_gid = int(d.getVar('HOST_USER_GID'))
- if stat.st_gid == check_gid:
+ if check_gid != 0 and stat.st_gid == check_gid:
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by gid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_gid))
return False
return True
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 63ab6cf3df..a1eba62589 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -742,7 +742,15 @@ def check_sanity_everybuild(status, d):
# it makes sense to always run them.
if 0 == os.getuid():
- raise_sanity_error("Do not use Bitbake as root.", d)
+ userns = False
+ with open("/proc/self/uid_map") as f:
+ for line in f:
+ fields = line.split()
+ if fields[0] == "0" and fields[1] != "0":
+ userns = True
+ break
+ if not userns:
+ raise_sanity_error("Do not use Bitbake as root.", d)
# Check the Python version, we now have a minimum of Python 3.4
import sys
diff --git a/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] b/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ]
index 57b2c1bdba..2f8009331a 100644
--- a/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ]
+++ b/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ]
@@ -28,6 +28,7 @@ SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3
EXTRA_OECONF_class-native = "--without-gmp"
EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
+EXTRA_OECONF_append = " FORCE_UNSAFE_CONFIGURE=1"
# acl and xattr are not default features
#
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
new file mode 100644
index 0000000000..4a143d6aa1
--- /dev/null
+++ b/scripts/docker/Dockerfile
@@ -0,0 +1,19 @@
+FROM ubuntu:18.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y update --fix-missing
+
+# Configure locale for Python3
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install locales ; \
+ DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales && \
+ locale-gen en_US.UTF-8 && \
+ update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
+
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+
+# Install Yocto native dependencies
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install \
+ wget git-core diffstat unzip texinfo gcc-multilib \
+ build-essential chrpath socat cpio python python3 python3-pip python3-pexpect \
+ xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
+ pylint3 xterm gawk
diff --git a/scripts/docker/oe-rootless-docker b/scripts/docker/oe-rootless-docker
new file mode 100755
index 0000000000..1efcc82280
--- /dev/null
+++ b/scripts/docker/oe-rootless-docker
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+usage () {
+CMD=$(basename $0)
+cat <<EOF
+Usage: $CMD [docker-build|docker-run]
+ docker-build Build Dockerfile locally
+ docker-run Run rootless docker image suitable for image compilation
+EOF
+}
+
+if ! [ -n "${DOCKER_HOST}" -a "$(stat -c '%U' "${DOCKER_HOST#*://}" 2>/dev/null)" = "$(whoami)" ] ; then
+ echo "Install rootless docker according to the [ https://docs.docker.com/engine/security/rootless/ | https://docs.docker.com/engine/security/rootless/ ] "
+ exit 1
+fi
+
+if [ "$1" = "docker-build" ]; then
+ docker build -t poky-docker $(dirname $(readlink -f $0))
+elif [ "$1" = "docker-run" ]; then
+ docker run -ti -v ${HOME}:${HOME} -v ${PWD}:${PWD} --workdir ${PWD} -e HOME poky-docker
+else
+ usage
+ exit 0
+fi
--
2.17.1
--
_______________________________________________
Openembedded-core mailing list
[ mailto:Openembedded-core at lists.openembedded.org | Openembedded-core at lists.openembedded.org ]
[ http://lists.openembedded.org/mailman/listinfo/openembedded-core | http://lists.openembedded.org/mailman/listinfo/openembedded-core ]
BQ_END
BQ_END
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20200103/a1a2e86b/attachment-0001.html>
More information about the Openembedded-core
mailing list