[OE-core] [PATCH] sanity: allow to compile from root in user namespaces

Nikolai Merinov n.merinov at inango-systems.com
Fri Jan 3 11:15:34 UTC 2020

Hi Alexander. 

I understand all of the concerns. Yes, it's possible to create a regular user inside of containers (at least in case of the rootless LXC and Docker containers), but this is a question of usability. 
All existed Docker containers for a Yocto compilation (including tge CROPS described at the yoctoproject wiki) tried to use same UID/GID for files inside and outside of the container in order to allow to work with files both inside and outside of container. 

In the case of the main container subsystems (Docker, OCI) same level of a usability for rootless containers can be supported only if we allow compilation from UID == 0 because users own UID mapped to 0 in this containers. In order to support such configuration we, in any case, should modify somehow contamination check, check for a root user in the sanity.bbclass and disable root check from "mknod" module in gnulib (used by coreutils). 

Will it be appropriate if we allow such regime of the compilation with the following limitation: 
1. Allow compilation only from root user inside of the linux user namespace (not a real root) 
2. Allow such compilation only if there is "native_root_user" feature in DISTRO_FEATURES 
3. Each modified place will check this two conditions 

Will be such design appropriate compromise between safety and usability? 


From: "Alexander Kanavin" <alex.kanavin at gmail.com> 
To: "n merinov" <n.merinov at inango-systems.com> 
Cc: "openembedded-core" <openembedded-core at lists.openembedded.org> 
Sent: Tuesday, December 31, 2019 9:29:34 AM 
Subject: Re: [OE-core] [PATCH] sanity: allow to compile from root in user namespaces 


I believe it should be possible to create a regular user inside the container and then run bitbake as that user? 

The patch effectively disables the host contamination check, fixes one recipe that breaks, and likely introduces other issues; the assumption (and automated testing) throughout the build is that it's run under a regular user. 


On Tue, 31 Dec 2019 at 11:40, Nikolai Merinov via Openembedded-core < [ mailto:openembedded-core at lists.openembedded.org | openembedded-core at lists.openembedded.org ] > wrote: 

New rootless container subsystems rely on the "user namespaces" 
Linux feature. In order to create a container from a regular user the 
user uid and subuids mapped to the uid space inside of container. 

There are different default configurations used for different 
container subsystems: 

1. Rootless Docker[1] maps the user ID to 0, the subuids to range 
starting from 1. 
2. Rootless RunC[2] from OCI by default maps the user ID to 0 and 
ignores the subuids. 
3. LXC[3] maps the subuids to range from 0. UID not participates 
in the mapping. 

The LXC variant does not allow to work on same files simultaneusly 
inside and outside of a container. Variant suggested by other 
container susbsystems assumes that files owned by user should be 
owned by root in a container environment. 

In order to simplify Yocto compilation in such rootless containers I 
want to allow to start the bitbake from root user in user namespace 
and allow software compilation from root user in the described 
configuration. Additionally I want to provide minimal dockerfile 
suitable for the core-image-sato image compilation. 

[1] [ https://docs.docker.com/engine/security/rootless/ | https://docs.docker.com/engine/security/rootless/ ] 
[2] [ https://github.com/opencontainers/runc#rootless-containers | https://github.com/opencontainers/runc#rootless-containers ] 
[3] [ https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user | https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user ] 
meta/classes/insane.bbclass | 4 ++-- 
meta/classes/sanity.bbclass | 10 +++++++- 
meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] | 1 + 
scripts/docker/Dockerfile | 19 +++++++++++++++ 
scripts/docker/oe-rootless-docker | 24 +++++++++++++++++++ 
5 files changed, 55 insertions(+), 3 deletions(-) 
create mode 100644 scripts/docker/Dockerfile 
create mode 100755 scripts/docker/oe-rootless-docker 

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass 
index 0564f9c2a4..3599ce3e6a 100644 
--- a/meta/classes/insane.bbclass 
+++ b/meta/classes/insane.bbclass 
@@ -876,12 +876,12 @@ def package_qa_check_host_user(path, name, d, elf, messages): 
check_uid = int(d.getVar('HOST_USER_UID')) 
- if stat.st_uid == check_uid: 
+ if check_uid != 0 and stat.st_uid == check_uid: 
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by uid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_uid)) 
return False 

check_gid = int(d.getVar('HOST_USER_GID')) 
- if stat.st_gid == check_gid: 
+ if check_gid != 0 and stat.st_gid == check_gid: 
package_qa_add_message(messages, "host-user-contaminated", "%s: %s is owned by gid %d, which is the same as the user running bitbake. This may be due to host contamination" % (pn, package_qa_clean_path(path, d, name), check_gid)) 
return False 
return True 
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass 
index 63ab6cf3df..a1eba62589 100644 
--- a/meta/classes/sanity.bbclass 
+++ b/meta/classes/sanity.bbclass 
@@ -742,7 +742,15 @@ def check_sanity_everybuild(status, d): 
# it makes sense to always run them. 

if 0 == os.getuid(): 
- raise_sanity_error("Do not use Bitbake as root.", d) 
+ userns = False 
+ with open("/proc/self/uid_map") as f: 
+ for line in f: 
+ fields = line.split() 
+ if fields[0] == "0" and fields[1] != "0": 
+ userns = True 
+ break 
+ if not userns: 
+ raise_sanity_error("Do not use Bitbake as root.", d) 

# Check the Python version, we now have a minimum of Python 3.4 
import sys 
diff --git a/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] b/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] 
index 57b2c1bdba..2f8009331a 100644 
--- a/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] 
+++ b/meta/recipes-core/coreutils/ [ http://coreutils_8.31.bb/ | coreutils_8.31.bb ] 
@@ -28,6 +28,7 @@ SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3 
EXTRA_OECONF_class-native = "--without-gmp" 
EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" 
EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname" 

# acl and xattr are not default features 
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile 
new file mode 100644 
index 0000000000..4a143d6aa1 
--- /dev/null 
+++ b/scripts/docker/Dockerfile 
@@ -0,0 +1,19 @@ 
+FROM ubuntu:18.04 
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y update --fix-missing 
+# Configure locale for Python3 
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install locales ; \ 
+ DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales && \ 
+ locale-gen en_US.UTF-8 && \ 
+ update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 
+# Install Yocto native dependencies 
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install \ 
+ wget git-core diffstat unzip texinfo gcc-multilib \ 
+ build-essential chrpath socat cpio python python3 python3-pip python3-pexpect \ 
+ xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \ 
+ pylint3 xterm gawk 
diff --git a/scripts/docker/oe-rootless-docker b/scripts/docker/oe-rootless-docker 
new file mode 100755 
index 0000000000..1efcc82280 
--- /dev/null 
+++ b/scripts/docker/oe-rootless-docker 
@@ -0,0 +1,24 @@ 
+usage () { 
+CMD=$(basename $0) 
+cat <<EOF 
+Usage: $CMD [docker-build|docker-run] 
+ docker-build Build Dockerfile locally 
+ docker-run Run rootless docker image suitable for image compilation 
+if ! [ -n "${DOCKER_HOST}" -a "$(stat -c '%U' "${DOCKER_HOST#*://}" 2>/dev/null)" = "$(whoami)" ] ; then 
+ echo "Install rootless docker according to the [ https://docs.docker.com/engine/security/rootless/ | https://docs.docker.com/engine/security/rootless/ ] " 
+ exit 1 
+if [ "$1" = "docker-build" ]; then 
+ docker build -t poky-docker $(dirname $(readlink -f $0)) 
+elif [ "$1" = "docker-run" ]; then 
+ docker run -ti -v ${HOME}:${HOME} -v ${PWD}:${PWD} --workdir ${PWD} -e HOME poky-docker 
+ usage 
+ exit 0 

Openembedded-core mailing list 
[ mailto:Openembedded-core at lists.openembedded.org | Openembedded-core at lists.openembedded.org ] 
[ http://lists.openembedded.org/mailman/listinfo/openembedded-core | http://lists.openembedded.org/mailman/listinfo/openembedded-core ] 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20200103/a1a2e86b/attachment-0001.html>

More information about the Openembedded-core mailing list