[OE-core] [PATCH] sanity: allow to compile from root in user namespaces

Richard Purdie richard.purdie at linuxfoundation.org
Fri Jan 3 11:28:28 UTC 2020


On Fri, 2020-01-03 at 13:15 +0200, Nikolai Merinov via Openembedded-core wrote:
> Hi Alexander.
> 
> I understand all of the concerns. Yes, it's possible to create a
> regular user inside of containers (at least in the case of rootless
> LXC and Docker containers), but this is a question of usability.
> All existing Docker containers for a Yocto compilation (including the
> CROPS described at the yoctoproject wiki) tried to use the same UID/GID
> for files inside and outside of the container in order to allow
> working with files both inside and outside of the container.
> 
> In the case of the main container subsystems (Docker, OCI) the same level
> of usability for rootless containers can be supported only if we
> allow compilation from UID == 0, because the user's own UID is mapped to 0 in
> these containers. In order to support such a configuration we, in any
> case, should somehow modify the contamination check, the check for a root
> user in sanity.bbclass, and disable the root check in the "mknod" module
> of gnulib (used by coreutils).
> 
> Would it be appropriate if we allowed such a compilation regime
> with the following limitations:
> 1. Allow compilation only from the root user inside of a Linux user
> namespace (not a real root)
> 2. Allow such compilation only if there is a "native_root_user" feature
> in DISTRO_FEATURES
> 3. Each modified place will check these two conditions
> 
> Would such a design be an appropriate compromise between safety and
> usability?

The problem is this introduces a difference in how two different groups
of people would use the system. A recipe built and tested in one system
may fail in the other environment. This adds significant support
overhead and a determinism problem. That worries me a lot more than any
of the other issues...

Cheers,

Richard
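For readers wondering how condition 1 of Nikolai's proposal (root inside a user namespace, but not real root) could be told apart, here is an added illustration of the check. It is not code from OpenEmbedded's sanity.bbclass or from the patch under discussion; it relies on the kernel's /proc/self/uid_map format ("inside outside count"), where the initial user namespace shows the single identity mapping "0 0 4294967295". The feature name "native_root_user" is taken from the proposal; root_build_allowed is a hypothetical policy helper, and the sample maps are constructed.

```python
"""Distinguish real root from a UID that is merely mapped to 0 inside a
Linux user namespace, by inspecting the uid_map of the current process.

Added illustration of the check proposed in the thread; not code from
OpenEmbedded's sanity.bbclass. The policy function is hypothetical.
"""
import os

# The initial user namespace reports exactly one mapping that covers the
# whole UID range: "0 0 4294967295".
FULL_RANGE = 4294967295


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map lines into (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        entries.append(tuple(int(f) for f in fields))
    return entries


def in_user_namespace(uid_map_text):
    """True when the uid_map is anything other than the identity map of
    the initial namespace, i.e. the process runs in a child user namespace."""
    return parse_uid_map(uid_map_text) != [(0, 0, FULL_RANGE)]


def outer_uid_for(inside_uid, uid_map_text):
    """Return the UID that `inside_uid` corresponds to in the parent
    namespace, or None when it is not mapped at all."""
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def root_build_allowed(euid, uid_map_text, distro_features):
    """Hypothetical policy combining the two conditions from the proposal:
    UID 0 is tolerated only inside a user namespace AND only when the
    'native_root_user' distro feature is set. Non-root is always allowed."""
    if euid != 0:
        return True
    if "native_root_user" not in distro_features.split():
        return False
    return in_user_namespace(uid_map_text)


def current_uid_map():
    """Read the live uid_map of this process (Linux only)."""
    with open("/proc/self/uid_map") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed sample maps: the first is what real root sees, the
    # second is typical for a rootless container where host UID 1000 is
    # mapped to 0 inside.
    real_root_map = "         0          0 4294967295\n"
    rootless_map = "         0       1000          1\n"
    for name, m in (("real root", real_root_map), ("rootless", rootless_map)):
        print(name, "userns:", in_user_namespace(m),
              "outer uid of 0:", outer_uid_for(0, m),
              "root build allowed:",
              root_build_allowed(0, m, "systemd native_root_user"))
    if os.path.exists("/proc/self/uid_map"):
        print("this process in userns:", in_user_namespace(current_uid_map()))
```

One caveat worth keeping in mind if a check like this were ever adopted: uid_map alone cannot distinguish the initial namespace from a child namespace that a privileged parent deliberately created with the same identity mapping, so the test errs on the side of treating such a process as real root and refusing the build, which is the safe direction for a sanity check.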


