Skip to content

Experiment with using rootlesskit instead of fakeroot + native solbuild container/network code#106

Draft
ermo wants to merge 4 commits intomainfrom
feat/use-rootlesskit
Draft

Experiment with using rootlesskit instead of fakeroot + native solbuild container/network code#106
ermo wants to merge 4 commits intomainfrom
feat/use-rootlesskit

Conversation

@ermo
Copy link
Contributor

@ermo ermo commented Aug 28, 2024
edited
Loading

Just for the heck of it, this PoC PR disables the native solbuild namespace and networking setup, and calls ypkg via a rootlesskit chroot invocation directly instead of calling fakeroot as the 'build' user in a solbuild managed container.

This commit assumes the a priori existence of the solbuild user/group on the host system and assumes that this user has been set up with subuids and subgids.

NB: The current draft does not support networking (but rootlesskit has facilities for turning it on).

To enable networking support, the build command will need to be something like rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback ypkg-build (...).

This implies that the build executable command could perhaps be set from builder/manager.go (which is where networking is enabled currently).

Current status (as of e128f7e):

rootlesskit-chroot-ypkg-build

@ermo
manager: Make namespace functions noops
af53724 
This is intended to support solbuild being run with rootlesskit in a user
namespace (instead of solbuild itself handling namespaces).

Signed-off-by: Rune Morling <ermo@serpentos.com>
@ermo ermo force-pushed the feat/use-rootlesskit branch from 1e3e8c8 to 96f2a14 Compare August 28, 2024 16:14
ermo added 3 commits August 29, 2024 13:47
@ermo
build: Use rootlesskit instead of fatfakeroot
78f18ed 
Signed-off-by: Rune Morling <ermo@serpentos.com>
@ermo
util+build: Add and use RootlesskitExec function
55ee9ff 
This commit assumes the a priori existence of the solbuild user/group on
the host system and assumes that this user has been set up with subuids
and subgids.

Building still fails, but now it fails on su authentication in the inner
rootlesskit-owned chroot:

```
[BuildDep] Checking build-deps for lzip-1.24-7
[BuildDep] All build deps satisfied
 ✓  Now starting build package=lzip
 ✓  Build command="/bin/su build --command='ypkg-build -D /home/build/work /home/build/work/package.yml'"
 ✓  RootlesskitExec command="/bin/su solbuild -c rootlesskit chroot /var/cache/solbuild/unstable-x86_64/lzip/union /bin/su build --command='ypkg-build -D /home/build/work /home/build/work/package.yml'"
su: Authentication service cannot retrieve authentication info
[rootlesskit:child ] error: command [chroot /var/cache/solbuild/unstable-x86_64/lzip/union /bin/su build --command=ypkg-build -D /home/build/work /home/build/work/package.yml] exited: exit status 1
[rootlesskit:parent] error: child exited: exit status 1
 ✗  Failed to build packages err="Failed to start build of package, reason: exit status 1\n"
```

... rather than on failing on attempting to even _invoke_ rootlesskit.

Signed-off-by: Rune Morling <ermo@serpentos.com>
@ermo
build: Might as well try building as "root"
28a5940 
Keeping in mind that rootlesskit runs as the host 'solbuild' user, this
seems as good as anything; do note that this means that there will be
host permission issues that probably need fixing.

This commit is for @joebonrichie to work off of

Signed-off-by: Rune Morling <ermo@serpentos.com>
@ermo ermo force-pushed the feat/use-rootlesskit branch from e128f7e to 28a5940 Compare August 29, 2024 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ermo