Use chroots for all derivations
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are now also chrooted. However, unlike normal derivations, they don't get a private network namespace, so they can still access the network. Also, the use of the ‘__noChroot’ derivation attribute is no longer allowed. Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour. Note for Guix: unlike Nix commit 99897f6, we keep 'settings.useChroot'.
This commit is contained in:
parent
638f3675e1
commit
67af480244
|
@ -1752,19 +1752,8 @@ void DerivationGoal::startBuilder()
|
|||
throw SysError(format("cannot change ownership of '%1%'") % tmpDir);
|
||||
}
|
||||
|
||||
|
||||
/* Are we doing a chroot build? Note that fixed-output
|
||||
derivations are never done in a chroot, mainly so that
|
||||
functions like fetchurl (which needs a proper /etc/resolv.conf)
|
||||
work properly. Purity checking for fixed-output derivations
|
||||
is somewhat pointless anyway. */
|
||||
useChroot = settings.useChroot;
|
||||
|
||||
if (fixedOutput) useChroot = false;
|
||||
|
||||
/* Hack to allow derivations to disable chroot builds. */
|
||||
if (get(drv.env, "__noChroot") == "1") useChroot = false;
|
||||
|
||||
if (useChroot) {
|
||||
#if CHROOT_ENABLED
|
||||
/* Create a temporary directory in which we set up the chroot
|
||||
|
@ -1805,7 +1794,8 @@ void DerivationGoal::startBuilder()
|
|||
% (buildUser.enabled() ? buildUser.getGID() : getgid())).str());
|
||||
|
||||
/* Create /etc/hosts with localhost entry. */
|
||||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n");
|
||||
if (!fixedOutput)
|
||||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n");
|
||||
|
||||
/* Bind-mount a user-configurable set of directories from the
|
||||
host file system. */
|
||||
|
@ -1938,9 +1928,12 @@ void DerivationGoal::startBuilder()
|
|||
*/
|
||||
#if CHROOT_ENABLED
|
||||
if (useChroot) {
|
||||
char stack[32 * 1024];
|
||||
pid = clone(childEntry, stack + sizeof(stack) - 8,
|
||||
CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD, this);
|
||||
char stack[32 * 1024];
|
||||
int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD;
|
||||
if (!fixedOutput) flags |= CLONE_NEWNET;
|
||||
pid = clone(childEntry, stack + sizeof(stack) - 8, flags, this);
|
||||
if (pid == -1)
|
||||
throw SysError("cloning builder process");
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
|
@ -2026,10 +2019,10 @@ void DerivationGoal::runChild()
|
|||
|
||||
/* Set up a nearly empty /dev, unless the user asked to
|
||||
bind-mount the host /dev. */
|
||||
Strings ss;
|
||||
if (dirsInChroot.find("/dev") == dirsInChroot.end()) {
|
||||
createDirs(chrootRootDir + "/dev/shm");
|
||||
createDirs(chrootRootDir + "/dev/pts");
|
||||
Strings ss;
|
||||
ss.push_back("/dev/full");
|
||||
#ifdef __linux__
|
||||
if (pathExists("/dev/kvm"))
|
||||
|
@ -2040,13 +2033,24 @@ void DerivationGoal::runChild()
|
|||
ss.push_back("/dev/tty");
|
||||
ss.push_back("/dev/urandom");
|
||||
ss.push_back("/dev/zero");
|
||||
foreach (Strings::iterator, i, ss) dirsInChroot[*i] = *i;
|
||||
createSymlink("/proc/self/fd", chrootRootDir + "/dev/fd");
|
||||
createSymlink("/proc/self/fd/0", chrootRootDir + "/dev/stdin");
|
||||
createSymlink("/proc/self/fd/1", chrootRootDir + "/dev/stdout");
|
||||
createSymlink("/proc/self/fd/2", chrootRootDir + "/dev/stderr");
|
||||
}
|
||||
|
||||
/* Fixed-output derivations typically need to access the
|
||||
network, so give them access to /etc/resolv.conf and so
|
||||
on. */
|
||||
if (fixedOutput) {
|
||||
ss.push_back("/etc/resolv.conf");
|
||||
ss.push_back("/etc/nsswitch.conf");
|
||||
ss.push_back("/etc/services");
|
||||
ss.push_back("/etc/hosts");
|
||||
}
|
||||
|
||||
for (auto & i : ss) dirsInChroot[i] = i;
|
||||
|
||||
/* Bind-mount all the directories from the "host"
|
||||
filesystem that we want in the chroot
|
||||
environment. */
|
||||
|
|
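Review bot: The four host paths pushed into `ss` inside the new `if (fixedOutput)` block are added without checking that they exist on the host, unlike `/dev/kvm` in the preceding hunk, which is guarded by `pathExists`; on a host lacking `/etc/nsswitch.conf` or `/etc/services`, every fixed-output build would then presumably fail at the bind-mount step instead of simply going without that file. A guard in the same spirit keeps the list honest: `for (auto & f : { "/etc/resolv.conf", "/etc/nsswitch.conf", "/etc/services", "/etc/hosts" })` followed by `if (pathExists(f)) ss.push_back(f);` in place of the four unconditional `push_back` calls. Because these entries now expose live host configuration inside the sandbox, it is also worth confirming that the code consuming `dirsInChroot` mounts them read-only, so a fixed-output builder cannot alter the host's resolver settings. The bind-mount loop and the remainder of runChild lie outside this hunk.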