On 30.9.2016 at 15:15, Miroslav Suchý wrote:
I am investigating
and honestly I'm not sure what the right solution is.
Right now we use unshare() for CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC.
I can detect if mock is running inside of a container and then skip those unshares.
But... What if I am running some application *and* mock there, in the same container?
That can be risky. However, we can
just document it and let the user shoot themselves in the foot.
Or we can just document that you need to give the container privileges to run
Or we can just leave it as it is and not support running inside of a container.
So, the unshare()-skipping is working. But I got stuck on
/bin/mount -n -t proc proc /var/lib/mock/fedora-24-x86_64/root/proc
This fails in unprivileged containers. And I cannot skip it, because lots of RPMs will
The only way is to run docker with --cap-add=SYS_ADMIN. However, according to
this is very similar to running a privileged container, which is very similar to running
that code without a container as root.
Miroslav Suchy, RHCA
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
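The two mechanisms discussed in the message, the unshare() of CLONE_NEWNS/CLONE_NEWUTS/CLONE_NEWIPC that can be skipped when running in a container, and the proc mount into the chroot that cannot, shown as an added example in Python. This is illustration code, not mock's own implementation: the container-detection heuristic (/.dockerenv or runtime markers in /proc/1/cgroup) and the function names are assumptions made for the example, and the flag values are the ones from <linux/sched.h>. It is Linux-only and uses ctypes to call the libc wrappers directly.

```python
"""Added example (not mock's code): namespace unshare with an EPERM fallback,
a container-detection heuristic, and the proc mount that needs CAP_SYS_ADMIN."""
import ctypes
import errno
import os

# Flag values from <linux/sched.h>.
CLONE_NEWNS = 0x00020000   # mount namespace
CLONE_NEWUTS = 0x04000000  # hostname / domainname
CLONE_NEWIPC = 0x08000000  # SysV IPC and POSIX message queues

# The three namespaces the message says mock currently unshares.
MOCK_NAMESPACE_FLAGS = CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC

_libc = ctypes.CDLL(None, use_errno=True)
_libc.unshare.argtypes = [ctypes.c_int]
_libc.mount.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                        ctypes.c_ulong, ctypes.c_void_p]
_libc.umount.argtypes = [ctypes.c_char_p]


def in_container(cgroup_text=None, dockerenv_exists=None):
    """Heuristic (an assumption for this example, not mock's detection logic):
    the process is containerised if /.dockerenv exists or /proc/1/cgroup names
    a known container runtime. Both inputs can be injected for testing."""
    if dockerenv_exists is None:
        dockerenv_exists = os.path.exists("/.dockerenv")
    if cgroup_text is None:
        try:
            with open("/proc/1/cgroup") as fh:
                cgroup_text = fh.read()
        except OSError:
            cgroup_text = ""
    if dockerenv_exists:
        return True
    markers = ("/docker/", "/lxc/", "/kubepods", "/machine.slice/", "containerd")
    return any(m in line for line in cgroup_text.splitlines() for m in markers)


def try_unshare(flags=MOCK_NAMESPACE_FLAGS):
    """Call unshare(2). True on success; False when the kernel refuses with
    EPERM (no CAP_SYS_ADMIN, which is what an unprivileged container yields).
    Any other errno is a real error and is raised."""
    if _libc.unshare(flags) == 0:
        return True
    err = ctypes.get_errno()
    if err == errno.EPERM:
        return False
    raise OSError(err, os.strerror(err))


def setup_namespaces(force_skip=None):
    """The decision described in the message: skip the unshares inside a
    container, otherwise perform them. Returns what happened for inspection."""
    skip = in_container() if force_skip is None else force_skip
    if skip:
        return {"unshared": False, "reason": "inside container, skipped"}
    ok = try_unshare()
    return {"unshared": ok, "reason": "ok" if ok else "EPERM: no CAP_SYS_ADMIN"}


def mount_proc(root):
    """Equivalent of 'mount -n -t proc proc <root>/proc'. True on success,
    False on EPERM. There is no skip path here: the message says this step
    cannot be left out, so EPERM means the container needs CAP_SYS_ADMIN."""
    target = os.path.join(root, "proc")
    os.makedirs(target, exist_ok=True)
    if _libc.mount(b"proc", target.encode(), b"proc", 0, None) == 0:
        return True
    err = ctypes.get_errno()
    if err == errno.EPERM:
        return False
    raise OSError(err, os.strerror(err))


if __name__ == "__main__":
    import tempfile
    print(setup_namespaces())
    # Use a scratch directory rather than a real mock root for the demo.
    with tempfile.TemporaryDirectory() as root:
        ok = mount_proc(root)
        print("proc mount:", "ok" if ok else "EPERM (container needs --cap-add=SYS_ADMIN)")
        if ok:
            _libc.umount(os.path.join(root, "proc").encode())
```

Run as root on a normal host it prints an unshared result and a successful proc mount; inside an unprivileged docker container both fall through to the EPERM branches, which is exactly the split the message describes: the namespace step can be skipped, the proc mount cannot.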