Dne 30.9.2016 v 15:15 Miroslav Suchý napsal(a):
Hi,
I am investigating
https://bugzilla.redhat.com/show_bug.cgi?id=1336750
and honestly I'm not sure what is the right solution.
Right now we use unshare() for CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC.
I can detect if mock is running inside of container and then skip those unshare.
But... What if I am running there some application *and* mock. In the same container.
That can be risky. However we can
just document it and let the user shoot into its own leg.
Or we can just document that you need to gave the containter privileges to run
unshare().
Or we can just leave it as it is and do not support run inside of container.
Any thoughts?
So, the unshare()-skipping is working. But I got stuck on
/bin/mount -n -t proc proc /var/lib/mock/fedora-24-x86_64/root/proc
This fails in unprivileged containers. And I cannot skip it, because lots of RPMs will
miss it.
The only way is to run docker with --cap-add=SYS_ADMIN. However according to
http://lwn.net/Articles/486306/
this is very similar to running privileged container, which is very similar to running
that code without container as root.
Any thoughts?
--
Miroslav Suchy, RHCA
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys