msuchy at redhat.com
Mon Sep 2 08:54:11 UTC 2013
On 08/30/2013 05:59 PM, Daniel P. Berrange wrote:
> On Fri, Aug 30, 2013 at 11:52:05AM -0400, Colin Walters wrote:
>> On Fri, 2013-08-30 at 09:01 -0400, Colin Walters wrote:
>> Also, wow, I just followed and read the link:
>> I know this is old code and stuff, but writing the data to the swap
>> partition sounds very Rube Goldberg.
It sounds complicated. But the reason is:
since during the build the code is run as root, you must assume a very hostile environment.
The packager can do *anything* on the builder. Even modify the file system. Directly on the block device.
And if you mount the guestfs as a whole FS, there is potential to exploit the kernel FS. In the past there were problems where
the kernel oopsed because the FS was damaged. So the OBS team decided that this has potential for exploit, and
the numbers of the blocks where the files reside are written into swap, and from the guest FS just those blocks are read.
virtio-serial could be used for that, but I guess it was not available at that time (and AFAIK it will not work
on s390 zVM).
Also reading that directly (instead of tar-ing) will save some time for big results (1.1 GB texlive or 9GB DVD image).
But personally I think this is just an implementation detail. Not the biggest question in this decision.
>> Now that virtio-serial exists,
>> it's easy to set up arbitrary private guest-host communication channels
>> without involving networking/TCP.
>> Were OBS to use mock in a VM I'd expect it to basically do:
>> tar cf /dev/virtio-ports/org.fedoraproject.mock /var/lib/mock/result
>> and then the host could read that tar file.
> Or you could just map a directory on the host into /var/lib/mock/result
> in the guest, using the virtio-9p filesystem feature of KVM. Basically
> this gives you shared filesystem, but without any TCP/networking involved.
> NB, works with KVM in Fedora hosts, but not RHEL which does not ship 9p
Thanks for pointing me to these two technologies, I was not aware of them.
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
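As an added example (not code from this thread, from mock or from OBS): the host side of the virtio-serial channel Colin describes, written to take Miroslav's point seriously that the guest is hostile. With libvirt, the guest's /dev/virtio-ports/org.fedoraproject.mock is backed by a Unix socket on the host (a `<channel type='unix'>` device), so the socket's `makefile('rb')` would be the `stream` argument below; here the stream is a constructed in-memory tar so the script runs offline. The member names, the result directory layout and the per-file size limit are assumptions of the example.

```python
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

# Upper bound on one result file; an assumed limit, chosen above the 9GB DVD image
# mentioned in the thread so a guest cannot fill the host disk with a single member.
MAX_MEMBER_BYTES = 16 * 1024 * 1024 * 1024


def safe_extract_results(stream, dest_dir, max_member_bytes=MAX_MEMBER_BYTES):
    """Extract a tar stream sent by an untrusted guest into dest_dir.

    Only regular files and directories are accepted, and every target path must
    stay inside dest_dir. Returns (accepted, rejected) member names in stream order.
    """
    dest = Path(dest_dir).resolve()
    accepted, rejected = [], []
    # "r|" is streaming mode: the source is read strictly forward, as a socket must be.
    with tarfile.open(fileobj=stream, mode="r|") as tar:
        for member in tar:
            name = member.name
            # Symlinks, hard links, devices and FIFOs from the guest are never created on the host.
            if not (member.isfile() or member.isdir()):
                rejected.append(name)
                continue
            if member.isfile() and member.size > max_member_bytes:
                rejected.append(name)
                continue
            # Resolve the target and require it to be dest or a descendant of dest;
            # this rejects "../x", absolute names and "a/../../x" alike.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                src = tar.extractfile(member)  # must be read before the stream advances
                with open(target, "wb") as out:
                    shutil.copyfileobj(src, out)
                # Keep the guest's permission bits but drop setuid/setgid/sticky
                # and group/other write, whatever the guest put in the header.
                os.chmod(target, member.mode & 0o755)
            accepted.append(name)
    return accepted, rejected


def build_sample_stream():
    """Constructed sample of what a guest might send: two legitimate results plus
    two hostile members (a path-traversal name and a symlink pointing at /etc)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add_file("result/build.log", b"build finished\n")
        # Constructed payload: rpm lead magic plus padding; setuid bit deliberately set in the header.
        add_file("result/hello-1.0-1.noarch.rpm", b"\xed\xab\xee\xdb" + b"\x00" * 60, mode=0o4755)
        add_file("../escape.txt", b"must not land beside the result dir\n")
        link = tarfile.TarInfo("result/etc")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    buf.seek(0)
    return buf


def demo():
    """Extract the constructed stream into a temporary directory and report the outcome."""
    work = tempfile.mkdtemp(prefix="mock-result-")
    try:
        accepted, rejected = safe_extract_results(build_sample_stream(), work)
        log_text = (Path(work) / "result" / "build.log").read_bytes()
        rpm_mode = (Path(work) / "result" / "hello-1.0-1.noarch.rpm").stat().st_mode & 0o7777
        return {
            "accepted": accepted,
            "rejected": rejected,
            "log_text": log_text,
            "rpm_mode": rpm_mode,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check on every name is the part that matters: a shared directory (the 9p variant Daniel mentions) removes the tar step but not the need to distrust what the guest wrote, since a build running as root can place symlinks, device nodes or setuid files in the result directory just as easily as in a tar stream.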