unify /proc mounting between root and unshare mode and fall back to rbind-mounting

This makes unshare mode work on salsaci and debci.
Johannes Schauer Marin Rodrigues 2023-02-09 10:19:51 +01:00
parent d9e6d62328
commit 9ebb3d07ac
Signed by: josch
GPG key ID: F2CBA5C78FBD83E1


@ -1417,12 +1417,13 @@ sub setup_mounts {
&& !-d "/proc") { && !-d "/proc") {
warning("skipping bind-mounting /proc because" warning("skipping bind-mounting /proc because"
. " /proc on the outside is not a directory"); . " /proc on the outside is not a directory");
} elsif ($options->{mode} eq 'root') { } elsif (any { $_ eq $options->{mode} } ('root', 'unshare')) {
# we don't know whether we run in root mode inside an unshared # we don't know whether we run in root mode inside an unshared
# user namespace or as real root so we first try the real mount and # user namespace or as real root so we first try the real mount and
# then fall back to mounting in a way that works in unshared # then fall back to mounting in a way that works in unshared
if ( if (
0 == system( $options->{mode} eq 'root'
&& 0 == system(
'mount', '-t', 'proc', '-o', 'ro', 'proc', 'mount', '-t', 'proc', '-o', 'ro', 'proc',
"$options->{root}/proc" "$options->{root}/proc"
) )
@ -1451,22 +1452,23 @@ sub setup_mounts {
0 == system('umount', '--no-mtab', "$options->{root}/proc") 0 == system('umount', '--no-mtab', "$options->{root}/proc")
or warning("umount /proc failed: $?"); or warning("umount /proc failed: $?");
}; };
} else { } elsif (
error "mount /proc failed: $?"; # if mounting proc failed, try bind-mounting it read-only as a
} # last resort
} elsif ($options->{mode} eq 'unshare') { 0 == system(
# naturally we have to clean up after ourselves in sudo mode where 'mount', '-o',
# we do a real mount. But we also need to unmount in unshare mode 'rbind', '/proc',
# because otherwise, even with the --one-file-system tar option, "$options->{root}/proc"
# the permissions of the mount source will be stored and not the )
# mount target (the directory) ) {
push @cleanup_tasks, sub { push @cleanup_tasks, sub {
# since we cannot write to /etc/mtab we need --no-mtab # since we cannot write to /etc/mtab we need --no-mtab
0 == system('umount', '--no-mtab', "$options->{root}/proc") 0 == system('umount', '--no-mtab', "$options->{root}/proc")
or warning("umount /proc failed: $?"); or warning("umount /proc failed: $?");
}; };
0 == system('mount', '-t', 'proc', 'proc', "$options->{root}/proc") } else {
or error "mount /proc failed: $?"; error "mount /proc failed: $?";
}
} elsif (any { $_ eq $options->{mode} } ('fakechroot', 'chrootless')) { } elsif (any { $_ eq $options->{mode} } ('fakechroot', 'chrootless')) {
# we cannot mount in fakechroot mode # we cannot mount in fakechroot mode
} else { } else {
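Review bot: The new last-resort branch is commented as bind-mounting /proc "read-only", but the call passes only `-o rbind`, so the outer /proc (its process list and any submounts) appears inside the chroot with whatever write access the caller has. Either drop "read-only" from the comment or follow the bind with a remount such as `system('mount', '-o', 'remount,bind,ro', "$options->{root}/proc")`, which should restrict the top mount but not its submounts. The cleanup task for this branch runs a plain `umount --no-mtab`; if the outer /proc carries submounts, that umount will presumably fail as busy and only emit a warning, so `'umount', '--no-mtab', '--recursive', "$options->{root}/proc"` looks safer here. The if/elsif chain in setup_mounts starts and ends outside the visible hunks, so how later cleanup treats a still-mounted /proc cannot be checked from this page.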