Compare commits

..

2 commits

Author SHA1 Message Date
8b982e82d2
In unshare mode, make all mounts private recursively
This emulates what unshare(1) does by default or by passing
--propagation=private explicitly. Mounting and unmounting filesystems
will affect mounts outside the namespace which are marked as shared (see
last column of `findmnt -o+PROPAGATION`). Since mmdebstrap's goal is to
isolate the mounts in the new namespace, we perform the equivalent of

    mount(NULL, "/", MS_REC | MS_PRIVATE, NULL);

from util-linux/sys-utils/unshare.c:set_propagation() which is in shell:

    mount --make-rprivate /

See mount_namespaces(7) for details. Without setting this, unmounting
/sys (and its sub-mounts) in unshare mode as root user will also unmount
the sub-mounts of /sys on the outside of the namespace. This breaks
tests/unshare-as-root-user which will fail to shut down with the following
errors in the log:

[FAILED] Failed unmounting mnt.mount - /mnt.
[FAILED] Failed unmounting run-lock.mount - Legacy Locks Directory /run/lock.
[...]
[  OK  ] Reached target poweroff.target - System Power Off.

Afterwards it will stall indefinitely. Stopping mmdebstrap from messing
with the /sys mounts on the outside stops this behaviour and allows the
virtual machine to be shut down cleanly.

Thanks: Helmut Grohne
2024-06-02 07:44:28 +02:00
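The commit message above explains the check a practitioner wants before touching mounts in a new namespace: look at the PROPAGATION column of `findmnt` and, if anything under `/` is still `shared`, run `mount --make-rprivate /` first. The following script is an added example, not mmdebstrap's own code. It parses `findmnt -o TARGET,PROPAGATION -n` output (the embedded sample is constructed, not captured from a real host), reports the mounts that would leak unmounts to the outside, and, with `--live` as root inside `unshare -m`, performs the propagation change and fails hard instead of only warning, because a failed `--make-rprivate` means later umounts propagate to the host.

```shell
#!/bin/sh
# Added example (not part of mmdebstrap): find shared mounts and make / rprivate.
set -eu

# Constructed sample of `findmnt -o TARGET,PROPAGATION -n` on a systemd host,
# where / and its sub-mounts default to "shared" (the situation the commit fixes).
SAMPLE_FINDMNT='/ shared
/sys shared
/sys/kernel/security shared
/proc shared
/tmp/chroot private
/run shared'

# list_shared FINDMNT_OUTPUT
# Print every target whose propagation contains "shared" ("shared" as well as
# combined values such as "shared,slave"); unmounting below these targets
# propagates to the parent namespace.
list_shared() {
    printf '%s\n' "$1" | awk '$2 ~ /shared/ { print $1 }'
}

# count_shared FINDMNT_OUTPUT: number of shared targets, as a plain integer
count_shared() {
    list_shared "$1" | wc -l | tr -d ' '
}

# make_rprivate: the shell equivalent of mount(NULL, "/", MS_REC|MS_PRIVATE, NULL).
# Needs CAP_SYS_ADMIN in a mount namespace. Returns the mount exit status on
# failure rather than continuing, since continuing would let later unmounts
# of /sys escape the namespace.
make_rprivate() {
    mount --make-rprivate / || {
        rc=$?
        echo "mount --make-rprivate / failed with exit status $rc" >&2
        return "$rc"
    }
}

# Live mode: run as root inside `unshare -m sh script.sh --live`.
if [ "${1:-}" = "--live" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "need root inside an unshared mount namespace" >&2
        exit 1
    fi
    before=$(findmnt -o TARGET,PROPAGATION -n)
    echo "shared mounts before: $(count_shared "$before")"
    make_rprivate
    after=$(findmnt -o TARGET,PROPAGATION -n)
    echo "shared mounts after: $(count_shared "$after")"
fi
```

Without `--live` the script only exercises the parser on the constructed sample, so it is safe to run unprivileged; with `--live` the "after" count should drop to zero for every mount the namespace can see, which is exactly the state the patch relies on before unmounting `/sys`.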
84f80673f4
Revert "attempt diagnosing skip-tar-in-mknod failure 'file changed as we read it' using auditd"
This reverts commit 726fc38d1d.
2024-05-15 00:23:56 +02:00
4 changed files with 5 additions and 5 deletions

View file

@ -433,4 +433,4 @@ Test: skip-output-mknod
Modes: root unshare
Test: skip-tar-in-mknod
Modes: root
Modes: unshare
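Review bot: the `Modes: root` to `Modes: unshare` change excludes root mode from skip-tar-in-mknod again without saying why; the test table has no room for a comment, so record the reason in the test script or in the commit message (which only says it reverts 726fc38d1d), otherwise the next person chasing the "file changed as we read it" failure mentioned in the reverted commit's title will re-add root mode and hit it blind.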

View file

@ -457,7 +457,6 @@ if [ "$HAVE_QEMU" = "yes" ]; then
if [ ! -e ./mmdebstrap ]; then
pkgs="$pkgs,mmdebstrap"
fi
pkgs="$pkgs,auditd"
arches=$HOSTARCH
if [ "$RUN_MA_SAME_TESTS" = "yes" ]; then
case "$HOSTARCH" in
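Review bot: dropping `pkgs="$pkgs,auditd"` from the qemu package list is the right counterpart to removing the auditctl/ausearch hooks, but verify that no remaining test still invokes `/sbin/auditctl` or `/sbin/ausearch`; the image will no longer contain them and such a test would only fail at run time rather than at build time.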

View file

@ -1177,6 +1177,8 @@ sub setup_mounts {
eval {
if (any { $_ eq $options->{mode} } ('root', 'unshare')) {
0 == system('mount', "--make-rprivate", "/")
or warning("mount --make-rprivate / failed: $?");
# if more than essential should be installed, make the system look
# more like a real one by creating or bind-mounting the device
# nodes
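Review bot: the guard `any { $_ eq $options->{mode} } ('root', 'unshare')` applies `mount --make-rprivate /` in root mode as well, while the commit message describes only unshare mode; if root mode does not run inside a mount namespace of its own, this changes propagation of the host's root mount and that change outlives mmdebstrap, so either restrict the call to unshare mode or add a comment stating why it is safe in root mode. Two smaller points on the same lines: after `system` Perl's `$?` is the wait status, so the warning should print `$? >> 8` (and `$? & 127` for a signal) to show the real exit code; and because a failed `--make-rprivate` means the later `/sys` unmounts leak to the outside, which is the exact failure this commit fixes, dying here would be safer than `warning(...)` and carrying on.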

View file

@ -3,7 +3,7 @@ set -eu
export LC_ALL=C.UTF-8
export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
#[ {{ MODE }} = "unshare" ]
[ {{ MODE }} = "unshare" ]
trap "rm -f /tmp/debian-chroot.tar" EXIT INT TERM
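Review bot: the restored `[ {{ MODE }} = "unshare" ]` under `set -eu` makes the script exit non-zero with no message when the mode is anything else, which is hard to tell apart from a genuine test failure; `[ {{ MODE }} = "unshare" ] || { echo "skip-tar-in-mknod needs unshare mode" >&2; exit 1; }` would fail legibly. The line also duplicates the `Modes:` entry in the test table, so both have to be kept in sync by hand.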
@ -22,8 +22,7 @@ fi
$prefix {{ CMD }} --mode={{ MODE }} --variant=custom \
--skip=update,setup,cleanup,tar-in/mknod \
--setup-hook='tar-in ./cache/mmdebstrap-{{ DIST }}-apt.tar /' \
--setup-hook='/sbin/auditctl -w "$1" -p wxa -k mykey' \
'' /tmp/debian-chroot.tar || /sbin/ausearch --format text -k mykey
'' /tmp/debian-chroot.tar
cmp ./cache/mmdebstrap-{{ DIST }}-apt.tar /tmp/debian-chroot.tar \
|| diffoscope ./cache/mmdebstrap-{{ DIST }}-apt.tar /tmp/debian-chroot.tar
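Review bot: with the `|| /sbin/ausearch --format text -k mykey` fallback and the `--setup-hook='/sbin/auditctl -w "$1" -p wxa -k mykey'` line gone, a non-zero exit from `{{ CMD }}` now aborts under `set -e` before `cmp`/`diffoscope` run, which is the intended behaviour; the only diagnostic left for a recurrence of the failure the reverted commit was chasing is the `diffoscope` output on the `cmp` mismatch path, so if that failure comes back, whatever replaces the auditd approach should be added on this line rather than as a second hook.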