According to Debian bug #978742, mmtarfilter has a slow performance with
many path exclusions. The execution can be speed up if the regular
expression is only compiled once instead of every time in the hot loop.
Signed-off-by: Benjamin Drung <benjamin.drung@cloud.ionos.com>
- even if the user is root, they might not have permission to mount
- check for CAP_SYS_ADMIN and unshare --mount before proceeding
- allow one to disable the check with --skip=check/canmount
- this is useful in container environments like docker
- this is useful when you are already root and want the benefits of
unsharing the mount namespace to prevent messing up your system
- if the unshare mode is used as root, the user namespace is not unshared
anymore and newuidmap, setuid and friends are not called anymore
- if the unshare mode is used as non-root test if the user namespace can be
unshared, otherwise test if the mount namespace can be unshared
mmtarfilter uses fnmatch to handle path exclusions and inclusions.
Python's fnmatch handles shell patterns by translating them to regular
expressions, with a 256-entry LRU cache. With more than 256 path
exclusions or inclusions, this LRU cache no longer works, and every
invocation of fnmatch on every file in every package will re-translate
and re-compile a regular expression, resulting in much worse
performance.
Translate all the shell patterns to regular expressions once. For an
mmdebstrap invocation with around 500 path filters, this speeds up
mmdebstrap by more than a minute.
- systemd didn't get fixed but somehow the order matches again (bug #963788)
- python is installable again (bug #968217)
- apt immediate configure was not fixed but src:glibc changed to not
trigger the bug anymore (bugs #973305, #973325 and #972552)