Reexecute stacker build inside lxc-usernsexec, do not reexecute inter…#137
cmd/build.go
| return err | ||
| } | ||
|
|
||
| cmd := []string{ |
Here instead of duplicating all the arguments, can we replace os.Args[0] and add --internal-userns as Args[1] instead? This way when people add new arguments they won't also have to change this code.
Sure, haven't thought about it this way. Thanks!
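The argv rewrite suggested in the review comment above, as an added example that is not code from this PR or from stacker. The function name `ReexecArgs`, the `lxc-usernsexec --` wrapper prefix, the `/proc/self/exe` path and the sample command line are assumptions, as is treating `--internal-userns` in position 1 as the marker of the already re-executed process.

```go
package main

import "fmt"

// internalFlag is the flag name from the review comment; here it is assumed
// to mark a process that is already running inside the user namespace.
const internalFlag = "--internal-userns"

// ReexecArgs (hypothetical helper) builds the argv used to re-run the current
// command under a namespace wrapper. Instead of re-listing every option, it
// swaps argv[0] for self, inserts internalFlag as the new Args[1], and passes
// every other argument through untouched, so new CLI options need no change
// here. ok is false when argv already carries internalFlag in position 1,
// which stops the inner process from re-executing itself again.
func ReexecArgs(wrapper []string, self string, argv []string) (out []string, ok bool) {
	if len(argv) == 0 {
		return nil, false
	}
	if len(argv) > 1 && argv[1] == internalFlag {
		return nil, false // already the inner process
	}
	// Build a fresh slice so the caller's argv (os.Args) is never aliased.
	out = make([]string, 0, len(wrapper)+len(argv)+1)
	out = append(out, wrapper...)
	out = append(out, self, internalFlag)
	out = append(out, argv[1:]...)
	return out, true
}

func main() {
	// Constructed sample command line, not taken from the PR.
	argv := []string{"stacker", "build", "--stacker-file", "stacker.yaml"}
	wrapper := []string{"lxc-usernsexec", "--"} // assumed wrapper invocation
	if cmd, ok := ReexecArgs(wrapper, "/proc/self/exe", argv); ok {
		fmt.Println(cmd)
	}
}
```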
| return err | ||
| } | ||
| builder := stacker.NewBuilder(&args) | ||
| return builder.BuildMultiple([]string{ctx.String("stacker-file")}) |
How does this work if someone invokes recursive-build?
Yes, I forgot about recursive builds. Thank you!
container/container.go
| return nil | ||
| } | ||
|
|
||
| func Run(userCmd []string, msg string) error { |
Will remove it, thanks
Overall this looks great, thanks for working on it. If nothing else, it lets us get rid of 150 lines of terrible re-exec code! A couple of small nits above and unfortunately, I added another re-exec command today, so this will need a rebase to account for that too. Finally, it seems like we could split this into two commits: 1. adding the global re-exec and 2. removing the use of internal_go.go which may be easier for future readers/reviewers.
dd1080b to 5847040
Thanks for the review. I have updated it according to your review; I hope I understood the split commit part correctly, if not, I can update it again. Also, I'm not sure if I have to remove the whole internal-go.go file, or we leave the test commands there, like I did. Thanks again,
The code itself looks good, but I'm not seeing it actually use the --internal-userns flag anywhere as far as I can tell: with the stacker file: I would expect to see another subprocess in the middle there with an It might be useful to add the testcase from #116 (comment) in another commit in this series, I think that will ensure that things work correctly.
One other nit: the subject line of the commits is pretty long (and thus rendered strangely by github); I find it is generally worth following the 50 character limit (with a 72 char limit for the message body). More details here: https://chris.beams.io/posts/git-commit/
Hello, this is my output, I can't understand why it behaves like this on your machine: I will add the test and modify the comment. Thanks.
5847040 to 52959e5
Can you please run @test "clean of unpriv overlay works", because I don't have a >5.8 kernel, and I'm not sure it ran in the CI:
Yeah, I think the check for overlay kernels is actually broken by this patch somehow. I'll take a look. I think it's worth adding the clean test in a separate commit (or perhaps the first commit, with a closes #xyz for the bug it came from) since it hopefully does fix that bug.
Looks like it's this hunk: This test still needs to be run inside a userns, as only root in a userns owning the mountns can do a |
Before running stacker build commands, set up a user namespace with lxc-usernsexec and rerun the stacker build commands given on the command line. This way everything will run in a user namespace; therefore we can reexec internal-go commands without setting up a user namespace.
No need to reexec internal-go functions as they are already run in the global user namespace. Refactored them into their corresponding files. Added a test case for cleaning overlay builds.
Ok, I pushed the fix for the testsuite-check-overlay command (and also dropped some unused stuff from the first patch). I also dropped the clean test from the series, since it doesn't actually fix things right now. I'm working on that now, though.
Ok, I think with this last commit this is ready to go. @peusebiu thoughts? Assuming it looks good to you, we can go ahead and merge and see what happens :)
0cb543b to 387c392
Various operations stacker can do (e.g. clean) rely on modifying/deleting files which are potentially owned by users in the current user's subuid allocation, which cannot be modified outside of a user namespace. To fix this, let's run all operations inside a user namespace, so that root in that userns can do whatever modifications it needs to do.
Since we're now running chroot in a userns, we need to propagate stdin to the inner execution, hence that chunk of the diff.
We can also drop the testsuite-check-overlay/check-overlay wrapper, since things are automatically run in a userns for us now.
Closes: project-stacker#116
Closes: project-stacker#111
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
Nice, I missed some obvious things, thanks for patching them :D.
No problem, thanks for your work on this!
…nal go commands, closes #111