commit 90c077db1d398041c75e6e4ebc56fb80570eb027 Author: Nicolas Vigier boklm@torproject.org Date: Tue Jun 16 20:03:56 2020 +0200
Bug 23631: Use rootless containers --- README | 20 +- README.HACKING | 23 ++ projects/common/runc-config.json | 267 --------------------- projects/container-image/config | 4 +- projects/debootstrap-image/config | 80 ------ .../{debootstrap-image => mmdebstrap-image}/build | 0 projects/mmdebstrap-image/config | 59 +++++ .../mmdebstrap-image/mmdebstrap-no-user-ns.patch | 30 +++ projects/mmdebstrap/build | 8 + projects/mmdebstrap/config | 5 + rbm | 2 +- rbm.conf | 92 +++---- 12 files changed, 172 insertions(+), 418 deletions(-)
diff --git a/README b/README
index e37f20d..8ebccf6 100644
--- a/README
+++ b/README
@@ -4,12 +4,10 @@ Tor Browser Build
 Installing build dependencies
 -----------------------------
-To build Tor Browser, you need a Linux distribution that has support
-for runc (such as Debian Buster, Ubuntu 16.04, Fedora 30, etc ...).
-
-Your user account should have sudo access, which is required to be able
-to extract container file systems, start containers and copy files to and
-from containers.
+To build Tor Browser, you need a recent Linux distribution with support
+for user_namespaces(7) (such as Debian Buster, Ubuntu 16.04, Fedora 30,
+etc ...). You will need to install the uidmap package, providing the
+newuidmap and newgidmap commands.
The sources of most components are downloaded using git, which needs to be installed. @@ -40,12 +38,20 @@ If you are running Debian or Ubuntu, you can install them with: libio-captureoutput-perl libjson-perl libpath-tiny-perl \ libstring-shellquote-perl libsort-versions-perl \ libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \ - libfile-copy-recursive-perl libfile-slurp-perl git runc + libfile-copy-recursive-perl libfile-slurp-perl git \ + uidmap
The build system is based on rbm, which is included as a git submodule in the rbm/ directory. You can fetch the rbm git submodule by running 'make submodule-update'.
+The build uses user_namespaces(7), which are disabled by default on Debian.
+To enable them you can use the following command as root:
+
+ # sysctl -w kernel.unprivileged_userns_clone=1
+
+You can enable them permanently by adding the setting to /etc/sysctl.d/
+
Starting a build
 ----------------
diff --git a/README.HACKING b/README.HACKING
index 0d3eeb8..506502d 100644
--- a/README.HACKING
+++ b/README.HACKING
@@ -305,6 +305,29 @@ The path to the container should be printed on the screen in case you want to backup its rootfs to be able to look at it later.
+Manually removing old containers
+--------------------------------
+
+When a build finishes or when you exit a debugging shell, the old
+container should automatically be removed. In some cases however, for
+example your computer is rebooted in the middle of a build, some old
+container directories may be left in the tmp directory. Some of the
+files in the container directories are owned by subordinate user ids
+(see the subuid man page), which will prevent you from removing them
+with your normal user id. To remove them you can open a container
+shell (a new User namespace) using the following command:
+
+ $ ./rbm/container run -- /bin/bash
+
+From this shell you should be able to remove the old containers
+directories in the tmp directory.
+
+It is also possible to pass the rm command directly without opening a
+shell:
+
+ $ ./rbm/container run -- rm -Rf ./tmp/rbm-*
+
+
 Testing an rbm patch
 --------------------
diff --git a/projects/common/runc-config.json b/projects/common/runc-config.json
deleted file mode 100644
index b078b97..0000000
--- a/projects/common/runc-config.json
+++ /dev/null
@@ -1,267 +0,0 @@ -{ - "ociVersion": "1.0.0[% IF !c("var_p/runc_spec100") %]-rc1[% END %]", - "platform": { - "os": "linux", - "arch": "amd64" - }, - "process": { - "terminal": [% IF c("interactive") %]true[% ELSE %]false[% END %], - "user": { - "uid": 0, - "gid": 0 - }, - "args": [ - "/rbm/run" - ], - "env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "TERM=xterm" - ], - "cwd": "/", -[% IF c("var_p/runc_spec100") -%] - "capabilities": { - "bounding": [ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - "CAP_SETGID", - "CAP_SETUID", - "CAP_MKNOD", - "CAP_SYS_CHROOT", -[% IF c("var/container/CAP_SYS_ADMIN") -%] - "CAP_SYS_ADMIN", -[% END -%] - "CAP_FSETID", - "CAP_FOWNER", - "CAP_DAC_OVERRIDE", - "CAP_CHOWN" - ], - "effective": [ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - "CAP_SETGID", - "CAP_SETUID", - "CAP_MKNOD", - "CAP_SYS_CHROOT", -[% IF c("var/container/CAP_SYS_ADMIN") -%] - "CAP_SYS_ADMIN", -[% END -%] - "CAP_FSETID", - "CAP_FOWNER", - "CAP_DAC_OVERRIDE", - "CAP_CHOWN" - ], - "inheritable": [ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - "CAP_SETGID", - "CAP_SETUID", - "CAP_MKNOD", - "CAP_SYS_CHROOT", -[% IF c("var/container/CAP_SYS_ADMIN") -%] - "CAP_SYS_ADMIN", -[% END -%] - "CAP_FSETID", - "CAP_FOWNER", - "CAP_DAC_OVERRIDE", - "CAP_CHOWN" - ], - "permitted": [ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - "CAP_SETGID", - "CAP_SETUID", - "CAP_MKNOD", - "CAP_SYS_CHROOT", -[% IF c("var/container/CAP_SYS_ADMIN") -%] - "CAP_SYS_ADMIN", -[% END -%] - "CAP_FSETID", - "CAP_FOWNER", - "CAP_DAC_OVERRIDE", - "CAP_CHOWN" - ], - "ambient": [ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - "CAP_SETGID", - "CAP_SETUID", - "CAP_MKNOD", - "CAP_SYS_CHROOT", -[% IF c("var/container/CAP_SYS_ADMIN") -%] - "CAP_SYS_ADMIN", -[% END -%] - "CAP_FSETID", - "CAP_FOWNER", - "CAP_DAC_OVERRIDE", - "CAP_CHOWN" - ] - }, -[% ELSE -%] - "capabilities": [ - "CAP_AUDIT_WRITE", - 
"CAP_KILL", - "CAP_NET_BIND_SERVICE", - "CAP_SETGID", - "CAP_SETUID", - "CAP_MKNOD", - "CAP_SYS_CHROOT", -[% IF c("var/container/CAP_SYS_ADMIN") -%] - "CAP_SYS_ADMIN", -[% END -%] - "CAP_FSETID", - "CAP_FOWNER", - "CAP_DAC_OVERRIDE", - "CAP_CHOWN" - ], -[% END -%] - "noNewPrivileges": true - }, - "root": { - "path": "rootfs", - "readonly": false - }, - "hostname": "runc", - "mounts": [ - { - "destination": "/proc", - "type": "proc", - "source": "proc" - }, - { - "type": "bind", - "source": "/etc/resolv.conf", - "destination": "/etc/resolv.conf", - "options": [ - "rbind", - "ro" - ] - }, - { - "destination": "/dev", - "type": "tmpfs", - "source": "tmpfs", - "options": [ - "nosuid", - "strictatime", - "mode=755", - "size=65536k" - ] - }, - { - "destination": "/dev/pts", - "type": "devpts", - "source": "devpts", - "options": [ - "nosuid", - "noexec", - "newinstance", - "ptmxmode=0666", - "mode=0620", - "gid=5" - ] - }, - { - "destination": "/dev/shm", - "type": "tmpfs", - "source": "shm", - "options": [ - "nosuid", - "noexec", - "nodev", - "mode=1777", - "size=65536k" - ] - }, - { - "destination": "/dev/mqueue", - "type": "mqueue", - "source": "mqueue", - "options": [ - "nosuid", - "noexec", - "nodev" - ] - }, - { - "destination": "/sys", - "type": "sysfs", - "source": "sysfs", - "options": [ - "nosuid", - "noexec", - "nodev", - "ro" - ] - }, - { - "destination": "/sys/fs/cgroup", - "type": "cgroup", - "source": "cgroup", - "options": [ - "nosuid", - "noexec", - "nodev", - "relatime", - "ro" - ] - } - ], - "hooks": {}, - "linux": { - "resources": { - "devices": [ - { - "allow": false, - "access": "rwm" - } - ] - }, - "namespaces": [ - { - "type": "pid" - }, - { - "type": "ipc" - }, - { - "type": "uts" - }, -[% IF c("var/container/disable_network/" _ c("exec_name")) -%] - { - "type": "network", - "path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]" - }, -[% END -%] - { - "type": "mount" - } - ], - "maskedPaths": [ - "/proc/kcore", - 
"/proc/latency_stats",
- "/proc/timer_stats",
-[% IF c("var_p/runc_spec100") -%]
- "/proc/timer_list",
- "/sys/firmware",
-[% END -%]
- "/proc/sched_debug"
- ],
- "readonlyPaths": [
- "/proc/asound",
- "/proc/bus",
- "/proc/fs",
- "/proc/irq",
- "/proc/sys",
- "/proc/sysrq-trigger"
- ]
- },
- "solaris": {
- "cappedCPU": {},
- "cappedMemory": {}
- }
-}
diff --git a/projects/container-image/config b/projects/container-image/config
index 7520b8e..e0b8b13 100644
--- a/projects/container-image/config
+++ b/projects/container-image/config
@@ -70,9 +70,9 @@ remote_get: |
 SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
 -%]
 mkdir -p "[% dst %]"
- sudo tar -C "[% c("var/container/dir") %]/rootfs" -czf "[% dst %]/[% c("filename") %]" .
+ [% c("rbmdir") %]/container archive '[% c("var/container/dir") %]' "[% dst %]/[% c("filename") %]"
input_files:
- - project: debootstrap-image
+ - project: mmdebstrap-image
 target:
 - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
diff --git a/projects/debootstrap-image/config b/projects/debootstrap-image/config
deleted file mode 100644
index 5098e29..0000000
--- a/projects/debootstrap-image/config
+++ /dev/null
@@ -1,80 +0,0 @@
-# vim: filetype=yaml sw=2
-filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %]-[% c("version") %].tar.gz'
-version: 3
-pkg_type: build
-
-var:
- ubuntu_version: 20.04.1
-
- container:
- use_container: 1
- # We need CAP_SYS_ADMIN for debootstrap to work
- CAP_SYS_ADMIN: 1
-
-pre: |
- #!/bin/sh
- set -e
- export DEBIAN_FRONTEND=noninteractive
- apt-get update -y -q
- apt-get install -y -q debian-archive-keyring ubuntu-keyring debootstrap
- debootstrap --arch=[% c("var/container/arch") %] [% c("var/container/debootstrap_opt") %] [% c("var/container/suite") %] base-image [% c("var/container/debootstrap_mirror") %]
- [% IF c("var/apt_package_filename") || c("var/apt_utils_package_filename") || c("var/libapt_inst_package_filename") || c("var/libapt_pkg_package_filename") -%]
- mkdir ./base-image/apt-update
- mv [% c("var/apt_package_filename") %] [% c("var/apt_utils_package_filename") %] \
- [% c("var/libapt_inst_package_filename") %] [% c("var/libapt_pkg_package_filename") %] \
- ./base-image/apt-update
- mount proc ./base-image/proc -t proc
- mount sysfs ./base-image/sys -t sysfs
- chroot ./base-image dpkg -i -R /apt-update
- umount ./base-image/proc
- umount ./base-image/sys
- [% END -%]
- [% IF c("var/minimal_apt_version") -%]
- apt_version=$(dpkg --admindir=$(pwd)/base-image/var/lib/dpkg -s apt | grep '^Version: ' | cut -d ' ' -f 2)
- echo "apt version: $apt_version"
- dpkg --compare-versions "$apt_version" ge '[% c("var/minimal_apt_version") %]'
- [% END -%]
- tar -C ./base-image -czf [% dest_dir %]/[% c("filename") %] .
-
-targets:
- jessie-amd64:
- var:
- minimal_apt_version: 1.0.9.8.7
- # CVE-2020-27350
- apt_packages_baseurl: https://deb.freexian.com/extended-lts/pool/main/a/apt
- apt_package_filename: apt_1.0.9.8.7_amd64.deb
- apt_package_sha256sum: 02d5c6240e3410234e91facd4279c1acdce1523b583e05fac7ad64bdc75db7c7
- apt_utils_package_filename: apt-utils_1.0.9.8.7_amd64.deb
- apt_utils_package_sha256sum: aa6f0cc7cf2e7cc6e5c56782019cd651d26b01d280aef4d25288587e198ff2d3
- libapt_inst_package_filename: libapt-inst1.5_1.0.9.8.7_amd64.deb
- libapt_inst_package_sha256sum: a85c99a64f3d6cdde5bf0849649c2d5f21c7513987854628659ea014bc3eb214
- libapt_pkg_package_filename: libapt-pkg4.12_1.0.9.8.7_amd64.deb
- libapt_pkg_package_sha256sum: 0db2410376516f3420594647afc72dc99b48a44877eae4e8c79444a8244e988f
-
- container:
- suite: jessie
- arch: amd64
-
- buster-amd64:
- var:
- minimal_apt_version: 1.8.2
- container:
- suite: buster
- arch: amd64
-
-input_files:
- - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/%5B% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
- filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
- sha256sum: 97f6cbcf41f39272c84e32b6f926ed5d6906c6e463a557025181f4aa191ad667
- - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/apt_package_filename") %]'
- sha256sum: '[% c("var/apt_package_sha256sum") %]'
- enable: '[% c("var/apt_package_filename") %]'
- - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/apt_utils_package_filename") %]'
- sha256sum: '[% c("var/apt_utils_package_sha256sum") %]'
- enable: '[% c("var/apt_utils_package_filename") %]'
- - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/libapt_inst_package_filename") %]'
- sha256sum: '[% c("var/libapt_inst_package_sha256sum") %]'
- enable: '[% c("var/libapt_inst_package_filename") %]'
- - URL: '[% c("var/apt_packages_baseurl") %]/[% c("var/libapt_pkg_package_filename") %]'
- sha256sum: '[%
c("var/libapt_pkg_package_sha256sum") %]'
- enable: '[% c("var/libapt_pkg_package_filename") %]'
diff --git a/projects/debootstrap-image/build b/projects/mmdebstrap-image/build
similarity index 100%
rename from projects/debootstrap-image/build
rename to projects/mmdebstrap-image/build
diff --git a/projects/mmdebstrap-image/config b/projects/mmdebstrap-image/config
new file mode 100644
index 0000000..102053d
--- /dev/null
+++ b/projects/mmdebstrap-image/config
@@ -0,0 +1,59 @@
+# vim: filetype=yaml sw=2
+filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %]-[% c("version") %].tar.gz'
+version: 1
+pkg_type: build
+
+var:
+ ubuntu_version: 20.04.1
+
+ container:
+ use_container: 1
+
+pre: |
+ #!/bin/sh
+ set -e
+ rootdir=$(pwd)
+ export DEBIAN_FRONTEND=noninteractive
+ apt-get update -y -q
+ apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg patch
+
+ export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
+ tar -xf [% c('input_files_by_name/mmdebstrap') %]
+ # As a user namespace inside an other user namespace doesn't seem to work,
+ # we patch mmdebstrap to avoid creating a new user namespace
+ patch -d mmdebstrap -p1 < mmdebstrap-no-user-ns.patch
+ ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
+
+ [% IF c("var/minimal_apt_version") -%]
+ mkdir base-image
+ tar -C base-image -xf output.tar.gz ./var/lib/dpkg
+ apt_version=$(dpkg --admindir=$rootdir/base-image/var/lib/dpkg -s apt | grep '^Version: ' | cut -d ' ' -f 2)
+ echo "apt version: $apt_version"
+ dpkg --compare-versions "$apt_version" ge '[% c("var/minimal_apt_version") %]'
+ [% END -%]
+
+ mv output.tar.gz [% dest_dir %]/[% c("filename") %]
+
+targets:
+ jessie-amd64:
+ var:
+ minimal_apt_version: 1.0.9.8.6
+
+ container:
+ suite: jessie
+ arch: amd64
+
+ buster-amd64:
+ var:
+ minimal_apt_version: 1.8.2
+ container:
+ suite: buster
+ arch: amd64
+
+input_files:
+ - project: mmdebstrap
+ name: mmdebstrap
+ - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/%5B% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+ filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+ sha256sum: 97f6cbcf41f39272c84e32b6f926ed5d6906c6e463a557025181f4aa191ad667
+ - filename: mmdebstrap-no-user-ns.patch
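Review bot: The jessie-amd64 target lowers `minimal_apt_version` to 1.0.9.8.6 and no longer installs the apt 1.0.9.8.7 packages that the removed debootstrap-image config fetched from the Debian ELTS pool next to its `# CVE-2020-27350` note, so unless the mirror passed as `var/container/debian_mirror` already ships a fixed apt, the jessie container image goes back to an apt version the old config deliberately avoided. Keeping `minimal_apt_version: 1.0.9.8.7` would at least make the `dpkg --compare-versions` check in `pre` fail loudly instead of silently producing a weaker image. It would also help to record why the floor has that value, e.g. `# apt >= 1.0.9.8.7 carries the fix for CVE-2020-27350` next to `minimal_apt_version`, so it is not lowered again by accident.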
diff --git a/projects/mmdebstrap-image/mmdebstrap-no-user-ns.patch b/projects/mmdebstrap-image/mmdebstrap-no-user-ns.patch
new file mode 100644
index 0000000..15c547e
--- /dev/null
+++ b/projects/mmdebstrap-image/mmdebstrap-no-user-ns.patch
@@ -0,0 +1,30 @@
+diff --git a/mmdebstrap b/mmdebstrap
+index 9b7d892..5d85a74 100755
+--- a/mmdebstrap
++++ b/mmdebstrap
+@@ -204,6 +204,7 @@ sub get_tar_compressor {
+ }
+
+ sub test_unshare {
++ return 1;
+ my $verbose = shift;
+ if ($EFFECTIVE_USER_ID == 0) {
+ my $msg = "cannot use unshare mode when executing as root";
+@@ -382,7 +383,7 @@ sub get_unshare_cmd {
+ my $idmap = shift;
+
+ my $unshare_flags
+- = $CLONE_NEWUSER | $CLONE_NEWNS | $CLONE_NEWPID | $CLONE_NEWUTS
++ = $CLONE_NEWNS | $CLONE_NEWPID | $CLONE_NEWUTS
+ | $CLONE_NEWIPC;
+
+ if (0) {
+@@ -457,6 +458,8 @@ sub get_unshare_cmd {
+ $gidmapcmd .= " $hostid $nsid $range";
+ }
+ }
++ $uidmapcmd = "";
++ $gidmapcmd = "";
+ my $idmapcmd = '';
+ if ($uidmapcmd ne "") {
+ 0 == system "newuidmap $ppid $uidmapcmd"
diff --git a/projects/mmdebstrap/build b/projects/mmdebstrap/build
new file mode 100644
index 0000000..ac0f21b
--- /dev/null
+++ b/projects/mmdebstrap/build
@@ -0,0 +1,8 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+tar xf [% project %]-[% c("version") %].tar.gz
+mv [% project %]-[% c("version") %] [% project %]
+[% c('tar', {
+ tar_src => [ project ],
+ tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+ }) %]
diff --git a/projects/mmdebstrap/config b/projects/mmdebstrap/config
new file mode 100644
index 0000000..8fbfc97
--- /dev/null
+++ b/projects/mmdebstrap/config
@@ -0,0 +1,5 @@
+# vim: filetype=yaml sw=2
+version: 655857e5259436755f34b908d07a6ebd4c8b0303
+git_url: http://gitlab.mister-muffin.de/josch/mmdebstrap.git
+git_hash: '[% c("version") %]'
+filename: '[% project %]-src-[% c("version") %]-[% c("var/build_id") %].tar.gz'
diff --git a/rbm b/rbm
index 15c8476..cfb4018 160000
--- a/rbm
+++ b/rbm
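Review bot: The `return 1;` inserted at the top of `test_unshare` short-circuits every sanity check in that sub, including the visible refusal to run unshare mode as root, and the two `$uidmapcmd = ""; $gidmapcmd = "";` assignments drop the newuidmap/newgidmap id mapping entirely, yet the patch carries no description saying that this is only acceptable because mmdebstrap already runs inside the rbm container's user namespace. After the next `version` bump of the mmdebstrap project the patch will be re-applied without that context, possibly skipping checks upstream added for a reason. Add a description above the first `diff --git` line, e.g. `Run mmdebstrap inside the caller's existing user namespace: skip test_unshare and do not create a nested user namespace or map ids, since nested user namespaces do not work inside the rbm container. Not safe to apply outside the container build.`. Both `test_unshare` and `get_unshare_cmd` continue past the inner hunks, so the effect on the rest of their bodies is not visible here.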
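Review bot: `git_url` in projects/mmdebstrap/config fetches the mmdebstrap source over cleartext `http://`. Because `git_hash` pins the full commit id given in `version`, a substituted repository should fail the checkout rather than silently build different code, assuming rbm checks out exactly that hash; the transport still lets a network attacker observe or block the fetch, and it offers no protection if the pin is ever loosened to a branch or tag. Prefer `git_url: https://gitlab.mister-muffin.de/josch/mmdebstrap.git` if the host serves it.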
@@ -1 +1 @@
-Subproject commit 15c84760ebe3f2677d1212aa00ef6f7485446a69
+Subproject commit cfb4018d34400e43837e77754519b3c2761b7ae6
diff --git a/rbm.conf b/rbm.conf
index 14a55a6..ba13cc0 100644
--- a/rbm.conf
+++ b/rbm.conf
@@ -495,13 +495,13 @@ gpg_wrapper: |
 exec [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@"
 fi
-remote_start: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_start") %][% END %]'
-remote_exec: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_exec") %][% END %]'
-remote_put: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_put") %][% END %]'
-remote_get: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_get") %][% END %]'
-remote_finish: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_finish") %][% END %]'
+remote_start: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_start") %][% END %]'
+remote_exec: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_exec") %][% END %]'
+remote_put: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_put") %][% END %]'
+remote_get: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_get") %][% END %]'
+remote_finish: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("container/remote_finish") %][% END %]'
-runc:
+container:
 remote_start: |
 #!/bin/sh
 set -e
@@ -511,11 +511,9 @@ runc:
 ls -l '[% c("remote_srcdir") %]' >&2
 exit 1
 fi
- mkdir -p '[% c("var/container/dir") %]'/rootfs/rbm
- sudo tar -C '[% c("var/container/dir") %]'/rootfs -xf $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*)
- [% SET user = c("var/container/user") -%]
- [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'id ' _ user
- _ ' >/dev/null 2>&1 || adduser -m ' _ user _ ' || useradd -m ' _ user }) %]
+ [% c("rbmdir") %]/container extract '[% c("var/container/dir") %]' '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*
+ test -d '[% c("var/container/dir") %]'/home/rbm || \
+ [% c("rbmdir") %]/container run --chroot='[% c("var/container/dir") %]' -- /usr/sbin/useradd -m [% c("var/container/user") %]
remote_exec: |
 #!/bin/sh
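Review bot: The `test -d '[% c("var/container/dir") %]'/home/rbm || \` guard in remote_start hard-codes the home directory name while the account it creates comes from `var/container/user`; if that variable is ever set to anything other than `rbm`, the test is always false, `useradd -m` is re-run on every remote_start, fails once the user exists, and the script's `set -e` (visible in the hunk context) aborts the build. The removed code checked the account itself (`id user || adduser || useradd`) and did not have this coupling. Use `test -d '[% c("var/container/dir") %]'/home/[% c("var/container/user") %] || \`, or run `id [% c("var/container/user") %]` inside the chroot before calling useradd to keep the old semantics. The remote_start script begins before this hunk.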
@@ -523,26 +521,27 @@ runc:
 [% IF c("interactive") -%]
 echo Container directory: [% shell_quote(c("var/container/dir")) %]
 [% END -%]
- mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/rbm
- echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/cmd
- echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rootfs/rbm/cmd
- echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/run
- [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %]
- echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rootfs/rbm/run
- chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/cmd
- chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/run
- cat > '[% c("var/container/dir") %]'/config.json << EOF
- [% INCLUDE 'runc-config.json' %]
- EOF
- [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
- sudo ip netns add 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
- # make sure the lo interface is up (see bug 31293)
- sudo ip netns exec 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' ip link set lo up
- [% END -%]
- sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
+ mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rbm
+ echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rbm/cmd
+ echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rbm/cmd
+ echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rbm/run
 [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
- sudo ip netns delete 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
+ # Some programs such as gradle need the lo interface to be up.
+ # See for example tor-browser#31293
+ echo 'ip link set lo up' >> '[% c("var/container/dir") %]'/rbm/run
 [% END -%]
+ [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %]
+ echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rbm/run
+ chmod +x '[% c("var/container/dir") %]'/rbm/cmd
+ chmod +x '[% c("var/container/dir") %]'/rbm/run
+ [%
+ IF c("var/container/disable_network/" _ c("exec_name"));
+ SET disable_network = '--disable-network';
+ ELSE;
+ SET disable_network = '';
+ END;
+ -%]
+ [% c("rbmdir") %]/container run [% disable_network %] --chroot='[% c("var/container/dir") %]' -- /rbm/run
remote_put: |
 #!/bin/sh
@@ -551,12 +550,7 @@ runc:
 SET src = shell_quote(c('put_src', { error_if_undef => 1 }));
 SET dst = shell_quote(c('put_dst', { error_if_undef => 1 }));
 -%]
- sudo mkdir -p '[% c("var/container/dir") %]'/rootfs/[% dst %]
- sudo cp -aP [% src %] '[% c("var/container/dir") %]'/rootfs/[% dst %]
- # On Ubuntu, the /root/.profile file contains a `mesg n` line which is
- # producing some `stdin: is not a tty` messages. To hide them, we hide
- # stderr from this part by setting runc_hide_stderr.
- [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'chown -R ' _ c("var/container/user") _ ' ' _ dst, runc_hide_stderr => 1 }) %]
+ [% c("rbmdir") %]/container put '[% c("var/container/dir") %]' [% src %] [% dst %] [% c("var/container/user") %]
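Review bot: The `echo 'ip link set lo up' >> '[% c("var/container/dir") %]'/rbm/run` line makes the generated `/rbm/run` script depend on `ip` (iproute2) being installed inside the container image, whereas the removed `sudo ip netns exec ... ip link set lo up` ran it on the host; the generated script is plain `#!/bin/sh` with no `set -e`, so if the image lacks the tool the error goes to stderr and the build continues until something like gradle (see the tor-browser#31293 comment) fails much later with an unrelated-looking error. Make the failure explicit, e.g. `echo 'ip link set lo up || { echo "rbm: cannot bring up lo, is iproute2 in the container image?" >&2; exit 1; }' >> '[% c("var/container/dir") %]'/rbm/run`, or add a comment stating that container images used with `disable_network` must ship iproute2. The remote_exec script starts before this hunk.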
remote_get: |
 #!/bin/sh
@@ -565,24 +559,12 @@ runc:
 SET src = shell_quote(c('get_src', { error_if_undef => 1 }));
 SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
 -%]
- mkdir -p [% dst %]
- srcdir='[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/[% src %]
- sudo chown -R $(whoami) "$srcdir"
- if [ $(ls -1 "$srcdir"/* 2> /dev/null | wc -l) -gt 0 ]
- then
- for file in "$srcdir"/*
- do
- bname="$(basename "$file")"
- test -e [% dst %]/"$bname" && rm -Rf [% dst %]/"$bname"
- mv -f "$file" [% dst %]/
- done
- fi
+ [% c("rbmdir") %]/container get '[% c("var/container/dir") %]' [% src %] [% dst %]
remote_finish: |
 #!/bin/sh
 set -e
- sudo rm -Rf '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs '[% c("var/container/dir", { error_if_undef => 1 }) %]'/config.json
- rmdir '[% c("var/container/dir") %]'
+ [% c("rbmdir") %]/container remove '[% c("var/container/dir") %]'
ENV:
 TZ: UTC
@@ -592,18 +574,6 @@ ENV:
 use IO::CaptureOutput qw(capture_exec);
 (
 var_p => {
- # runc100 is true if we are using runc >= 1.0.0
- # we assume that any version that is not 0.1.1 is >= 1.0.0
- runc100 => sub {
- my ($out) = capture_exec('sudo', 'runc', '--version');
- return !($out =~ m/^runc version 0.1.1/);
- },
- # runc_spec100 is true if runc spec is at least 1.0.0
- # We will need to update this when there is a new spec version available
- runc_spec100 => sub {
- my ($out) = capture_exec('sudo', 'runc', '--version');
- return $out =~ m/^.*spec: 1.[0-9]+.[0-9]+(?:-dev)?$/m;
- },
 nightly_torbrowser_version => sub {
 state $version = '';
 return $version if $version;