commit 56ba67b3b6345fc70d42567d03b0ff841fe38d3e
Author: Nicolas Vigier <boklm(a)torproject.org>
Date: Wed Mar 13 13:20:33 2019 +0100
Bug 25623: Disable network during build
---
projects/common/how-to-create-gradle-dependencies-list.txt | 3 ++-
projects/common/runc-config.json | 6 ++++++
rbm.conf | 9 +++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/projects/common/how-to-create-gradle-dependencies-list.txt b/projects/common/how-to-create-gradle-dependencies-list.txt
index ef816d0..d980ba2 100644
--- a/projects/common/how-to-create-gradle-dependencies-list.txt
+++ b/projects/common/how-to-create-gradle-dependencies-list.txt
@@ -6,7 +6,8 @@ file:
export GRADLE_MAVEN_REPOSITORIES="file://$rootdir/[% c('input_files_by_name/gradle-dependencies') %]"
-and rerun the build.
+then allow network access during the build by setting
+var/container/disable_network/build to 0 in rbm.conf, and rerun the build.
Dependent artifacts will show up as downloads in the logs. You can pull out
these dependencies into a list with the following command (replacing
diff --git a/projects/common/runc-config.json b/projects/common/runc-config.json
index e75c13d..60dfa6c 100644
--- a/projects/common/runc-config.json
+++ b/projects/common/runc-config.json
@@ -238,6 +238,12 @@
{
"type": "uts"
},
+[% IF c("var/container/disable_network/" _ c("exec_name")) -%]
+ {
+ "type": "network",
+ "path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
+ },
+[% END -%]
{
"type": "mount"
}
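Review bot: When the `IF` at the top of the added block is false, no `network` entry is emitted at all, and runc then leaves the container in the network namespace of the process that starts it. Since rbm.conf launches it with `sudo runc`, that is presumably the host's namespace. Setting the flag to 0 therefore gives the build the host's interfaces and loopback services, not just outbound access. A template comment above the block would record this, e.g. `[%# without a "network" entry the container shares the caller's network namespace -%]`. The namespaces array starts and ends outside the hunk.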
diff --git a/rbm.conf b/rbm.conf
index 32b1f37..f31e5db 100644
--- a/rbm.conf
+++ b/rbm.conf
@@ -51,6 +51,9 @@ var:
container:
dir: '[% c("rbm_tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]'
user: rbm
+ disable_network:
+ # disable network in the build scripts
+ build: 1
input_files_list: |
[% FOREACH file IN c("input_files_by_name").keys.sort -%]
[% c("input_files_by_name/" _ file) %]
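Review bot: The comment on `disable_network` does not say that the map is looked up by `exec_name`, as the `IF c("var/container/disable_network/" _ c("exec_name"))` tests in runc-config.json and in the `runc` script show. Any script name missing from the map evaluates as false and runs with network access, so by default only `build` is isolated. I would spell that out, e.g. `# keys are exec_name values; 1 = run that script in an empty network namespace, 0 or unset = network allowed`. If other scripts are also run inside the container, it is worth deciding whether they should be listed here too. The enclosing `var:` / `container:` mapping starts above the hunk.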
@@ -408,7 +411,13 @@ runc:
cat > '[% c("var/container/dir") %]'/config.json << EOF
[% INCLUDE 'runc-config.json' %]
EOF
+ [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
+ sudo ip netns add 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
+ [% END -%]
sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
+ [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
+ sudo ip netns delete 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
+ [% END -%]
remote_put: |
#!/bin/sh
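Review bot: With the namespace enabled, `sudo ip netns delete` becomes the last command of the `runc` script. Unless `set -e` is set above this hunk, the script's exit status is then that of the delete rather than of `sudo runc`, so a failed build could be reported as success. Saving the status with `ret=$?` right after the `sudo runc` line and ending the block with `exit $ret` after the delete would keep the build result. If the script does abort early or is interrupted, the delete is skipped and the `rbm-<sha256>` namespace stays behind, so a retry with the same build_id would fail on `ip netns add`. A cleanup `trap`, or an `ip netns delete ... 2>/dev/null` before the add, would cover that. The script body starts above the hunk.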