[builders/rbm] branch master updated: Bug 40029: Add default remote_* options for containers - tor-commits

8 Jul 2022

This is an automated email from the git hooks/post-receive script.
boklm pushed a commit to branch master
in repository builders/rbm.
The following commit(s) were added to refs/heads/master by this push:
     new e93302b  Bug 40029: Add default remote_* options for containers
e93302b is described below
commit e93302bd80b80dd498a91cd018bcb4c81638b546
Author: Nicolas Vigier boklm@torproject.org
AuthorDate: Fri Jul 1 12:05:14 2022 +0200
Bug 40029: Add default remote_* options for containers
---
 doc/rbm_remote.asc       |  31 +++++++++++++
 lib/RBM/DefaultConfig.pm | 110 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+)

diff --git a/doc/rbm_remote.asc b/doc/rbm_remote.asc
index 7f4c3d8..07d2f61 100644
--- a/doc/rbm_remote.asc
+++ b/doc/rbm_remote.asc
@@ -59,6 +59,37 @@ The +remote_*+ options can access the +build_id+ option which is a
 unique identifier of the current build.
+REMOTE BUILD WITH ROOTLESS CONTAINERS
+-------------------------------------
+
+rbm includes a `container` script which allows creating rootless
+containers (ie. creating some Linux namespaces, without requiring root
+priviledges).
+
+It requires the +newuidmap+ and +newgidmap+ commands. On Debian systems
+this means installing the +uidmap+ package.
+
+Some predefined +remote_*+ options to use containers are available.
+They can be enabled by setting +container/use_container+ to true.
+
+When the use of containers is enabled, the +input_files+ of your build
+should include a chroot tarball, with a filename starting with
++container-image_+. When starting a build, this chroot tarball will be
+extracted to a temporary directory, and the build script will be run
+chrooted in this directory.
+
+The following options can be used:
+
+container/disable_network/script_name::
+        Disable the use of network when running +script_name+ (replace it with
+        the name of the script). By default network is disabled in the
+        +build+ script and enabled in all other scripts.
+
+container/global_disable::
+        When this option is set, +container/use_container+ and containers are
+        not used.
+
+
 REMOTE BUILD WITH DOCKER
 ------------------------
diff --git a/lib/RBM/DefaultConfig.pm b/lib/RBM/DefaultConfig.pm
index e28642f..b60d5c2 100644
--- a/lib/RBM/DefaultConfig.pm
+++ b/lib/RBM/DefaultConfig.pm
@@ -217,6 +217,10 @@ OPT_END
 ####
     remote_exec => <<OPT_END,
 [%
+    IF c("container/use_container") && !c("container/global_disable");
+        GET c("container/remote_exec");
+        RETURN;
+    END;
     IF c('remote_docker');
         GET c('docker_remote_exec');
         RETURN;
@@ -236,6 +240,10 @@ OPT_END
 ####
     remote_get => <<OPT_END,
 [%
+    IF c("container/use_container") && !c("container/global_disable");
+        GET c("container/remote_get");
+        RETURN;
+    END;
     IF c('remote_docker');
         GET c('docker_remote_get');
         RETURN;
@@ -260,6 +268,10 @@ OPT_END
 ####
     remote_put => <<OPT_END,
 [%
+    IF c("container/use_container") && !c("container/global_disable");
+        GET c("container/remote_put");
+        RETURN;
+    END;
     IF c('remote_docker');
         GET c('docker_remote_put');
         RETURN;
@@ -285,6 +297,10 @@ OPT_END
 ####
     remote_start => <<OPT_END,
 [%
+    IF c("container/use_container") && !c("container/global_disable");
+        GET c("container/remote_start");
+        RETURN;
+    END;
     IF c('remote_docker');
         GET c('docker_remote_start');
         RETURN;
@@ -296,6 +312,10 @@ OPT_END
 ####
     remote_finish => <<OPT_END,
 [%
+    IF c("container/use_container") && !c("container/global_disable");
+        GET c("container/remote_finish");
+        RETURN;
+    END;
     IF c('remote_docker');
         GET c('docker_remote_finish');
         RETURN;
@@ -408,6 +428,96 @@ rm -Rf $tmpdir
 OPT_END
 ####
 ####
+####
+    container => {
+        remote_start => <<OPT_END,
+#!/bin/sh
+set -e
+if [ $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'* | wc -l) -ne 1 ]
+then
+  echo "Can't find container image in input files" >&2
+  ls -l '[% c("remote_srcdir") %]' >&2
+  exit 1
+fi
+[% c("rbmdir") %]/container extract '[% c("container/dir") %]' '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*
+test -d '[% c("container/dir") %]'/home/rbm || \
+  [% c("rbmdir") %]/container run --chroot='[% c("container/dir") %]' -- /usr/sbin/useradd -m [% c("container/user") %]
+OPT_END
+####
+####
+####
+        remote_exec => <<OPT_END,
+#!/bin/sh
+set -e
+[% IF c("interactive") -%]
+  echo Container directory: [% shell_quote(c("container/dir")) %]
+[% END -%]
+mkdir -p '[% c("container/dir", { error_if_undef => 1 }) %]'/rbm
+echo '#!/bin/sh' > '[% c("container/dir") %]'/rbm/cmd
+echo [% shell_quote(c('exec_cmd')) %] >> '[% c("container/dir") %]'/rbm/cmd
+echo '#!/bin/sh' > '[% c("container/dir") %]'/rbm/run
+[% IF c("container/disable_network/" _ c("exec_name")) -%]
+  # Some programs such as gradle need the lo interface to be up.
+  # See for example tor-browser#31293
+  echo 'ip link set lo up' >> '[% c("container/dir") %]'/rbm/run
+[% END -%]
+[% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("container/user", { error_if_undef => 1 }); END; %]
+echo 'su - [% user %] -c /rbm/cmd' >> '[% c("container/dir") %]'/rbm/run
+chmod +x '[% c("container/dir") %]'/rbm/cmd
+chmod +x '[% c("container/dir") %]'/rbm/run
+[%
+  IF c("container/disable_network/" _ c("exec_name"));
+    SET disable_network = '--disable-network';
+  ELSE;
+    SET disable_network = '';
+  END;
+-%]
+[% c("rbmdir") %]/container run [% disable_network %] --chroot='[% c("container/dir") %]' -- /rbm/run
+OPT_END
+####
+####
+####
+        remote_put => <<OPT_END,
+#!/bin/sh
+set -e
+[%
+  SET src = shell_quote(c('put_src', { error_if_undef => 1 }));
+  SET dst = shell_quote(c('put_dst', { error_if_undef => 1 }));
+-%]
+[% c("rbmdir") %]/container put '[% c("container/dir") %]' [% src %] [% dst %] [% c("container/user") %]
+OPT_END
+####
+####
+####
+        remote_get => <<OPT_END,
+#!/bin/sh
+set -e
+[%
+  SET src = shell_quote(c('get_src', { error_if_undef => 1 }));
+  SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
+-%]
+[% c("rbmdir") %]/container get '[% c("container/dir") %]' [% src %] [% dst %]
+OPT_END
+####
+####
+####
+        remote_finish => <<OPT_END,
+#!/bin/sh
+set -e
+[% c("rbmdir") %]/container remove '[% c("container/dir") %]'
+OPT_END
+####
+####
+####
+        dir => '[% c("rbm_tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]',
+        user =>  'rbm',
+        disable_network => {
+            # disable network in the build scripts
+            build => '1',
+        },
+    },
+####
+####
 ####
     lsb_release => &lsb_release,
     install_package => sub {
-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

    