[tor-commits] [tor-browser-build/master] Bug 25623: Disable network during build

gk at torproject.org gk at torproject.org
Mon Apr 1 06:49:08 UTC 2019


commit 56ba67b3b6345fc70d42567d03b0ff841fe38d3e
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Wed Mar 13 13:20:33 2019 +0100

    Bug 25623: Disable network during build
---
 projects/common/how-to-create-gradle-dependencies-list.txt | 3 ++-
 projects/common/runc-config.json                           | 6 ++++++
 rbm.conf                                                   | 9 +++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/projects/common/how-to-create-gradle-dependencies-list.txt b/projects/common/how-to-create-gradle-dependencies-list.txt
index ef816d0..d980ba2 100644
--- a/projects/common/how-to-create-gradle-dependencies-list.txt
+++ b/projects/common/how-to-create-gradle-dependencies-list.txt
@@ -6,7 +6,8 @@ file:
 
    export GRADLE_MAVEN_REPOSITORIES="file://$rootdir/[% c('input_files_by_name/gradle-dependencies') %]"
 
-and rerun the build.
+then allow network access during the build by setting
+var/container/disable_network/build to 0 in rbm.conf, and rerun the build.
 
 Dependent artifacts will show up as downloads in the logs. You can pull out
 these dependencies into a list with the following command (replacing
diff --git a/projects/common/runc-config.json b/projects/common/runc-config.json
index e75c13d..60dfa6c 100644
--- a/projects/common/runc-config.json
+++ b/projects/common/runc-config.json
@@ -238,6 +238,12 @@
 			{
 				"type": "uts"
 			},
+[% IF c("var/container/disable_network/" _ c("exec_name")) -%]
+			{
+				"type": "network",
+				"path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
+			},
+[% END -%]
 			{
 				"type": "mount"
 			}
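Review bot: The namespace path on the added `"path"` line is built from the same `rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]` expression that rbm.conf repeats in its `ip netns add` and `ip netns delete` commands, and nothing ties the copies together. If one copy is edited without the others, runc would presumably either fail to start or not place the build in the intended isolated namespace. Defining the name once as a config variable and referencing it from both files would keep them in step. Since this JSON template cannot carry a comment, the minimal version is a comment in rbm.conf next to the `ip netns add` line, e.g. `# name must match the network namespace path in runc-config.json`.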
diff --git a/rbm.conf b/rbm.conf
index 32b1f37..f31e5db 100644
--- a/rbm.conf
+++ b/rbm.conf
@@ -51,6 +51,9 @@ var:
   container:
     dir: '[% c("rbm_tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]'
     user: rbm
+    disable_network:
+      # disable network in the build scripts
+      build: 1
   input_files_list: |
     [% FOREACH file IN c("input_files_by_name").keys.sort -%]
     [% c("input_files_by_name/" _ file) %]
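Review bot: The comment on `disable_network` does not say that the keys under it are matched against `exec_name` (both templates test `c("var/container/disable_network/" _ c("exec_name"))`), so any step whose name is not listed here keeps network access. Only `build` is set in this hunk, so that default-open behaviour is worth stating where people will edit it, for example `# keys are exec_name values; a step not listed here runs with network access` above `build: 1`.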
@@ -408,7 +411,13 @@ runc:
     cat > '[% c("var/container/dir") %]'/config.json << EOF
     [% INCLUDE 'runc-config.json' %]
     EOF
+    [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
+      sudo ip netns add 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
+    [% END -%]
     sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
+    [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
+      sudo ip netns delete 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]'
+    [% END -%]
 
   remote_put: |
     #!/bin/sh
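Review bot: The added `sudo ip netns delete` runs after `runc` as the last command of this script when isolation is enabled, so cleanup and the build result are now coupled. The top of the script is outside this hunk, so whether it runs under `set -e` is not visible: with it, a failing `runc` exits before the delete and leaves the namespace behind, and a later `ip netns add` for the same build_id would then fail because the name already exists; without it, the script's exit status becomes that of `ip netns delete` and a failed build could be reported as success. Registering the cleanup right after the add, e.g. `trap "sudo ip netns delete '<namespace name>'" EXIT` with the same name expression, removes the namespace on every exit path and leaves `runc` as the command that decides the status.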




