From 90ec2fa8021209557e1845c8eb7ce39152d1ecf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 14 Dec 2020 12:53:57 +0100 Subject: [PATCH 1/4] rootfs: Don't fallthrough in the docker_extra_args() switch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Falling through the switch cases in docker_extra_args() looks like a typo and causes issues when building with podman, as `--security-opt apparmor=unconfinded" shouldn't be passed if Apparmor is no enable on the system. Fixes: #1241 Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index dc902f57b0..a10907bc08 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -200,7 +200,7 @@ docker_extra_args() args+=" --cap-add SYS_CHROOT" # debootstrap needs to create device nodes to properly function args+=" --cap-add MKNOD" - ;& + ;; suse) # Required to mount inside a container args+=" --cap-add SYS_ADMIN" From bbeebcdbba11fc1a328b73748f83c5352d22d627 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 8 Jan 2021 20:07:24 +0100 Subject: [PATCH 2/4] rootfs: Always add SYS_ADMIN, CHROOT, and MKNOD caps to docker cmdline MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We use those, independently of the distro. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index a10907bc08..6f627d14ec 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh 
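Review bot: Turning `;&` into `;;` on the ubuntu|debian branch drops `--cap-add SYS_ADMIN` and `--security-opt apparmor=unconfined` for Debian and Ubuntu targets, which the fall-through into the suse branch had been supplying, so on its own this patch leaves those builds without the capability the suse comment says is required to mount inside the container. Patches 2/4 and 3/4 of this series put SYS_ADMIN and the AppArmor option back for debian|ubuntu, so the regression only exists at this point in the history, but that still matters for anyone bisecting or cherry-picking 1/4 alone. If the change is kept as a separate commit, a comment on the new terminator such as `# debian/ubuntu also need SYS_ADMIN and the AppArmor relaxation; see the suse case` would record what the fall-through was doing, or the three patches could be squashed so no intermediate state is broken. docker_extra_args() starts and ends outside this hunk.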
@@ -181,29 +181,22 @@ docker_extra_args() { local args="" + # Required to mount inside a container + args+=" --cap-add SYS_ADMIN" + # Requred to chroot + args+=" --cap-add SYS_CHROOT" + # debootstrap needs to create device nodes to properly function + args+=" --cap-add MKNOD" + case "$1" in gentoo) - # Requred to chroot - args+=" --cap-add SYS_CHROOT" - # debootstrap needs to create device nodes to properly function - args+=" --cap-add MKNOD" - # Required to mount inside a container - args+=" --cap-add SYS_ADMIN" # Required to build glibc args+=" --cap-add SYS_PTRACE" # mount portage volume args+=" -v ${gentoo_local_portage_dir}:/usr/portage/packages" args+=" --volumes-from ${gentoo_portage_container}" ;; - ubuntu | debian) - # Requred to chroot - args+=" --cap-add SYS_CHROOT" - # debootstrap needs to create device nodes to properly function - args+=" --cap-add MKNOD" - ;; suse) - # Required to mount inside a container - args+=" --cap-add SYS_ADMIN" # When AppArmor is enabled, mounting inside a container is blocked with docker-default profile. # See https://github.com/moby/moby/issues/16429 args+=" --security-opt apparmor=unconfined" From 8879f9a09b19f46affaada45a597bca5b6fb99dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 8 Jan 2021 21:24:24 +0100 Subject: [PATCH 3/4] rootfs: apparmor=unconfined is needed for non Red Hat host OSes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is not needed for Fedora, RHEL, and CentOS, but it is required when using any other host OS. Having --security-opt apparmor=unconfined used unconditionally is a no go as it'd break podman. The reason this was only added when building for SUSE (as target distro) was because debian and ubuntu condition would fall-through the switch to the suse case (which makes me think that the fall-through was not accidental). 
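Review bot: Hoisting the three `--cap-add` lines above the `case` grants CAP_SYS_ADMIN, CAP_SYS_CHROOT and CAP_MKNOD to the build container for every target distro, including whatever falls into the `*)` default branch that previously added no capabilities at all; CAP_SYS_ADMIN in particular is close to unrestricted root inside the container, so this widens the privilege of the build step for any distro that did not need it, which is a decision the commit message ("We use those, independently of the distro") states but the visible branches cannot confirm. The hoisted comment `# debootstrap needs to create device nodes to properly function` now sits on a distro-independent line although debootstrap is only the Debian/Ubuntu bootstrap tool; `# Bootstrapping the rootfs (e.g. debootstrap) creates device nodes` would describe the new scope, and the copied `# Requred to chroot` should read `# Required to chroot`. If the default branch covers distros whose build does not mount or mknod, keeping the caps in the branches that need them would preserve least privilege. The function's closing lines are outside this hunk.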
Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 6f627d14ec..dc53653212 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -196,10 +196,23 @@ docker_extra_args() args+=" -v ${gentoo_local_portage_dir}:/usr/portage/packages" args+=" --volumes-from ${gentoo_portage_container}" ;; - suse) - # When AppArmor is enabled, mounting inside a container is blocked with docker-default profile. - # See https://github.com/moby/moby/issues/16429 - args+=" --security-opt apparmor=unconfined" + debian | ubuntu | suse) + source /etc/os-release + + case "$ID" in + fedora | centos | rhel) + # Depending on the podman version, we'll face issues when passing + # `--security-opt apparmor=unconfined` on a system where not apparmor is not installed. + # Because of this, let's just avoid adding this option when the host OS comes from Red Hat. + + # A explict check for podman, at least for now, can be avoided. + ;; + *) + # When AppArmor is enabled, mounting inside a container is blocked with docker-default profile. + # See https://github.com/moby/moby/issues/16429 + args+=" --security-opt apparmor=unconfined" + ;; + esac ;; *) ;; From b329a74f1812def748fe01dc63a0d553f5a4b7a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 8 Jan 2021 21:29:51 +0100 Subject: [PATCH 4/4] rootfs: Fix indentation inside a switch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While touching this part of the code, let's help my OCD. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
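Review bot: `source /etc/os-release` executes that file in the script's own scope, so `ID`, `NAME`, `VERSION`, `PRETTY_NAME` and friends become globals that can collide with variables used elsewhere in rootfs.sh (the rest of the script is not visible here), and on a host without the file the `source` fails, which would abort the build if the script runs under `set -e`. The `case "$ID"` also only matches `fedora | centos | rhel`, so RHEL derivatives that report e.g. `ID=rocky` with `ID_LIKE="rhel centos fedora"` would still receive `--security-opt apparmor=unconfined`, the very option the message says breaks podman on those hosts. What the comment actually cares about is whether AppArmor is loaded, so checking `/sys/module/apparmor/parameters/enabled` directly is both more accurate and avoids parsing os-release; the inner comments should also be fixed (`where AppArmor is not installed`, `An explicit check`). The rewritten branch below replaces the nested case; the outer `*)` branch and the end of docker_extra_args() are unchanged.
```shell
	debian | ubuntu | suse)
		# AppArmor's docker-default profile blocks mounting inside the container
		# (see https://github.com/moby/moby/issues/16429). Only relax it when
		# AppArmor is actually loaded on the host: passing the option on hosts
		# without AppArmor (Fedora/RHEL/CentOS, podman) is what broke the build.
		if [ -r /sys/module/apparmor/parameters/enabled ] && \
		   [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]; then
			args+=" --security-opt apparmor=unconfined"
		fi
		;;
```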
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index dc53653212..4d69e89d94 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -189,7 +189,7 @@ docker_extra_args() args+=" --cap-add MKNOD" case "$1" in - gentoo) + gentoo) # Required to build glibc args+=" --cap-add SYS_PTRACE" # mount portage volume