Hello!

I am currently working on integrating the various qubes components with oss-fuzz (as part of my GSoC project). That requires the components to be built inside a docker container.

I have successfully been able to write the Dockerfile (the travis builds helped) and with a few tweaks, am able to build the individual components locally through the qubes-builder running inside the container. However, the regular build process requires the containers to be run with the "--privileged" option because the qubes-builder uses commands like mount while interacting with the chroot. Running the containers in privileged mode doesn't seem to be an option in oss-fuzz [1].

@jpo gave some suggestions:

1. Using proot [2] instead of chroot and mount. I still have to try it out. Basically that would involve changing all the chroot commands with "proot -r" and the mount commands with "proot -b", right? Also, we'll have to take care of handling umount while cleaning the build.

2. Ignoring the mounts and see what breaks: I removed all the mount instructions from the qubes-builder (and the builder plugin) to test this. The dependencies for the component do not get installed and so it doesn't get built. This is the error I get:

    Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary]
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    /home/user/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:106: recipe for target 'dist-build-dep' failed
    make[2]: *** [dist-build-dep] Error 1
    --> build failed!
    Makefile.generic:147: recipe for target 'packages' failed
    make[1]: *** [packages] Error 1
    Makefile:209: recipe for target 'linux-utils-vm' failed
    make: *** [linux-utils-vm] Error 1

Is it possible to circumvent the mounts somehow?

3. Drop the chroot entirely.
If it is possible to build the components directly, I think it would be best considering what I know of the oss-fuzz environment.

@marmarek, how do you think we should go ahead with this?

Regards,
Paras Chetal

[1]: https://github.com/google/oss-fuzz/blob/master/infra/helper.py#L215
[2]: https://github.com/proot-me/PRoot
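
Suggestion 1 as an added sketch, not part of the original message and not qubes-builder code: a shell function that rewrites a list of `mount --bind` commands into the `-r`/`-b` arguments of one unprivileged proot invocation. The chroot path, the mount list and the name `to_proot_args` are hypothetical, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not qubes-builder code): turn the bind mounts a chroot build
# performs into the arguments of a single unprivileged proot invocation.
# Assumption: mounts are plain "mount --bind SRC DST" lines, paths w/o spaces.

# Constructed sample input; the chroot path and mount list are hypothetical.
SAMPLE_ROOT=/tmp/chroot-fc25
SAMPLE_MOUNTS='mount --bind /proc /tmp/chroot-fc25/proc
mount --bind /home/user/qubes-src /tmp/chroot-fc25/home/user/qubes-src'

# to_proot_args ROOT  -- reads mount commands on stdin, prints proot arguments.
to_proot_args() {
    root=${1%/}                      # normalise a trailing slash
    args="-r $root"
    while read -r cmd opt src dst; do
        if [ -z "$cmd" ]; then continue; fi
        # Anything other than a bind mount needs a manual decision.
        if [ "$cmd" != mount ] || [ "$opt" != --bind ] || [ -z "$dst" ]; then
            echo "unsupported line: $cmd $opt $src $dst" >&2
            return 1
        fi
        case $dst in
            # proot wants the target as seen from inside the new root.
            "$root"/*) guest=${dst#"$root"} ;;
            *) echo "target outside $root: $dst" >&2; return 1 ;;
        esac
        args="$args -b $src:$guest"
    done
    printf '%s\n' "$args"
}

# Show the command that would replace the mount + chroot sequence.
printf 'proot %s /bin/sh\n' \
    "$(printf '%s\n' "$SAMPLE_MOUNTS" | to_proot_args "$SAMPLE_ROOT")"
```

PRoot applies its bindings only to the process it launches, so nothing stays mounted afterwards and no umount step is involved.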
