Re: x32 builder has network access

2023-01-18 Thread Jan Palus
On 18.01.2023 16:48, Jakub Bogusz wrote:
> On Wed, Jan 18, 2023 at 01:02:34PM +0100, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> > On 18.01.2023 09:56, Jan Palus wrote:
> > >On 18.01.2023 07:54, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> > >>On 17.01.2023 12:23, Jan Palus wrote:
> > >>>Noticed during build of kodi-addon-inputstream-adaptive that contrary to
> > >>>x86_64 and i686, x32 builder downloaded external sources successfully:
> > >>
> > >>bind was installed there and seems that even if there is no access to
> > >>/etc/resolv.conf glibc falls back to querying 127.0.0.1:53
> > >>
> > >>Uninstalled.
> > >>
> > >>The best would be to change UID of "builder" user used inside of chroot
> > >>and drop all outgoing packets coming from it at iptables level.
> > >
> > >Or perhaps modify pld-builder to make each rpmbuild invocation in a new
> > >network namespace via `unshare -n -c`. That would effectively cut whole
> > >network for the process.
> > 
> > We can try that... committed.
> 
> i686 and x86_64 say:
> "unshare: unshare failed: Operation not permitted"

Unfortunately it appears it's not possible to create user namespaces in
a chroot:

   EPERM (since Linux 3.9)
          CLONE_NEWUSER was specified in flags and the caller is in a chroot
          environment (i.e., the caller's root directory does not match the
          root directory of the mount namespace in which it resides).
___
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
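The three mechanisms discussed in this thread (glibc's 127.0.0.1 resolver fallback, the `unshare -n -c` approach and its EPERM in a chroot, and the iptables-by-UID fallback) as one small POSIX sh script. This is an added example written for this page, not pld-builder code or anything from the PLD project; the UID 1234, the temporary file names and the sample resolv.conf contents are made up for the demo.

```sh
#!/bin/sh
# Added example for this thread, not pld-builder code. Three helpers an
# operator of a chroot-based build farm can use around the issue above:
#  - resolv_nameservers: what glibc's stub resolver will actually query
#    (the 127.0.0.1 fallback is why a local bind leaked the network);
#  - can_unshare_net: whether `unshare -n -c` works from here (it fails with
#    EPERM for CLONE_NEWUSER when the caller is in a chroot);
#  - uid_drop_rules: the packet-filter fallback, one rule per address family.
# UID 1234 and the file paths in demo() are made up for the demo.

# Print the nameservers glibc would use for the given resolv.conf path.
# Per resolv.conf(5): if the file is unreadable or has no "nameserver"
# keyword, the resolver uses the name server on the local machine, 127.0.0.1.
resolv_nameservers() {
    ns=""
    if [ -r "$1" ]; then
        # glibc honours at most three nameserver entries (MAXNS).
        ns=$(awk '$1 == "nameserver" && n < 3 { print $2; n++ }' "$1")
    fi
    [ -n "$ns" ] || ns="127.0.0.1"
    printf '%s\n' "$ns"
}

# Exit status: 0 = a new user+net namespace can be created here (the approach
# committed in the thread would isolate the build); 1 = the kernel or this
# unshare refuses (EPERM in a chroot, user namespaces disabled, or a
# util-linux too old for -c); 2 = unshare is not installed.
can_unshare_net() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -n -c true >/dev/null 2>&1 || return 1
    return 0
}

# Print the iptables fallback proposed in the thread: drop everything the
# builder UID sends, including to 127.0.0.1, so a local resolver cannot be
# reached either. The output is meant to be reviewed and then run as root.
uid_drop_rules() {
    for cmd in iptables ip6tables; do
        printf '%s -A OUTPUT -m owner --uid-owner %s -j DROP\n' "$cmd" "$1"
    done
}

# Demo on constructed input; nothing here touches the real /etc/resolv.conf.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'nameserver 10.0.0.53\nnameserver 10.0.0.54\n' > "$tmp/resolv.conf"
    : > "$tmp/resolv.conf.empty"
    echo "configured:   $(resolv_nameservers "$tmp/resolv.conf" | tr '\n' ' ')"
    echo "empty file:   $(resolv_nameservers "$tmp/resolv.conf.empty")"
    echo "missing file: $(resolv_nameservers "$tmp/does-not-exist")"
    can_unshare_net && echo "unshare -n -c: works here" \
                    || echo "unshare -n -c: refused (status $?)"
    uid_drop_rules 1234
    rm -rf "$tmp"
}

demo
```

Two caveats for anyone applying this. The chroot EPERM quoted above is specific to CLONE_NEWUSER; a plain `unshare -n` (no `-c`, so no user namespace) only needs CAP_SYS_ADMIN, so a builder that invokes rpmbuild as root can still get a fresh network namespace from inside the chroot. And DROP, as proposed in the thread, makes a misbehaving build wait for every connect timeout; REJECT makes it fail immediately, which is usually what you want on a build farm.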


Re: x32 builder has network access

2023-01-18 Thread Jakub Bogusz
On Wed, Jan 18, 2023 at 01:02:34PM +0100, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> On 18.01.2023 09:56, Jan Palus wrote:
> >On 18.01.2023 07:54, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> >>On 17.01.2023 12:23, Jan Palus wrote:
> >>>Noticed during build of kodi-addon-inputstream-adaptive that contrary to
> >>>x86_64 and i686, x32 builder downloaded external sources successfully:
> >>
> >>bind was installed there and seems that even if there is no access to
> >>/etc/resolv.conf glibc falls back to querying 127.0.0.1:53
> >>
> >>Uninstalled.
> >>
> >>The best would be to change UID of "builder" user used inside of chroot
> >>and drop all outgoing packets coming from it at iptables level.
> >
> >Or perhaps modify pld-builder to make each rpmbuild invocation in a new
> >network namespace via `unshare -n -c`. That would effectively cut whole
> >network for the process.
> 
> We can try that... committed.

i686 and x86_64 say:
"unshare: unshare failed: Operation not permitted"

Still waiting for x32 (seems busy with openjdks).


-- 
Jakub Bogusz  http://qboosh.pl/


Re: x32 builder has network access

2023-01-18 Thread Arkadiusz Miśkiewicz via pld-devel-en

On 18.01.2023 09:56, Jan Palus wrote:
> On 18.01.2023 07:54, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> > On 17.01.2023 12:23, Jan Palus wrote:
> > > Noticed during build of kodi-addon-inputstream-adaptive that contrary to
> > > x86_64 and i686, x32 builder downloaded external sources successfully:
> > 
> > bind was installed there and seems that even if there is no access to
> > /etc/resolv.conf glibc falls back to querying 127.0.0.1:53
> > 
> > Uninstalled.
> > 
> > The best would be to change UID of "builder" user used inside of chroot
> > and drop all outgoing packets coming from it at iptables level.
> 
> Or perhaps modify pld-builder to make each rpmbuild invocation in a new
> network namespace via `unshare -n -c`. That would effectively cut whole
> network for the process.

We can try that... committed.

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



Re: x32 builder has network access

2023-01-18 Thread Jan Palus
On 18.01.2023 07:54, Arkadiusz Miśkiewicz via pld-devel-en wrote:
> On 17.01.2023 12:23, Jan Palus wrote:
> > Noticed during build of kodi-addon-inputstream-adaptive that contrary to
> > x86_64 and i686, x32 builder downloaded external sources successfully:
> 
> bind was installed there and seems that even if there is no access to
> /etc/resolv.conf glibc falls back to querying 127.0.0.1:53
> 
> Uninstalled.
> 
> The best would be to change UID of "builder" user used inside of chroot
> and drop all outgoing packets coming from it at iptables level.

Or perhaps modify pld-builder to make each rpmbuild invocation in a new
network namespace via `unshare -n -c`. That would effectively cut whole
network for the process.


Re: x32 builder has network access

2023-01-17 Thread Arkadiusz Miśkiewicz via pld-devel-en

On 17.01.2023 12:23, Jan Palus wrote:
> Noticed during build of kodi-addon-inputstream-adaptive that contrary to
> x86_64 and i686, x32 builder downloaded external sources successfully:

bind was installed there and seems that even if there is no access to
/etc/resolv.conf glibc falls back to querying 127.0.0.1:53

Uninstalled.

The best would be to change UID of "builder" user used inside of chroot
and drop all outgoing packets coming from it at iptables level.

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



x32 builder has network access

2023-01-17 Thread Jan Palus
Noticed during build of kodi-addon-inputstream-adaptive that contrary to
x86_64 and i686, x32 builder downloaded external sources successfully:

[ 2%] Performing download step (download, verify and extract) for 'bento4'
cd /tmp/B.77a99ah0/BUILD/inputstream.adaptive-20.3.2-Nexus/build/bento4/src && /usr/bin/cmake -P /tmp/B.77a99ah0/BUILD/inputstream.adaptive-20.3.2-Nexus/build/bento4/src/bento4-stamp/download-bento4.cmake
-- Downloading...
dst='/tmp/B.77a99ah0/BUILD/inputstream.adaptive-20.3.2-Nexus/build/download/1.6.0-639-5-Nexus.tar.gz'
timeout='none'
inactivity timeout='none'
-- Using src='https://github.com/xbmc/Bento4/archive/refs/tags/1.6.0-639-5-Nexus.tar.gz'
-- Downloading... done