Skip to content

Commit

Permalink
enable loopback adapter in hermetic unshare namespace
Browse files Browse the repository at this point in the history 
Bazel uses a client server architecture to execute even when
performing network isolated builds.It works fine as long as there
is any adapter, even a loopback addapter. The default unshare env
has a loopback device [lo] but it is DOWN by default. This PR
brings lo UP in the unshare environment so that hermetic Bazel
builds will work.
  • Loading branch information
@brianwcook
brianwcook committed Oct 23, 2024
1 parent 7170872 commit 9816995
Show file tree
Hide file tree
Showing 4 changed files with 112 additions and 48 deletions.
40 changes: 28 additions & 12 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -350,10 +350,12 @@ spec:
)
BUILDAH_ARGS=()
UNSHARE_ARGS=()
if [ "${HERMETIC}" == "true" ]; then
BUILDAH_ARGS+=("--pull=never")
UNSHARE_ARGS="--net"
UNSHARE_ARGS+=("--net")
for image in $BASE_IMAGES; do
unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
done
Expand All @@ -378,10 +380,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS=()
if [ -f "/var/workdir/cachi2/cachi2.env" ]; then
cp -r "/var/workdir/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand All @@ -408,7 +412,7 @@ spec:
if [ -d "${YUM_REPOS_D_FETCHED}" ]; then
chmod -R go+rwX ${YUM_REPOS_D_FETCHED}
mount_point=$(realpath ${YUM_REPOS_D_FETCHED})
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}"
VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}")
fi
DEFAULT_LABELS=(
Expand All @@ -432,12 +436,12 @@ spec:
if [ -e /activation-key/org ]; then
cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
mkdir /shared/rhsm-tmp
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z"
VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z)
echo "Adding activation key to the build"
elif find /entitlement -name "*.pem" >>null; then
cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
echo "Adding the entitlement to the build"
fi
Expand All @@ -454,13 +458,25 @@ spec:
# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
declare IMAGE
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
-f "$dockerfile_copy" -t "$IMAGE" .
buildah_cmd_array=(
buildah build
"${VOLUME_MOUNTS[@]}"
"${BUILDAH_ARGS[@]}"
"${LABELS[@]}"
--tls-verify="$TLSVERIFY" --no-cache
--ulimit nofile=4096:4096
-f "$dockerfile_copy" -t "$IMAGE" .
)
buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
if [ "${HERMETIC}" == "true" ]; then
# enabling loopback adapter enables Bazel builds to work in hermetic mode.
command="ip link set lo up && $buildah_cmd"
else
command="$buildah_cmd"
fi
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
Expand Down
40 changes: 28 additions & 12 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -384,10 +384,12 @@ spec:
)
BUILDAH_ARGS=()
UNSHARE_ARGS=()
if [ "${HERMETIC}" == "true" ]; then
BUILDAH_ARGS+=("--pull=never")
UNSHARE_ARGS="--net"
UNSHARE_ARGS+=("--net")
for image in $BASE_IMAGES; do
unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
done
Expand All @@ -412,10 +414,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS=()
if [ -f "/var/workdir/cachi2/cachi2.env" ]; then
cp -r "/var/workdir/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand All @@ -442,7 +446,7 @@ spec:
if [ -d "${YUM_REPOS_D_FETCHED}" ]; then
chmod -R go+rwX ${YUM_REPOS_D_FETCHED}
mount_point=$(realpath ${YUM_REPOS_D_FETCHED})
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}"
VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}")
fi
DEFAULT_LABELS=(
Expand All @@ -466,12 +470,12 @@ spec:
if [ -e /activation-key/org ]; then
cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
mkdir /shared/rhsm-tmp
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z"
VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z)
echo "Adding activation key to the build"
elif find /entitlement -name "*.pem" >>null; then
cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
echo "Adding the entitlement to the build"
fi
Expand All @@ -488,13 +492,25 @@ spec:
# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
declare IMAGE
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
-f "$dockerfile_copy" -t "$IMAGE" .
buildah_cmd_array=(
buildah build
"${VOLUME_MOUNTS[@]}"
"${BUILDAH_ARGS[@]}"
"${LABELS[@]}"
--tls-verify="$TLSVERIFY" --no-cache
--ulimit nofile=4096:4096
-f "$dockerfile_copy" -t "$IMAGE" .
)
buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
if [ "${HERMETIC}" == "true" ]; then
# enabling loopback adapter enables Bazel builds to work in hermetic mode.
command="ip link set lo up && $buildah_cmd"
else
command="$buildah_cmd"
fi
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
Expand Down
40 changes: 28 additions & 12 deletions task/buildah-remote/0.2/buildah-remote.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -360,10 +360,12 @@ spec:
)
BUILDAH_ARGS=()
UNSHARE_ARGS=()
if [ "${HERMETIC}" == "true" ]; then
BUILDAH_ARGS+=("--pull=never")
UNSHARE_ARGS="--net"
UNSHARE_ARGS+=("--net")
for image in $BASE_IMAGES; do
unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
done
Expand All @@ -388,10 +390,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS=()
if [ -f "$(workspaces.source.path)/cachi2/cachi2.env" ]; then
cp -r "$(workspaces.source.path)/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand All @@ -418,7 +422,7 @@ spec:
if [ -d "${YUM_REPOS_D_FETCHED}" ]; then
chmod -R go+rwX ${YUM_REPOS_D_FETCHED}
mount_point=$(realpath ${YUM_REPOS_D_FETCHED})
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}"
VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}")
fi
DEFAULT_LABELS=(
Expand All @@ -442,12 +446,12 @@ spec:
if [ -e /activation-key/org ]; then
cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
mkdir /shared/rhsm-tmp
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z"
VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z)
echo "Adding activation key to the build"
elif find /entitlement -name "*.pem" >> null; then
cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
echo "Adding the entitlement to the build"
fi
Expand All @@ -464,13 +468,25 @@ spec:
# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
declare IMAGE
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
-f "$dockerfile_copy" -t "$IMAGE" .
buildah_cmd_array=(
buildah build
"${VOLUME_MOUNTS[@]}"
"${BUILDAH_ARGS[@]}"
"${LABELS[@]}"
--tls-verify="$TLSVERIFY" --no-cache
--ulimit nofile=4096:4096
-f "$dockerfile_copy" -t "$IMAGE" .
)
buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
if [ "${HERMETIC}" == "true" ]; then
# enabling loopback adapter enables Bazel builds to work in hermetic mode.
command="ip link set lo up && $buildah_cmd"
else
command="$buildah_cmd"
fi
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
Expand Down
40 changes: 28 additions & 12 deletions task/buildah/0.2/buildah.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -281,10 +281,12 @@ spec:
)
BUILDAH_ARGS=()
UNSHARE_ARGS=()
if [ "${HERMETIC}" == "true" ]; then
BUILDAH_ARGS+=("--pull=never")
UNSHARE_ARGS="--net"
UNSHARE_ARGS+=("--net")
for image in $BASE_IMAGES; do
unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
done
Expand All @@ -309,10 +311,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS=()
if [ -f "$(workspaces.source.path)/cachi2/cachi2.env" ]; then
cp -r "$(workspaces.source.path)/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand All @@ -339,7 +343,7 @@ spec:
if [ -d "${YUM_REPOS_D_FETCHED}" ]; then
chmod -R go+rwX ${YUM_REPOS_D_FETCHED}
mount_point=$(realpath ${YUM_REPOS_D_FETCHED})
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}"
VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}")
fi
DEFAULT_LABELS=(
Expand All @@ -363,12 +367,12 @@ spec:
if [ -e /activation-key/org ]; then
cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
mkdir /shared/rhsm-tmp
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z"
VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z)
echo "Adding activation key to the build"
elif find /entitlement -name "*.pem" >> null; then
cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
echo "Adding the entitlement to the build"
fi
Expand All @@ -385,13 +389,25 @@ spec:
# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
declare IMAGE
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
-f "$dockerfile_copy" -t "$IMAGE" .
buildah_cmd_array=(
buildah build
"${VOLUME_MOUNTS[@]}"
"${BUILDAH_ARGS[@]}"
"${LABELS[@]}"
--tls-verify="$TLSVERIFY" --no-cache
--ulimit nofile=4096:4096
-f "$dockerfile_copy" -t "$IMAGE" .
)
buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
if [ "${HERMETIC}" == "true" ]; then
# enabling loopback adapter enables Bazel builds to work in hermetic mode.
command="ip link set lo up && $buildah_cmd"
else
command="$buildah_cmd"
fi
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
Expand Down

0 comments on commit 9816995

Please sign in to comment.