rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.
GNU General Public License v2.0

Cannot --init in a Docker container with --new-chroot #192

Open oogali opened 6 years ago

oogali commented 6 years ago

Short description of the problem

@xsuchy I have a similar issue to #96, if not the same issue, despite adding the SYS_ADMIN capability. However, I have not tried the --old-chroot option that @shanemcd mentioned in that issue.

Output of rpm -q mock

[root@85f189912d69 /]# rpm -q mock
mock-1.4.10-1.el7.noarch

Steps to reproduce issue

  1. Build a Docker image
  2. Run mock ... --init
  3. Pout at the computer screen

Do not forget to mention the full command line with the mock command you executed.

Any additional notes

I'll jump to the core of the issue (rather than including several hundred lines of mock/yum installing packages).

[root@24b9a6033d5d /]# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

[root@24b9a6033d5d /]# /usr/bin/systemd-nspawn -q -M 1a1b2bafa6594d95a7345238c6630c8a -D /var/lib/mock/epel-7-x86_64/root --setenv=LANG=en_US.UTF-8 --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOSTNAME=mock --setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007" --setenv=HOME=/builddir --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PS1='<mock-chroot> \s-\v\$'  /usr/sbin/groupadd -g 135 mock
Not running on a systemd system.

And this is the Dockerfile I'm using to build my image:

FROM centos:7

RUN yum install -y epel-release && \
    yum install -y lbzip2 mock mock-scm nosync pigz && \
    yum clean all && \
    rm -rf /var/cache/yum

COPY site-defaults.cfg /etc/mock/

RUN useradd -m -G mock -s /bin/bash builder

VOLUME ["/var/lib/mock"]

COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]

USER builder

The entrypoint is nothing fancy, just this:

#!/bin/sh

set -eu

# Send stderr to stdout so all mock output ends up in the container log.
exec 2>&1

# Quote the expansions so TARGET_PLATFORM and the arguments survive word splitting.
exec mock -r "${TARGET_PLATFORM}" "$@"

[root@85f189912d69 /]# mock --debug-config
INFO: mock.py version 1.4.10 starting (python version = 2.7.5)...
Start: init plugins
INFO: selinux disabled
Finish: init plugins
Start: run
config_opts['backup_base_dir'] = '/var/lib/mock/backup'
config_opts['backup_on_clean'] = False
config_opts['basedir'] = '/var/lib/mock'
config_opts['build_log_fmt_name'] = 'unadorned'
config_opts['build_log_fmt_str'] = '%(message)s'
config_opts['cache_alterations'] = False
config_opts['cache_topdir'] = '/var/cache/mock'
config_opts['check'] = True
config_opts['chroot_name'] = 'default'
config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
config_opts['chrootgid'] = 135
config_opts['chrootgroup'] = 'mock'
config_opts['chroothome'] = '/builddir'
config_opts['chrootuid'] = 0
config_opts['clean'] = True
config_opts['cleanup_on_failure'] = False
config_opts['cleanup_on_success'] = False
config_opts['config_file'] = '/etc/mock/default.cfg'
config_opts['config_paths'] = ['/etc/mock/site-defaults.cfg',
 '/etc/mock/site-defaults.cfg',
 '/etc/mock/default.cfg',
 '/etc/mock/epel-7-x86_64.cfg']
config_opts['createrepo_command'] = '/usr/bin/createrepo_c -d -q -x *.src.rpm'
config_opts['createrepo_on_rpms'] = False
config_opts['dist'] = 'el7'
config_opts['dnf_command'] = '/usr/bin/dnf'
config_opts['dnf_install_command'] = 'install dnf dnf-plugins-core distribution-gpg-keys'
config_opts['enable_disable_repos'] = []
config_opts['environment'] = {'HOME': '/builddir',
 'HOSTNAME': 'mock',
 'LANG': 'en_US.UTF-8',
 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin',
 'PROMPT_COMMAND': 'printf "\\033]0;<mock-chroot>\\007"',
 'PS1': '<mock-chroot> \\s-\\v\\$ ',
 'SHELL': '/bin/bash',
 'TERM': 'vt100'}
config_opts['exclude_from_homedir_cleanup'] = ['build/SOURCES', '.bash_history', '.bashrc']
config_opts['extra_chroot_dirs'] = []
config_opts['files'] = {'etc/hosts': '127.0.0.1 localhost localhost.localdomain\n::1       localhost localhost.localdomain localhost6 localhost6.localdomain6\n'}
config_opts['hostname'] = None
config_opts['internal_dev_setup'] = True
config_opts['legal_host_arches'] = ('x86_64',)
config_opts['log_config_file'] = 'logging.ini'
config_opts['macros'] = {'%__bzip2': '/usr/bin/lbzip2',
 '%__gzip': '/usr/bin/pigz',
 '%_buildhost': '85f189912d69',
 '%_rpmfilename': '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm',
 '%_smp_mflags': '-j2',
 '%_topdir': '/builddir/build'}
config_opts['module_enable'] = []
config_opts['module_install'] = []
config_opts['more_buildreqs'] = {}
config_opts['no_root_shells'] = False
config_opts['nosync'] = False
config_opts['nosync_force'] = False
config_opts['nspawn_args'] = []
config_opts['online'] = True
config_opts['opstimeout'] = 0
config_opts['package_manager'] = 'yum'
config_opts['plugin_conf'] = {'bind_mount_enable': True,
 'bind_mount_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                     'cache_topdir': '/var/cache/mock',
                     'cachedir': '/var/cache/mock/epel-7-x86_64',
                     'create_dirs': False,
                     'dirs': [],
                     'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                     'root': 'epel-7-x86_64'},
 'ccache_enable': False,
 'ccache_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                 'cache_topdir': '/var/cache/mock',
                 'cachedir': '/var/cache/mock/epel-7-x86_64',
                 'compress': None,
                 'dir': '%(cache_topdir)s/%(root)s/ccache/u%(chrootuid)s/',
                 'max_cache_size': '4G',
                 'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                 'root': 'epel-7-x86_64'},
 'chroot_scan_enable': False,
 'chroot_scan_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                      'cache_topdir': '/var/cache/mock',
                      'cachedir': '/var/cache/mock/epel-7-x86_64',
                      'only_failed': True,
                      'regexes': ['^[^k]?core(\\.\\d+)?$', '\\.log$'],
                      'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                      'root': 'epel-7-x86_64'},
 'hw_info_enable': True,
 'hw_info_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                  'cache_topdir': '/var/cache/mock',
                  'cachedir': '/var/cache/mock/epel-7-x86_64',
                  'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                  'root': 'epel-7-x86_64'},
 'lvm_root_enable': False,
 'lvm_root_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                   'cache_topdir': '/var/cache/mock',
                   'cachedir': '/var/cache/mock/epel-7-x86_64',
                   'pool_name': 'mockbuild',
                   'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                   'root': 'epel-7-x86_64'},
 'mount_enable': False,
 'mount_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                'cache_topdir': '/var/cache/mock',
                'cachedir': '/var/cache/mock/epel-7-x86_64',
                'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                'root': 'epel-7-x86_64'},
 'overlayfs_enable': False,
 'overlayfs_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                    'cache_topdir': '/var/cache/mock',
                    'cachedir': '/var/cache/mock/epel-7-x86_64',
                    'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                    'root': 'epel-7-x86_64'},
 'package_state_enable': False,
 'package_state_opts': {'available_pkgs': False,
                        'basedir': '/var/lib/mock/epel-7-x86_64',
                        'cache_topdir': '/var/cache/mock',
                        'cachedir': '/var/cache/mock/epel-7-x86_64',
                        'installed_pkgs': True,
                        'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                        'root': 'epel-7-x86_64'},
 'pm_request_enable': False,
 'pm_request_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                     'cache_topdir': '/var/cache/mock',
                     'cachedir': '/var/cache/mock/epel-7-x86_64',
                     'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                     'root': 'epel-7-x86_64'},
 'root_cache_enable': True,
 'root_cache_opts': {'age_check': True,
                     'basedir': '/var/lib/mock/epel-7-x86_64',
                     'cache_topdir': '/var/cache/mock',
                     'cachedir': '/var/cache/mock/epel-7-x86_64',
                     'compress_program': 'pigz',
                     'dir': '%(cache_topdir)s/%(root)s/root_cache/',
                     'exclude_dirs': ['./proc',
                                      './sys',
                                      './dev',
                                      './tmp/ccache',
                                      './var/cache/yum',
                                      './var/cache/dnf'],
                     'extension': '.gz',
                     'max_age_days': 15,
                     'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                     'root': 'epel-7-x86_64'},
 'selinux_enable': True,
 'selinux_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                  'cache_topdir': '/var/cache/mock',
                  'cachedir': '/var/cache/mock/epel-7-x86_64',
                  'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                  'root': 'epel-7-x86_64'},
 'sign_enable': False,
 'sign_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
               'cache_topdir': '/var/cache/mock',
               'cachedir': '/var/cache/mock/epel-7-x86_64',
               'cmd': 'rpmsign',
               'opts': '--addsign %(rpms)s',
               'resultdir': '/var/lib/mock/epel-7-x86_64/result',
               'root': 'epel-7-x86_64'},
 'tmpfs_enable': False,
 'tmpfs_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                'cache_topdir': '/var/cache/mock',
                'cachedir': '/var/cache/mock/epel-7-x86_64',
                'keep_mounted': False,
                'max_fs_size': None,
                'mode': '0755',
                'required_ram_mb': 900,
                'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                'root': 'epel-7-x86_64'},
 'yum_cache_enable': True,
 'yum_cache_opts': {'basedir': '/var/lib/mock/epel-7-x86_64',
                    'cache_topdir': '/var/cache/mock',
                    'cachedir': '/var/cache/mock/epel-7-x86_64',
                    'dir': '%(cache_topdir)s/%(root)s/%(package_manager)s_cache/',
                    'max_age_days': 30,
                    'max_metadata_age_days': 30,
                    'online': True,
                    'package_manager': 'yum',
                    'resultdir': '/var/lib/mock/epel-7-x86_64/result',
                    'root': 'epel-7-x86_64',
                    'target_dir': '/var/cache/%(package_manager)s/'}}
config_opts['plugin_dir'] = '/usr/lib/python2.7/site-packages/mockbuild/plugins'
config_opts['plugins'] = ['tmpfs',
 'root_cache',
 'yum_cache',
 'bind_mount',
 'ccache',
 'selinux',
 'package_state',
 'chroot_scan',
 'lvm_root',
 'compress_logs',
 'sign',
 'pm_request',
 'hw_info',
 'mount',
 'overlayfs']
config_opts['post_install'] = False
config_opts['print_main_output'] = True
config_opts['priorities.conf'] = '\n[main]\nenabled=0'
config_opts['releasever'] = '7'
config_opts['resultdir'] = '%(basedir)s/%(root)s/result'
config_opts['rhnplugin.conf'] = '\n[main]\nenabled=0'
config_opts['root'] = 'epel-7-x86_64'
config_opts['root_log_fmt_name'] = 'detailed'
config_opts['root_log_fmt_str'] = '%(levelname)s %(filename)s:%(lineno)d:  %(message)s'
config_opts['rpm_command'] = '/bin/rpm'
config_opts['rpmbuild_arch'] = 'x86_64'
config_opts['rpmbuild_command'] = '/usr/bin/rpmbuild'
config_opts['rpmbuild_networking'] = False
config_opts['rpmbuild_timeout'] = 0
config_opts['scm'] = False
config_opts['scm_opts'] = {'cvs_get': 'cvs -d /srv/cvs co SCM_BRN SCM_PKG',
 'distgit_get': 'rpkg clone -a --branch SCM_BRN SCM_PKG SCM_PKG',
 'distgit_src_get': 'rpkg sources',
 'exclude_vcs': True,
 'ext_src_dir': '/dev/null',
 'git_get': 'git clone SCM_BRN git://localhost/SCM_PKG.git SCM_PKG',
 'git_timestamps': False,
 'method': 'git',
 'spec': 'SCM_PKG.spec',
 'svn_get': 'svn co file:///srv/svn/SCM_PKG/SCM_BRN SCM_PKG',
 'write_tar': False}
config_opts['state_log_fmt_name'] = 'state'
config_opts['state_log_fmt_str'] = '%(asctime)s - %(message)s'
config_opts['subscription-manager.conf'] = ''
config_opts['system_dnf_command'] = '/usr/bin/dnf'
config_opts['system_yum_command'] = '/usr/bin/yum'
config_opts['target_arch'] = 'x86_64'
config_opts['update_before_build'] = True
config_opts['use_bootstrap_container'] = False
config_opts['use_container_host_hostname'] = True
config_opts['use_host_resolv'] = False
config_opts['use_nspawn'] = True
config_opts['useradd'] = '/usr/sbin/useradd -o -m -u %(uid)s -g %(gid)s -d %(home)s -n %(user)s'
config_opts['verbose'] = 1
config_opts['version'] = '1.4.10'
config_opts['yum.conf'] = '\n[main]\nkeepcache=1\ndebuglevel=2\nreposdir=/dev/null\nlogfile=/var/log/yum.log\nretries=20\nobsoletes=1\ngpgcheck=0\nassumeyes=1\nsyslog_ident=mock\nsyslog_device=\nmdpolicy=group:primary\nbest=1\n\n# repos\n[base]\nname=BaseOS\nmirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os\nfailovermethod=priority\ngpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7\ngpgcheck=1\nskip_if_unavailable=False\n\n[updates]\nname=updates\nenabled=1\nmirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=updates\nfailovermethod=priority\ngpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7\ngpgcheck=1\nskip_if_unavailable=False\n\n[epel]\nname=epel\nmirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-7&arch=x86_64\nfailovermethod=priority\ngpgkey=file:///usr/share/distribution-gpg-keys/epel/RPM-GPG-KEY-EPEL-7\ngpgcheck=1\nskip_if_unavailable=False\n\n[extras]\nname=extras\nmirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=extras\nfailovermethod=priority\ngpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7\ngpgcheck=1\nskip_if_unavailable=False\n\n[sclo]\nname=sclo\nbaseurl=http://mirror.centos.org/centos/7/sclo/x86_64/sclo/\ngpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-SIG-SCLo\ngpgcheck=1\nincludepkgs=devtoolset*\nskip_if_unavailable=False\n\n[sclo-rh]\nname=sclo-rh\nbaseurl=http://mirror.centos.org/centos/7/sclo/x86_64/rh/\ngpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-SIG-SCLo\ngpgcheck=1\nincludepkgs=devtoolset*\nskip_if_unavailable=False\n\n[testing]\nname=epel-testing\nenabled=0\nmirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel7&arch=x86_64\nfailovermethod=priority\nskip_if_unavailable=False\n\n[local]\nname=local\nbaseurl=https://kojipkgs.fedoraproject.org/repos/epel7-build/latest/x86_64/\ncost=2000\nenabled=0\nskip_if_unavailable=False\n\n[epel-debuginfo]\nname=epel-debug\nmirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-7&arch=x86_64\nfailovermethod=priority\nenabled=0\nskip_if_unavailable=False\n'
config_opts['yum_builddep_command'] = '/usr/bin/yum-builddep'
config_opts['yum_builddep_opts'] = []
config_opts['yum_command'] = '/usr/bin/yum'
config_opts['yum_common_opts'] = []
config_opts['yum_install_command'] = 'install yum yum-utils shadow-utils distribution-gpg-keys'
Finish: run

oneumyvakin commented 6 years ago

I've faced the same issue and found a solution by disabling nspawn in the config like this: echo "config_opts['use_nspawn'] = False" >> /etc/mock/site-defaults.cfg

It would be nice to describe this in the docs, in the Docker section.
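
As an added example (not code from the mock project or from anyone in this thread), the entrypoint below selects the mock chroot backend at container start instead of hard-coding it: it detects whether systemd-nspawn can run at all (nspawn's "Not running on a systemd system." check comes from libsystemd's sd_booted(), which looks for the directory /run/systemd/system), and it rewrites the use_nspawn line in /etc/mock/site-defaults.cfg idempotently, so repeated container starts do not pile up duplicate assignments the way the `>>` one-liner does. The root-directory parameter of the check and the entrypoint filename guard are assumptions added for testability.

```shell
#!/bin/sh
# Added example, not part of the mock project: choose mock's chroot backend
# at container start and record it in a mock config file without duplicates.
set -eu

# systemd-nspawn refuses to start unless the host looks booted with systemd,
# which libsystemd's sd_booted() detects via the directory /run/systemd/system.
# $1 is the root to inspect (default "/"); the parameter exists for testing.
nspawn_usable() {
    root="${1:-/}"
    [ -d "${root%/}/run/systemd/system" ]
}

# Print the value use_nspawn should get for root $1: "True" or "False".
choose_use_nspawn() {
    if nspawn_usable "${1:-/}"; then echo True; else echo False; fi
}

# Write config_opts['use_nspawn'] = $2 into mock config file $1, replacing
# any earlier assignment instead of appending another copy.
set_use_nspawn() {
    cfg="$1"; value="$2"
    tmp="$(mktemp)"
    # Keep every line except previous use_nspawn assignments; grep exits 1
    # when nothing is left, which is not an error here.
    [ -f "$cfg" ] && grep -v "^config_opts\['use_nspawn'\]" "$cfg" > "$tmp" || :
    echo "config_opts['use_nspawn'] = ${value}" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Entrypoint usage: pick the backend, then run mock as in the thread's
# docker-entrypoint.sh (TARGET_PLATFORM names the mock config, e.g. epel-7-x86_64).
if [ "${0##*/}" = "docker-entrypoint.sh" ]; then
    set_use_nspawn /etc/mock/site-defaults.cfg "$(choose_use_nspawn /)"
    exec mock -r "${TARGET_PLATFORM}" "$@"
fi
```

Because the detection runs inside the container, it reflects what the container can actually see, not what the host is running, which is exactly the situation the original report describes.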

praiskup commented 5 years ago

Yes, we don't know how to run systemd-nspawn in a container yet. See pull request #337, which should lower the pain. Otherwise this is a known problem.

praiskup commented 5 years ago

Since this is about making systemd-nspawn work in docker, I'm flagging it as RFE.