unshare causes breakage in docker

Justin Cattle j at ocado.com
Tue Apr 27 22:05:37 CEST 2021


Hi,


We build FAI images in docker.

It seems like this change has broken that workflow:

commit 5bc6385471b2b8b625c3bbaba76488b3127aebf1
Author: Thomas Lange <lange at debian.org>
Date:   Thu Sep 24 20:29:08 2020 +0200

    Use unshare when calling chroot

    Bug report : Daemonized processes inside the chroot cause image building to hang indefinitely
    See https://salsa.debian.org/cloud-team/debian-cloud-images/-/issues/9

diff --git a/bin/fai b/bin/fai
index 433e7eb5..13cddec8 100755
--- a/bin/fai
+++ b/bin/fai
@@ -87,7 +87,7 @@ fai_init() {
       [ $do_init_tasks -eq 1 ] && FAI_ROOT=/target || FAI_ROOT=/
     fi
     # executed command in the environment of the new system
-    ROOTCMD="chroot $FAI_ROOT"
+    ROOTCMD="unshare --pid --fork --kill-child --mount-proc chroot
$FAI_ROOT"
     # no chroot needed
     [ "$FAI_ROOT" = '/' ] && ROOTCMD=
     target=$FAI_ROOT
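Review bot: The new ROOTCMD in fai_init() makes unshare with --pid, --fork, --kill-child and --mount-proc a hard requirement for every chroot call, with no check that unshare exists or that namespace creation is permitted, and no way to switch it off. Consider probing once (for example by running the same unshare options against "true") and falling back to "chroot $FAI_ROOT", or adding a configuration variable to select the behaviour. The new dependency should also be documented.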
diff --git a/bin/fai-make-nfsroot b/bin/fai-make-nfsroot
index 9ac4c367..588a62c0 100755
--- a/bin/fai-make-nfsroot
+++ b/bin/fai-make-nfsroot
@@ -152,7 +152,7 @@ cfdir=$(readlink -f $cfdir) # canonicalize path
 oldnfsroot=$NFSROOT
 deldir=$NFSROOT

-ROOTCMD="chroot $NFSROOT"
+ROOTCMD="unshare --pid --fork --kill-child --mount-proc chroot $NFSROOT"
 export DEBIAN_FRONTEND=noninteractive

 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
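Review bot: --mount-proc is given without a mountpoint on the new ROOTCMD line, so unshare mounts proc on /proc of the calling environment before chroot runs, not on $NFSROOT/proc. Processes inside the chroot therefore only see a proc matching the new PID namespace if one is mounted under $NFSROOT from inside that namespace. If that is the intent, pass the mountpoint explicitly (--mount-proc=$NFSROOT/proc). Otherwise drop the option, since the extra /proc mount and its mount namespace are one more thing that can fail in restricted environments. The option string is also a copy of the one in bin/fai; defining it once would keep the two scripts in sync.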

I haven't dug into it in great detail yet, but this produces the following
error during fai-make-nfsroot, even running as root user in a container
in privileged mode:


I: Base system installed successfully.
unshare: umount /proc failed: Invalid argument
mount: failed to read mtab: No such file or directory
mount: failed to read mtab: No such file or directory
Log file written to /var/log/fai/fai-make-nfsroot.log and /srv/fai/nfsroot/filesystem.dir/var/tmp
ERROR when calling fai-make-nfsroot.
Log file written to /var/log/fai/fai-setup.log


If I revert that change, it all works again.

Can we somehow make unshare vs chroot an option? Or, even better perhaps,
detect docker and don't use unshare in that case?




Cheers,
Just
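
The option-or-detection idea raised in this message, sketched as an added example (not FAI code and not part of the original message). Rather than detecting docker by name, it probes whether unshare with the commit's options actually works. The names UNSHARE_OPTS, unshare_usable, pick_rootcmd and FAI_USE_UNSHARE are hypothetical.

```shell
#!/bin/sh
# Added example, not FAI code. All names below are hypothetical.

# Options taken from the commit quoted in the message.
UNSHARE_OPTS="--pid --fork --kill-child --mount-proc"

# Return 0 if unshare can really create the namespaces here.
# In a container this can fail even for root, as in the report above.
unshare_usable() {
    command -v unshare >/dev/null 2>&1 || return 1
    # UNSHARE_OPTS is left unquoted on purpose so it splits into words.
    unshare $UNSHARE_OPTS true >/dev/null 2>&1
}

# Print the command prefix for running commands inside root directory $1.
# $2 is an optional probe command (default: unshare_usable), injectable
# so the selection logic can be exercised without touching namespaces.
# FAI_USE_UNSHARE (assumed variable): yes | no | auto (default).
pick_rootcmd() {
    root=$1
    probe=${2:-unshare_usable}
    # No chroot needed for /, same rule as in bin/fai.
    [ "$root" = "/" ] && return 0
    case "${FAI_USE_UNSHARE:-auto}" in
        no)
            echo "chroot $root" ;;
        yes)
            echo "unshare $UNSHARE_OPTS chroot $root" ;;
        *)
            if $probe; then
                echo "unshare $UNSHARE_OPTS chroot $root"
            else
                # Fallback: plain chroot gives up the PID namespace, so
                # daemons left running in the chroot are no longer killed
                # when the command exits (the hang the commit addressed).
                echo "chroot $root"
            fi ;;
    esac
}

# Usage in a script: ROOTCMD=$(pick_rootcmd "$NFSROOT")
```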



More information about the linux-fai mailing list