[buildd-tools-devel] Bug#637870: Bug#637870: Provide more isolation than just chroot

Roger Leigh rleigh at codelibre.net
Mon Aug 15 13:18:00 UTC 2011


On Mon, Aug 15, 2011 at 12:46:31PM +0200, Vincent Bernat wrote:
> Recent Linux kernels allow more advanced isolation than just
> chrooting. From clone(2) manpage, those possibilities exist:
> 
>  - CLONE_NEWPID: new PID namespace, including the fact that when the
>    initial process dies (in case of schroot, this could be the shell),
>    all other processes die as well. This would be a very cool
>    feature when starting daemons in the chroot.
>  - CLONE_NEWNS: mentioned in bug #488225.
>  - CLONE_NEWIPC: new IPC namespace, with complete destruction on exit
>  - CLONE_NEWNET: new network namespace, maybe could be done later
>    since it needs to be configured properly to be useful.
>  - CLONE_NEWUTS: not sure when it is useful
> 
> CLONE_NEWPID + CLONE_NEWNS + CLONE_NEWIPC would be great!
> 
> I am unsure if this can be done in setup scripts but I will look at
> it. Maybe with a helper?

This has been something we have wanted to do for some time--at least
for CLONE_NEWPID and CLONE_NEWNS.

The main problem preventing its use is the current architecture of
schroot, particularly when using sessions.  When a session is created,
it's created by one schroot invocation, used in a separate invocation
and then deleted in yet another.  This means that we can't use
CLONE_NEWNS since we want to use the namespace created in an
unrelated process.  To do that we need a persistent process to
"own" the namespace to which we can then attach to run commands--
but this needs having a client-server protocol AFAICT, though I may
be overcomplicating things.

We currently run programs with a fork()/chroot()/exec() sequence.
I have started work on modularising the session code in
sbuild/sbuild-session.cc which would make this logic pluggable, and
allow the use of linux-specific logic on Linux, and the standard
method otherwise (and would also provide a means to use kvm/cgroups/
lxc/vservers etc. via custom modules).  This would permit CLONE_NEWPID
to be used, but AFAICT we still need a daemon-like setup to use
CLONE_NEWNS.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
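The CLONE_NEWPID + CLONE_NEWNS + CLONE_NEWIPC combination Vincent asks for, as an added example that is not schroot's or sbuild's code: a child is created with clone(2) in fresh PID, mount and IPC namespaces, starts a stand-in daemon and reports the PID it sees for itself, which is 1 inside the new namespace. CLONE_NEWUSER is an assumed addition so the program can be tried without root on kernels that permit it.

```c
#define _GNU_SOURCE            /* glibc exposes clone(2) and CLONE_NEW* with this */
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#ifndef CLONE_NEWPID           /* fixed kernel ABI values if the headers hid them */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Runs as init (PID 1) of the new PID namespace: starts a stand-in "daemon",
 * reports its own PID to the parent, then exits, which kills the daemon too. */
static int child_main(void *arg)
{
    int pipe_wr = *(int *)arg;
    pid_t self = getpid();                  /* 1 inside the new namespace */
    if (fork() == 0) { pause(); _exit(0); } /* dies when init (we) exit */
    if (write(pipe_wr, &self, sizeof self) != (ssize_t)sizeof self)
        return 1;
    return 0;
}

/* Returns the PID the child saw for itself (1 on success), or -errno when the
 * kernel refuses (-EPERM without CAP_SYS_ADMIN or in a locked-down sandbox). */
int run_in_new_namespaces(void)
{
    int fds[2], result;
    pid_t seen = 0, pid;
    char *stack = malloc(256 * 1024);       /* clone(2) stacks grow downwards */
    if (!stack || pipe(fds) < 0) { free(stack); return -errno; }
    /* CLONE_NEWUSER is an assumed addition so unprivileged users can try this
     * where the kernel permits it; the other three are the flags requested above. */
    pid = clone(child_main, stack + 256 * 1024, CLONE_NEWUSER | CLONE_NEWPID
                | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, &fds[1]);
    result = (pid < 0) ? -errno : 0;
    close(fds[1]);
    if (pid > 0) {
        if (read(fds[0], &seen, sizeof seen) != (ssize_t)sizeof seen) seen = -1;
        waitpid(pid, NULL, 0);
        result = seen;
    }
    close(fds[0]);
    free(stack);
    return result;
}
```

Call run_in_new_namespaces() from a main(); it returns 1 when the child was init of its own PID namespace and a negative errno when the kernel refused to create the namespaces.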