[buildd-tools-devel] Bug#802849: Bug#802849: schroot: please allow to unshare the network

Roger Leigh rleigh at codelibre.net
Sat Oct 24 08:31:06 UTC 2015


On 24/10/2015 09:02, Johannes Schauer wrote:
> Package: schroot
> Version: 1.6.10-2
> Severity: wishlist
>
> Hi,
>
> Debian packages must be buildable without network access. For this
> purpose it would be extremely useful if schroot would add an option that
> unshares the network namespace before entering the chroot and executing
> dpkg-buildpackage.
>
> The unsharing has to be done by schroot itself and cannot be done
> earlier because sbuild is usually run as non-root. Non-root users don't
> have the privileges to unshare the network namespace, so they would
> first have to create a new user namespace as well. But after having done
> so, schroot refuses to work because it requires that
> /etc/schroot/schroot.conf is owned by the root user (which it is not
> anymore for a process that unshared the user namespace).
>
> So could schroot instead get an option like --unshare-net which, while
> schroot still has root privileges, makes an unshare(CLONE_NEWNET) and
> then runs `ip link set lo up` to activate the loopback interface?

The code already exists on the master branch.

https://github.com/codelibre-net/schroot/blob/master/lib/schroot/chroot/facet/unshare.cc
https://github.com/codelibre-net/schroot/blob/master/etc/setup.d/60unshare

You just run with "-o unshare.net=true" and it will be done.

Unfortunately I don't think the master branch is quite ready for release 
yet, and it's not a current priority for me.  Primarily it requires 
testing, but if you wanted to give it a try this feature should be working.


Regards,
Roger
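
The sequence the report asks schroot to perform, written out as an added
example for this archive page (it is not schroot's code and not code from
either author). It is the C-level equivalent of "unshare the network
namespace, then `ip link set lo up`", done the way the report describes:
when the caller is root only CLONE_NEWNET is needed, when it is not,
CLONE_NEWUSER has to be created in the same call. It then observes, from
inside the new namespace, the two facts a build farm cares about: 127.0.0.1
is not routable until lo is brought up, and no non-loopback address is
routable at all. The function names, the enum, the TEST-NET-1 address
192.0.2.1 and the discard port 9 are this example's own choices; nothing is
ever sent, a UDP connect() only performs the route lookup.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one isolation attempt by the calling process (names chosen
 * for this example). */
enum isolation_result {
    ISOLATED = 0,           /* new netns entered, lo up, no route off-host */
    ISOLATION_UNAVAILABLE,  /* kernel or sandbox refused the namespace */
    ISOLATION_BROKEN        /* namespace entered, but isolation not observed */
};

/* Enter a fresh network namespace. Root needs only CLONE_NEWNET; an
 * unprivileged caller must create a user namespace in the same call,
 * which is the situation the bug report describes for sbuild. */
int unshare_net(void)
{
    int flags = CLONE_NEWNET;
    if (geteuid() != 0)
        flags |= CLONE_NEWUSER;
    return unshare(flags);
}

/* ioctl equivalent of `ip link set <name> up`. Returns -1 with errno set
 * (ENODEV for an unknown interface, EPERM without CAP_NET_ADMIN). */
int link_up(const char *name)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    int rc = ioctl(fd, SIOCGIFFLAGS, &ifr);
    if (rc == 0) {
        ifr.ifr_flags |= IFF_UP;
        rc = ioctl(fd, SIOCSIFFLAGS, &ifr);
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc < 0 ? -1 : 0;
}

/* Does the kernel have a route to this IPv4 address? A UDP connect() only
 * does the route lookup and sends nothing; in an empty network namespace
 * it fails with ENETUNREACH. Returns 1 if routable, 0 otherwise. */
int has_route_to(const char *ipv4)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(9);   /* discard port: arbitrary, nothing is sent */
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1) {
        close(fd);
        return 0;
    }
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return rc == 0;
}

/* Perform the whole sequence and verify each step from inside the new
 * namespace. The calling process stays in that namespace afterwards. */
enum isolation_result check_isolation(void)
{
    if (unshare_net() < 0)
        return ISOLATION_UNAVAILABLE;  /* e.g. EPERM: no userns for non-root */

    /* A fresh netns contains only lo, and lo starts down: not even
     * 127.0.0.1 is routable before `ip link set lo up`. */
    if (has_route_to("127.0.0.1"))
        return ISOLATION_BROKEN;
    if (link_up("lo") < 0)
        return ISOLATION_BROKEN;
    if (!has_route_to("127.0.0.1"))
        return ISOLATION_BROKEN;
    /* 192.0.2.1 is TEST-NET-1 (RFC 5737): routable from an ordinary host
     * with a default route, never from the empty namespace. */
    if (has_route_to("192.0.2.1"))
        return ISOLATION_BROKEN;
    return ISOLATED;
}

int main(void)
{
    static const char *names[] = { "isolated", "unavailable", "broken" };
    enum isolation_result r = check_isolation();
    printf("network isolation: %s (euid %u)\n", names[r], (unsigned)geteuid());
    return r == ISOLATED ? 0 : 1;
}
```

Run it once as an ordinary user and once as root: the root run takes the
CLONE_NEWNET-only path that a setuid schroot would take, the non-root run
needs unprivileged user namespaces to be enabled (otherwise unshare()
fails with EPERM and the program reports "unavailable"), which is the
privilege problem the report raises.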


