Mailinglist Archive: opensuse-buildservice (256 mails)
Re: [opensuse-buildservice] HowTo build with LXC for OBS
- From: "Bernhard M. Wiedemann" <bernhardout@xxxxxxxx>
- Date: Mon, 01 Aug 2011 07:25:23 +0200
- Message-id: <4E3638C3.5080905@lsmod.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/28/2011 12:33 PM, Bernhard M. Wiedemann wrote:
> On 07/28/2011 11:59 AM, Dinar Valeev wrote:
>> /usr/lib/build/lxc.conf :
>> # allow to create any device nodes - but not access
>> lxc.cgroup.devices.allow = c *:* m
>> lxc.cgroup.devices.allow = b *:* m
>> # /dev/pts/*
>> lxc.cgroup.devices.allow = c 136:* rw
>> lxc.tty = 1
> Is this secure?
> I understood the lxc config format to have "rw" for read+write access
> to devices but the top two lines only have the "m" flag to allow only
> mknod - unluckily man lxc.conf does not tell.
> The lower two lines _could_ allow access to the host's pseudo
> terminals. Not sure how dangerous that is.
I did some more research.
The first lines are secure:
lxc-start -n build-root -- /bin/mknod /tmp/devnode c 199 199
lxc-start -n build-root -- /bin/cat /tmp/devnode
/bin/cat: /tmp/devnode: Operation not permitted
the pts devs did get to the host, so could be problematic, but this
stopped when I added to lxc.conf:
lxc.pts = 1024
but since I am not much into LXC, this might break other things.
I also noticed that when building with LXC, the live log stops early after
copying packages...
reordering...
and when you click "Start Refresh" you see that a new log was started at:
processing specfile /.build-srcdir/binutils.spec
Ciao
Bernhard M.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAk42OMMACgkQSTYLOx37oWTZggCg2MTFImB9kG6Uy7nsuyFzWAai
YEgAnAgySnMP0kj2JY7rhh+/289mEInd
=cecq
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
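To make the distinction in the quoted lxc.conf concrete (the "m" entries let the build run mknod on any device number, open of the resulting node is refused, and the 136:* entry grants read/write on pseudo terminals), here is an added Python model of the cgroup v1 devices whitelist that lxc.cgroup.devices.allow is written into. It is example code written for this archive page, not code from the mail, from LXC or from the OBS build scripts. The matching rule it assumes is the one documented for the v1 devices controller: the container starts from deny-all, and a request succeeds only if a single whitelist entry matches the device type and numbers and covers every requested access bit. It models the policy only; the lxc-start mknod/cat test in the mail is still what verifies the running container.

```python
"""Model of the cgroup v1 devices whitelist that lxc.cgroup.devices.allow feeds.

Added example, not code from the mail, from LXC or from the OBS build scripts.
Rule assumed (Documentation/cgroups/devices.txt): start from deny-all; an entry
is "<type> <major>:<minor> <access>", type a/b/c, numbers decimal or "*", access
a subset of "rwm"; a request is granted only if ONE entry matches the device
and covers every requested bit. Hence "c *:* m" permits mknod but not open.
"""
from dataclasses import dataclass

ACCESS_BITS = frozenset("rwm")


@dataclass(frozen=True)
class DeviceRule:
    dev_type: str      # "a" (all), "b" (block) or "c" (char)
    major: str         # decimal string or "*"
    minor: str         # decimal string or "*"
    access: frozenset  # subset of {"r", "w", "m"}


def parse_device_rule(value):
    """Parse the value part of one lxc.cgroup.devices.allow line."""
    parts = value.split()
    if parts == ["a"]:                    # bare "a" is shorthand for "a *:* rwm"
        return DeviceRule("a", "*", "*", ACCESS_BITS)
    if len(parts) != 3 or parts[0] not in ("a", "b", "c") or ":" not in parts[1]:
        raise ValueError("bad device rule: %r" % value)
    dev_type, numbers, access = parts
    major, minor = numbers.split(":", 1)
    if any(n != "*" and not n.isdigit() for n in (major, minor)):
        raise ValueError("bad major:minor: %r" % numbers)
    bits = frozenset(access)
    if not bits or not bits <= ACCESS_BITS:
        raise ValueError("bad access string: %r" % access)
    return DeviceRule(dev_type, major, minor, bits)


def parse_lxc_device_rules(conf_text):
    """Collect allow rules from lxc.conf text in file order, skipping comments
    and unrelated keys. "lxc.cgroup.devices.deny = a" empties the list, as
    writing "a" to devices.deny does; selective denies are not modelled."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "lxc.cgroup.devices.deny":
            if value != "a":
                raise NotImplementedError("selective deny: %r" % value)
            rules.clear()
        elif key == "lxc.cgroup.devices.allow":
            rules.append(parse_device_rule(value))
    return rules


def _number_matches(pattern, value):
    return pattern == "*" or int(pattern) == value


def device_access_allowed(rules, dev_type, major, minor, access):
    """True if the whitelist grants every bit of `access` (r = open for read,
    w = open for write, m = mknod) for the device. One entry must cover all
    requested bits; two partial entries do not add up."""
    wanted = frozenset(access)
    if not wanted or not wanted <= ACCESS_BITS:
        raise ValueError("bad access request: %r" % access)
    for rule in rules:
        if rule.dev_type not in ("a", dev_type):
            continue
        if not (_number_matches(rule.major, major) and _number_matches(rule.minor, minor)):
            continue
        if wanted <= rule.access:
            return True
    return False


# The lxc.conf fragment quoted in the thread, reproduced here as test input.
QUOTED_LXC_CONF = """\
# allow to create any device nodes - but not access
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.tty = 1
"""


def check_quoted_config(conf_text=QUOTED_LXC_CONF):
    """Replay the mail's experiment (mknod c 199 199, then cat it) and the
    pts case against the model; returns description -> allowed."""
    rules = parse_lxc_device_rules(conf_text)
    return {
        "mknod c 199:199": device_access_allowed(rules, "c", 199, 199, "m"),
        "cat c 199:199": device_access_allowed(rules, "c", 199, 199, "r"),
        "open pts c 136:3 rw": device_access_allowed(rules, "c", 136, 3, "rw"),
    }


if __name__ == "__main__":
    for name, allowed in check_quoted_config().items():
        print("%-22s %s" % (name, "allowed" if allowed else "EPERM"))
```

Running the module prints one line per case; the "cat" line is the model's counterpart of the "Operation not permitted" in the mail, and the pts line is why the 136:* entry deserves the attention it gets. The cgroup only gates open() and mknod() on device nodes; it does not decide which devpts instance is mounted at /dev/pts, which is what the lxc.pts setting addresses, so this model says nothing about that part of the fix.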