Mailinglist Archive: opensuse-buildservice (120 mails)
Re: [opensuse-buildservice] HowTo build with LXC for OBS
  • From: Ramez Hanna <rhanna@xxxxxxxxxxxxxx>
  • Date: Thu, 28 Jul 2011 13:15:59 +0300
  • Message-id: <CAFBTH1=zmq25QD9Kr6B2yqzQUuZizhbA1BGPBYsj-EkL5Cx8Fg@mail.gmail.com>
On Thu, Jul 28, 2011 at 12:59 PM, Dinar Valeev <dinarv@xxxxxxxxx> wrote:
On Thu, Jul 28, 2011 at 11:49 AM, Bernhard M. Wiedemann <bernhardout@xxxxxxxx> wrote:
Hi OBSers,

Last week I played with the current obs unstable version and used the
LXC build backend.
In this course I was stumbling over some problems, so to make it easier
for people, I document my findings in this OBS LXC HowTo

Hint: to build with LXC without all the OBS magic, you just run
osc build --vm-type=lxc
on any OBS checkout. Good for testing & debugging.


First, when you just install the obs-worker package or the
worker-appliance, it lacks the LXC user-space tools, complaining about not
finding lxc-create.
That could be added to the OBS Worker appliance. (Done for ppc appliance)

LXC also needs the special cgroup pseudo-fs mounted to work.
So you need to run once as root:

zypper -n install lxc
mkdir -p /var/lib/lxc /cgroup
echo none /cgroup cgroup defaults 2 0 >> /etc/fstab
mount /cgroup
echo mount /cgroup >> /etc/init.d/boot.local

# note: openSUSE's /etc/init.d/boot.cgroup did not help for me
I have not yet found a way to put it in the appliance.


To make OBS build with it, you then
edit /etc/sysconfig/obs-worker
OBS_VM_TYPE="lxc"


This allows building most (>95%) packages alright, and if it works for
you, or if you are reading this after the fix below went upstream, you can
stop here.


However I found some packages failing for two different reasons.
One reason is that packages like udev and mdadm contain device nodes and
the /usr/lib/build/lxc.conf forbids most operations on devices.
This results in failure messages like
Preparing packages for installation...
mdadm-3.0.3-0.22.4
error: unpacking of archive failed on file
/lib/udev/devices/md0;4e311c7f: cpio: mknod failed - Operation not permitted


The other problem I encountered is with packages like yast2-core and
perl-IO-Tty that run testsuites as part of their build script and
complain about openpty failing.
Good catch!

To fix both those problems, I needed to add these lines to
/usr/lib/build/lxc.conf :

# allow to create any device nodes - but not access
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.tty = 1
Is this secure?
I believe this could be very dangerous, allowing the container to modify all devices.
You should figure out which devices are commonly needed and decide based on that.


but since this file would be replaced on next update of the "build" rpm,
those need to be added to the package by the maintainer.

I also added this line to lxc.conf:
# forbid dangerous operations
lxc.cap.drop = sys_module sys_boot sys_rawio sys_time net_raw

but I am not sure if all of them are needed.


Finally I want to thank Dinar for his work on LXC and to Adrian and all
the others making OBS as good as it already is.

Ciao
Bernhard M.
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
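
A small audit helper for the device rules discussed in the thread, added here as an example; it is not part of the mail or of the OBS "build" package. It assumes the cgroup v1 devices-controller syntax that LXC's lxc.cgroup.devices.allow uses (type a/b/c, major:minor with '*' wildcards, access letters r/w/m) and a deny-all default, and evaluates an operation the way the kernel matches exceptions: one rule must cover the device type, major, minor and every requested access bit. The sample rules are the three lines proposed above; the device numbers in the checks (9 = md, 136 = pts, 8 = sd) are standard Linux majors.

```python
import re
from dataclasses import dataclass

# Matches "lxc.cgroup.devices.allow = <type> <major>:<minor> <access>"
# (cgroup v1 devices controller syntax: type a/b/c, '*' wildcards, access rwm).
RULE_RE = re.compile(
    r"^lxc\.cgroup\.devices\.allow\s*=\s*([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")

@dataclass(frozen=True)
class DeviceRule:
    dev_type: str      # 'a' (all), 'b' (block) or 'c' (char)
    major: str         # decimal number or '*'
    minor: str         # decimal number or '*'
    access: frozenset  # subset of {'r', 'w', 'm'}

def parse_rules(conf_text):
    """Extract devices.allow rules from lxc.conf text; comments and other keys are skipped."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(DeviceRule(m.group(1), m.group(2), m.group(3), frozenset(m.group(4))))
    return rules

def _matches(pattern, number):
    return pattern == "*" or int(pattern) == number

def is_allowed(rules, dev_type, major, minor, access):
    """Deny-all default: the operation passes only if ONE rule covers the device type,
    major, minor and every requested access letter (how the kernel matches exceptions)."""
    wanted = set(access)
    return any(r.dev_type in ("a", dev_type)
               and _matches(r.major, major) and _matches(r.minor, minor)
               and wanted <= r.access
               for r in rules)

def wide_open_rules(rules):
    """Rules granting read or write on a wildcard major: the ones an auditor should question."""
    return [r for r in rules if r.major == "*" and r.access & {"r", "w"}]

# Constructed sample: the three allow lines proposed in the mail above.
PROPOSED = """lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 136:* rw
"""

if __name__ == "__main__":
    rules = parse_rules(PROPOSED)
    # mknod of md0 (block 9:0) -> True; openpty on pts (char 136:3) -> True;
    # writing to sda (block 8:0) -> False; no wildcard-major r/w rule -> []
    print(is_allowed(rules, "b", 9, 0, "m"), is_allowed(rules, "c", 136, 3, "rw"),
          is_allowed(rules, "b", 8, 0, "w"), wide_open_rules(rules))
```

With the proposed lines, wildcard majors grant mknod only; read/write is confined to the pts major, which is what the "but not access" comment in the mail intends.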

