Mailinglist Archive: opensuse-buildservice (54 mails)

Re: [opensuse-buildservice] packages keeps in scheduled state in private OBS instance
On 02.10.2017 at 15:00, Adrian Schröter wrote:
> On Monday, 2 October 2017, 14:53:48 CEST, Stefan Seyfried wrote:
>> Hi Hans-Peter
>>
>> I can at least answer one of the questions ;-)
>>
>> On 22.09.2017 13:09, Hans-Peter Jansen wrote:
>>> Do workers really need swap?
>>
>> Yes, the build result is extracted from the worker via the swap volume
>> (after finishing, the build process writes the results into the swap
>> device inside the VM, then the obsworker extracts them from "outside"
>> the VM).
>
> minor nitpick, we write the blocklist to the swap device to extract the
> files directly from the root device.

Ok, but this is somewhat new (in "newer than a few years" ;-)), right?
Because IIRC I had to add big swap devices to VMs building large KIWI
images some time ago (probably around OBS 2.6).
But maybe I did not even *have to* but just *thought, I'd have to* ;-)

Anyway, I'm happy if that's not (or no longer) true (actually the swap
devices are on real SSDs right now instead of ramdisks, just to not
waste too much memory on those workers).

>> The reason for this is (at least I believe so), that the process is file
>> system agnostic (you could in theory run a totally new VM with a fancy
>> file system for building on a pretty old host with a kernel that does
>> not understand that file system) and you don't have to mess around with
>> loop devices, partitioning etc.
>
> the reason behind is that we don't trust the kernel FS layer for not
> being exploitable. Esp. because the package build can be configured with
> any file system.
>
> So we want to avoid to mount the root fs and extract directly from the
> block layer.

Yes, security is an even better reason ;-)
I did not think of that, but it's pretty obvious once you know it.

Thanks for the explanation,

seife
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
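
The extraction approach discussed in this thread (the guest writes a blocklist, the host copies the listed blocks from the raw root device without mounting it), sketched as an added example that is not part of the original mails and is not OBS's own code. The blocklist line format (`name size block-runs`), the 4096-byte block size, the size cap and all function names are assumptions made for illustration; because the list is written inside the VM, the sketch validates it as untrusted input.

```python
import io, os, re, tempfile

BLOCK = 4096                       # assumed block size of the build root device
MAX_FILE = 1 << 30                 # assumed cap on a single result file
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")

def parse_blocklist(text, dev_blocks):
    """Parse constructed 'name size blk[-blk] ...' lines written by the guest."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        name, size, *runs = line.split()
        size = int(size)
        if not SAFE_NAME.match(name):          # no '/', no leading '.'
            raise ValueError(f"unsafe file name {name!r}")
        if not 0 <= size <= MAX_FILE:
            raise ValueError(f"bad size for {name}")
        need, blocks = -(-size // BLOCK), []   # ceil(size / BLOCK)
        for run in runs:
            first, _, last = run.partition("-")
            first, last = int(first), int(last or first)
            if not 0 <= first <= last < dev_blocks:
                raise ValueError(f"run {run} lies outside the device")
            if len(blocks) + last - first + 1 > need:
                raise ValueError(f"more blocks than size allows for {name}")
            blocks.extend(range(first, last + 1))
        if len(blocks) != need:
            raise ValueError(f"size/block mismatch for {name}")
        entries.append((name, size, blocks))
    return entries

def extract(dev, entries, outdir):
    """Copy listed blocks from the raw device; the guest fs is never mounted."""
    for name, size, blocks in entries:
        with open(os.path.join(outdir, name), "xb") as out:   # no overwrite
            for blk in blocks:
                dev.seek(blk * BLOCK)
                size -= out.write(dev.read(min(BLOCK, size)))

def demo():
    payload = bytes(range(256)) * 40           # constructed 10240-byte "package"
    image = bytearray(8 * BLOCK)               # constructed 8-block device image
    for i, blk in enumerate((5, 2, 6)):        # scatter payload over blocks 5, 2, 6
        part = payload[i * BLOCK:(i + 1) * BLOCK]
        image[blk * BLOCK:blk * BLOCK + len(part)] = part
    with tempfile.TemporaryDirectory() as out:
        extract(io.BytesIO(image), parse_blocklist("result.rpm 10240 5 2-2 6\n", 8), out)
        with open(os.path.join(out, "result.rpm"), "rb") as f:
            return f.read() == payload

if __name__ == "__main__":
    print(demo())
```

The host only ever does `seek` and `read` on the device, so no guest-controlled file system metadata reaches a host kernel FS driver; the remaining attack surface is the blocklist parser itself.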