On 02.10.2017 at 15:00, Adrian Schröter wrote:
> On Monday, 2 October 2017, 14:53:48 CEST, Stefan Seyfried wrote:
>> Hi Hans-Peter
>>
>> I can at least answer one of the questions ;-)
>>
>> On 22.09.2017 13:09, Hans-Peter Jansen wrote:
>>> Do workers really need swap?
>>
>> Yes, the build result is extracted from the worker via the swap volume (after finishing, the build process writes the results into the swap device inside the VM, then the obsworker extracts them from "outside" the VM).
>
> Minor nitpick: we write the blocklist to the swap device to extract the files directly from the root device.

Ok, but this is somewhat new (in "newer than a few years" ;-)), right? Because IIRC I had to add big swap devices to VMs building large KIWI images some time ago (probably around OBS 2.6). But maybe I did not even *have to* but just *thought I'd have to* ;-) Anyway, I'm happy if that's not (or no longer) true (actually the swap devices are on real SSDs right now instead of ramdisks, just to not waste too much memory on those workers).

>> The reason for this is (at least I believe so) that the process is file system agnostic (you could in theory run a totally new VM with a fancy file system for building on a pretty old host with a kernel that does not understand that file system) and you don't have to mess around with loop devices, partitioning etc.
>
> The reason behind it is that we don't trust the kernel FS layer not to be exploitable. Esp. because the package build can be configured with any file system.
> So we want to avoid mounting the root fs and extract directly from the block layer.

Yes, security is an even better reason ;-) I did not think of that, but it's pretty obvious once you know it.

Thanks for the explanation,

seife
-- 
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
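
Added example, not part of the thread and not OBS code: a sketch of the host-side idea discussed above, where files are copied out of a guest's root device by block number with plain reads, so the host kernel never mounts the guest-chosen file system. The thread does not show the obsworker's block list format; the one-line-per-file format, the 4096-byte block size and all function names here are assumptions made for illustration.

```python
import io
import os

BLOCK = 4096  # assumed block size of the build root filesystem

def parse_blocklist(text, dev_blocks, max_bytes=1 << 30):
    """Validate guest-written lines of the form '<name> <size> <block> ...'."""
    entries, total = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        name, size, *blocks = line.split()
        size, blocks = int(size), [int(b) for b in blocks]
        # The guest is untrusted: accept a plain file name, never a path.
        if name in (".", "..") or "/" in name or "\\" in name:
            raise ValueError(f"unsafe file name: {name!r}")
        # Every block must lie inside the device being read.
        if any(b < 0 or b >= dev_blocks for b in blocks):
            raise ValueError(f"block out of range for {name!r}")
        # The declared size must need exactly the listed number of blocks.
        if size < 0 or -(-size // BLOCK) != len(blocks):
            raise ValueError(f"size/block mismatch for {name!r}")
        total += size
        if total > max_bytes:
            raise ValueError("block list exceeds the extraction quota")
        entries.append((name, size, blocks))
    return entries

def extract(dev, entries, outdir):
    """Copy files off the raw device with seek/read only; nothing is mounted."""
    for name, size, blocks in entries:
        # "xb" refuses to overwrite, so duplicate names in the list fail.
        with open(os.path.join(outdir, name), "xb") as out:
            for b in blocks:
                want = min(BLOCK, size)
                dev.seek(b * BLOCK)
                chunk = dev.read(want)
                if len(chunk) != want:
                    raise IOError(f"short read in block {b}")
                out.write(chunk)
                size -= want

def make_sample():
    """Constructed 8-block image: one 5000-byte file stored in blocks 5, 2."""
    payload = (bytes(range(256)) * 20)[:5000]
    img = bytearray(8 * BLOCK)
    img[5 * BLOCK:6 * BLOCK] = payload[:BLOCK]
    img[2 * BLOCK:2 * BLOCK + 904] = payload[BLOCK:]
    return io.BytesIO(bytes(img)), "result.rpm 5000 5 2\n", payload
```

The block list is itself guest-controlled input, which is why every field is checked before any read or write happens on the host.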