[opensuse-buildservice] Debootstrap as a replacement of debian chroot creation in obs
Hi,

Since we're starting to experiment with a full OBS build of a Debian-derivative distro, we detected some faults in the chroot creation, related sometimes to scripting and post-script runs, and to the order of package installation too. So, for our own tests, we decided to replace the internal parts related to dpkg in init_buildsystem (obs-build) with a single common solution for Debian and Ubuntu, which is debootstrap.

The first difficulty I found was the lack of Debian tools in RPM distros, rendering workers ineffective, so I made proper RPMs for debootstrap, debhelper, autotools-dev and apt (which I called apt-debian) for both Fedora and openSUSE. openSUSE needs fewer tools than Fedora, since it has the package deb, which contains dpkg + debhelper.

Having this, I was able to replace many parts of the init_buildsystem script with two steps:
- Generate a proper Debian repo locally using apt-ftparchive
- Execute debootstrap

The first step uses a script that for now is limited to testing i386 and armhf for our purposes. The second uses the buildd option of debootstrap, looking in the local, already downloaded packages.

We are already using it as the default in our internal OBS, and so far so good; the process has shown some progress. It's working on both deb and rpm workers.

I'm open to opinions, ideas of how far we can go, improvements to the script, and whether maybe we can adapt this for upstream in future.

You can see the branch of obs-build here: https://github.com/heliocastro/obs-build
And all packages in my home:heliochissini on build.opensuse.org: https://build.opensuse.org/project/show?project=home%3Aheliochissini

[]'s
-- 
Helio Chissini de Castro
Collabora

-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Tuesday, 6 March 2012, 08:17:27, Helio Chissini de Castro wrote: ...
I'm open to opinions, ideas of how far we can go, improve the script and if maybe we can adapt this to upstream in future.
Having a first look, it seems you do not install VMINSTALL packages, but do install all packages in the preinstall phase. Also, are you sure that debootstrap is really never executing scripts during this phase? I doubt that. But when it is executing scripts, this approach is actually a security problem, because you can take over the worker. Also, I think you can no longer enforce ignoring dependencies or downgrading versions, which is required in some situations.

bye
adrian
-- 
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
Hello

On Wednesday 07 March 2012 09:43:08 Adrian Schröter wrote:
On Tuesday, 6 March 2012, 08:17:27, Helio Chissini de Castro wrote:
...
I'm open to opinions, ideas of how far we can go, improve the script and if maybe we can adapt this to upstream in future.
Having a first look, it seems you do not install VMINSTALL packages, but do install all packages in preinstall phase.
For the first test, I ignored VMINSTALL, since we're using only chroot-based installs, but as soon as this progresses, of course VMINSTALL will be put in the loop. It's just that I have not handled that yet.
Also, are you sure that debootstrap is really never executing scripts during this phase? I doubt that. But when it is executing scripts, this approach is actually a security problem, because you can take over the worker.
debootstrap is an old, reliable tool in Debian, and is a single shell script that can easily be read. I understand your security concerns, but debootstrap puts everything inside the chroot from downloaded packages, and then I return control to init_buildsystem. The proper way would be for debootstrap to download the packages itself, making my life easier, but this would completely ignore the cache system of OBS, which is not desired.
Also, I think you can not enforce anymore to ignore dependencies or to downgrade versions which is required in some situations.
The packages to install are passed in the init_buildsystem list, so debootstrap knows how to handle this. If it does not work, the error is in the packaging, not the tool. If in the package list provided by init_buildsystem we have downgraded packages, it is supposed to work.

[]'s
On Wednesday, 7 March 2012, 07:52:01, Helio Chissini de Castro wrote:
Hello
On Wednesday 07 March 2012 09:43:08 Adrian Schröter wrote:
On Tuesday, 6 March 2012, 08:17:27, Helio Chissini de Castro wrote:
...
I'm open to opinions, ideas of how far we can go, improve the script and if maybe we can adapt this to upstream in future.
Having a first look, it seems you do not install VMINSTALL packages, but do install all packages in preinstall phase.
For the first test, I ignored VMINSTALL, since we're using only chroot-based installs, but as soon as this progresses, of course VMINSTALL will be put in the loop. It's just that I have not handled that yet.
Also, are you sure that debootstrap is really never executing scripts during this phase? I doubt that. But when it is executing scripts, this approach is actually a security problem, because you can take over the worker.
debootstrap is an old, reliable tool in Debian, and is a single shell script that can easily be read. I understand your security concerns, but debootstrap puts everything inside the chroot from downloaded packages, and then I return control to init_buildsystem.
chroot is not enough to be secure.
The proper way would be for debootstrap to download the packages itself, making my life easier, but this would completely ignore the cache system of OBS, which is not desired.
But does it call dpkg to install the packages, and does that call the scripts from the package? There is no way you can make that secure. It always means, as a consequence, that any user from any project easily has full control over your worker. That also means, as a consequence, that he can deliver build results for any project/repo, and you can't even trace where they come from.
Also, I think you can not enforce anymore to ignore dependencies or to downgrade versions which is required in some situations.
The packages to install are passed in the init_buildsystem list, so debootstrap knows how to handle this. If it does not work, the error is in the packaging, not the tool. If in the package list provided by init_buildsystem we have downgraded packages, it is supposed to work.
It does no dependency resolution on its own ?
[]'s

-- 
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
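The point Adrian makes here is that dpkg, which debootstrap calls, runs each package's maintainer scripts, so any .deb in the install set is code that executes on whatever host the bootstrap runs on. As an added example (not code from this thread or from obs-build), the following Python check parses a .deb's outer ar archive and its control tarball and reports which packages in an install set carry preinst/postinst/prerm/postrm scripts; the sample packages are constructed in memory for the demo and are not real Debian packages.

```python
import io
import tarfile

MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def ar_members(blob):
    """Yield (name, data) for each member of an 'ar' archive such as a .deb."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().rstrip().rstrip("/")  # GNU ar may end names with '/'
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def maintainer_scripts(deb):
    """Return the maintainer scripts dpkg would run when installing this .deb."""
    for name, data in ar_members(deb):
        if name.startswith("control.tar"):  # .gz/.xz/plain; tarfile autodetects
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                return {m.name.lstrip("./") for m in tf.getmembers()} & MAINT_SCRIPTS
    return set()

def scripted_packages(debs):
    """Map file name -> scripts for every .deb in the set that carries any."""
    return {n: s for n, b in debs.items() if (s := maintainer_scripts(b))}

def make_deb(scripts):
    """Build a minimal in-memory .deb (constructed demo data) with these scripts."""
    def ar_member(name, data):
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")

    def tgz(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for n, body in files.items():
                info = tarfile.TarInfo("./" + n)
                info.size = len(body)
                tf.addfile(info, io.BytesIO(body))
        return buf.getvalue()

    control = {"control": b"Package: demo\nVersion: 1\nArchitecture: all\n"}
    control.update({s: b"#!/bin/sh\necho maintainer script ran\n" for s in scripts})
    return (b"!<arch>\n" + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", tgz(control)) + ar_member("data.tar.gz", tgz({})))
```

Run `scripted_packages` over the .deb files init_buildsystem would hand to debootstrap to see exactly which of them would execute code outside the build VM.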
On Wed, Mar 07, 2012 at 12:07:21PM +0100, Adrian Schröter wrote:
On Wednesday, 7 March 2012, 07:52:01, Helio Chissini de Castro wrote:
Hello
On Wednesday 07 March 2012 09:43:08 Adrian Schröter wrote:
On Tuesday, 6 March 2012, 08:17:27, Helio Chissini de Castro wrote:
...
I'm open to opinions, ideas of how far we can go, improve the script and if maybe we can adapt this to upstream in future.
Having a first look, it seems you do not install VMINSTALL packages, but do install all packages in preinstall phase.
For the first test, I ignored VMINSTALL, since we're using only chroot-based installs, but as soon as this progresses, of course VMINSTALL will be put in the loop. It's just that I have not handled that yet.
Also, are you sure that debootstrap is really never executing scripts during this phase? I doubt that. But when it is executing scripts, this approach is actually a security problem, because you can take over the worker.
debootstrap is an old, reliable tool in Debian, and is a single shell script that can easily be read. I understand your security concerns, but debootstrap puts everything inside the chroot from downloaded packages, and then I return control to init_buildsystem.
chroot is not enough to be secure.
What Adrian means is that it's ok to use debootstrap *after* the preinstall phase, thus in the virtual machine. It mustn't be done outside the virtual machine for security reasons.

Cheers,
Michael.

-- 
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}