[opensuse-packaging] newbie alert - why do I have to be root to run a build?
Earlier today, I asked for a contributors howto, and Andreas very kindly pointed me to this: http://lizards.opensuse.org/2009/06/20/opensuse-factory-fixing-packages/ Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary). /Per Jessen, Zürich -- Per Jessen, Zürich (15.6°C) -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-packaging+help@opensuse.org
On 2011-03-14 14:33:05 +0100, Per Jessen wrote:
> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
you build inside a chroot, to call chroot you need root permissions.
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Marcus Rueckert wrote:
> On 2011-03-14 14:33:05 +0100, Per Jessen wrote:
>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
> you build inside a chroot, to call chroot you need root permissions.
> darix
Okay, thanks. For me it's not a problem, but I could easily imagine someone on a workstation without root access - I guess there are plenty of reasons for not using fakechroot?
-- Per Jessen, Zürich (15.3°C)
On Monday, 14 March 2011, 14:46:12, Per Jessen wrote:
> Marcus Rueckert wrote:
>> On 2011-03-14 14:33:05 +0100, Per Jessen wrote:
>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>> you build inside a chroot, to call chroot you need root permissions.
>> darix
> Okay, thanks. For me it's not a problem, but I could easily imagine someone on a workstation without root access - I guess there are plenty of reasons for not using fakechroot?
A safe build can anyway only be done via virtualization. So it is thinkable that you grant a user all permissions to run a xen or kvm instance, so he would not need root permission anymore. It would be safer anyway, since chroot is not really a security feature if you run stuff as root inside.
-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
Adrian Schröter wrote:
> On Monday, 14 March 2011, 14:46:12, Per Jessen wrote:
>> Marcus Rueckert wrote:
>>> On 2011-03-14 14:33:05 +0100, Per Jessen wrote:
>>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>>> you build inside a chroot, to call chroot you need root permissions.
>>> darix
>> Okay, thanks. For me it's not a problem, but I could easily imagine someone on a workstation without root access - I guess there are plenty of reasons for not using fakechroot?
> A safe build can anyway only be done via virtualization.
> So it is thinkable that you grant a user all permissions to run a xen or kvm instance, so he would not need root permission anymore.
Yes, I think that's quite likely to be the solution.
/Per
On Mon, Mar 14, 2011 at 11:31 AM, Per Jessen <per@opensuse.org> wrote:
> Adrian Schröter wrote:
>> On Monday, 14 March 2011, 14:46:12, Per Jessen wrote:
>>> Marcus Rueckert wrote:
>>>> On 2011-03-14 14:33:05 +0100, Per Jessen wrote:
>>>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>>>> you build inside a chroot, to call chroot you need root permissions.
>>>> darix
>>> Okay, thanks. For me it's not a problem, but I could easily imagine someone on a workstation without root access - I guess there are plenty of reasons for not using fakechroot?
>> A safe build can anyway only be done via virtualization.
>> So it is thinkable that you grant a user all permissions to run a xen or kvm instance, so he would not need root permission anymore.
> Yes, I think that's quite likely to be the solution.
> /Per
That's what the OBS Appliance does I assume. So if someone wants to set up a truly secure local build setup for their users, can't they just install the appliance?
Greg
On 14/03/11 10:33, Per Jessen wrote:
> Earlier today, I asked for a contributors howto, and Andreas very kindly pointed me to this:
> http://lizards.opensuse.org/2009/06/20/opensuse-factory-fixing-packages/
> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
You need CAP_SYS_CHROOT, only root has that capability by default.
On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
> You need CAP_SYS_CHROOT, only root has that capability by default.
fakechroot(1) comes to mind. Would that help?
cheers, Jw-
-- Juergen Weigert, jw@suse.de, SUSE LINUX Products GmbH
On 2011-03-14 15:19:36 +0100, Juergen Weigert wrote:
> On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>> You need CAP_SYS_CHROOT, only root has that capability by default.
> fakechroot(1) comes to mind. Would that help?
no we really need root permissions because after the chroot we want to get the build process running as user abuild. also installing rpms shouldn't be done as a non root user, so the package can't accidentally modify the chroot during the build (misguided make install e.g.)
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
On Mon, 14 Mar 2011, Marcus Rueckert wrote:
> On 2011-03-14 15:19:36 +0100, Juergen Weigert wrote:
>> On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
>>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>>> You need CAP_SYS_CHROOT, only root has that capability by default.
>> fakechroot(1) comes to mind. Would that help?
> no we really need root permissions because after the chroot we want to get the build process running as user abuild.
Well, we want to provide a real jail for the build (even though people might disagree whether a chroot is appropriate for this).
> also installing rpms shouldn't be done as a non root user, so the package can't accidentally modify the chroot during the build (misguided make install e.g.)
That sentence has some twisted self-contradicting logic in it ;)
Richard.
On 14.3.2011 15:36, Richard Guenther wrote:
> On Mon, 14 Mar 2011, Marcus Rueckert wrote:
>> also installing rpms shouldn't be done as a non root user, so the package can't accidentally modify the chroot during the build (misguided make install e.g.)
> That sentence has some twisted self-contradicting logic in it ;)
The binary rpms in the chroot need to be installed as root, so that the build (running as user abuild) can only write to /usr/src/packages and (/var)/tmp. Something you can hardly implement with fakeroot.
Michal
On 14/03/11 11:25, Marcus Rueckert wrote:
> On 2011-03-14 15:19:36 +0100, Juergen Weigert wrote:
>> On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
>>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>>> You need CAP_SYS_CHROOT, only root has that capability by default.
>> fakechroot(1) comes to mind. Would that help?
> no we really need root permissions
And there is also no jail(2) implemented in linux, which may be useful for this task. Anyway, best advice is Adrian's. Try building in KVM instead.
On Tue, 15 Mar 2011 02:01, Cristian Rodríguez <crrodriguez@...> wrote:
> On 14/03/11 11:25, Marcus Rueckert wrote:
>> On 2011-03-14 15:19:36 +0100, Juergen Weigert wrote:
>>> On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
>>>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>>>> You need CAP_SYS_CHROOT, only root has that capability by default.
>>> fakechroot(1) comes to mind. Would that help?
>> no we really need root permissions
> And there is also no jail(2) implemented in linux, which may be useful for this task.
> Anyway, best advice is Adrian's. Try building in KVM instead.
Just an idea: Wouldn't it make sense to publish a working build environment with all the tools needed as a virtual machine? Maybe via SUSE Studio? One for each supported OSS version? With already 'installed' and activated repos for obs/system updates?
IMHO this would make it easy for a newbie and even a more experienced, but seldom packaging user to use OBS with all the needed tools without contaminating his/her working system with packages not needed for daily operation.
Just an Idea, but it could make life as a packager easier.
... Or does such a virtual machine image already exist, and was 'just' not announced loudly and clearly enough ? (like in the wiki under Packaging and under rpm-building)
-- Cheers, Yamaban out.
On Mon, Mar 14, 2011 at 9:31 PM, Yamaban <foerster@lisas.de> wrote:
> On Tue, 15 Mar 2011 02:01, Cristian Rodríguez <crrodriguez@...> wrote:
>> On 14/03/11 11:25, Marcus Rueckert wrote:
>>> On 2011-03-14 15:19:36 +0100, Juergen Weigert wrote:
>>>> On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
>>>>>> Going through this step by step, when I do "osc build openSUSE_Factory", I'm asked to su to root - why? (it seems unnecessary).
>>>>> You need CAP_SYS_CHROOT, only root has that capability by default.
>>>> fakechroot(1) comes to mind. Would that help?
>>> no we really need root permissions
>> And there is also no jail(2) implemented in linux, which may be useful for this task.
>> Anyway, best advice is Adrian's. Try building in KVM instead.
> Just an idea: Wouldn't it make sense to publish a working build environment with all the tools needed as a virtual machine?
> Maybe via SUSE Studio? One for each supported OSS version?
> With already 'installed' and activated repos for obs/system updates?
> IMHO this would make it easy for a newbie and even a more experienced, but seldom packaging user to use OBS with all the needed tools without contaminating his/her working system with packages not needed for daily operation.
> Just an Idea, but it could make life as a packager easier.
> ... Or does such a virtual machine image already exist, and was 'just' not announced loudly and clearly enough ? (like in the wiki under Packaging and under rpm-building)
> -- Cheers, Yamaban out.
something like this? http://en.opensuse.org/openSUSE:Build_Service_Appliance
Greg
On Tue, 15 Mar 2011 02:42, Greg Freemyer <greg.freemyer@...> wrote:
> On Mon, Mar 14, 2011 at 9:31 PM, Yamaban <foerster@lisas.de> wrote:
>> On Tue, 15 Mar 2011 02:01, Cristian Rodríguez <crrodriguez@...> wrote:
>>> On 14/03/11 11:25, Marcus Rueckert wrote:
>>>> On 2011-03-14 15:19:36 +0100, Juergen Weigert wrote:
>>>>> On Mar 14, 11 10:47:27 -0300, Cristian Rodríguez wrote:
<snip>
>> Maybe via SUSE Studio? One for each supported OSS version?
>> With already 'installed' and activated repos for obs/system updates?
>> IMHO this would make it easy for a newbie and even a more experienced, but seldom packaging user to use OBS with all the needed tools without contaminating his/her working system with packages not needed for daily operation.
>> Just an Idea, but it could make life as a packager easier.
>> ... Or does such a virtual machine image already exist, and was 'just' not announced loudly and clearly enough ? (like in the wiki under Packaging and under rpm-building)
> something like this?
YES! now all that is missing are the links / notations on the better known / used wiki Pages like:
- http://en.opensuse.org/Portal:Packaging
- http://en.opensuse.org/Portal:Build_Service
- http://en.opensuse.org/Portal:Development/Contribute
- http://en.opensuse.org/openSUSE:Build_Service_Tutorial
- http://en.opensuse.org/openSUSE:Build_Service_Tips_and_Tricks
containing the loud HINT to use KVM with "Build Service Appliance" as preferred method to build packages ( at home, or normal working machine )
see: http://en.opensuse.org/Special:WhatLinksHere/openSUSE:Build_Service_Applianc... for information on which pages are already linking to this.
But to be honest, I personally can't formulate a suitable tailored Hint to include into these pages, so I'd like to call out to better people than me to do so.
PS: Would it be possible to write something like a Starter / Newbie Guide on how to set up a building environment (in KVM) to help to avoid unneeded headaches and wasted time for beginners / newcomers / switchers (from other distros) ?
-- Cheers, and thanks for the help, Yamaban out
Hello,
On Tue, 15 Mar 2011, Yamaban wrote:
> IMHO this would make it easy for a newbie and even a more experienced, but seldom packaging user to use OBS with all the needed tools without contaminating his/her working system with packages not needed for daily operation.
The only thing contaminated here by using "osc build" is /var/tmp/build.
Along with these parts
==== of my ~/.oscrc ====
su-wrapper = sudo
build-root = /var/tmp/build/%(repo)s-%(arch)s-root
extra-pkgs = strace ltrace
====
and (the unoptimized, this is only a well-updated, "locked-down"[0] single user box though!)
==== of my /etc/sudoers ====
Defaults timestamp_timeout=0
dh localhost=(root) NOPASSWD:/usr/bin/build
====
using (e.g.) my
==== ~/bin/oscbuild11.2 ====
#!/bin/sh -x
if ! test -d /ISO/suse; then
    umount /ISO
    mount /ISO || exit 1
fi
osc build --prefer-pkgs=/ISO/suse/x86_64 -j 2 --ccache \
    --local-package openSUSE_11.2 x86_64 "$@"
# umount /ISO
### as this is the "system" .iso, I keep it mounted
### for other variants you might like to unmount.
====
and this in
==== /etc/fstab ====
/data/openSUSE-11.2-DVD-x86_64.iso /ISO iso9660 loop,user,users 0 0
====
(more variants of that script and fstab entries may exist and may mount+umount other DVD-Images explicitly or not ;) gives me a quite flexible and easy to use 'osc build' wrapper having no side-effects on the system. E.g.:
$ cd ~/osc/home:dnh/ddrescue
$ oscbuild11.2 ddrescue.spec
[..]
$ oscbuild_snapshot ddrescue.spec
[..]
You probably may want to at least nail down the build-root for build in the sudoers, something which might need a wrapper around build that checks for that.
YMMV, just wanted to throw some ideas into the discussion.
HTH, -dnh, *waving over from Filderstadt to the Flandernstraße*, whose dad lived around the corner and who did his civilian service across the way at the Kennenburg ... ;) -> PM?
[0] that 'build'-entry is as unspecific as my sudoers gets. Only my user can only call some few specified commands via sudo. root can do what he likes, and anyone else can do nothing via sudo. I despise the -buntu "do everything with sudo" adminning. When the password is cached (for more than say 3 CPU-cycles), it's unsafe.
Go ahead, check your /etc/sudoers for -buntu like entries like:
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
That comment lies. It is inherently unsafe without
Defaults timestamp_timeout=0
*GAH*
-- Well I wish you'd just tell me rather than try to engage my enthusiasm, because I haven't got one. -- Marvin
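The suggestion in the message above to nail down the build-root with a checking wrapper, sketched here as an added example (not part of the original post, and not code from osc or build). The wrapper name build-guard is hypothetical, and it assumes the build root reaches /usr/bin/build as a single --root option and sits directly under /var/tmp/build as in the ~/.oscrc shown.

```shell
#!/bin/sh
# Hypothetical guard to list in sudoers in place of /usr/bin/build.
# Assumption: the build root arrives as one --root DIR or --root=DIR option.
ALLOWED_PREFIX=/var/tmp/build   # parent of build-root in the ~/.oscrc above
REAL_BUILD=/usr/bin/build

# Print the requested build root; fail unless --root appears exactly once.
extract_root() {
    root='' count=0
    while [ $# -gt 0 ]; do
        case $1 in
            --root=*) root=${1#--root=}; count=$((count + 1)) ;;
            --root)   [ $# -ge 2 ] || return 1
                      root=$2; count=$((count + 1)); shift ;;
        esac
        shift
    done
    [ "$count" -eq 1 ] && [ -n "$root" ] && printf '%s\n' "$root"
}

# Accept only a direct child of ALLOWED_PREFIX with a plain name, so that
# "..", nested paths and "/" itself are refused.
root_is_allowed() {
    case $1 in
        "$ALLOWED_PREFIX"/*) name=${1#"$ALLOWED_PREFIX"/} ;;
        *) return 1 ;;
    esac
    case $name in
        ''|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ! -L "$1" ]   # a symlink planted at the root path is refused too
}

guarded_build() {
    root=$(extract_root "$@") || {
        echo "build-guard: expected exactly one --root" >&2; return 2; }
    root_is_allowed "$root" || {
        echo "build-guard: refusing build root '$root'" >&2; return 2; }
    exec "$REAL_BUILD" "$@"
}

# Act as the wrapper only when installed under the hypothetical name.
case ${0##*/} in
    build-guard) guarded_build "$@" ;;
esac
```

The sudoers entry would then name the wrapper rather than /usr/bin/build, so the NOPASSWD grant no longer covers arbitrary roots.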
participants (10)
- Adrian Schröter
- Cristian Rodríguez
- David Haller
- Greg Freemyer
- Juergen Weigert
- Marcus Rueckert
- Michal Marek
- Per Jessen
- Richard Guenther
- Yamaban