Mailinglist Archive: opensuse-bugs (6588 mails)

[Bug 1131084] Build packages in docker fails /usr/lib/rpm/find-debuginfo.sh: line 519: /dev/fd/62: No such file or directory
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 31 Jul 2019 07:03:28 +0000
  • Message-id: <bug-1131084-21960-5E7yEgF8rr@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1131084
http://bugzilla.suse.com/show_bug.cgi?id=1131084#c17

--- Comment #17 from Aleksa Sarai <asarai@xxxxxxxx> ---
(In reply to William Brown from comment #16)
> osc build mounts /proc, so it's a bit hard to avoid this pattern ...

Does "osc build" use PID namespaces? If not, then you could try to change "osc
build" to always rbind the "host" /proc. This should make no difference outside
of containers and would avoid this (and other) problems inside containers.

If you really need to be able to mount procfs and bind-mounting is not
acceptable there are some other workarounds such as the one Kubernetes does (if
you explicitly enable it):

1. On the host:
   a. unshare(CLONE_NEWPID)
   b. fork()
   c. mount procfs somewhere
2. Bind-mount the procfs mount into the container anywhere (preferably
   somewhere away from the "real" /proc which we will mount in a second).

And now the container will be able to mount procfs -- because the process can
see a procfs mount without any masked paths mounted over it. As I said, this
reduces security a fair amount (though with user namespaces it isn't _too_ bad
since most of the bad things in /proc are blocked with user namespaces).

--
You are receiving this mail because:
You are on the CC list for the bug.
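
Added example, not part of the bug comment and not osc or Kubernetes code: a Python check that reads mountinfo and reports which procfs mounts have nothing mounted over them, the condition the comment above describes, so a container can be audited for an unmasked procfs. It approximates that rule by treating any child mount as masking (the kernel's own check has further conditions); the sample mountinfo text and the path /run/host-proc are constructed.

```python
"""Added example: which procfs mounts in this mount namespace are unmasked?"""

# Constructed sample of /proc/self/mountinfo inside a container whose runtime
# masks parts of /proc. Mount IDs and device numbers are made up.
MASKED = """\
1210 1190 0:85 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1215 1210 0:85 /bus /proc/bus ro,relatime - proc proc rw
1216 1210 0:85 /sys /proc/sys ro,relatime - proc proc rw
1220 1210 0:86 / /proc/acpi ro,relatime - tmpfs tmpfs ro
1221 1210 0:6 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw
"""
# Same container after step 2 of the workaround: a second, untouched procfs
# has been bind-mounted in. The path /run/host-proc is a hypothetical choice.
WORKAROUND = MASKED + "1300 1190 0:90 / /run/host-proc rw,relatime - proc proc rw\n"


def parse_mountinfo(text):
    """Parse mountinfo text (format in proc(5)) into one dict per mount."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        head, tail = left.split(), right.split()
        if not sep or len(head) < 5 or not tail:
            continue  # blank or malformed line
        mounts.append({"id": head[0], "parent": head[1], "root": head[3],
                       "mount_point": head[4], "fstype": tail[0]})
    return mounts


def procfs_cover(text):
    """Map each full procfs mount point to the paths mounted on top of it."""
    mounts = parse_mountinfo(text)
    report = {}
    for m in mounts:
        # root != "/" is a bind mount of a procfs subtree, not a full procfs
        if m["fstype"] == "proc" and m["root"] == "/":
            report[m["mount_point"]] = sorted(
                c["mount_point"] for c in mounts if c["parent"] == m["id"])
    return report


def unmasked_procfs(text):
    """Full procfs mounts with nothing mounted over them."""
    return [mp for mp, cover in procfs_cover(text).items() if not cover]


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        for mp, cover in procfs_cover(f.read()).items():
            print(mp, "masked by " + ", ".join(cover) if cover else "unmasked")
```

An empty result from `unmasked_procfs` corresponds to the situation in this bug, where mounting a fresh procfs inside the container is refused.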