enable loopback adapter in hermetic unshare namespace

Bazel uses a client server architecture to execute even when performing network isolated builds.It works fine as long as there is any adapter, even a loopback addapter. The default unshare env has a loopback device [lo] but it is DOWN by default. This PR brings lo UP in the unshare environment so that hermetic Bazel builds will work.
konflux-ci · Sep 25, 2024 · 6590eac · 6590eac
1 parent dc50185
commit 6590eac
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 14 deletions.
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -412,13 +412,16 @@ spec:
           done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
         fi
 
-        unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
-          $VOLUME_MOUNTS \
-          "${BUILDAH_ARGS[@]}" \
-          "${LABELS[@]}" \
-          --tls-verify=$TLSVERIFY --no-cache \
-          --ulimit nofile=4096:4096 \
-          -f "$dockerfile_path" -t $IMAGE .
+        COMMAND="ip link set lo up;
+            buildah build \
+              $VOLUME_MOUNTS \
+              "${BUILDAH_ARGS[@]}" \
+              "${LABELS[@]}" \
+              --tls-verify=$TLSVERIFY --no-cache \
+              --ulimit nofile=4096:4096 \
+              -f "$dockerfile_path" -t $IMAGE ."
+
+        unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- sh -c "$COMMAND"
 
         container=$(buildah from --pull-never $IMAGE)
         buildah mount $container | tee /shared/container_path

diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
@@ -349,13 +349,16 @@ spec:
         done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
       fi
 
-      unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
-        $VOLUME_MOUNTS \
-        "${BUILDAH_ARGS[@]}" \
-        "${LABELS[@]}" \
-        --tls-verify=$TLSVERIFY --no-cache \
-        --ulimit nofile=4096:4096 \
-        -f "$dockerfile_path" -t $IMAGE .
+      COMMAND="ip link set lo up;
+          buildah build \
+            $VOLUME_MOUNTS \
+            "${BUILDAH_ARGS[@]}" \
+            "${LABELS[@]}" \
+            --tls-verify=$TLSVERIFY --no-cache \
+            --ulimit nofile=4096:4096 \
+            -f "$dockerfile_path" -t $IMAGE ."
+
+      unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- sh -c "$COMMAND"
 
       container=$(buildah from --pull-never $IMAGE)
       buildah mount $container | tee /shared/container_path