From b8bfff46c2d0c1c9039585b76c2bc7b120ea4ad7 Mon Sep 17 00:00:00 2001 From: Brian Cook Date: Tue, 24 Sep 2024 17:40:22 -0400 Subject: [PATCH] enable loopback adapter in hermetic unshare namespace Bazel uses a client server architecture to execute even when performing network isolated builds.It works fine as long as there is any adapter, even a loopback addapter. The default unshare env has a loopback device [lo] but it is DOWN by default. This PR brings lo UP in the unshare environment so that hermetic Bazel builds will work. --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 17 ++++++++++------- .../0.2/buildah-remote-oci-ta.yaml | 17 ++++++++++------- task/buildah-remote/0.2/buildah-remote.yaml | 17 ++++++++++------- task/buildah/0.2/buildah.yaml | 17 ++++++++++------- 4 files changed, 40 insertions(+), 28 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 133df7524..bf3fa998a 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -412,13 +412,16 @@ spec: done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) fi - unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ - $VOLUME_MOUNTS \ - "${BUILDAH_ARGS[@]}" \ - "${LABELS[@]}" \ - --tls-verify=$TLSVERIFY --no-cache \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE . + COMMAND="ip link set lo up; + buildah build \ + $VOLUME_MOUNTS \ + "${BUILDAH_ARGS[@]}" \ + "${LABELS[@]}" \ + --tls-verify=$TLSVERIFY --no-cache \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE ." + + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- sh -c "$COMMAND" container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /shared/container_path diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 24743cc0b..2c038c272 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -447,13 +447,16 @@ spec: done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) fi - unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ - $VOLUME_MOUNTS \ - "${BUILDAH_ARGS[@]}" \ - "${LABELS[@]}" \ - --tls-verify=$TLSVERIFY --no-cache \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE . + COMMAND="ip link set lo up; + buildah build \ + $VOLUME_MOUNTS \ + "${BUILDAH_ARGS[@]}" \ + "${LABELS[@]}" \ + --tls-verify=$TLSVERIFY --no-cache \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE ." + + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- sh -c "$COMMAND" container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /shared/container_path diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 2d5a68235..0e5e88d55 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -429,13 +429,16 @@ spec: done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) fi - unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ - $VOLUME_MOUNTS \ - "${BUILDAH_ARGS[@]}" \ - "${LABELS[@]}" \ - --tls-verify=$TLSVERIFY --no-cache \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE . + COMMAND="ip link set lo up; + buildah build \ + $VOLUME_MOUNTS \ + "${BUILDAH_ARGS[@]}" \ + "${LABELS[@]}" \ + --tls-verify=$TLSVERIFY --no-cache \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE ." + + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- sh -c "$COMMAND" container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /shared/container_path diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 96561dfd7..8ec23b253 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -349,13 +349,16 @@ spec: done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) fi - unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ - $VOLUME_MOUNTS \ - "${BUILDAH_ARGS[@]}" \ - "${LABELS[@]}" \ - --tls-verify=$TLSVERIFY --no-cache \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE . + COMMAND="ip link set lo up; + buildah build \ + $VOLUME_MOUNTS \ + "${BUILDAH_ARGS[@]}" \ + "${LABELS[@]}" \ + --tls-verify=$TLSVERIFY --no-cache \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE ." + + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- sh -c "$COMMAND" container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /shared/container_path