Add --no-network option

Completely disables network inside the container, making sure we fully
control the supply chain.

Signed-off-by: Yann Dirson <[email protected]>

Author: ydirson

src/xcp_ng_dev/cli.py

@@ -57,6 +57,8 @@ def add_common_args(parser):
                        help="Directory where the build-dependency RPMs will be taken from.")
     group.add_argument('--no-update', action='store_true',
                        help='do not run "yum update" on container start, use it as it was at build time')
+    group.add_argument('--no-network', action='store_true',
+                       help='disable all networking support in the build environment')
 
 def add_container_args(parser):
     group = parser.add_argument_group("container arguments")
@@ -212,6 +214,11 @@ def container(args):
         docker_args += ["-e", "DISABLEREPO=%s" % args.disablerepo]
     if args.no_update:
         docker_args += ["-e", "NOUPDATE=1"]
+    if args.no_network:
+        docker_args += ["--network", "none"]
+
+    if args.no_network and not args.no_update:
+        print("WARNING: network disabled but --no-update not passed", file=sys.stderr)
 
     # container args
     if args.volume:
@@ -248,6 +255,9 @@ def container(args):
     # action-specific
     match args.action:
         case 'build':
+            if args.no_network and not args.local_repo:
+                print("WARNING: network disabled but --local-repo not passed", file=sys.stderr)
+
             build_dir = os.path.abspath(args.source_dir)
             if args.define:
                 docker_args += ["-e", "RPMBUILD_DEFINE=%s" % args.define]