diff options
| author | Ross Burton <ross.burton@arm.com> | 2024-09-12 17:57:36 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-09-13 10:28:10 +0100 |
| commit | 7004840f3dc12e76822cee7b48902c08a553a118 (patch) | |
| tree | 75fd1f4d42fa507d26169f636e22dc44f87f67ab | |
| parent | 0249d9c8932674b8b00ec0d0a261f616794eee36 (diff) | |
| download | poky-7004840f3dc12e76822cee7b48902c08a553a118.tar.gz | |
sanity: check for working user namespaces
If user namespaces are not available (typically because AppArmor is
blocking them), alert the user.
We consider network isolation sufficiently important that this is a fatal
error, and the user will need to configure AppArmor to allow bitbake to
create a user namespace.
[ YOCTO #15592 ]
(From OE-Core rev: b6af956fe6e876957a49d4abf425e8c789bf0459)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes-global/sanity.bbclass | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass index 1d242f0f0a..72dab0fea2 100644 --- a/meta/classes-global/sanity.bbclass +++ b/meta/classes-global/sanity.bbclass | |||
| @@ -475,6 +475,29 @@ def check_wsl(d): | |||
| 475 | bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space") | 475 | bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space") |
| 476 | return None | 476 | return None |
| 477 | 477 | ||
| 478 | def check_userns(): | ||
| 479 | """ | ||
| 480 | Check that user namespaces are functional, as they're used for network isolation. | ||
| 481 | """ | ||
| 482 | |||
| 483 | # There is a known failure case with AppAmrmor where the unshare() call | ||
| 484 | # succeeds (at which point the uid is nobody) but writing to the uid_map | ||
| 485 | # fails (so the uid isn't reset back to the user's uid). We can detect this. | ||
| 486 | parentuid = os.getuid() | ||
| 487 | pid = os.fork() | ||
| 488 | if not pid: | ||
| 489 | try: | ||
| 490 | bb.utils.disable_network() | ||
| 491 | except: | ||
| 492 | pass | ||
| 493 | os._exit(parentuid != os.getuid()) | ||
| 494 | |||
| 495 | ret = os.waitpid(pid, 0)[1] | ||
| 496 | if ret: | ||
| 497 | bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n" | ||
| 498 | "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.") | ||
| 499 | |||
| 500 | |||
| 478 | # Require at least gcc version 8.0 | 501 | # Require at least gcc version 8.0 |
| 479 | # | 502 | # |
| 480 | # This can be fixed on CentOS-7 with devtoolset-6+ | 503 | # This can be fixed on CentOS-7 with devtoolset-6+ |
| @@ -641,6 +664,7 @@ def check_sanity_version_change(status, d): | |||
| 641 | status.addresult(check_git_version(d)) | 664 | status.addresult(check_git_version(d)) |
| 642 | status.addresult(check_perl_modules(d)) | 665 | status.addresult(check_perl_modules(d)) |
| 643 | status.addresult(check_wsl(d)) | 666 | status.addresult(check_wsl(d)) |
| 667 | status.addresult(check_userns()) | ||
| 644 | 668 | ||
| 645 | missing = "" | 669 | missing = "" |
| 646 | 670 | ||