diff options
| author | Ross Burton <ross.burton@arm.com> | 2024-09-12 17:57:36 +0100 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-16 05:58:03 -0800 |
| commit | 016ca6a8a83761fe071f15ef76c6f2ba3a3f26d2 (patch) | |
| tree | 0a8a51a8473829e80e5e146ce0a12e1c34dff4be /meta/classes | |
| parent | da007b8f01bb8bf1e2661a7060ec45af83ab70b4 (diff) | |
| download | poky-016ca6a8a83761fe071f15ef76c6f2ba3a3f26d2.tar.gz | |
sanity: check for working user namespaces
If user namespaces are not available (typically because AppArmor is
blocking them), alert the user.
We consider network isolation sufficiently important that this is a fatal
error, and the user will need to configure AppArmor to allow bitbake to
create a user namespace.
[ YOCTO #15592 ]
(From OE-Core rev: a069b9f9ee6708022e12970d53262d966ee806ba)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/sanity.bbclass | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass index 293e405f62..3b13ba647e 100644 --- a/meta/classes/sanity.bbclass +++ b/meta/classes/sanity.bbclass | |||
| @@ -469,6 +469,29 @@ def check_wsl(d): | |||
| 469 | bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space") | 469 | bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space") |
| 470 | return None | 470 | return None |
| 471 | 471 | ||
| 472 | def check_userns(): | ||
| 473 | """ | ||
| 474 | Check that user namespaces are functional, as they're used for network isolation. | ||
| 475 | """ | ||
| 476 | |||
| 477 | # There is a known failure case with AppAmrmor where the unshare() call | ||
| 478 | # succeeds (at which point the uid is nobody) but writing to the uid_map | ||
| 479 | # fails (so the uid isn't reset back to the user's uid). We can detect this. | ||
| 480 | parentuid = os.getuid() | ||
| 481 | pid = os.fork() | ||
| 482 | if not pid: | ||
| 483 | try: | ||
| 484 | bb.utils.disable_network() | ||
| 485 | except: | ||
| 486 | pass | ||
| 487 | os._exit(parentuid != os.getuid()) | ||
| 488 | |||
| 489 | ret = os.waitpid(pid, 0)[1] | ||
| 490 | if ret: | ||
| 491 | bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n" | ||
| 492 | "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.") | ||
| 493 | |||
| 494 | |||
| 472 | # Require at least gcc version 7.5. | 495 | # Require at least gcc version 7.5. |
| 473 | # | 496 | # |
| 474 | # This can be fixed on CentOS-7 with devtoolset-6+ | 497 | # This can be fixed on CentOS-7 with devtoolset-6+ |
| @@ -634,6 +657,7 @@ def check_sanity_version_change(status, d): | |||
| 634 | status.addresult(check_git_version(d)) | 657 | status.addresult(check_git_version(d)) |
| 635 | status.addresult(check_perl_modules(d)) | 658 | status.addresult(check_perl_modules(d)) |
| 636 | status.addresult(check_wsl(d)) | 659 | status.addresult(check_wsl(d)) |
| 660 | status.addresult(check_userns()) | ||
| 637 | 661 | ||
| 638 | missing = "" | 662 | missing = "" |
| 639 | 663 | ||