[baker-baker] sandbox compile

T. Onoma transami at runbox.com
Tue Dec 16 23:50:33 EST 2003


On Saturday 13 December 2003 04:00 pm, Mika Pesu wrote:
> hmm, I didn't know/notice this, so we have to think of another way to do
> safe building...

Hi, 

Sorry I haven't been about the last few days. I have been working on some 
other code.

I've given the fakeroot issue a lot of thought. As best as I can tell, there 
is, as of yet, no "perfect" way to handle this. Therefore, I think the best 
course of action is to:

1. extract source package to /pkg/program/build
2. Use mount --bind -r / /pkg/program/real_root
3. Use mount --bind -r /pkg/dependency1 /pkg/program/require/dependency1, etc.
4. Setup and chroot /pkg/program
5. Set ENV vars in chroot for lib path, etc. to include root and dependencies.
6. Build and install
7. Commit link or copy

Note that /pkg can be a different directory depending on settings.

I think this is the best solution for a couple of reasons: Even though mount 
--bind does not, as of yet, correctly mount the dir as read-only, from what I 
understand it is considered a bug and will be fixed. Also, other operating 
systems, like BSD, have the same feature (although different syntax, but that 
difference can be accounted for). Lastly, by mounting to subdirectories and 
using environment variables we help prevent alteration to real root.

In the future, we can keep our eye out for a mature cross-platform 
copy-on-write or union/stackable VFS, or perhaps even better route through a 
distributed file system. But for now we must utilize what is readily 
available.

I want to thank you, Mika, especially for working so hard to investigate the 
possibilities. It made all the difference.

T.

P.S. I'll get back to work on the code ASAP and finish getting this stuff in.
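
Added example, not part of the original message and not Baker's own code: a sketch of steps 2 and 3 that does not trust the bind mount to be read-only but checks it. It uses the two-step form from mount(8) on current Linux (bind, then `remount,bind,ro`) and reads the per-mount options from /proc/self/mountinfo. The function names, the DRY_RUN switch and the sample mountinfo lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Paths follow the layout in the post; everything else is assumed.

# Constructed sample in /proc/self/mountinfo format:
# field 5 = mount point, field 6 = per-mount options (what a bind remount changes).
sample_mountinfo() {
cat <<'EOF'
36 25 8:1 / /pkg/program/real_root rw,relatime shared:1 - ext4 /dev/sda1 rw
37 25 8:1 /pkg/dependency1 /pkg/program/require/dependency1 ro,relatime shared:1 - ext4 /dev/sda1 rw
EOF
}

# mount_is_ro MOUNTPOINT [MOUNTINFO_FILE]
# Succeeds only if MOUNTPOINT is listed and its per-mount options contain "ro".
# If several mounts are stacked on one path, the last (topmost) entry decides.
mount_is_ro() {
    awk -v mp="$1" '
        $5 == mp {
            found = 1; ro = 0
            n = split($6, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { exit (found && ro) ? 0 : 1 }
    ' "${2:-/proc/self/mountinfo}"
}

# Print commands instead of running them unless DRY_RUN=0 (real run needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# bind_ro SRC DST: bind-mount SRC at DST, remount it read-only, then verify.
# Fails (non-zero) if the mount ends up writable, so the build never starts
# inside a chroot that can alter the real root or a dependency.
bind_ro() {
    run mkdir -p "$2" &&
    run mount --bind "$1" "$2" &&
    run mount -o remount,bind,ro "$2" || return 1
    [ "${DRY_RUN:-1}" = 1 ] || mount_is_ro "$2"
}
```

In the constructed sample, real_root is still `rw`, which is the state the check is meant to catch before chrooting and building.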
