Bug 1010309

Summary: Doesn't build with config_opts['basedir'] != '/var/lib/mock/'
Product: [Fedora] Fedora Reporter: Nils Philippsen <nphilipp>
Component: mockAssignee: Clark Williams <williams>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: mebrown, nphilipp, williams
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-06 14:23:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
root.log from failed mock build none

Description Nils Philippsen 2013-09-20 13:34:59 UTC 
Created attachment 800508 [details]
root.log from failed mock build

Description of problem:
If I set the basedir to my external hard disk (which mounts on /data -- space on the internal SSD is scarce)...

    config_opts['basedir'] = '/data/mock/lib'

...building packages in mock doesn't work anymore.

Version-Release number of selected component (if applicable):
mock-1.1.33-1.fc19.noarch
yum-3.4.3-106.fc19.noarch
rpm-4.11.1-3.fc19.x86_64

How reproducible:
reproducible

Steps to Reproduce:
1. Configure "config_opts['basedir'] = '/data/mock/lib'" in /etc/mock/site-defaults.cfg
2. "mock rebuild <some SRPM>" or in a dist-git checkout, "fedpkg mockbuild"

Actual results:
See attached root.log

Expected results:
building packages in mock works even if basedir is not the default

Additional info:
I think the SELinux context of /data/mock/{lib,cache} is correct, "ausearch -sv none -ts recent" doesn't yield results after a failed build.

nils@gibraltar:~> ls -lZa /data/mock/
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0  .
drwxrwxrwt. nils nils system_u:object_r:file_t:s0      ..
drwxrwsr-x. root mock unconfined_u:object_r:file_t:s0  cache
drwxrwsr-x. root mock system_u:object_r:mock_var_lib_t:s0 lib

Unlike bug #980244, the RPM database files have correct permissions:

nils@gibraltar:~> ls -l /data/mock/lib/fedora-rawhide-x86_64/root/var/lib/rpm
total 14212
-rw-r--r--. 1 root mock   761856 Sep 20 15:19 Basenames
-rw-r--r--. 1 root mock     8192 Sep 20 15:19 Conflictname
-rw-r--r--. 1 root mock   176128 Sep 20 15:19 Dirnames
-rw-r--r--. 1 root mock     8192 Sep 20 15:19 Group
-rw-r--r--. 1 root mock    12288 Sep 20 15:19 Installtid
-rw-r--r--. 1 root mock    16384 Sep 20 15:19 Name
-rw-r--r--. 1 root mock     8192 Sep 20 15:19 Obsoletename
-rw-r--r--. 1 root mock 13340672 Sep 20 15:19 Packages
-rw-r--r--. 1 root mock    98304 Sep 20 15:19 Providename
-rw-r--r--. 1 root mock    65536 Sep 20 15:19 Requirename
-rw-r--r--. 1 root mock    28672 Sep 20 15:19 Sha1header
-rw-r--r--. 1 root mock    16384 Sep 20 15:19 Sigmd5
-rw-r--r--. 1 root mock     8192 Sep 20 15:19 Triggername
Comment 1 Clark Williams 2013-11-01 15:32:44 UTC 
Hmmm, I created /home/tmp/mock on my system and then set basedir of a fedora-19-x86_64.cfg to point there. I got all kinds of weird errors until I set the gid bit of /home/tmp/mock to be setgid mock:

$ sudo chgrp mock /home/tmp/mock
$ sudo chmod g+s /home/tmp/mock

Then I could build packages with selinux turned on or off. 

I can't tell from your 'ls -lZa' whether the /data/mock directory is setgid mock. If it is then we need to dig deeper.
Comment 2 Clark Williams 2013-11-01 15:45:36 UTC 
On a different tack, our SELinux guru said that an easier way would be to bind-mount your /data/mock directory over /var/lib/mock:

$ sudo mount -bind /data/mock /var/lib/mock
Comment 3 Nils Philippsen 2013-11-04 13:07:46 UTC 
(In reply to Clark Williams from comment #1)
> Hmmm, I created /home/tmp/mock on my system and then set basedir of a
> fedora-19-x86_64.cfg to point there. I got all kinds of weird errors until I
> set the gid bit of /home/tmp/mock to be setgid mock:
> 
> $ sudo chgrp mock /home/tmp/mock
> $ sudo chmod g+s /home/tmp/mock
> 
> Then I could build packages with selinux turned on or off. 
> 
> I can't tell from your 'ls -lZa' whether the /data/mock directory is setgid
> mock. If it is then we need to dig deeper.

It is setgid mock:

nils@gibraltar:~> ls /data/mock/ -lZa
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 .
drwxrwxrwt. nils nils system_u:object_r:file_t:s0      ..
drwxrwsr-x. root mock unconfined_u:object_r:default_t:s0 cache
drwxrwsr-x. root mock system_u:object_r:default_t:s0   lib

(In reply to Clark Williams from comment #2)
> On a different tack, our SELinux guru said that an easier way would be to
> bind-mount your /data/mock directory over /var/lib/mock:
> 
> $ sudo mount -bind /data/mock /var/lib/mock

I'd like to do that, but /data is on an external disk and that would triple the number of mount operations:

mount /data
mount --bind /data/mock/lib /var/lib/mock
mount --bind /data/mock/cache /var/cache/mock

I've looked into mock's bind_mount options but they apparently only work for bind mounts into the build root, but not for the rest.
Comment 4 Clark Williams 2013-11-04 21:30:56 UTC 
(In reply to Nils Philippsen from comment #3)
> (In reply to Clark Williams from comment #2)
> > On a different tack, our SELinux guru said that an easier way would be to
> > bind-mount your /data/mock directory over /var/lib/mock:
> > 
> > $ sudo mount -bind /data/mock /var/lib/mock
> 
> I'd like to do that, but /data is on an external disk and that would triple
> the number of mount operations:
> 
> mount /data
> mount --bind /data/mock/lib /var/lib/mock
> mount --bind /data/mock/cache /var/cache/mock
> 

This is on a USB drive? Or eSATA? You should be able to script those bind mounts rather easily. 

> I've looked into mock's bind_mount options but they apparently only work for
> bind mounts into the build root, but not for the rest.

Correct, mock's main concern is getting the organization and contents of the chroot correct. 

From what I see in your root log, you're running on f19 and kicked off a package build for a rawhide/f21 package. It looks like most of the %post sections failed during the installation and then rpm decides that the rpmdb is corrupt. 

What type of filesystem is on this external drive? If you point to a local filesystem, say something in /var/tmp does it still error out as before?
Comment 5 Clark Williams 2013-11-04 21:56:15 UTC 
I just grabbed one of my external USB drives and tried to build an SRPM with the basedir set to that drive. Got the same sort of results as you did from rpm. This looks like an issue with NTFS (or HPFS or exFAT, whichever the drive filesystem is using).
Comment 6 Nils Philippsen 2013-11-06 14:23:48 UTC 
I think I've found the issue: because the FS (ext4 BTW) is mounted by me ("user"), it was mounted with "noexec,nosuid,nodev" which breaks mock/rpm in interesting ways (found this when I tried to run "make" in the kernel source tree that's on the same volume) -- not sure if mock could check for this situation.

Sorry for the hassle.