Bug 1774499
| Summary: | mock: Use chroot mode by default | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | mock | Assignee: | Miroslav Suchý <msuchy> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | jdisnard, jkeating, mebrown, mhroncok, msuchy, philip.wyett, praiskup, williams, zbyszek |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-21 08:26:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Florian Weimer
2019-11-20 12:30:15 UTC
To be sure - it is sufficient to disable it only for fedora-rawhide-i386 config. Right?

No, the pidfd_open filter affects everyone. See bug 1774417 comment 2.

I'll ask around for a simple sandbox replacement which still gives us the obvious benefit of namespaces (such as TCP/UDP port isolation), without all the hassle.

A lot of people put a lot of effort to learn Mock to use systemd-nspawn. I am not a big fan of turning everything off. I think this should be fixed in systemd-nspawn instead of Mock.

It should be already fixed (in updates-testing for F31 and rawhide). Latest systemd update and libseccomp are needed. It happened that a bunch of syscalls were added to the kernel, and nobody happened to hit them until now. As soon as the issue was reported, it was fixed. The fix is generally very simple, just adding a line to a table.

Thank you @zbyszek. I think we can close this BZ then.