Red Hat Bugzilla – Bug 146650
RFE: enhance chroot-installation
Last modified: 2014-01-21 17:51:15 EST
Description of problem: Some ideas how to enhance the '--installroot' mode: * let override '$releasever' directly; this allows to use the same yum.repos.d directory for both the host and the guest systems. * allow to specify that 'cachedir', 'reposdir' and 'logfile' are located outside of the chroot. Currently, some magic is used to test where this directories are located. This causes both an undeterministic and an insecure behaviour. E.g. an attacker withing the chroot could make /var/cache/yum a symlink into the host and cause fileremovals there. Shareing a 'cachedir' between several guests could save diskspace and network traffic also. * it would be nice when the paths mentioned above could be overridden on the CLI. So the same configuration could be used for all guestsystems. Version-Release number of selected component (if applicable): yum-2.1.12-0.fc3
Created attachment 111435 [details] Allows to specify (non-)chroot relative paths with 'hostfs://' resp. 'chrootfs://' prefixes This patch solves the second point by introducing two new prefixes for pathnames. When not used, the current behavior will not be changed.
Any comments Seth?
adding non-real protocols to the relative paths is not going to happen in yum. 1. it adds unnecessary complexity 2. it'll be a bitch to maintain forever, esp when someone gets the wise idea of actually having a hostfs:// or chrootfs:// protocol 3. it's a pretty narrow requirement 4. it's a lot more easily solved with the plugin infrastructure that's being worked on in yum now, so that if YOU want to maintain stuff like this in your own plugins, then YOU can, but I'm not going to.
When speaking about complexity: you can remove complexity by removing the magic which guesses the final paths. When you want files in the chroot, then specify the path within the chroot. The complexity in my patch was required to remove this complexity. When you do not want protocol specifiers, then use a trampfs style /[hostfs]/ resp. /[chrootfs]/ or use relative paths to guess the final destination.
Created attachment 112920 [details] Patch for yum-2.3.2 Attached is an updated version for yum-2.3.2. This applies the same changes for the lockfile also which is made configurable. Now, the main configuration file is searched in chroot only, when it was not specified on the CLI explicitly. I do not see how the current plugin system would solve the problem of the magic detection of configuration files. AFAIS, the hooks are called much too late so they can not modify the internal configuration values. Perhaps the getRootedPath() method should be implemented by plugins?
Created attachment 112921 [details] patch for yum-2.2.1
Created attachment 115657 [details] patch against yum-2.3.3
Created attachment 116574 [details] patch against yum-2.3.4
Enrico Scholz, Look at implementing this as yum plugin. There is a seperate package of them called yum-utils in the Fedora Extras repository now. Seth Vidal has already commented that it has a better chance of being implemented as a plugin and not in yum itself. Closing this one
see comment #5; my patch begins to work before any configuration will be read (e.g. it determines the location of 'yum.conf'). The brokeness which is fixed by my patch is caused by redundant code in the yum codebase which is spread across several places. So I really do not see how to make it a yum plugin. Btw; last patch applies to yum-2.4.0 also.
Does this patch provide a bug fix or does it add a enhancement?. If you are providing a patch to fix bugs there is no need to combine them with something that adds additional functionality. The enhancement to provide chroot functionality can still be a yum plugin.
Yes, it fixes a bug. 'yum' has an undefined behavior when it used for chroot operations: sometimes it reads information from the chroot, sometimes from the host. This can be a security risk e.g. when used in combination with vservers. There is no new functionality provided by the patch.
I'm not taking this patch as a Fedora specific change. I'm not convinced that it's really needed and I do a fair bit with yum in chroots.
Created attachment 126765 [details] patch against yum-2.6.0