Red Hat Bugzilla – Bug 146650
RFE: enhance chroot-installation
Last modified: 2014-01-21 17:51:15 EST
Description of problem:
Some ideas how to enhance the '--installroot' mode:
* allow '$releasever' to be overridden directly; this allows using the
same yum.repos.d directory for both the host and the guest
* allow specifying that 'cachedir', 'reposdir' and 'logfile' are located
outside of the chroot. Currently, some magic is used to test where
these directories are located. This causes both nondeterministic and
insecure behaviour. E.g. an attacker within the chroot could make
/var/cache/yum a symlink into the host and cause file removals there.
Sharing a 'cachedir' between several guests could also save disk space
and network traffic.
* it would be nice if the paths mentioned above could be overridden on
the CLI. So the same configuration could be used for all guest systems.
Version-Release number of selected component (if applicable):
Created attachment 111435 [details]
Allows to specify (non-)chroot relative paths with 'hostfs://' resp. 'chrootfs://' prefixes
This patch solves the second point by introducing two new prefixes for
pathnames. When not used, the current behavior will not be changed.
Any comments Seth?
adding non-real protocols to the relative paths is not going to happen in yum.
1. it adds unnecessary complexity
2. it'll be a bitch to maintain forever, esp when someone gets the wise idea of
actually having a hostfs:// or chrootfs:// protocol
3. it's a pretty narrow requirement
4. it's a lot more easily solved with the plugin infrastructure that's being
worked on in yum now, so that if YOU want to maintain stuff like this in your
own plugins, then YOU can, but I'm not going to.
When speaking about complexity: you can remove complexity by removing the magic
which guesses the final paths. When you want files in the chroot, then specify
the path within the chroot. The complexity in my patch was required to remove
this complexity. When you do not want protocol specifiers, then use a trampfs style
/[hostfs]/ resp. /[chrootfs]/
or use relative paths to guess the final destination.
Created attachment 112920 [details]
Patch for yum-2.3.2
Attached is an updated version for yum-2.3.2. This applies the same
changes for the lockfile also which is made configurable. Now, the
main configuration file is searched in chroot only, when it was not
specified on the CLI explicitly.
I do not see how the current plugin system would solve the problem of
the magic detection of configuration files. AFAIS, the hooks are called
much too late so they can not modify the internal configuration values.
Perhaps the getRootedPath() method should be implemented by plugins?
Created attachment 112921 [details]
patch for yum-2.2.1
Created attachment 115657 [details]
patch against yum-2.3.3
Created attachment 116574 [details]
patch against yum-2.3.4
Look at implementing this as a yum plugin. There is a separate package of them
called yum-utils in the Fedora Extras repository now. Seth Vidal has already
commented that it has a better chance of being implemented as a plugin and not
in yum itself. Closing this one.
See comment #5; my patch begins to work before any configuration will be read
(e.g. it determines the location of 'yum.conf'). The brokenness which is fixed by
my patch is caused by redundant code in the yum codebase which is spread across
several places. So I really do not see how to make it a yum plugin.
Btw; last patch applies to yum-2.4.0 also.
Does this patch provide a bug fix or does it add an enhancement? If you are
providing a patch to fix bugs there is no need to combine them with something
that adds additional functionality. The enhancement to provide chroot
functionality can still be a yum plugin.
Yes, it fixes a bug. 'yum' has an undefined behavior when it is used for chroot
operations: sometimes it reads information from the chroot, sometimes from the
host. This can be a security risk e.g. when used in combination with vservers.
There is no new functionality provided by the patch.
I'm not taking this patch as a Fedora specific change. I'm not convinced that
it's really needed and I do a fair bit with yum in chroots.
Created attachment 126765 [details]
patch against yum-2.6.0
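
The symlink problem from the bug description, as an added example that is not part of the original report and is not code from yum or from the attached patches. `guessed_path` is a simplified model of the "magic" the reporter describes, `explicit_path` is a hypothetical replacement in which the caller states whether a path is on the host or in the chroot, and the directory layout is constructed in a temporary directory.

```python
import os
import tempfile


class EscapesRoot(Exception):
    """The chroot-relative path resolves to a location outside the install root."""


def guessed_path(installroot, path):
    # Simplified model of the guessing the report describes: prefer the copy
    # inside the chroot if it exists, otherwise fall back to the host path.
    rooted = os.path.join(installroot, path.lstrip("/"))
    return rooted if os.path.exists(rooted) else path


def explicit_path(installroot, path, on_host):
    # Hypothetical helper: the caller states where the path lives; nothing is probed.
    if on_host:
        return os.path.realpath(path)
    root = os.path.realpath(installroot)
    resolved = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Follow symlinks first, then require the result to stay under the root.
    if os.path.commonpath([root, resolved]) != root:
        raise EscapesRoot("%s resolves to %s, outside %s" % (path, resolved, root))
    return resolved


def demo():
    # Constructed layout: a "host" directory and a guest root whose
    # /var/cache/yum has been replaced by a symlink pointing at the host.
    base = tempfile.mkdtemp()
    host_data = os.path.join(base, "host-data")
    root = os.path.join(base, "guest")
    os.makedirs(host_data)
    os.makedirs(os.path.join(root, "var", "cache"))
    os.makedirs(os.path.join(root, "var", "log"))
    os.symlink(host_data, os.path.join(root, "var", "cache", "yum"))

    guessed = os.path.realpath(guessed_path(root, "/var/cache/yum"))
    try:
        explicit_path(root, "/var/cache/yum", on_host=False)
        rejected = False
    except EscapesRoot:
        rejected = True
    logdir = explicit_path(root, "/var/log", on_host=False)
    in_root = logdir.startswith(os.path.realpath(root))
    return guessed == os.path.realpath(host_data), rejected, in_root
```

The containment test is a point-in-time check, so it does not help if the guest can change the link after it runs; keeping 'cachedir' and 'logfile' at an explicit host location, as the report proposes, avoids depending on guest-controlled paths at all.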