akachanova/abuild
1
0
Fork 0
forked from rpms/abuild
Code Pull Requests Activity

Compare commits

merge into: akachanova:c9
Branches Tags
akachanova:c9
akachanova:pf-632-reapply-sysctl
rpms:c9
...
pull from: rpms:c9
Branches Tags
rpms:c9
akachanova:c9
akachanova:pf-632-reapply-sysctl

1 Commits
c9 ... c9

Author SHA1 Message Date
Aleksandra Kachanova
1c56b304cd Reapply user.max_user_namespaces sysctl before rootbld bwrap (#4) 
Reviewed-on: rpms/abuild#4
Co-authored-by: Aleksandra Kachanova <akachanova@cloudlinux.com>
Co-committed-by: Aleksandra Kachanova <akachanova@cloudlinux.com>
 2026-06-15 12:59:21 +00:00
2 changed files with 39 additions and 1 deletions
Show Stats Expand all files Collapse all files

33
SOURCES/0005-Reapply-sysctl-before-rootbld.patch Normal file
View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000005 Mon Sep 17 00:00:00 2001
From: Aleksandra Kachanova <akachanova@cloudlinux.com>
Date: Mon, 15 Jun 2026 12:00:00 +0000
Subject: [PATCH] PF-632: re-assert max_user_namespaces before rootbld bwrap
A concurrent, non-isolated RPM build on the same node can run
`sysctl --system` inside its mock chroot (e.g. cloudlinux-linksafe's
%posttrans re-applies the el7 base config), which resets the host's
user.max_user_namespaces to 0. bwrap then fails to create a user
namespace with the misleading "No space left on device". Re-assert the
value immediately before invoking bwrap. Best-effort: never fail the
build if the re-assert is denied.
---
abuild.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/abuild.in b/abuild.in
index 4447b4d..5555555 100644
--- a/abuild.in
+++ b/abuild.in
@@ -2636,6 +2636,9 @@ rootbld() {
printf("%s\n", users[i]) > (root "/passwd")
}'
+ # PF-632: re-assert user.max_user_namespaces before bwrap (a concurrent RPM build's sysctl --system can reset it to 0).
+ sudo -n sysctl -w user.max_user_namespaces=20000 >/dev/null 2>&1 || true
+
local bwrap_opts=""
options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
bwrap --new-session --unshare-ipc --unshare-uts $bwrap_opts \
--
2.43.5

7
SPECS/abuild.spec
View File

@ -1,6 +1,6 @@
Name: abuild Name: abuild
Version: 3.15.0 Version: 3.15.0
Release: 1%{?dist} Release: 2%{?dist}
Summary: Alpine build tools Summary: Alpine build tools
License: GPL-2.0-or-later License: GPL-2.0-or-later
@ -13,6 +13,7 @@ Patch0: 0001-Do-not-build-docs.patch
Patch1: 0002-Allow-running-abuild-rootbld.patch Patch1: 0002-Allow-running-abuild-rootbld.patch
Patch2: 0003-Pass-startdir-as-a-bind-mount.patch Patch2: 0003-Pass-startdir-as-a-bind-mount.patch
Patch3: 0004-Backport-b0d3dbe3.patch Patch3: 0004-Backport-b0d3dbe3.patch
Patch4: 0005-Reapply-sysctl-before-rootbld.patch
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: make BuildRequires: make
@ -58,6 +59,7 @@ abuild is a set of scripts used to build Alpine Linux packages.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1
%build %build
make VERSION=%{version} make VERSION=%{version}
@ -100,5 +102,8 @@ done
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%changelog %changelog
* Mon Jun 15 2026 Aleksandra Kachanova <akachanova@cloudlinux.com> - 3.15.0-2
- Reapply user.max_user_namespaces sysctl before rootbld bwrap (PF-632)
* Mon Jul 07 2025 Andrew Lukoshko <alukoshko@cloudlinux.com> - 3.15.0-1 * Mon Jul 07 2025 Andrew Lukoshko <alukoshko@cloudlinux.com> - 3.15.0-1
- Initial RPM release - Initial RPM release