
Support passing --disable-rofiles-fuse to --run

Open barthalion opened this issue 5 years ago • 5 comments

Feb 18 '20 12:02 barthalion

Can one of the admins verify this patch? I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

Feb 18 '20 12:02 rh-atomic-bot

This is an extremely dangerous operation. Typically the files in /app (i.e. the build dir) are hardlinks into the flatpak-builder build cache, and unless you use rofiles-fuse the container can do modifications of the files in there which changes what's in the cache, breaking it in unexpected ways.

We do allow --disable-rofiles-fuse in the build stages because we then are in control of what we're running against and can ensure the cache checkouts are not hardlinks (by setting force_copy=TRUE in the cache ostree checkout operation). This makes the build slower but it's safe. However, "flatpak-builder --run" just uses whatever is currently in the builddir, and there is no guarantee that what is there was built with --disable-rofiles-fuse.

Maybe we can store some kind of hint in the builddir when it contains a hardlinked cache checkout and allow disabling rofiles if that is not there. In fact, if we did that we could automatically skip the rofiles fuse when it is not necessary.

What exactly is your usecase for this?

Feb 18 '20 13:02 alexlarsson

There are GNOME pipelines using flatpak-builder --run builddir to retain SDK extensions and run meson and ninja. I don't know the full rationale why the build isn't self-contained in the first place though. Other pipelines also run a number of flatpak build commands on builddir created by flatpak-builder but I haven't tested them yet if they work in the Docker container.

The use case is that GNOME doesn't have ephemeral builders anymore so I'm trying to strip CI builds from --privileged.

Feb 18 '20 15:02 barthalion

These two, to be exact, which are later re-used by most projects.

  • https://gitlab.gnome.org/GNOME/citemplates/blob/master/flatpak/flatpak-ci-initiative-sdk-extensions.yml
  • https://gitlab.gnome.org/GNOME/citemplates/blob/master/flatpak/flatpak_ci_initiative.yml

Feb 18 '20 15:02 barthalion

Ok then. I think any time we do builder_cache_checkout () with options.force_copy = FALSE, we should also create a file .hardlinked-cache in the checkout dir, and we should then filter this out in commit_filter() in the same file. Then flatpak-builder run should be changed to only enable rofuse if this file exists in the builddir.

Feb 18 '20 16:02 alexlarsson
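
The hazard and the marker-file idea discussed in this thread, as an added shell illustration that is not flatpak-builder's code: an in-place write through a hardlinked checkout changes the cache object, a copied checkout does not, and a hint file can record which kind a builddir holds. The function names are hypothetical; only the `.hardlinked-cache` name comes from the thread, and the file contents are constructed sample data.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not flatpak-builder APIs.

# checkout CACHE_OBJ BUILDDIR MODE
# Place the cached file into BUILDDIR as a hardlink (shares the inode with
# the cache) or as a full copy (the force_copy behaviour described above).
checkout() {
    mkdir -p "$2"
    if [ "$3" = hardlink ]; then
        ln "$1" "$2/file"
        : > "$2/.hardlinked-cache"    # hint file proposed in the thread
    else
        cp "$1" "$2/file"
    fi
}

# needs_rofiles BUILDDIR
# Succeeds when the builddir was marked as sharing inodes with the cache,
# i.e. when write protection must stay enabled.
needs_rofiles() {
    [ -e "$1/.hardlinked-cache" ]
}

# cache_intact_after_write MODE
# Simulates a command in the builddir rewriting a file in place, then
# reports (exit 0) whether the cache object kept its original content.
cache_intact_after_write() {
    tmp=$(mktemp -d) || return 2
    printf 'original\n' > "$tmp/cache-object"            # constructed sample
    checkout "$tmp/cache-object" "$tmp/builddir" "$1"
    printf 'modified by build\n' > "$tmp/builddir/file"  # truncates same inode
    result=1
    [ "$(cat "$tmp/cache-object")" = original ] && result=0
    rm -rf "$tmp"
    return $result
}

for mode in hardlink copy; do
    if cache_intact_after_write "$mode"; then
        echo "$mode checkout: cache object intact"
    else
        echo "$mode checkout: cache object was modified"
    fi
done
```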