
Use mount namespace instead of chroot

Open valentindavid opened this issue 3 years ago • 2 comments

This allows us not to worry about mounts done within the namespace. We can now bind mount files into the sysroot instead of copying them.

valentindavid, Jun 16 '22 11:06

I would like to get #61 merged first and I will rebase it. I keep it as draft for the moment.

valentindavid, Jun 16 '22 11:06

The approach is interesting but tbh I am not totally bought on this, which are the advantages from your POV?

Namespaces can isolate better than chroot in general.

My main reason here is that we can hide the mounts done within the namespace from the rest of the system. So when the build is done and some mounts were not unmounted properly, it is fine, because they will be removed with the namespace.

Mounting of /proc in hooks/001-extra-packages.chroot was the reason I did this. First of all, we should always have /proc mounted. And if we did mount things in the hook scripts, then we should make sure they are not exposed to the rest of the system.

valentindavid, Aug 11 '22 12:08
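The shape of what the discussion above describes, as an added example that is not core-base's own code: a hook runs chrooted inside a private mount namespace (so /proc is always mounted and anything the hook leaves mounted disappears with the namespace), plus a host-side check that lists mounts still sitting under the sysroot. It assumes util-linux `unshare`, a sysroot directory and a hook path supplied by the caller; `run_hook_in_mount_ns` needs CAP_SYS_ADMIN, `leaked_mounts` does not.

```shell
#!/bin/sh
# Added example, not core-base code. Assumes util-linux unshare(1) and
# a hook script path relative to the sysroot (e.g. /hooks/001-extra-packages.chroot).
set -eu

# Run HOOK chrooted into SYSROOT inside a fresh mount namespace.
# --propagation private stops mounts made inside from propagating to the host,
# so a /proc the hook forgets to unmount cannot leak into the host's mount table.
run_hook_in_mount_ns() {
    sysroot=$1; hook=$2
    unshare --mount --propagation private /bin/sh -eu -c '
        sysroot=$1; hook=$2
        # /proc is always present for the hook; it vanishes with the namespace.
        mount --bind /proc "$sysroot/proc"
        # Bind a host file into the sysroot instead of copying it (target must exist).
        touch "$sysroot/etc/resolv.conf"
        mount --bind /etc/resolv.conf "$sysroot/etc/resolv.conf"
        chroot "$sysroot" "$hook"
    ' sh "$sysroot" "$hook"
}

# Print mount points below SYSROOT as seen in MOUNTINFO (default: this process).
# Run on the host after a build: any output means a mount escaped the namespace.
# Field 5 of /proc/self/mountinfo is the mount point; spaces there are escaped
# as \040, so whitespace splitting is safe.
leaked_mounts() {
    sysroot=$1; mountinfo=${2:-/proc/self/mountinfo}
    awk -v root="$sysroot/" 'index($5, root) == 1 { print $5 }' "$mountinfo"
}
```

After a build, `leaked_mounts /path/to/sysroot` printing nothing is the expected result; with the namespace approach a stray mount inside a hook no longer shows up here.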