Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)

Builds in LP with the Xenial kernel were happy with the recursive mount of /sys inside the chroot while performing snap-preseeding but autopkgtests with the groovy kernel failed. With the groovy kernel the build was unable to unmount sys/kernel/slab/*/cgroup/* (Operation not permitted). This patch mounts /sys and /sys/kernel/security in the chroot in the same way we've added for binary hooks. This provides the paths under /sys needed for snap-preseed while avoiding issues unmounting other paths.
2025-03-04 16:01:24 +00:00 · 2020-07-18 16:52:18 -05:00 · 2020-07-18 16:52:18 -05:00 · 84397b5098
commit 84397b5098
parent b22d7dc38c
2 changed files with 8 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+livecd-rootfs (2.677) groovy; urgency=medium
+
+  * Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Sat, 18 Jul 2020 16:51:05 -0500
+
 livecd-rootfs (2.676) groovy; urgency=medium

  * apparmor: Add generic v5.4 kernel apparmor features
--- a/live-build/auto/build
+++ b/live-build/auto/build
@ -119,7 +119,8 @@ preinstall_snaps() {
 	fi

 	mount --rbind /dev chroot/dev
-	mount --rbind /sys chroot/sys
+	mount --bind /sys chroot/sys
+	mount --bind /sys/kernel/security chroot/sys/kernel/security
 	mount --bind /proc chroot/proc
 	# Provide more up to date apparmor features, matching target kernel
 	mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic chroot/sys/kernel/security/apparmor/features