Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)

Builds in LP with the Xenial kernel were happy with the recursive mount of
/sys inside the chroot while performing snap-preseeding but autopkgtests
with the groovy kernel failed.  With the groovy kernel the build was
unable to unmount sys/kernel/slab/*/cgroup/* (Operation not permitted).

This patch mounts /sys and /sys/kernel/security in the chroot in the
same way we've added for binary hooks.  This provides the paths under
/sys needed for snap-preseed while avoiding issues unmounting other
paths.
raspi-desktop-1
Robert C Jennings 4 years ago
parent b22d7dc38c
commit 84397b5098
No known key found for this signature in database
GPG Key ID: 740C3D9EEDF2ED73

6
debian/changelog vendored

@ -1,3 +1,9 @@
livecd-rootfs (2.677) groovy; urgency=medium
* Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)
-- Robert C Jennings <robert.jennings@canonical.com> Sat, 18 Jul 2020 16:51:05 -0500
livecd-rootfs (2.676) groovy; urgency=medium livecd-rootfs (2.676) groovy; urgency=medium
* apparmor: Add generic v5.4 kernel apparmor features * apparmor: Add generic v5.4 kernel apparmor features
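Review bot: the new 2.677 entry states only what is avoided ("Avoid rbind /sys") and not what replaces it. Consider adding that /sys and /sys/kernel/security are now bind-mounted individually for snap pre-seeding, plus a bug reference if one exists for the autopkgtest failure, so the changelog can be read without the commit message.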

@ -119,7 +119,8 @@ preinstall_snaps() {
fi fi
mount --rbind /dev chroot/dev mount --rbind /dev chroot/dev
mount --rbind /sys chroot/sys mount --bind /sys chroot/sys
mount --bind /sys/kernel/security chroot/sys/kernel/security
mount --bind /proc chroot/proc mount --bind /proc chroot/proc
# Provide more up to date apparmor features, matching target kernel # Provide more up to date apparmor features, matching target kernel
mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic chroot/sys/kernel/security/apparmor/features mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic chroot/sys/kernel/security/apparmor/features
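Review bot: the added `mount --bind /sys/kernel/security chroot/sys/kernel/security` in preinstall_snaps() introduces a second mount under chroot/sys, and this hunk shows no matching teardown change. Check that the cleanup path unmounts chroot/sys/kernel/security/apparmor/features, then chroot/sys/kernel/security, then chroot/sys, in that order, since a plain umount of chroot/sys fails while nested mounts are still present. A short comment above the two lines saying why --bind is used rather than --rbind would keep the recursive mount from being reintroduced later. `mount --rbind /dev chroot/dev` on the line above is still recursive, so it is worth confirming that its teardown does not have the same problem.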
