From patchwork Thu Dec 5 15:53:12 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Anton Mikanovich
X-Patchwork-Id: 3972
From: Anton Mikanovich
To: isar-users@googlegroups.com
Cc: Anton Mikanovich
Subject: [RFC 1/1] meta: Protect schroot config management
Date: Thu, 5 Dec 2024 17:53:12 +0200
Message-Id: <20241205155312.2373479-2-amikan@ilbers.de>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20241205155312.2373479-1-amikan@ilbers.de>
References: <20241205155312.2373479-1-amikan@ilbers.de>

As schroot itself is not thread safe and can fail in case of reading chroot/session config files when another instance is removing those files, we need to add external locking for race protection.

Run schroot through a flock-protected script provided via PATH by default. Also protect the removal of configs with the same lock.

Signed-off-by: Anton Mikanovich
--- meta/classes/dpkg.bbclass | 3 +++ meta/classes/sbuild.bbclass | 6 ++++++ scripts/schroot | 43 +++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100755 scripts/schroot diff --git a/meta/classes/dpkg.bbclass b/meta/classes/dpkg.bbclass index ef85890a..64404103 100644 --- a/meta/classes/dpkg.bbclass 
+++ b/meta/classes/dpkg.bbclass @@ -96,6 +96,9 @@ dpkg_runbuild() { export SBUILD_CONFIG="${SBUILD_CONFIG}" + # Provide locking filter for schroot + sbuild_add_env_filter "PATH" + for envvar in http_proxy HTTP_PROXY https_proxy HTTPS_PROXY \ ftp_proxy FTP_PROXY no_proxy NO_PROXY; do sbuild_add_env_filter "$envvar" diff --git a/meta/classes/sbuild.bbclass b/meta/classes/sbuild.bbclass index f68e8735..1ab72aad 100644 --- a/meta/classes/sbuild.bbclass +++ b/meta/classes/sbuild.bbclass @@ -14,6 +14,9 @@ SCHROOT_CONF_FILE ?= "${SCHROOT_CONF}/chroot.d/${SBUILD_CHROOT}" SBUILD_CONFIG="${WORKDIR}/sbuild.conf" +# Lockfile available for all the users +SCHROOT_LOCKFILE = "/tmp/schroot.lock" + schroot_create_configs() { mkdir -p "${TMPDIR}/schroot-overlay" echo "Creating ${SCHROOT_CONF_FILE}" @@ -54,6 +57,8 @@ EOSUDO } schroot_delete_configs() { + (flock -x 9 + set -e sudo -s <<'EOSUDO' set -e if [ -d "${SBUILD_CONF_DIR}" ]; then @@ -63,6 +68,7 @@ schroot_delete_configs() { echo "Removing ${SCHROOT_CONF_FILE}" rm -f "${SCHROOT_CONF_FILE}" EOSUDO + ) 9>"${SCHROOT_LOCKFILE}" } sbuild_add_env_filter() { diff --git a/scripts/schroot b/scripts/schroot new file mode 100755 index 00000000..f5320a6a --- /dev/null +++ b/scripts/schroot @@ -0,0 +1,43 @@ +#!/bin/bash +# +# This software is a part of ISAR. +# Copyright (C) 2024 ilbers GmbH +# +# SPDX-License-Identifier: MIT + +set -e + +# Save command line +OPTS=("$@") + +# Analyze used flags +while [ $# -gt 0 ] +do + key="$1" + + case $key in + -b|--begin-session) + BEGIN="1" + ;; + -r|--run-session) + RUN="1" + ;; + -e|--end-session) + END="1" + ;; + esac + + shift +done + +# Use exclusive lock for configs rm, shared for any other calls +TYPE="-s" +if [ "$END" == "1" ]; then + TYPE="-x" +fi + +# A place for lock available for all the users +LOCKDIR="/tmp" + +# Run schroot protected with lock +flock $TYPE $LOCKDIR/schroot.lock /usr/bin/schroot "${OPTS[@]}"
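
Review bot: In the dpkg_runbuild() hunk of meta/classes/dpkg.bbclass, `sbuild_add_env_filter "PATH"` lets the whole build-host PATH through, and the only explanation is the comment "Provide locking filter for schroot". The wrapper in scripts/schroot only takes effect if its directory comes before /usr/bin in that PATH, and nothing visible in this patch sets or checks that ordering, so the locking can be skipped silently. Please document where scripts/ is put on PATH, and consider failing the build when `command -v schroot` does not resolve to the wrapper.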
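
Review bot: `SCHROOT_LOCKFILE = "/tmp/schroot.lock"` in the first meta/classes/sbuild.bbclass hunk puts a fixed, predictable lock name in a world-writable directory. The file is created by whichever user gets there first, with that user's umask, so the later `9>"${SCHROOT_LOCKFILE}"` redirect can fail for other users (on kernels with fs.protected_regular enabled, an O_CREAT open of another user's file in a sticky directory is refused), and any local user can hold the lock and stall every build. Suggest a dedicated lock directory with explicit ownership and mode, `?=` like the neighbouring SCHROOT_CONF_FILE so it can be overridden, and one definition shared with scripts/schroot, which hardcodes `LOCKDIR="/tmp"` separately.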
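
Review bot: In schroot_delete_configs(), `flock -x 9` runs before the added `set -e`, so unless errexit is already inherited by the subshell a failed flock falls through and the `rm -f` runs without the lock. Put `set -e` first or write `flock -x 9 || exit 1`. There is also no timeout (`-w`), so a stuck lock holder blocks the task indefinitely without a message. schroot_create_configs() writes the same files and stays outside the lock; the commit message only covers removal, so please state whether a reader holding the shared lock can see a half-written config.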
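
Review bot: The option loop in the new scripts/schroot scans every argument, including those after `--` that belong to the command run inside the chroot, so an unrelated `-e` there selects the exclusive lock for the whole run. In the other direction, the `-e|--end-session)` pattern matches only those two exact strings, so any other spelling schroot accepts would end a session under the shared lock. Stop parsing at `--` and cover the accepted forms. BEGIN and RUN are assigned but never read and can be dropped. The lock is held for the full lifetime of /usr/bin/schroot, so a long run-session holding `-s` keeps every `-e` waiting; a comment on that trade-off would help. `$TYPE $LOCKDIR/schroot.lock` should be quoted.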