From patchwork Fri Dec 20 08:29:59 2024
X-Patchwork-Submitter: Anton Mikanovich
X-Patchwork-Id: 3992
From: Anton Mikanovich
To: isar-users@googlegroups.com
Cc: Anton Mikanovich
Subject: [PATCH 1/1] meta: Protect schroot config management
Date: Fri, 20 Dec 2024 10:29:59 +0200
Message-Id: <20241220082959.3123651-2-amikan@ilbers.de>
In-Reply-To: <20241220082959.3123651-1-amikan@ilbers.de>
References: <20241220082959.3123651-1-amikan@ilbers.de>

As schroot itself is not thread safe and can fail when reading
chroot/session config files while another instance is removing those
files, we need to add external locking for race protection.

Run schroot through a flock-protected script provided via PATH by default.
Also protect the removal of configs with the same lock.

Signed-off-by: Anton Mikanovich
---
 meta/classes/dpkg.bbclass   |  3 +++
 meta/classes/sbuild.bbclass |  6 ++++++
 scripts/schroot             | 43 +++++++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100755 scripts/schroot

diff --git a/meta/classes/dpkg.bbclass b/meta/classes/dpkg.bbclass index ef85890a..64404103 100644 --- a/meta/classes/dpkg.bbclass 
+++ b/meta/classes/dpkg.bbclass @@ -96,6 +96,9 @@ dpkg_runbuild() { export SBUILD_CONFIG="${SBUILD_CONFIG}" + # Provide locking filter for schroot + sbuild_add_env_filter "PATH" + for envvar in http_proxy HTTP_PROXY https_proxy HTTPS_PROXY \ ftp_proxy FTP_PROXY no_proxy NO_PROXY; do sbuild_add_env_filter "$envvar" diff --git a/meta/classes/sbuild.bbclass b/meta/classes/sbuild.bbclass index f68e8735..1ab72aad 100644 --- a/meta/classes/sbuild.bbclass +++ b/meta/classes/sbuild.bbclass @@ -14,6 +14,9 @@ SCHROOT_CONF_FILE ?= "${SCHROOT_CONF}/chroot.d/${SBUILD_CHROOT}" SBUILD_CONFIG="${WORKDIR}/sbuild.conf" +# Lockfile available for all the users +SCHROOT_LOCKFILE = "/tmp/schroot.lock" + schroot_create_configs() { mkdir -p "${TMPDIR}/schroot-overlay" echo "Creating ${SCHROOT_CONF_FILE}" @@ -54,6 +57,8 @@ EOSUDO } schroot_delete_configs() { + (flock -x 9 + set -e sudo -s <<'EOSUDO' set -e if [ -d "${SBUILD_CONF_DIR}" ]; then @@ -63,6 +68,7 @@ schroot_delete_configs() { echo "Removing ${SCHROOT_CONF_FILE}" rm -f "${SCHROOT_CONF_FILE}" EOSUDO + ) 9>"${SCHROOT_LOCKFILE}" } sbuild_add_env_filter() { diff --git a/scripts/schroot b/scripts/schroot new file mode 100755 index 00000000..f5320a6a --- /dev/null +++ b/scripts/schroot @@ -0,0 +1,43 @@ +#!/bin/bash +# +# This software is a part of ISAR. +# Copyright (C) 2024 ilbers GmbH +# +# SPDX-License-Identifier: MIT + +set -e + +# Save command line +OPTS=("$@") + +# Analyze used flags +while [ $# -gt 0 ] +do + key="$1" + + case $key in + -b|--begin-session) + BEGIN="1" + ;; + -r|--run-session) + RUN="1" + ;; + -e|--end-session) + END="1" + ;; + esac + + shift +done + +# Use exclusive lock for configs rm, shared for any other calls +TYPE="-s" +if [ "$END" == "1" ]; then + TYPE="-x" +fi + +# A place for lock available for all the users +LOCKDIR="/tmp" + +# Run schroot protected with lock +flock $TYPE $LOCKDIR/schroot.lock /usr/bin/schroot "${OPTS[@]}"
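
Review bot: the new comment above `sbuild_add_env_filter "PATH"` in dpkg_runbuild() does not say why PATH is needed: the locking only takes effect if the directory holding scripts/schroot comes before /usr/bin in the PATH that is passed through. State that dependency in the comment, and consider failing early when `command -v schroot` resolves to /usr/bin/schroot, because in that case the build silently runs without the lock. Passing the caller's whole PATH through also lets any earlier PATH entry shadow other tools, so a narrower mechanism, such as an explicit variable naming the wrapper, would be easier to reason about.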
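
Review bot: `SCHROOT_LOCKFILE = "/tmp/schroot.lock"` in sbuild.bbclass puts the lock at a fixed, predictable name in a world-writable directory, and scripts/schroot hard-codes the same path separately through `LOCKDIR="/tmp"`. Any local user can create that file first or hold a lock on it, which stalls every build on the host, and the `9>` redirection in schroot_delete_configs() truncates whatever the name resolves to. A lock directory that only the build users can write to avoids this, and the wrapper should take the path from one shared definition so the two copies cannot drift apart.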
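
Review bot: in schroot_delete_configs() the subshell runs `flock -x 9` before `set -e`, so unless errexit is already active in the caller, a failed flock falls through and the configs are removed without the lock. Put `set -e` first or write `flock -x 9 || exit 1`. A comment on why schroot_create_configs(), which creates the same `${SCHROOT_CONF_FILE}`, stays outside the lock would also help.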
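
Review bot: the option loop in scripts/schroot scans every argument, including those after `--` that belong to the command run inside the chroot, so a command argument such as `-e` switches the call to the exclusive lock. Stop scanning at `--`. BEGIN and RUN are set but never read and can be dropped. Because flock wraps the whole /usr/bin/schroot invocation, the shared lock is held for as long as a command runs in the session, and an `--end-session` call from another build waits for all of them; if only config file access needs protecting, say so in the header comment so the wider scope is a visible choice.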