| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251219212731.GC1407372@ax162>
Date: Fri, 19 Dec 2025 14:27:31 -0700
From: Nathan Chancellor <nathan@...nel.org>
To: Guillaume Tucker <gtucker@...cker.io>
Cc: Miguel Ojeda <ojeda@...nel.org>, David Gow <davidgow@...gle.com>,
Onur Özkan <work@...rozkan.dev>,
Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org, linux-kbuild@...r.kernel.org,
automated-testing@...ts.yoctoproject.org, workflows@...r.kernel.org,
llvm@...ts.linux.dev
Subject: Re: [PATCH v2 1/2] scripts: add tool to run containerized builds
On Thu, Dec 18, 2025 at 01:49:52PM +0100, Guillaume Tucker wrote:
...
> + def __init__(self, args, logger):
Adding something like
self._args = [
'--rm',
'--tty',
'--volume', f'{os.getcwd()}:/src',
'--workdir', '/src',
]
here then adding an __init__() in the subclasses to append the runtime
specific arguments would allow _do_run() to be moved into
ContainerRuntime(). Otherwise, this looks pretty good and extensible.
> + self._uid = args.uid or os.getuid()
> + self._gid = args.gid or args.uid or os.getgid()
> + self._env_file = args.env_file
> + self._logger = logger
> +
> + @classmethod
> + def is_present(cls):
> + """Determine whether the runtime is present on the system"""
> + return shutil.which(cls.name) is not None
> +
> + @abc.abstractmethod
> + def _do_run(self, image, cmd, container_name):
> + """Runtime-specific handler to run a command in a container"""
> +
> + @abc.abstractmethod
> + def _do_abort(self, container_name):
> + """Runtime-specific handler to abort a command in running container"""
> +
> + def run(self, image, cmd):
> + """Run a command in a runtime container"""
> + container_name = str(uuid.uuid4())
> + self._logger.debug("container: %s", container_name)
> + try:
> + return self._do_run(image, cmd, container_name)
> + except KeyboardInterrupt:
> + self._logger.error("user aborted")
> + self._do_abort(container_name)
> + return 1
> +
> +
> +class DockerRuntime(ContainerRuntime):
> + """Run a command in a Docker container"""
> +
> + name = 'docker'
> +
> + def _do_run(self, image, cmd, container_name):
> + cmdline = [
> + 'docker', 'run',
> + '--name', container_name,
> + '--rm',
> + '--tty',
> + '--volume', f'{os.getcwd()}:/src',
> + '--workdir', '/src',
> + '--user', f'{self._uid}:{self._gid}'
> + ]
> + if self._env_file:
> + cmdline += ['--env-file', self._env_file]
> + cmdline.append(image)
> + cmdline += cmd
> + return subprocess.call(cmdline)
> +
> + def _do_abort(self, container_name):
> + subprocess.call(['docker', 'kill', container_name])
> +
> +
> +class PodmanRuntime(ContainerRuntime):
> + """Run a command in a Podman container"""
> +
> + name = 'podman'
> +
> + def _do_run(self, image, cmd, container_name):
> + cmdline = [
> + 'podman', 'run',
> + '--name', container_name,
> + '--rm',
> + '--tty',
> + '--interactive',
> + '--volume', f'{os.getcwd()}:/src',
> + '--workdir', '/src',
> + '--userns', f'keep-id:uid={self._uid},gid={self._gid}',
> + ]
> + if self._env_file:
> + cmdline += ['--env-file', self._env_file]
> + cmdline.append(image)
> + cmdline += cmd
> + return subprocess.call(cmdline)
> +
> + def _do_abort(self, container_name):
> + pass # Signals are handled by Podman in interactive mode
Cheers,
Nathan
Powered by blists - more mailing lists