From d7f52751d0b0e3e78bace3b659d123b449b2ea76 Mon Sep 17 00:00:00 2001
From: Peter Ajamian
Date: Mon, 9 Aug 2021 23:35:39 +1200
Subject: [PATCH] Prevent attempted writes to /sys and /proc in containers.

Containers generally bind-mount /sys and /proc, so if dnf or rpm attempts to write to write to one of them it can cause issues with the host system, or just fail alltogether. We set an rpm macro to prevent this from happening.
---
 migrate2rocky/migrate2rocky.sh | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/migrate2rocky/migrate2rocky.sh b/migrate2rocky/migrate2rocky.sh
index ceadbca..5b523d5 100644
--- a/migrate2rocky/migrate2rocky.sh
+++ b/migrate2rocky/migrate2rocky.sh
@@ -186,6 +186,9 @@ exit_clean () {
 if [[ -d "$tmp_dir" ]]; then
 rm -rf "$tmp_dir"
 fi
+ if [[ -f "$container_macros" ]]; then
+ rm -f "$container_macros"
+ fi
 }
 
 pre_check () {
@@ -609,7 +612,8 @@ $'because continuing with the migration could cause further damage to system.'
 }
 
 convert_info_dir=/root/convert
-unset convert_to_rocky reinstall_all_rpms verify_all_rpms update_efi
+unset convert_to_rocky reinstall_all_rpms verify_all_rpms update_efi \
+ container_macros
 
 usage() {
 printf '%s\n' \
@@ -850,9 +854,13 @@ efi_check () {
 exit_message "/sys is not accessible."
 fi
 
- # Now that we know /sys is reliable, use it to check if we are running on EFI or not
- if [[ -d /sys/firmware/efi/ ]] && ! systemd-detect-virt --quiet --container
- then
+ # Now that we know /sys is reliable, use it to check if we are running on
+ # EFI or not
+ if systemd-detect-virt --quiet --container; then
+ declare -g container_macros
+ container_macros=$(mktemp /etc/rpm/macros.zXXXXXX)
+ printf '%s\n' '%_netsharedpath /sys:/proc' > "$container_macros"
+ elif [[ -d /sys/firmware/efi/ ]]; then
 declare -g update_efi
 update_efi=true
 fi
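Review bot: In the efi_check hunk the exit status of `mktemp /etc/rpm/macros.zXXXXXX` is never checked; if it fails, `container_macros` is left empty, the following `printf … > "$container_macros"` redirection fails, and unless the script runs under `set -e` (not visible here) the migration continues in a container without the `%_netsharedpath` guard this commit exists to add. Checking it inline keeps the failure explicit, e.g. `container_macros=$(mktemp /etc/rpm/macros.zXXXXXX) || exit_message "Unable to create rpm macros file in /etc/rpm."`, reusing the exit_message helper already called a few lines above in the same function. The macros file is only removed in exit_clean (first hunk), so if the script can terminate on a path that does not go through exit_clean — whether a trap covers that is outside these hunks — a stray `/etc/rpm/macros.z*` would keep `%_netsharedpath` in effect for every later rpm run in that container; worth confirming the cleanup path. A one-line comment above the printf, `# Tell rpm that /sys and /proc are shared (bind-mounted) paths it must not write to.`, would make the macro's purpose clear to readers unfamiliar with `%_netsharedpath`. efi_check continues beyond the end of the hunk.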