Prevent attempted writes to /sys and /proc in containers.

Containers generally bind-mount /sys and /proc, so if dnf or rpm attempts to
write to one of them it can cause issues with the host system, or just
fail altogether.  We set an rpm macro to prevent this from happening.
This commit is contained in:
Peter Ajamian 2021-08-09 23:35:39 +12:00
parent 2f40d60ec2
commit d7f52751d0


@ -186,6 +186,9 @@ exit_clean () {
if [[ -d "$tmp_dir" ]]; then if [[ -d "$tmp_dir" ]]; then
rm -rf "$tmp_dir" rm -rf "$tmp_dir"
fi fi
if [[ -f "$container_macros" ]]; then
rm -f "$container_macros"
fi
} }
pre_check () { pre_check () {
@ -609,7 +612,8 @@ $'because continuing with the migration could cause further damage to system.'
} }
convert_info_dir=/root/convert convert_info_dir=/root/convert
unset convert_to_rocky reinstall_all_rpms verify_all_rpms update_efi unset convert_to_rocky reinstall_all_rpms verify_all_rpms update_efi \
container_macros
usage() { usage() {
printf '%s\n' \ printf '%s\n' \
@ -850,9 +854,13 @@ efi_check () {
exit_message "/sys is not accessible." exit_message "/sys is not accessible."
fi fi
# Now that we know /sys is reliable, use it to check if we are running on EFI or not # Now that we know /sys is reliable, use it to check if we are running on
if [[ -d /sys/firmware/efi/ ]] && ! systemd-detect-virt --quiet --container # EFI or not
then if systemd-detect-virt --quiet --container; then
declare -g container_macros
container_macros=$(mktemp /etc/rpm/macros.zXXXXXX)
printf '%s\n' '%_netsharedpath /sys:/proc' > "$container_macros"
elif [[ -d /sys/firmware/efi/ ]]; then
declare -g update_efi declare -g update_efi
update_efi=true update_efi=true
fi fi
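Review bot: In the new container branch of efi_check, `container_macros=$(mktemp /etc/rpm/macros.zXXXXXX)` is assigned without checking mktemp's status, so if /etc/rpm is missing or read-only the variable stays empty and the following redirection fails with an unrelated "No such file or directory" error; the assignment is already split from the `declare -g`, so the status is available and the file's existing helper can report it: `container_macros=$(mktemp /etc/rpm/macros.zXXXXXX) || exit_message "Unable to create an rpm macros file in /etc/rpm."`, with the same `|| exit_message …` guard on the `printf` that writes the macro. A one-line comment above the branch would spare the next reader a trip to the commit message, e.g. `# In a container /sys and /proc are usually bind-mounted from the host; tell rpm not to write there.` Since the macros file is only removed in exit_clean, it presumably persists in /etc/rpm if the script is killed before exit_clean runs, leaving `%_netsharedpath /sys:/proc` in effect for every later rpm invocation on that system — worth stating in that comment or in the usage text. efi_check's opening line and the rest of its body lie outside the hunk.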