From a741c57c6053b6a8f3c87499df0ff5c71b3c0fd9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 17 Feb 2022 17:19:46 +0100
Subject: vidhar: ...
---
 hosts/vidhar/borg/copy.py | 32 +++++++-------------------------
 hosts/vidhar/borg/default.nix | 9 +++++----
 hosts/vidhar/borg/pyprctl-packages.nix | 21 ---------------------
 3 files changed, 12 insertions(+), 50 deletions(-)
 delete mode 100644 hosts/vidhar/borg/pyprctl-packages.nix
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py
index 96426682..6adaa817 100755
--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -21,7 +21,6 @@ from xdg import xdg_runtime_dir
 import pathlib
 import unshare
-import pyprctl
 import signal
 from time import sleep
@@ -94,38 +93,21 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
 child = os.fork()
 if child == 0:
 # print('unshare/chroot', file=stderr)
- uid, gid = os.geteuid(), os.getegid()
- unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER)
- ps_effective = set() # {pyprctl.Cap.SETUID, pyprctl.Cap.SETGID}
- ps_ambient = {pyprctl.Cap.SYS_ADMIN}
- pyprctl.cap_permitted.add(*(ps_effective | ps_ambient))
- pyprctl.cap_effective.add(*(ps_effective | ps_ambient))
- pyprctl.cap_inheritable.add(*ps_ambient)
- pyprctl.cap_ambient.add(*ps_ambient)
- with open('/proc/self/setgroups', 'w') as setgroups:
- setgroups.write('deny')
- with open('/proc/self/uid_map', 'w') as uid_map:
- uid_map.write(f'0 {uid} 1')
- with open('/proc/self/gid_map', 'w') as gid_map:
- gid_map.write(f'0 {gid} 1')
+ unshare.unshare(unshare.CLONE_NEWNS)
 subprocess.run(['mount', '--make-rprivate', '/'], check=True)
 chroot = pathlib.Path(tmpdir) / 'chroot'
- chroot.mkdir()
- # upper = pathlib.Path(tmpdir) / 'upper'
- # work = pathlib.Path(tmpdir) / 'work'
- # for path in [chroot,upper,work]:
- # path.mkdir()
- # print(f'euid={os.getuid()}', file=stderr)
- # subprocess.run(['stat', '/', upper, work, chroot], check=True)
- # subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True)
- bindMounts = ['etc', 'nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
+ upper = pathlib.Path(tmpdir) / 'upper'
+ work = pathlib.Path(tmpdir) / 'work'
+ for path in [chroot,upper,work]:
+ path.mkdir()
+ subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True)
+ bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
 if not ":" in src_repo_path:
 bindMounts.append(pathlib.Path(src_repo_path).relative_to('/'))
 if 'SSH_AUTH_SOCK' in os.environ:
 bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/'))
 for bindMount in bindMounts:
 (chroot / bindMount).mkdir(parents=True,exist_ok=True)
- print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr)
 subprocess.run(['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], check=True)
 os.chroot(chroot)
 os.chdir('/')
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index b1bdde04..74f4a827 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -22,8 +22,8 @@ let
 serviceConfig = {
 Type = "oneshot";
 ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo";
- User = "borg";
- Group = "borg";
+ # User = "borg";
+ # Group = "borg";
 StateDirectory = "borg";
 RuntimeDirectory = "copy-borg";
 Environment = [
@@ -44,8 +44,9 @@ let
 };
 copyBorg = pkgs.stdenv.mkDerivation (let
- packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {};
- inpPython = pkgs.python39.override { inherit packageOverrides; };
+ # packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {};
+ # inpPython = pkgs.python39.override { inherit packageOverrides; };
+ inpPython = pkgs.python39;
 in rec {
 name = "copy";
 src = ./copy.py;
diff --git a/hosts/vidhar/borg/pyprctl-packages.nix b/hosts/vidhar/borg/pyprctl-packages.nix
deleted file mode 100644
index d3b4256a..00000000
--- a/hosts/vidhar/borg/pyprctl-packages.nix
+++ /dev/null
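Review bot: After the added `unshare.unshare(unshare.CLONE_NEWNS)`, the forked child keeps the identity and full capability set it was started with — with default.nix in this commit commenting out `User`/`Group`, that is real root in the initial user namespace — and nothing in the hunk reduces it before `os.chroot(chroot)`; for a root process chroot confines paths, not authority, so the overlay root is a working view rather than a privilege boundary, which is what the removed CLONE_NEWUSER/uid_map/pyprctl code had been approximating. If the part of copy_archive after `os.chdir('/')` (outside this hunk) does not already drop to an unprivileged uid/gid with `os.setgid`/`os.setuid` before the copy itself runs, that drop is the missing step. The `+ for path in [chroot,upper,work]:` block would also benefit from a comment on the overlay's constraint, e.g. `# upperdir and workdir must be on the same filesystem for the overlay mount; both live in tmpdir`. copy_archive begins before and continues after this hunk.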
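Review bot: Commenting out `User = "borg";` and `Group = "borg";` makes the unit run as root, which is the substantive change here but is left implicit; the two lines should either be deleted or replaced by a comment stating why, e.g. `# runs as root: copy.py needs CAP_SYS_ADMIN for unshare/mount/chroot`. If it fits the script, keeping `User = "borg"` and granting the required capabilities through systemd's `AmbientCapabilities=` would preserve least privilege; failing that, a `CapabilityBoundingSet=` limited to what the mount and chroot steps need would bound what the now-root copy can do. Since `StateDirectory = "borg"` now belongs to a root unit, state written there from here on will be root-owned — worth checking nothing else expects it to be owned by the borg user. The same commented-out-code point applies to the `packageOverrides`/`inpPython` lines in the next hunk.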
@@ -1,21 +0,0 @@
-# Generated by pip2nix 0.8.0.dev1
-# See https://github.com/nix-community/pip2nix
-
-{ pkgs, fetchurl, fetchgit, fetchhg }:
-
-self: super: {
- "pyprctl" = super.buildPythonPackage rec {
- pname = "pyprctl";
- version = "0.1.3";
- src = fetchurl {
- url = "https://files.pythonhosted.org/packages/bf/5e/62765de39bbce8111fb1f4453a4a804913bf49179fa265fb713ed66c9d15/pyprctl-0.1.3-py3-none-any.whl";
- sha256 = "1pgif990r92za5rx12mjnq5iiz72d455v0wrawzb73q79w8ya0k3";
- };
- format = "wheel";
- doCheck = false;
- buildInputs = [];
- checkInputs = [];
- nativeBuildInputs = [];
- propagatedBuildInputs = [];
- };
-}
--
cgit v1.2.3