On Fri, Apr 21, 2023 at 10:02 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote: > On 4/21/23 11:13, David Michael wrote: > > Hi, > > > > Following up on this, Firecracker has been accepted and submitted to > > Fedora. Thanks to Fabio for all of the Rust reviews. > > > > F37 https://bodhi.fedoraproject.org/updates/FEDORA-2023-dca8124d3b > > F38 https://bodhi.fedoraproject.org/updates/FEDORA-2023-edcbcf18e0 > > > > Some quick comments on the TODO from the original e-mail: > > > > On Sat, Mar 4, 2023 at 12:40 PM David Michael <fedora.dm0@xxxxxxxxx> wrote: > >> - The musl package adds /usr paths for compatibility with the compiler --sysroot option. > >> - The rust compiler adds musl target subpackages. > > > > Targeting musl was dropped after the initial discussion, so there is > > no sandbox or seccomp filter in Fedora until that can be implemented > > with dynamic linking glibc upstream. I'll keep the Copr repo[0] > > active for a while to provide musl builds. > > Would it be possible to add a warning to this effect? Without any form > of sandboxing Firecracker is not suitable for production use. Where would such a warning be placed? The sandboxing is done by a standalone program[0] which is not built in the package, so it should be clear that it isn't available. > Does the > sandboxed portion of Firecracker do anything that would require an NSS > (name service switch) lookup, such as DNS or username resolution? I don't think NSS lookups are an issue since the program takes numerical UID/GID values as command-line arguments. The main breaking issue with the jailer is that it requires Firecracker to be a single static binary[1] (which is the musl target's default output upstream). Their documentation also says glibc isn't supported, but I haven't tried making a static glibc binary to see what fails. The seccomp filter being unimplemented for glibc is a separate issue from the jailer. > If > not, then I don’t see why musl (which Fedora already ships!) would be a > problem. There is no problem technically; the Copr repo[2] is building Firecracker RPMs with musl. Maintainers of both Rust and musl seemed to be against it in Fedora. From this thread: On Sat, Mar 4, 2023 at 5:51 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote: > As the musl package maintainer, I don't particularly want Fedora > packages depending on it unless they absolutely have to. > [...] > As in musl is statically linked into the binaries? Or the Rust code is > statically linked. The former is not okay, >From the Firecracker package review: On Fri, Apr 7, 2023 at 11:27 AM <bugzilla@xxxxxxxxxx> wrote: > 2. Building for the *-musl Rust targets is not going to be supported in Fedora For what it's worth, Arch and openSUSE seem to be building with glibc and so are in the same position with this package. Without Rust's musl target, the only path forward is to try to improve glibc support upstream. Thanks. David [0] https://github.com/firecracker-microvm/firecracker/blob/main/docs/jailer.md [1] https://github.com/firecracker-microvm/firecracker/blob/v1.3.1/src/jailer/src/env.rs#L380 [2] https://copr.fedorainfracloud.org/coprs/dm0/Firecracker _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
