Skip to content

mock: disable networking in bootstrap for hermetic builds#1697

Merged
xsuchy merged 1 commit intorpm-software-management:mainfrom
praiskup:praiskup-disable-networking-in-hermetic-bootstrap
Feb 24, 2026
Merged

mock: disable networking in bootstrap for hermetic builds#1697
xsuchy merged 1 commit intorpm-software-management:mainfrom
praiskup:praiskup-disable-networking-in-hermetic-bootstrap

Conversation

@praiskup
Copy link
Member

@praiskup praiskup commented Jan 28, 2026

No description provided.

@praiskup
Copy link
Member Author

praiskup commented Jan 28, 2026

/packit test

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 28, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request disables networking for the bootstrap phase of hermetic builds by updating the hermetic-build.cfg file. The changes set rpmbuild_networking and use_host_resolv to False for the bootstrap configuration, which is the correct approach to enforce network isolation. The change is clear, correct, and improves the hermeticity of the build process. I have no further feedback.

praiskup added a commit to praiskup/rpmbuild-pipeline-environment-container that referenced this pull request Jan 29, 2026
@praiskup
Mock (<= v6.6) relies on existing resolv.conf with --hermetic-build
a53e175 
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Related: rpm-software-management/mock#1697
praiskup added a commit to praiskup/rpmbuild-pipeline-environment-container that referenced this pull request Jan 29, 2026
@praiskup
Mock (<= v6.6) relies on existing resolv.conf with --hermetic-build
d658b84 
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Related: rpm-software-management/mock#1697
@praiskup praiskup mentioned this pull request Jan 29, 2026
Merged
xsuchy
xsuchy reviewed Jan 29, 2026
View reviewed changes
mock/py/mock.py Outdated
mount_point = BindMountPoint(srcpath=key_dir, bindpath=chroot_dir)
bootstrap_buildroot.mounts.add(mount_point)

util.setup_host_resolv(bootstrap_buildroot_config)
Copy link
Member

@xsuchy xsuchy Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm. But plugins and bindmountpoint will not have a functional resolv.conf.

Copy link
Member Author

@praiskup praiskup Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue is that Mock tries to (unnecessarily) copy a non-existing resolv.conf on host into bootstrap.... (when podman run --network=none is being used).

Copy link
Contributor

@tkopecek tkopecek Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Related Fedora issue https://bugzilla.redhat.com/show_bug.cgi?id=2433808

praiskup added a commit to praiskup/rpmbuild-pipeline-environment-container that referenced this pull request Jan 29, 2026
@praiskup
Mock (<= v6.6) relies on existing resolv.conf with --hermetic-build
a4a1bef 
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Related: rpm-software-management/mock#1697
Closes: konflux-ci#118
praiskup added a commit to praiskup/rpmbuild-pipeline-environment-container that referenced this pull request Jan 29, 2026
@praiskup
Mock (<= v6.6) relies on existing resolv.conf with --hermetic-build
1effaa3 
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Related: rpm-software-management/mock#1697
Closes: konflux-ci#118
praiskup added a commit to konflux-ci/rpmbuild-pipeline-environment-container that referenced this pull request Jan 29, 2026
@praiskup
Mock (<= v6.6) relies on existing resolv.conf with --hermetic-build
927831a 
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Related: rpm-software-management/mock#1697
Closes: #118
praiskup added a commit to praiskup/mock that referenced this pull request Feb 23, 2026
@praiskup
Do not fail (not just) hermetic builds for missing resolv.conf
9c3dd9f 
First, Mock cannot guarantee that the host environment provides a
resolv.conf file.  We should simply warn the user instead of triggering
a hard failure.

Second, the check for "simple" isolation was incomplete.  We need to
check for USE_NSPAWN, as it accurately reflects the isolation=auto case.

INFO: mock.py version 6.6 starting (python version = 3.14.2, NVR = mock-6.6-1.fc43), args: /usr/libexec/mock/mock --hermetic-build /buildroot/results/buildroot_lock.json /buildroot/results/buildroot_repo --spec /source/libecpg.spec --sources /source --resultdir /results
Traceback (most recent call last):
  File "/usr/libexec/mock/mock", line 1132, in <module>
    exitStatus = main()
  File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
    result = func(*args, **kw)
  File "/usr/libexec/mock/mock", line 769, in main
    util.setup_host_resolv(bootstrap_buildroot_config)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
    result = func(*args, **kw)
  File "/usr/lib/python3.14/site-packages/mockbuild/util.py", line 890, in setup_host_resolv
    shutil.copyfile('/etc/resolv.conf', resolv_path)
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.14/shutil.py", line 313, in copyfile
    with open(src, 'rb') as fsrc:
         ~~~~^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/etc/resolv.conf'

Relates: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Closes: rpm-software-management#1697
@praiskup praiskup force-pushed the praiskup-disable-networking-in-hermetic-bootstrap branch from f2dbccd to 9c3dd9f Compare February 23, 2026 16:30
praiskup
praiskup commented Feb 23, 2026
View reviewed changes
mock/py/mockbuild/util.py
''')

if config_opts['isolation'] == 'simple':
if not USE_NSPAWN:
Copy link
Member Author

@praiskup praiskup Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tkopecek This turned out to be the most important change - since we use --isolation=auto (in container we do a fallback to 'simple'), we shouldn't even execute the rest of the method ...

@praiskup
Do not fail (not just) hermetic builds for missing resolv.conf
c70e4d4 
First, Mock cannot guarantee that the host environment provides a
resolv.conf file.  We should simply warn the user instead of triggering
a hard failure.

Second, the check for "simple" isolation was incomplete.  We need to
check for USE_NSPAWN, as it accurately reflects the isolation=auto case.

INFO: mock.py version 6.6 starting (python version = 3.14.2, NVR = mock-6.6-1.fc43), args: /usr/libexec/mock/mock --hermetic-build /buildroot/results/buildroot_lock.json /buildroot/results/buildroot_repo --spec /source/libecpg.spec --sources /source --resultdir /results
Traceback (most recent call last):
  File "/usr/libexec/mock/mock", line 1132, in <module>
    exitStatus = main()
  File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
    result = func(*args, **kw)
  File "/usr/libexec/mock/mock", line 769, in main
    util.setup_host_resolv(bootstrap_buildroot_config)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
    result = func(*args, **kw)
  File "/usr/lib/python3.14/site-packages/mockbuild/util.py", line 890, in setup_host_resolv
    shutil.copyfile('/etc/resolv.conf', resolv_path)
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.14/shutil.py", line 313, in copyfile
    with open(src, 'rb') as fsrc:
         ~~~~^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/etc/resolv.conf'

Relates: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Closes: rpm-software-management#1697
@praiskup praiskup force-pushed the praiskup-disable-networking-in-hermetic-bootstrap branch from 9c3dd9f to c70e4d4 Compare February 23, 2026 16:35
@praiskup praiskup requested a review from tkopecek February 23, 2026 16:35
tkopecek
tkopecek approved these changes Feb 23, 2026
View reviewed changes
Copy link
Contributor

@tkopecek tkopecek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

xsuchy
xsuchy reviewed Feb 23, 2026
View reviewed changes
mock/py/mockbuild/util.py
''')

if config_opts['isolation'] == 'simple':
if not USE_NSPAWN:
Copy link
Member

@xsuchy xsuchy Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modus operandi of this line was that USE_NSPAWN is global variable. Made in rush. With knowledge that globals are bad. And one day we can replace is with propper variable. But propagating config_opt in some function will be hard. On this place we have config_opts easily accessible.

Copy link
Member Author

@praiskup praiskup Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We though don't have this specific value in config_opts (the value is result of config.py hack with globals that you described).

xsuchy
xsuchy reviewed Feb 23, 2026
View reviewed changes
@praiskup
Copy link
Member Author

praiskup commented Feb 24, 2026

@xsuchy Yes, this was a hard one.. (and I plan even a harder one as a followup). The commit message explains both remarks, I believe, but can we have quick meeting to validate things?

@xsuchy
Copy link
Member

xsuchy commented Feb 24, 2026

+1

@xsuchy xsuchy merged commit eceeb52 into rpm-software-management:main Feb 24, 2026
32 checks passed
praiskup added a commit to praiskup/mock that referenced this pull request Feb 24, 2026
@praiskup
Refactor NS resolver logic for clarity and consistency
6c4cbfd 
The NS resolver munging was previously scattered across multiple
locations in the Mock codebase.  This duplication made the logic
difficult to follow and led to bugs, such as the one addressed
in rpm-software-management#1697.  This change simplifies and consolidates the code.

Follow-up-for: rpm-software-management#1697
@praiskup praiskup mentioned this pull request Feb 24, 2026
Open
praiskup added a commit to praiskup/mock that referenced this pull request Feb 24, 2026
@praiskup
Refactor NS resolver logic for clarity and consistency
f226af7 
The NS resolver munging was previously scattered across multiple
locations in the Mock codebase.  This duplication made the logic
difficult to follow and led to bugs, such as the one addressed
in rpm-software-management#1697.  This change simplifies and consolidates the code.

Follow-up-for: rpm-software-management#1697
praiskup added a commit to praiskup/mock that referenced this pull request Feb 25, 2026
@praiskup
Refactor NS resolver logic for clarity and consistency
089c107 
The NS resolver munging was previously scattered across multiple
locations in the Mock codebase.  This duplication made the logic
difficult to follow and led to bugs, such as the one addressed
in rpm-software-management#1697.  This change simplifies and consolidates the code.

Follow-up-for: rpm-software-management#1697
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xsuchy xsuchy xsuchy left review comments

+2 more reviewers

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

@tkopecek tkopecek tkopecek approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@praiskup @xsuchy @tkopecek