mock: disable networking in bootstrap for hermetic builds#1697
Merged
xsuchy merged 1 commit intorpm-software-management:mainfrom Feb 24, 2026
Conversation
Member
Author
|
/packit test |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request disables networking for the bootstrap phase of hermetic builds by updating the hermetic-build.cfg file. The changes set rpmbuild_networking and use_host_resolv to False for the bootstrap configuration, which is the correct approach to enforce network isolation. The change is clear, correct, and improves the hermeticity of the build process. I have no further feedback.
praiskup
added a commit
to praiskup/rpmbuild-pipeline-environment-container
that referenced
this pull request
Jan 29, 2026
praiskup
added a commit
to praiskup/rpmbuild-pipeline-environment-container
that referenced
this pull request
Jan 29, 2026
xsuchy
reviewed
Jan 29, 2026
mock/py/mock.py
Outdated
| mount_point = BindMountPoint(srcpath=key_dir, bindpath=chroot_dir) | ||
| bootstrap_buildroot.mounts.add(mount_point) | ||
|
|
||
| util.setup_host_resolv(bootstrap_buildroot_config) |
Member
There was a problem hiding this comment.
Hmm. But plugins and bindmountpoint will not have a functional resolv.conf.
Member
Author
There was a problem hiding this comment.
The issue is that Mock tries to (unnecessarily) copy a non-existing resolv.conf on host into bootstrap.... (when podman run --network=none is being used).
Contributor
There was a problem hiding this comment.
Related Fedora issue https://bugzilla.redhat.com/show_bug.cgi?id=2433808
praiskup
added a commit
to praiskup/rpmbuild-pipeline-environment-container
that referenced
this pull request
Jan 29, 2026
praiskup
added a commit
to praiskup/rpmbuild-pipeline-environment-container
that referenced
this pull request
Jan 29, 2026
praiskup
added a commit
to konflux-ci/rpmbuild-pipeline-environment-container
that referenced
this pull request
Jan 29, 2026
praiskup
added a commit
to praiskup/mock
that referenced
this pull request
Feb 23, 2026
First, Mock cannot guarantee that the host environment provides a
resolv.conf file. We should simply warn the user instead of triggering
a hard failure.
Second, the check for "simple" isolation was incomplete. We need to
check for USE_NSPAWN, as it accurately reflects the isolation=auto case.
INFO: mock.py version 6.6 starting (python version = 3.14.2, NVR = mock-6.6-1.fc43), args: /usr/libexec/mock/mock --hermetic-build /buildroot/results/buildroot_lock.json /buildroot/results/buildroot_repo --spec /source/libecpg.spec --sources /source --resultdir /results
Traceback (most recent call last):
File "/usr/libexec/mock/mock", line 1132, in <module>
exitStatus = main()
File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
result = func(*args, **kw)
File "/usr/libexec/mock/mock", line 769, in main
util.setup_host_resolv(bootstrap_buildroot_config)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
result = func(*args, **kw)
File "/usr/lib/python3.14/site-packages/mockbuild/util.py", line 890, in setup_host_resolv
shutil.copyfile('/etc/resolv.conf', resolv_path)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.14/shutil.py", line 313, in copyfile
with open(src, 'rb') as fsrc:
~~~~^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/etc/resolv.conf'
Relates: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Closes: rpm-software-management#1697
praiskup
force-pushed
the
praiskup-disable-networking-in-hermetic-bootstrap
branch
from
f2dbccd to
9c3dd9f
Compare
praiskup
commented
Feb 23, 2026
| ''') | ||
|
|
||
| if config_opts['isolation'] == 'simple': | ||
| if not USE_NSPAWN: |
Member
Author
There was a problem hiding this comment.
@tkopecek This turned out to be the most important change - since we use --isolation=auto (in container we do a fallback to 'simple'), we shouldn't even execute the rest of the method ...
First, Mock cannot guarantee that the host environment provides a
resolv.conf file. We should simply warn the user instead of triggering
a hard failure.
Second, the check for "simple" isolation was incomplete. We need to
check for USE_NSPAWN, as it accurately reflects the isolation=auto case.
INFO: mock.py version 6.6 starting (python version = 3.14.2, NVR = mock-6.6-1.fc43), args: /usr/libexec/mock/mock --hermetic-build /buildroot/results/buildroot_lock.json /buildroot/results/buildroot_repo --spec /source/libecpg.spec --sources /source --resultdir /results
Traceback (most recent call last):
File "/usr/libexec/mock/mock", line 1132, in <module>
exitStatus = main()
File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
result = func(*args, **kw)
File "/usr/libexec/mock/mock", line 769, in main
util.setup_host_resolv(bootstrap_buildroot_config)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.14/site-packages/mockbuild/trace_decorator.py", line 93, in trace
result = func(*args, **kw)
File "/usr/lib/python3.14/site-packages/mockbuild/util.py", line 890, in setup_host_resolv
shutil.copyfile('/etc/resolv.conf', resolv_path)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.14/shutil.py", line 313, in copyfile
with open(src, 'rb') as fsrc:
~~~~^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/etc/resolv.conf'
Relates: https://bugzilla.redhat.com/show_bug.cgi?id=2433808
Closes: rpm-software-management#1697
praiskup
force-pushed
the
praiskup-disable-networking-in-hermetic-bootstrap
branch
from
9c3dd9f to
c70e4d4
Compare
xsuchy
reviewed
Feb 23, 2026
| ''') | ||
|
|
||
| if config_opts['isolation'] == 'simple': | ||
| if not USE_NSPAWN: |
Member
There was a problem hiding this comment.
Modus operandi of this line was that USE_NSPAWN is global variable. Made in rush. With knowledge that globals are bad. And one day we can replace is with propper variable. But propagating config_opt in some function will be hard. On this place we have config_opts easily accessible.
Member
Author
There was a problem hiding this comment.
We though don't have this specific value in config_opts (the value is result of config.py hack with globals that you described).
xsuchy
reviewed
Feb 23, 2026
Member
Author
|
@xsuchy Yes, this was a hard one.. (and I plan even a harder one as a followup). The commit message explains both remarks, I believe, but can we have quick meeting to validate things? |
Member
|
+1 |
praiskup
added a commit
to praiskup/mock
that referenced
this pull request
Feb 24, 2026
The NS resolver munging was previously scattered across multiple locations in the Mock codebase. This duplication made the logic difficult to follow and led to bugs, such as the one addressed in rpm-software-management#1697. This change simplifies and consolidates the code. Follow-up-for: rpm-software-management#1697
praiskup
added a commit
to praiskup/mock
that referenced
this pull request
Feb 24, 2026
The NS resolver munging was previously scattered across multiple locations in the Mock codebase. This duplication made the logic difficult to follow and led to bugs, such as the one addressed in rpm-software-management#1697. This change simplifies and consolidates the code. Follow-up-for: rpm-software-management#1697
praiskup
added a commit
to praiskup/mock
that referenced
this pull request
Feb 25, 2026
The NS resolver munging was previously scattered across multiple locations in the Mock codebase. This duplication made the logic difficult to follow and led to bugs, such as the one addressed in rpm-software-management#1697. This change simplifies and consolidates the code. Follow-up-for: rpm-software-management#1697
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.