From 11669de95de7e8a9ad8b41fa5e9be3fbb845c52e Mon Sep 17 00:00:00 2001
From: Richard Maw
Date: Wed, 15 Oct 2014 17:47:46 +0000
Subject: deploy extensions: Don't crash if someone builds at the same time
If a build happens, it creates a new network namespace, and if this happens while you have a disk image mounted, then you can't remove the mount-point, because the other namespace is using it. We can avoid the other namespace keeping this mount-point open by creating the disk image in a private mount namespace, so it never sees it. The nicest way to do this is to have every extension run in a private mount namespace, since you'd have to have extensions re-exec themselves, since the appropriate system calls aren't exposed very well.
---
 morphlib/extensions.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/morphlib/extensions.py b/morphlib/extensions.py
index af6ba279..ef233b6f 100644
--- a/morphlib/extensions.py
+++ b/morphlib/extensions.py
@@ -223,7 +223,9 @@ class ExtensionSubprocess(object):
 def close_read_end():
 os.close(log_read_fd)
 p = subprocess.Popen(
- [filename] + args, cwd=cwd, env=new_env,
+ ['unshare', '-m', '--', '/bin/sh', '-c',
+ 'mount --make-rprivate / && exec "$@"', '-', filename] + args,
+ cwd=cwd, env=new_env,
 stdout=subprocess.PIPE, stderr=subprocess.PIPE,
 preexec_fn=close_read_end)
 os.close(log_write_fd)
--
cgit v1.2.1
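Review bot: The new argv passed to `subprocess.Popen(` makes every extension depend on `unshare -m` and `mount --make-rprivate /` succeeding first. If either fails (caller lacks CAP_SYS_ADMIN, or util-linux `unshare` is absent), the only signal is a non-zero exit with stderr text that reads like a failure of the extension itself. The exit status is handled outside this hunk, so I cannot see whether that case is distinguished; at minimum the privilege requirement should be documented where extensions are launched. `unshare` and `mount` are also resolved through the PATH carried in `new_env` while `/bin/sh` is absolute, so either pin all three or state that PATH is trusted at this point. The list deserves a comment, e.g. `# Run in a private mount namespace so a concurrent build cannot pin our mount points; "$@" hands filename and args to exec as positional parameters, never through the shell parser.`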