<div dir="ltr">Hi Antoine:<div><br></div><div>2 disclosure before reading this:</div><div><br></div><div>1) i'm not part of systemd-devel team, and</div><div>2) this is also a shameless plug because i'm talking about a lib i created.</div><div><br></div><div>with that out of the way, here is my advice/solution.</div><div><br></div><div>do everything in python and use `pystemd` (pip install pystemd, just have libsystemd installed and you should be fine), and also ditch the cachedirectory in favor of PrivateTmp, that is always new when you start your unit, and always goes away with your unit.</div><div><br></div><div>pystemd is apython wrapper around a few libsystemd-dev, and it has a nice module name pystemd.run, here is a example</div><div><br></div><div><div>import sys</div><div>import pystemd.run</div><div><br></div><div>pscript = """</div><div>import os</div><div>import shutil</div><div>print(shutil.copytree('/var/cache/dnf', '/tmp/dnf'))</div><div>print(os.listdir('/tmp/dnf'))</div><div>"""</div><div><br></div><div>pystemd.run(</div><div> ['/usr/bin/python3', '-c', pscript],</div><div> stdout=sys.stdout, stderr=sys.stderr, wait=True,</div><div> env={'PYTHONUSERBASE': '/dev/null'},</div><div> extra={'DynamicUser': True, 'PrivateTmp': True},</div><div>)</div></div><div><br></div><div>this would output: something like</div><div>/tmp/dnf</div><div><div>['last_makecache', '.gpgkeyschecked.yum', 'rawhide-2d95c80a1fa0a67d', 'google-chrome-filenames.solvx', 'tempfiles.json', 'rawhide-filenames.solvx', 'google-chrome.solv', 'expired_repos.json', 'rawhide.solv', 'packages.db', 'google-chrome-eb0d6f10ccbdafba']</div></div><div><br></div><div><br></div><div>so my recommendation, create a custom script with your build process and call it using pystemd.run. Now, you could also use systemd-run to run your script, but then it would not have been a shameless plug, right?</div><div><br></div><div>hope it helps</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br>Alvaro Leiva<br></div></div></div> <br><div class="gmail_quote">On Wed, Feb 28, 2018 at 7:03 AM, Antoine Pietri <span dir="ltr"><<a href="mailto:antoine.pietri1@gmail.com" target="_blank">antoine.pietri1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Feb 27, 2018 at 2:37 PM, Antoine Pietri<br> <<a href="mailto:antoine.pietri1@gmail.com">antoine.pietri1@gmail.com</a>> wrote:<br> > - My current workaround is to shell-out to `systemd-run -p<br> > DynamicUser=yes ...` first to do a mkdir -p, then for a cp -R. This<br> > solution requires a lot of boilerplate from the Python wrapper and<br> > takes more time for no good reason, so I think it's not ideal.<br> ><br> > - I believe another solution would be to modify /var/cache/private<br> > directly, but I'm not sure it's a good practice to do so because I<br> > don't know if this path is reliable or just an implementation detail.<br> > Plus, it requires a weird special case compared to when I don't run<br> > makepkg with systemd-run, as I have to insert something in the middle<br> > of the copy destination path.<br> ><br> > - Maybe there's something else I'm missing that would allow me to do<br> > this more cleanly?<br> <br> </span>We came up with a third option, which looks a bit weird at first but<br> should work:<br> <br> 1) systemd-run -P \<br> -p DynamicUser=yes \<br> -p CacheDirectory=mywrapper \<br> sh -c read<br> <br> 2) do the file operations in the Python code<br> 3) send a "\n" or just kill() the systemd-run process when the setup is done.<br> <br> I am still not satisfied with any of the three options, so I would<br> love to know what you think would be best. :-)<br> <span class="HOEnZb"><font color="#888888"><br> --<br> Antoine Pietri<br> </font></span><div class="HOEnZb"><div class="h5"><br> On Tue, Feb 27, 2018 at 2:37 PM, Antoine Pietri<br> <<a href="mailto:antoine.pietri1@gmail.com">antoine.pietri1@gmail.com</a>> wrote:<br> > Hi!<br> ><br> > To experiment with systemd dynamic users, I started working on a<br> > wrapper around a program that builds user packages (Archlinux makepkg)<br> > and that refuses to be launched as root (for very good reasons). The<br> > idea is that the wrapper just calls:<br> ><br> > systemd-run --pipe \<br> > -p DynamicUser=yes \<br> > -p CacheDirectory=mywrapper \<br> > -p WorkingDirectory=/var/cache/<wbr>mywrapper/build/repo \<br> > makepkg<br> ><br> > However, to be able to run makepkg, its cache directory has to be<br> > pre-populated with a clone of the package to build. So, from my<br> > wrapper, I just did:<br> ><br> > os.makedirs(os.path.dirname(<wbr>build_dir), exist_ok=True)<br> > shutil.copytree(repo_path, build_dir)<br> ><br> > to copy the content of the repo to the build directory. But it fails with:<br> ><br> > run-u63.service: Failed to set up special execution directory in<br> > /var/cache: File exists<br> ><br> > This makes sense, because of the symbolic link shenanigans to<br> > /var/cache/private that systemd uses to keep the filesystem readonly.<br> > So, now I'm wondering what would be the best practice to prepopulate<br> > this directory:<br> ><br> > - My current workaround is to shell-out to `systemd-run -p<br> > DynamicUser=yes ...` first to do a mkdir -p, then for a cp -R. This<br> > solution requires a lot of boilerplate from the Python wrapper and<br> > takes more time for no good reason, so I think it's not ideal.<br> ><br> > - I believe another solution would be to modify /var/cache/private<br> > directly, but I'm not sure it's a good practice to do so because I<br> > don't know if this path is reliable or just an implementation detail.<br> > Plus, it requires a weird special case compared to when I don't run<br> > makepkg with systemd-run, as I have to insert something in the middle<br> > of the copy destination path.<br> ><br> > - Maybe there's something else I'm missing that would allow me to do<br> > this more cleanly?<br> ><br> > Thanks,<br> ><br> > --<br> > Antoine Pietri<br> <br> <br> <br> --<br> Antoine Pietri<br> ______________________________<wbr>_________________<br> systemd-devel mailing list<br> <a href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.<wbr>freedesktop.org</a><br> <a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/<wbr>mailman/listinfo/systemd-devel</a><br> </div></div></blockquote></div><br></div>