View on GitHub


A 'simple' chroot build environment manager for building RPMs.


Mock is a tool for building packages. It can build packages for different architectures and different Fedora, RHEL, and Mageia versions than the build host have. Mock creates chroots and builds packages in them. Its only task is to reliably populate a chroot and attempt to build a package in that chroot.

$ mock -r fedora-35-x86_64 package.src.rpm
Finish: rpmbuild packagei-1.98-1.fc35.src.rpm
Finish: build phase for package-1.98-1.fc35.src.rpm
INFO: Done(package.src.rpm) Config(fedora-35-x86_64) 2 minutes 14 seconds
INFO: Results and/or logs in: /var/lib/mock/fedora-35-x86_64/result
$  ls /var/lib/mock/fedora-35-x86_64/result
build.log  package-1.98-1.fc35.noarch.rpm  package-1.98-1.fc35.src.rpm  hw_info.log  installed_pkgs.log  root.log  state.log

$ mock -r centos-stream+epel-9-s390x package.src.rpm
$ mock -r alma+epel-8-x86_64 package.src.rpm

Mock also offers a multi-package command (--chain), that can build chains of packages that depend on each other.

Mock is capable of building SRPMs from source configuration management if the mock-scm package is present, then building the SRPM into RPMs. See --scm-enable in the documentation.




Mock is currently being used for all Fedora builds. It is called by Koji and Copr to build chroots and packages.

Versions in Linux distributions:

mock versions mock-core-configs versions

Release Notes


Tarballs can be found at

You can retrieve tarball from the command line:

git checkout --hard mock-1.4.20-1
cd mock
tito build --tgz


If you want to contribute to the code, please checkout for more information.

Otherwise, just run

dnf install mock

For nightly builds, please refer to developer documentation


All users that are to use mock must be added to the mock group.

usermod -a -G mock [User name]

:warning: Mock runs some parts of its code with root privileges. There are known ways to get root access once a user is in the mock group (and once he is able to run mock). This is possible when a user abuses the mock configuration options. Please do not add anyone who is not trustworthy to the mock group!

:notebook: To have this change take effect you have to either log out and log back in or run command newgrp -

Mock caches the downloaded rpm packages (via the yum_cache plugin), which speeds up subsequent builds by a considerable margin. Nevertheless, you may wish to change the default configuration to point to local repositories to speed up builds.

By default, builds are done in /var/lib/mock, so be sure you have room there. You can change this via the basedir config option.

Chroot config files

See a separate document.


Plugins can be enabled on command line e.g --enable-plugin=chroot_scan. And you can set plugin options using e.g. '--plugin-option=root_cache:age_check=False'

Every plugin has a corresponding wiki page with docs.

Order of plugins hooks.


Using Mock outside your git sandbox

Create your SRPM using rpmbuild -bs. Then change to the directory where your SRPM was created.

Now you can start mock with

mock -r <configname> --rebuild package-1.2-3.src.rpm

where <configname> is the name of a configuration file from /etc/mock/, without the /etc/mock path prefix and without the .cfg suffix.

Note that you can track the progress of mock using the logs stored in /var/lib/mock/<configfile>/result

Mock inside Podman, Fedora Toolbox or Docker container

First, we need to state that Mock, in a nutshell, is a tool that (a) prepares an appropriate RPM build environment (aka “build chroot” or “buildroot”), and then it (b) just executes the RPM build inside (rpmbuild run).

The build environment is (again a bit simplified) defined by a set of RPM packages that need to be installed in such environment (build dependencies, or also BuildRequires: in RPM spec files).

Mock is a generic tool to build any RPM out there. And each RPM has a different set of requirements (so we can not just pre-generate one environment for all packages and share it). Here comes the important implication: If you want to build an RPM, you need to install other RPMs, and for that, you need to have root access.

Normally, Mock uses dnf --installroot /some/directory install ... (on host) to prepare the environment. Then it switches into the environment using the systemd-nspawn container (default --isolation=nspawn, but you can fallback to --isolation=simple which is just man (2) chroot). Again simplified a bit.

The build itself (rpmbuild process) is a non-root operation, Mock intentionally drops the privileges there.

All that said, using Mock inside a container to build RPMs is totally possible! You just need to have permissions to install RPMs, and be able to switch UID when needed (from root to non-privileged and back, man (2) seteuid). As a benefit, we don’t need to run systemd-nspawn and still have even better isolation because now even the dnf --installroot is executed inside the container. This statement assumes the container is dedicated to the Mock build and no other task(s) that could be compromised by a rogue build (even subsequent builds!). So ideally, considering how easy is to start new containers from images, each build should have its own dedicated container (especially if you are a generic build system where you can not fully trust all your users, or even the packages that your users with the best intentions build or install). Then the build can only affect the container, not the whole host.

So, Mock can be run in a rootless Podman container (with user namespaces) without any special tweaks. The only necessary step is to run the container with --privileged option. Read the podman-run manual page for more info, but --privileged - by the Podman nature - can not give the process more permissions than the UID running the podman process already has; in other words

So simply, as any non-privileged system user, do:

$ podman run --rm --privileged -ti fedora:32 bash
# dnf install -y mock
# useradd mockbuilder
# usermod -a -G mock mockbuilder
# su - mockbuilder
$ mock https://some/online.src.rpm
$ mock --shell
#> ...
# etc

And similarly in toolbox enter.

But running Mock in an OpenShift POD isn’t typically allowed. Cluster admin typically keeps SETUID and SETGID capabilities dropped, allowPrivilegeEscalation disabled (no root access). User namespaces are not yet available. Per previous implications, with the default security configuration, you can not install RPMs in OpenShift POD containers and thus neither build RPMs.

You can run Mock in Docker container, however, you need to add SYS_ADMIN capability to the docker container (or use --privileged). I.e. run the container like:

docker run --cap-add=SYS_ADMIN ...

:warning: Please note that Mock run inside of Docker container skips unsharing of a namespace, so it runs in the same namespace as any other program in the same container. That means you should not run any other application inside of that container. Mock prints warning about this. You can suppress this warning when you put in the config

config_opts['docker_unshare_warning'] = False


See separate page: FAQ

Exit codes

Mock has various exit codes to signal a problem in the build. See


List of known issues

If you encounter a bug running mock, please file it in Bugzilla: product “Fedora”, component mock (Open Bugs).

If your problem is specific to EPEL, then file it against the “Fedora EPEL” product instead (Open Bugs).


If you use Mock, we’d love to hear from you and add you to this wiki page. It will motivate our future work.

See Also