Run retrace in a podman container instead of mock #277
Conversation
|
Why remove the exploitable check? |
michalfabik
force-pushed
the
use-podman
branch
3 times, most recently
from
98179b5
to
74ae6c7
Compare
I don't remember quite precisely to be honest but the gist is that the exploitable plugin ( Now I see I shoud remove the |
michalfabik
force-pushed
the
use-podman
branch
from
74ae6c7
to
9aa5d86
Compare
michalfabik
changed the title
Right, that makes sense. Which checks did Martin want to get rid of, exactly? |
|
I would add a weak dependecy on |
retrace-server.spec.in
Outdated
| @@ -99,7 +100,42 @@ rm -f %{buildroot}%{_infodir}/dir | |||
| #retrace uid/gid reserved in setup, rhbz #706012 | |||
| %define retrace_gid_uid 174 | |||
| getent group retrace > /dev/null || groupadd -f -g %{retrace_gid_uid} --system retrace | |||
| getent passwd retrace > /dev/null || useradd --system -g retrace -u %{retrace_gid_uid} -d %{_datadir}/%{name} -s /sbin/nologin retrace | |||
| getent passwd retrace > /dev/null || useradd --system -g retrace -u %{retrace_gid_uid} -b %{_sharedstatedir} -s /sbin/nologin retrace | |||
There was a problem hiding this comment.
I encourted a problem with this. I already have a retrace user on my system (from older installation) with a home dir /usr/share/retrace.
Upgrading retrace-server does not change the home dir to /var/lib/retrace.
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/
There was a problem hiding this comment.
Seems to be working now. It's quite ugly because simple usermod -m -d will fail if there is a process run by the user retrace. So I just userdel -f the user and then add it again with a different home dir.
Side note for @ernestask: userdel removes the appropriate entries from /etc/sub[ug]id but it leaves the empty lines in place, meaning that the files did end up slightly malformed. After many testing installs and uninstalls they contained one entry for my user followed by many \n's. Fortunately, sort -n puts the blank lines at the top but I added a sed call to get rid of those anyway.
There was a problem hiding this comment.
In cut(1):
-s, --only-delimited
do not print lines not containing delimiters
That should do the trick as well.
There was a problem hiding this comment.
By “malformed” I meant anything that isn’t empty or in the right format. Probably should have clarified.
There was a problem hiding this comment.
I dropped this whole part from the .spec file altogether and just documented it instead.
michalfabik
force-pushed
the
use-podman
branch
from
9aa5d86
to
a8c93d5
Compare
michalfabik
force-pushed
the
use-podman
branch
from
a8c93d5
to
c2a8092
Compare
michalfabik
changed the title
|
Can one of the admins verify this patch? |
|
@trapas add to whitelist |
michalfabik
force-pushed
the
use-podman
branch
from
c938863
to
8c40515
Compare
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]> foo Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
Signed-off-by: Michal Fabik <[email protected]>
michalfabik
force-pushed
the
use-podman
branch
from
ac2802a
to
2a00fdd
Compare
|
Thank you @michalfabik |
|
This is very good work! Unfortunately there must be something missed here because I'm seeing regressions in my testing which does not use either mock or podman but just vmcores and crash directly. If I build on 45ed3a6 it gives "not enough arguments for format string" Earlier commits will fail with "local variable 'container_id' referenced before assignment: Here is the bisect log for the first failing commit about 'container_id': |
|
FWIW, I think we can remove the 'set_mock' and 'get_mock' and related logic as that is legacy code that was a wart anyway and it's not needed anymore. That might be related to this failure but I'm not sure yet. |
Remove the ability to run the 32-bit version of crash if it is installed. This was a one-off stopgap because mock could not be used. It is no longer important so remove the logic surrounding this which simplifies the new RetraceEnvironment selection logic. This fixes a regression introduced with abrt#277 where tasks would fail with either [2020-01-29 14:56:52] [I] Searching for kernel-debuginfo package for 2.6.32-504.el6.x86_64 [2020-01-29 14:56:57] [I] Generating backtrace [2020-01-29 14:56:57] [I] Stripping to 1 would have no effect [2020-01-29 14:57:02] [E] local variable 'container_id' referenced before assignment or [2020-01-29 15:14:06] [I] Calling prepare_debuginfo [2020-01-29 15:14:06] [I] Version: '2.6.32'; Release: '504.el6'; Arch: 'x86_64'; _arch: 'x86_64'; Flavour: 'None'; Realtime: False [2020-01-29 15:14:06] [I] Found cached vmlinux at path: /cores/retrace/repos/kernel/x86_64/usr/lib/debug/lib/modules/2.6.32-504.el6.x86_64/vmlinux [2020-01-29 15:14:06] [I] Searching for kernel-debuginfo package for 2.6.32-504.el6.x86_64 [2020-01-29 15:14:06] [E] prepare_debuginfo failed: not enough arguments for format string Signed-off-by: Dave Wysochanski <[email protected]>
|
Well a bug in run_crash_cmd exception handling code does not help (facepalm) |
|
Something in fd40267 needs fixed up I think. |
|
Simple fixup b319f0a |
- Spool dir was changed in abrt/retrace-server#277 - Workdirs were removed in abrt/retrace-server#271 - Hooks were replaced in abrt/retrace-server#278 - Kmem was removed in abrt/retrace-server#252 Signed-off-by: Martin Kutlak <[email protected]>
This PR uses the existing mechanisms currently used for mock config to create a Dockerfile in the crash directory. This is then used to create a podman container into which the coredump and metadata and a
gdb.shscript are copied and where the retrace itself is run. The use of podman is optional and enabled by setting the newly introducedRetraceEnvironmentconfig variable to"podman". Changes to theretraceuser are required during deployment in order to run retrace in a podman container, as described in DEPLOYING.md.