Try entering namespace if chroot fails #42

Merged
merged 2 commits into from
Oct 27, 2023

Contributor

@DrDaveD DrDaveD commented Oct 25, 2023

LIGO has found that on el8, access from within an unprivileged apptainer container fails to be able to read a proxy if it is at a non-standard path specified by `X509_USER_PROXY`. That's because the chroot into the root path of the process fails. This adds an alternative, an equivalent of `nsenter -U --preserve-credentials -m`, and opens the file there.

@DrDaveD
Contributor Author

DrDaveD commented Oct 26, 2023

I confirmed that this problem was due to a recent change in kernels, as I had previously suspected. It was probably a security fix. I tested it on my rocky9 vagrant box and at first the chroot succeeded, but then I did a dnf update to update it to the latest kernel and it started failing. This fix works there too.

@DrDaveD
Contributor Author

DrDaveD commented Oct 27, 2023

I updated my sl7 machine to the latest kernel and it still does not fail the chroot.

Collaborator

@djw8605 djw8605 left a comment

Looks good. Discussed in Slack.

@djw8605 djw8605 merged commit eb3d258 into cvmfs-contrib:master Oct 27, 2023
@DrDaveD DrDaveD deleted the enter-unpriv-ns branch October 27, 2023 20:09
@stuartthebruce

What kernel version triggers this problem? And do you know yet what version of cvmfs-x509-helper will include the fix?

@DrDaveD
Contributor Author

DrDaveD commented Oct 27, 2023

I'm not sure exactly which older kernel versions don't trigger it, but at least 4.18.0-477.27.1.el8_8.x86_64 and 5.14.0-284.30.1.el9_2.x86_64 have the problem. The fix is in cvmfs-x509-helper-2.4.
