-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oliver Falk wrote: Hi back Oliver! Good point. Attached is a 'cvs diff" of my tree, plus the new source file src/mock.c Comments welcome. Clark

williams(a)redhat.com (Clark Williams) writes: NFS & similar filesystem types which require e.g. RPC are the only "corner-case" I am aware of. A native mount(2) would require | chdir(new_chroot); | chrootChdir("/dev/pts"); | mount("none", ".", "devpts", "gid=5,mode=620"); or | chroot(new_chroot); | mount("none", "/dev/pts", "devpts", "gid=5,mode=620"); while mount(8) requires significantly more written and executed code (think of cmdline escaping, loading the 9 libraries /bin/mount is linked against, ...). The comment above was about 'rm -rf'. After a quick look into its code, I really can not tell whether it is implemented race-free. E.g. whether rm -rf chroot attacker | chdir("chroot"); | lstat("bin"); --> is-dir | rmdir("bin"); | symlink("/etc", "bin"); | chdir("bin"); | remove-all-what-I-can-find will be prevented. do it in a safe manner... | chdir(rootdir); | chrootChdir("/dev/pts"); | mount("none", ".", "devpts", "gid=5,mode=620"); with | chrootChdir(char const *dir) | { | int root_fd = open("/", O_RDONLY); | chroot("."); | chdir(dir); | int tgt_fd = open(".", O_RDONLY); | fchdir(root_fd); | chroot("."); | fchdir(tgt_fd); | close(tgt_fd); | close(root_fd); | } [obviously, error-checking must be added at every line] As shown above, mount(2) results in significantly less written and executed code than mount(8). This is resulting both in faster and more secure code. And I really do not know how people came to the idea to use system(3) at this place. Even prototyping languages like perl or python know execve(2) equivalences. Sorry; my comment was not about the mkdir stuff with the (IMO unneeded) test-if-exists. It just stepped in more or less inadvertently. no; only the underlined part. When 'install' was compiled with (or without ... I can not remember the exact conditions) AFS support, the 'make install' will fail as non-root user. We are in userspace where we have 8MB stack or so by default... And I do not think that somebody wants to implement mock-helper as a kernel module with only 4KB stack... ;) We are speaking about SUID programs. Every additional and unneeded line of code increases complexity and complicates an audit. Your original code showed that the unneeded memory-allocating is error-prone too. Why write complicated code, when same thing can be done shorter, faster and less error-prone? Enrico

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Enrico Scholz wrote: It took me a little while to track down the mount interface (I've never used diskutils), so I feel better about it now. I'm not against using the mount(2)/umount(2) calls to manage stuff in our chroot. Also, I haven't heard anyone jump in here screaming that we shouldn't do that (could be you, me, Michael and Dan are the only ones on this channel :). I'll look at modifying things to use the diskutils mount. I have some reservations about chroot though... <snip> I'd like to hold off a bit on attempting to use os.chroot() rather than using the chroot program. As I'm sure you are aware, moving to os.chroot() entails a fairly big philosophical shift from a design perspective. Currently we only format commands to be run within the chroot and feed them to the chroot program. Shifting over to os.chroot() means that we'll need to os.fork() and wait for child completion. I'd rather take this in small steps, that is release a version of mock that uses the new launcher mechanism, let that settle, then consider getting more fine grained by actually crossing the chroot barrier in python code. I'm not saying I'm against doing it, rather I'd like to get this first step out of the way before we try. In the mean time we can argue about it to our hearts content :). You know, I really didn't mean for those spec file modifications to see the light of day. That's what I get for being lazy and doing a 'cvs diff'. Bah! Child's play! Let's implement mock as a kernel thread! Hoist on my own petard. When it comes down to it, I'm all about less code. I'll go rework mock.c (the mock-helper replacement) and post a new one for further review. Clark P.S. I was really kidding about the kernel thread thing...

On Sat, 2006-06-24 at 11:26 -0400, Dan Williams wrote: Wild/Crazy idea: Why not use xml-rpc calls between the two? If mock sent out status information via xml-rpc, any other wrapper around mock would be able to gather that information up and act upon it. I have no idea what amount of work this would entail. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

On Sat, 2006-06-24 at 15:57 -0500, Clark Williams wrote: Does it really have to be a server? Could it be a push rather than a poll? Mock could make xml-rpc calls to whatever wraps around it. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

On Mon, 2006-06-26 at 09:42 -0500, Clark Williams wrote: What about using dbus? Its not "simple" per se, but should scale pretty well and allow for pretty good interaction. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

On Mon, 26 Jun 2006, Jesse Keating wrote: Please don't. As Seth correctly stated, there are people using RHEL4 as the buildserver. We do. As far as I understood dbus, I need a daemon running for the message passing to work. This will not do on a buildserver. I don't really care _how_ communication is done, but please do not require additional software running for that. And no dependencies on gnome-* or xorg-* stuff as well. Please. regards, andreas

On Mon, 2006-06-26 at 11:10 -0500, Clark Williams wrote: That's what branching the tree is for no? We don't want to stifle advancements in mock because it has to continue to run on RHEL3. A stable version of Mock could continue to run there, while developmental versions of mock march forward into the current century. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Just catching up on weekend traffic here. XMLRPC is a great idea. I have implemented several xmlrpc servers in the past, and this is an idea that could work out well. Given the nature of mock, it would probably be best if it made calls into plague, rather than the other way around, but it wouldn't be _too_ much overhead to have a server that could be polled for status. I have mock hacking on my todo list for this week, so after I finish catching up with list traffic and get the latest prototype downloaded and building, I'll take a look at this. -- Michael

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael_E_Brown(a)Dell.com wrote: Ugh. I get the feeling that this is a case of "Oooo shiny!". What benefit is it to mock to add either client or server RPC capabilities so that someone can determine mock's state? Are we talking about communicating something besides a string? XML-RPC works GREAT as a marshaling/unmarshaling mechanism to describe complex data structures. In this case however we're talking about telling someone that we're in the "prep" state, or in the "cache_unpack" state. If there is a wealth of information that we're not making available to the outside world (i.e. distributed build systems) then yeah, lets set up a series of remote procedure calls and publish them; I'll gladly work on client/server code in the mock codebase if it's justified. But if we're only changing state and not allowing the outside world to interact with us to change our behavior while building, then let's keep it simple. Clark

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Clark Williams wrote: In between whining about complexity, I modified the new launcher to use stack instead of heap for the argument vector. Attached is the source for the modified launcher, mock.c Comments please. Clark

On Mon, 2006-06-26 at 14:45 -0500, Clark Williams wrote: Just for 2cents, I'd like to make sure we don't forget the other use cases of mock: 1. in brew 2. standalone with just a person in front of a terminal -sv

Yes, feedback from Dan would be good. My initial thoughts are that a client implementation would be best at this point, due to the security implications of a server. Something where we call a server API provided by plague like: server.begin_mock_status( "my.src.rpm", MY_PID) server.set_mock_status( "my.src.rpm", "status_string", MY_PID) ... server.end_mock_status( "my.src.rpm", return_code, MY_PID) I don't know what brew is. Link? Xmlrpc would be an optional behaviour, invoked via something like: mock -r CFG --status_server=http://localhost:8080/ my.src.rpm Default behaviour would be no change. -- Michael

On Mon, 2006-06-26 at 15:55 -0400, Jesse Keating wrote: sounds perfect. I just wanted to mention it. I'm sure you understand. :) -sv

On Mon, 2006-06-26 at 14:57 -0500, Michael_E_Brown(a)Dell.com wrote: Brew is the Red Hat buildsystem that replaces Beehive. Work on brew started at last years summit, before Extras was really off the ground, and before plague had seen the light of day. Brew does a lot of things around package and chroot tracking that plague doesn't, and it was thought best to keep the two separate. Brew still uses mock as the workhorse though. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

On Mon, 2006-06-26 at 15:02 -0500, Michael_E_Brown(a)Dell.com wrote: I'm not sure how that will effect us (Red Hat). The user that calls our mock is always trusted I suppose, in our locked down build environment. I'm not sure if 'mach' was reviewed for use, or if we just went straight to mock, since plague did. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

I would like to foster discussion. It would be bad if one of the co-maintainers failed to voice their concerns over project direction, so no, I would hope that you never shut up. My initial thoughts around this is that having an xmlrpc server exposes too much of our (running with elevated privs) internals to random, untrusted strangers. There has already been one reported vulnerability in the python xmlrpc code. Both code-wise (7-10 lines for client, vs at least 20 for server), and security-wise, I think a client would be 'simpler'. Also, adding a server entices future additions along the lines you already said we don't want to go, and starts to supplant plague/brews role. -- Michael

I have some stock timeout and exception handling code that we can cut and paste in. It adds another 5-10 lines of code, and should make the code robust against what you describe. First order of business would be to get Dan's opinion on the matter, then settle on an API. I can code this up, along with a test harness. -- Michael

All good ideas. That was sort of an implicit placeholder in the server.begin_mock_status(...) API. We can munge that call to do whatever pre-processing that Dan would like to see implemented. I'm sort of a "implement what we are going to actually use _now_" kind of guy, so I like to build the API to be minimal but expandable. Something like python named args we can add later if plague/brew request them. We probably also want to include our API version expectations in the initial call. Revised proposed API: server.begin_mock_status(api_ver=1, srpm="my.src.rpm", pid=MY_PID) server.set_mock_status(srpm="my.src.rpm", status_str="status", pid=MY_PID) server.end_mock_status(srpm="my.src.rpm", return_code=retcode, pid=MY_PID) With Clark's suggestion, begin would look like this: server.begin_mock_status(api_ver=1, srpm="my.src.rpm", pid=MY_PID, expected_status_codes=[codes,...]) -- Michael

One of the signs of project maturity and good leadership is knowing when to say 'No', and not be afraid to point potential users to better alternativest to solve their problem. At this point, your request is right on the border, but I think we can accommodate so far. What I don't want to run into, though, is the point where we use mock for things like this: http://thomas.apestaart.org/log/?p=360. That is what 'mach' is for, and I don't care to try to compete. -- Michael

On Mon, 2006-06-26 at 17:07 -0500, Michael_E_Brown(a)Dell.com wrote: heh, i don't think we'll be doing anything crazy like that. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

On Mon, 2006-06-26 at 16:19 -0500, Michael_E_Brown(a)Dell.com wrote: I hate to throw water on the fire, but to me XML-RPC seems like a sledgehammer. There's actually a ton of code in xmlrpclib.py and for this specific instance of pushing status information back to a controlling process, I think it's somewhat heavy-handed. Stepping back a second, what are we trying to do with this? We're only trying to push a status string, and possibly a UID/PID, back to some other process. I don't have a good idea what might be functionality might be wanted in the future here though, but having mock as a discrete program that's fairly uncomplicated seems like a good thing to me. XML-RPC is quite nice, especially from Python, but it doesn't feel like the solution that fits the problem here. So, either of the two other proposed solutions would work for me: 1) Status file with locking. If there's locking, I can stat() the file and find out how big it is before trying to read it. Hence, no need for non-blocking IO here, though the previous blocking problems could be a stupid problem on my part in plague. 2) Unix socket provided by plague-builder, which mock writes to. Pass mock a --status-socket argument pointing to the location of a status socket. We can also use Unix socket peer credentials (like dbus and gnome-keyring) here to verify that the writer to the socket is actually the 'mock' user or whatever, in addition to setting permissions on the socket itself. I'd vote to #1 to start with since it's the simplest, then #2 if we have issues with #1. Either of these starts falling down fairly quickly if we want to push more than a few items of status information to the controlling process from mock. But in that case, we should ask _why_ we're trying to push so much info back, and if we need to. If we decide we need to, then I think we should investigate XML-RPC, possibly over TCP/IP, but most likely over a local unix socket. I just don't think mock needs to be network-enabled. Dan

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jeremy Katz wrote: So where were you guys when I was playing Horatius at the bridge? :) Clark

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greg DeKoenigsberg wrote: Not smart enough to argue that we should wait for our build system clients to weigh in. Sigh... Dan/Jeremy/Mike/Andreas/et al How are you going to use file locking? Do you just want mock to lock the status file when we're changing state, or is there something else I'm missing? Clark P.S. Who let the marketing dweeb on this channel? :) Clark

On Tue, 2006-06-27 at 10:13 -0500, Clark Williams wrote: I'd like to take this opportunity to point to lesscode.org thanks, -sv

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike McLean wrote: Something like : flock(fileno, LOCK_EX) <write new status> flock(fileno, LOCK_UN) That what you're looking for? Clark

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dan Williams wrote: What, you couldn't tell that was pseudo-python? :) Clark

<aside>Sorry for the format of the posts today, forced to use stupid webmail which is slow and ugly.</aside> How about the old unix everything is a file concept? We could just have a --status_file parameter that could take a file or a named pipe as input, it would look the same to us, whether it was a pipe or a regular file. Either that, or we could even have a --status_fd parameter for people that might want to pre-open a file and pass it to us as an fd when they fork/exec. We might want to consider removing the open()/close() and instead just flush() it. We still shouldnt really need locking. -- Michael -----Original Message----- From: fedora-buildsys-list-bounces(a)redhat.com on behalf of Dan Williams Sent: Tue 6/27/2006 9:12 AM To: Discussion of Fedora build system Subject: RE: New version of mock working (I think) On Mon, 2006-06-26 at 16:19 -0500, Michael_E_Brown(a)Dell.com wrote: I hate to throw water on the fire, but to me XML-RPC seems like a sledgehammer. There's actually a ton of code in xmlrpclib.py and for this specific instance of pushing status information back to a controlling process, I think it's somewhat heavy-handed. Stepping back a second, what are we trying to do with this? We're only trying to push a status string, and possibly a UID/PID, back to some other process. I don't have a good idea what might be functionality might be wanted in the future here though, but having mock as a discrete program that's fairly uncomplicated seems like a good thing to me. XML-RPC is quite nice, especially from Python, but it doesn't feel like the solution that fits the problem here. So, either of the two other proposed solutions would work for me: 1) Status file with locking. If there's locking, I can stat() the file and find out how big it is before trying to read it. Hence, no need for non-blocking IO here, though the previous blocking problems could be a stupid problem on my part in plague. 2) Unix socket provided by plague-builder, which mock writes to. Pass mock a --status-socket argument pointing to the location of a status socket. We can also use Unix socket peer credentials (like dbus and gnome-keyring) here to verify that the writer to the socket is actually the 'mock' user or whatever, in addition to setting permissions on the socket itself. I'd vote to #1 to start with since it's the simplest, then #2 if we have issues with #1. Either of these starts falling down fairly quickly if we want to push more than a few items of status information to the controlling process from mock. But in that case, we should ask _why_ we're trying to push so much info back, and if we need to. If we decide we need to, then I think we should investigate XML-RPC, possibly over TCP/IP, but most likely over a local unix socket. I just don't think mock needs to be network-enabled. Dan -- Fedora-buildsys-list mailing list Fedora-buildsys-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-buildsys-list