On pe, 13 marras 2020, Alexander Bokovoy via FreeIPA-devel wrote:
On ke, 11 marras 2020, Stanislav Levin via FreeIPA-devel wrote:
>11.11.2020 14:11, Alexander Bokovoy via FreeIPA-devel пишет:
>>On ke, 11 marras 2020, Stanislav Levin wrote:
>>>>On top of that we have a worrying behavior of the Azure CI with regards
>>>>to DNSSEC that waits for investigation.
>>>please, where to see the failure?
>>You can look, for example, at https://github.com/freeipa/freeipa/pull/5248
>It is like https://pagure.io/freeipa/issue/8538
>At least, 389-ds logging may be raised to 8192 from the current one (0)
We already have debugging enabled in Azure CI builds. I uploaded logs to
the issue 8538.
To me this looks like 389-ds issue 4363 is not really fixed yet.
I ran few experiments with Rawhide and git master over weekend. Here is
my status before 4.9.0-rc1 release preparation:
- Master branch seems to be no worse than 4.8.0 in terms of running on
Fedora 32 in Azure Pipelines CI and PR CI.
- Rawhide has fixes for certmonger and 389-ds-base but I was unable to
get them fully tested due to upgrade of glibc that made impossible to
use Azure Pipelines with Rawhide anymore on kernels less than v5.8.
glibc changed implementation of faccessat() to use faccessat2() if this
syscall is available at the compile time -- requires kernel v5.8 or
later. As a result, systemd cannot start anymore in unprivileged
container on Azure Pipelines CI even with host Ubuntu 20.04 which uses
v5.4. The exact solution is unclear yet because it is a general issue
with libseccomp not knowing about newer syscalls and not being able to
filter out unknown syscalls in a way that would trigger a fallback to
faccessat() in glibc.
This is a generic issue -- other projects saw a similar fallout when
coreutils and other projects started to use statx() syscall. For
this for libuv which is used by Node.js.
libseccomp only added support for faccessat2() in version 2.5:
this version is available in Debian Sid already, so one option would be
to try to update the host image at runtime to use newer libseccomp2
package from Sid (it is easily installable on top of Focal repositories,
I checked), then restart docker and reuse our unprivileged containers.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland