
Re: [HTCondor-users] condor_ssh_to_job broken with 8.8 on CentOS 7



On Wed, 2019-02-27 at 15:19:24 +0100, Oliver Freyermuth wrote:
> Am 27.02.19 um 15:12 schrieb Steffen Grunewald:
> > On Wed, 2019-02-27 at 13:56:30 +0100, Oliver Freyermuth wrote:
> > > 
> > > Please keep in mind (see my earlier mail for more details) that forcing "-U" will break Singularity with setuid root (which is the default).
> > > "-a" enables "-U" dynamically (which the manpage does not state, but the code reveals).
> > 
> > So basically you claim that the current behaviour is broken, even for systems
> > that support the -a flag?
> 
> No. Using "-a" (if supported) works correctly, since it is *not* equivalent to
> "-m -u -i -n -p -U", but in fact, as you can find here:
> https://github.com/karelzak/util-linux/commit/974cc006f122f36e2187cedb9d3e58dc2d24814c
> both in the comment in the manpage change and in the code, "-U" is
> "ignored if the same as the caller's current user namespace.". This is the case for singularity with setuid root.
> 
> I.e. "-a" works (I think, I cannot test), but forcing "-m -u -i -n -p -U" as your patch does fails.

Oh well. Re-reading the source code of nsenter, I must agree you're right -
indeed, in the case of "--all" (-a) there's a check for identical namespaces
which is not there for the "--user" (-U) flag alone.

This means that the behaviour of the "-a" flag cannot be fully reproduced
with older nsenter versions :( 

According to my analyses, the "-a" flag was added between versions 2.29.2
and 2.30.2 - the commit is dated Dec 13, 2016, and apparently was released
with 2.30. (It's not in 2.29.2 although that was released in Feb 2017.)
The only feasible cure would be to depend on util-linux >= 2.30, but since
util-linux is quite a basic package, one would have to watch out for subtle
breakage (otherwise there might be a backport of 2.30.2, now in Buster, to
Stretch - currently at 2.29.2 - and Jessie - at 2.25.2 - any volunteers?)

If the build were able to detect whether nsenter supports "-a" or not, and
set some defines to switch from "-a" to "-m ..." (with the correct selection
of flags), that would be the best solution IMHO, without having to backport
anything else.

Cheers,
 Steffen


-- 
Steffen Grunewald, Cluster Administrator
Max Planck Institute for Gravitational Physics (Albert Einstein Institute)
Am Mühlenberg 1 * D-14476 Potsdam-Golm * Germany
~~~
Fon: +49-331-567 7274
Mail: steffen.grunewald(at)aei.mpg.de
~~~
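The detection that Steffen's last paragraph asks for, as an added example that is not part of this thread, of HTCondor or of util-linux: probe whether the installed nsenter lists "--all", and if it does not, fall back to the explicit "-m -u -i -n -p" list from the patch under discussion while reproducing the one check that "-a" performs and a bare "-U" does not, namely skipping the user namespace when it is the caller's own (the setuid-root Singularity case). The help text, the PID and the namespace identifiers are constructed for the example; only `flags_for_pid` touches a real system and assumes a Linux /proc and an nsenter in PATH.

```shell
#!/bin/sh
# Added example (not from the thread, HTCondor or util-linux): choose nsenter
# flags at run time depending on whether this nsenter supports "--all".

# nsenter_has_all HELPTEXT: succeeds if the help output lists an --all option.
nsenter_has_all() {
    printf '%s\n' "$1" | grep -q -E -e '(^|[[:space:]])--all([[:space:]]|$)'
}

# same_user_ns CALLER_NS TARGET_NS: succeeds if the two namespace links (as
# printed by "readlink /proc/<pid>/ns/user", e.g. "user:[4026531837]") name
# the same namespace.  This is the comparison "-a" does before entering the
# user namespace and "-U" alone does not.
same_user_ns() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# build_nsenter_flags HAS_ALL CALLER_NS TARGET_NS: prints the flag list to
# pass to nsenter.  HAS_ALL is "yes" or "no".
build_nsenter_flags() {
    has_all=$1
    caller_ns=$2
    target_ns=$3
    if [ "$has_all" = yes ]; then
        # nsenter >= 2.30: let -a do the namespace enumeration and checks.
        printf '%s' '-a'
        return 0
    fi
    # Older nsenter: explicit list (mount, uts, ipc, net, pid) ...
    flags='-m -u -i -n -p'
    # ... plus the user namespace only when it differs from our own;
    # forcing -U into an identical user namespace is what breaks.
    if ! same_user_ns "$caller_ns" "$target_ns"; then
        flags="$flags -U"
    fi
    printf '%s' "$flags"
}

# flags_for_pid PID: live wrapper around the pure functions above.
# Assumes a Linux /proc and an nsenter binary in PATH.
flags_for_pid() {
    pid=$1
    help=$(nsenter --help 2>&1 || true)
    if nsenter_has_all "$help"; then has_all=yes; else has_all=no; fi
    caller_ns=$(readlink /proc/self/ns/user)
    target_ns=$(readlink "/proc/$pid/ns/user")
    build_nsenter_flags "$has_all" "$caller_ns" "$target_ns"
}

# Example use on a Linux host (the target PID is whatever job process you
# want to enter):
#   pid=12345
#   nsenter -t "$pid" $(flags_for_pid "$pid") -- /bin/sh
```

Two things to keep in mind when using this as a fallback: the comparison reads the namespace links of the target process, so it needs permission to read /proc/<pid>/ns/user (root, or a same-user target), and newer util-linux versions enumerate more namespace types under "-a" (the cgroup namespace, for instance) than the explicit list covers, which is exactly the point made above that "-a" cannot be fully reproduced on older nsenter.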