On 27.02.19 at 15:53, Steffen Grunewald wrote:
On Wed, 2019-02-27 at 15:19:24 +0100, Oliver Freyermuth wrote:
On 27.02.19 at 15:12, Steffen Grunewald wrote:
On Wed, 2019-02-27 at 13:56:30 +0100, Oliver Freyermuth wrote:
Please keep in mind (see my earlier mail for more details) that forcing "-U" will break Singularity with setuid root (which is the default). "-a" enables "-U" dynamically (which the manpage does not state, but the code reveals).
So basically you claim that the current behaviour is broken, even for systems that support the -a flag?
No. Using "-a" (if supported) works correctly, since it is *not* equivalent to "-m -u -i -n -p -U", but in fact, as you can find here: https://github.com/karelzak/util-linux/commit/974cc006f122f36e2187cedb9d3e58dc2d24814c both in the comment in the manpage change and in the code, "-U" is "ignored if the same as the caller's current user namespace." This is the case for singularity with setuid root. I.e. "-a" works (I think, I cannot test), but forcing "-m -u -i -n -p -U" as your patch does fails.
Oh well. Re-reading the source code of nsenter, I must agree you're right - indeed, in the case of "--all" (-a) there's a check for identical namespaces which is not there for the "--user" (-U) flag alone. This means that the behaviour of the "-a" flag cannot be fully reproduced with older nsenter versions :(
Well, at least not by just rewriting the flag to a list of flags ;-). You could of course add a check if /proc/self/ns/user points to the same place as /proc/<pidOfTheJob>/ns/user, and if so, not add "-U". This seems to be what nsenter is doing, basically.
According to my analyses, the "-a" flag was added between versions 2.29.2 and 2.30.2 - the commit is dated Dec 13, 2016, and apparently was released with 2.30. (It's not in 2.29.2 although that was released in Feb 2017.) The only feasible cure would be to depend on util-linux >= 2.30, but since util-linux is a quite basic package one would have to watch out for subtle breakage (otherwise there might be a backport of 2.30.2 now in Buster to Stretch - currently at 2.29.2 -, and Jessie - at 2.25.2 -, any volunteers?)
I guess that's also not feasible for RHEL 6 / RHEL 7, so I'd rather wait for Greg to take a shot at a good fix in HTCondor, e.g. by rewriting "-a" to the list of flags (as you proposed) and making the addition of "-U" conditional. If I had more time at hand, I'd propose a patch myself, but as it is now, our users are wildly submitting various kinds of differently broken jobs in preparation of conferences. Cheers, Oliver
If the build was able to detect whether nsenter supported "-a" or not, and set some defines to switch from "-a" to "-m ..." (with the correct selection of flags), that would be the best solution IMHO, without having to backport anything else. Cheers, Steffen
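A run-time variant of what the two messages above discuss (Oliver's /proc/<pid>/ns/user comparison before adding "-U", and Steffen's detection of "-a" support), as an added example that is neither HTCondor's nor util-linux's code; probing nsenter's usage text for "--all" instead of a build-time define, and all function names, are assumptions of this example:

```sh
#!/bin/sh
# Added example, not HTCondor or util-linux code. Builds the nsenter
# argument list for a job PID: uses "-a" when the installed nsenter has it,
# otherwise expands to the explicit flag list from the thread and adds "-U"
# only when the caller's user namespace differs from the target's (the
# check nsenter performs internally for "-a").

# 0 if nsenter advertises "--all" in its usage text (util-linux >= 2.30),
# 1 otherwise, including when no nsenter binary is installed.
nsenter_supports_all() {
    command -v nsenter >/dev/null 2>&1 || return 1
    nsenter --help 2>&1 | grep -q -- '--all'
}

# Pure helper: given the caller's and the target's user-namespace links
# (as read from /proc/<pid>/ns/user) and the target PID, print the
# pre-2.30 flag list. "-U" is omitted when both links are identical,
# which is the setuid-root Singularity case from the thread.
legacy_flags_from_ns() {
    caller_ns="$1"; target_ns="$2"; pid="$3"
    flags="-m -u -i -n -p"
    if [ "$caller_ns" != "$target_ns" ]; then
        flags="$flags -U"
    fi
    printf '%s\n' "$flags -t $pid"
}

# Flag list for a live PID. Fails (non-zero) if either ns link cannot be
# read, e.g. the process is gone or /proc is not mounted, rather than
# guessing a flag set that might break the job.
nsenter_flags_for_pid() {
    pid="$1"
    if nsenter_supports_all; then
        printf '%s\n' "-a -t $pid"
        return 0
    fi
    mine=$(readlink /proc/self/ns/user) || return 1
    theirs=$(readlink "/proc/$pid/ns/user") || return 1
    legacy_flags_from_ns "$mine" "$theirs" "$pid"
}
```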