
Re: [HTCondor-users] condor_ssh_to_job broken with 8.8 on CentOS 7



On 27.02.19 at 15:53, Steffen Grunewald wrote:
On Wed, 2019-02-27 at 15:19:24 +0100, Oliver Freyermuth wrote:
On 27.02.19 at 15:12, Steffen Grunewald wrote:
On Wed, 2019-02-27 at 13:56:30 +0100, Oliver Freyermuth wrote:

Please keep in mind (see my earlier mail for more details) that forcing "-U" will break Singularity with setuid root (which is the default).
"-a" enables "-U" dynamically (which the manpage does not state, but the code reveals).

So basically you claim that the current behaviour is broken, even for systems
that support the -a flag?

No. Using "-a" (if supported) works correctly, since it is *not* equivalent to
"-m -u -i -n -p -U", but in fact, as you can find here:
https://github.com/karelzak/util-linux/commit/974cc006f122f36e2187cedb9d3e58dc2d24814c
both in the comment in the manpage change and in the code, "-U" is
"ignored if the same as the caller's current user namespace". This is the case for Singularity with setuid root.

I.e. "-a" works (I think, I cannot test), but forcing "-m -u -i -n -p -U" as your patch does fails.

Oh well. Re-reading the source code of nsenter, I must agree you're right -
indeed, in the case of "--all" (-a) there's a check for identical namespaces
which is not there for the "--user" (-U) flag alone.

This means that the behaviour of the "-a" flag cannot be fully reproduced
with older nsenter versions :(

Well, at least not by just rewriting the flag to a list of flags ;-).
You could of course add a check if /proc/self/ns/user points to the same place
as /proc/<pidOfTheJob>/ns/user, and if so, not add "-U". This seems to be
what nsenter is doing, basically.


According to my analyses, the "-a" flag was added between versions 2.29.2
and 2.30.2 - the commit is dated Dec 13, 2016, and apparently was released
with 2.30. (It's not in 2.29.2 although that was released in Feb 2017.)
The only feasible cure would be to depend on util-linux >= 2.30, but since
util-linux is a quite basic package one would have to watch out for subtle
breakage (otherwise there might be a backport of 2.30.2 now in Buster to
Stretch, currently at 2.29.2, and Jessie, at 2.25.2; any volunteers?)

I guess that's also not feasible for RHEL 6 / RHEL 7, so I'd rather wait
for Greg to take a shot at a good fix in HTCondor, e.g. by rewriting "-a" to the list of flags
(as you proposed) and making the addition of "-U" conditional.

If I had more time at hand, I'd propose a patch myself, but as it is now, our users
are wildly submitting various kinds of differently broken jobs in preparation for conferences.

Cheers,
  Oliver

If the build was able to detect whether nsenter supported "-a" or not, and
set some defines to switch from "-a" to "-m ..." (with the correct selection
of flags), that would be the best solution IMHO, without having to backport
anything else.

Cheers,
  Steffen
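The conditional "-U" handling Oliver sketches above (compare /proc/self/ns/user with /proc/<pid>/ns/user and add "-U" only when they differ), written out as an added POSIX sh example; it is not from this thread or from HTCondor. The function names are hypothetical, and treating an unreadable target link as "no -U" is my assumption.

```shell
#!/bin/sh
# Added example (not HTCondor code): build the nsenter flag list that "-a"
# would use, for util-linux < 2.30 where "-a" is unavailable.
# nsenter -a skips the user namespace when it is the caller's own; a fixed
# "-m -u -i -n -p -U" does not, and "-U" then fails for setuid-root
# Singularity jobs, which run in the caller's user namespace.

# Print the identity of /proc/<pid>/ns/<name> (e.g. "user:[4026531837]").
# Prints nothing and fails if the link cannot be read: the kernel has no
# such namespace, the pid is gone, or we lack permission to inspect it.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# True only when the target's user namespace exists and differs from ours.
# Assumption: an unreadable target link means "do not add -U" (nsenter
# could not enter it either).
needs_user_ns() {
    target=$(ns_id "$1" user) || return 1
    [ -n "$target" ] || return 1
    caller=$(ns_id self user)
    [ "$target" != "$caller" ]
}

# Flag list replacing "-a" for the given target pid; "-U" only when needed.
nsenter_flags_for() {
    flags="-m -u -i -n -p"
    if needs_user_ns "$1"; then
        flags="$flags -U"
    fi
    printf '%s\n' "$flags"
}

# Usage (hypothetical job pid in $pid):
#   nsenter -t "$pid" $(nsenter_flags_for "$pid") -- /bin/sh
```

For a process in our own user namespace (or one whose namespace link we cannot read) the result is "-m -u -i -n -p"; "-U" is appended only for a target in a different user namespace.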


