Quoting Roger Leigh (2016-10-15 21:08:04)
> On 15/10/2016 19:47, Ian Jackson wrote:
> > If some program is run within an schroot which invokes gpg (for
> > example, as part of a package build, or a DEP-8 test suite), schroot
> > can fail to tear the chroot down.  As an example, dgit's DEP-8 test
> > suite currently fails for this reason when run with adt-virt-schroot
> > specifying an lvm snapshot sid chroot.
> >
> > (See #840669 for more details.)
> >
> > I suggest that schroot ought to kill gpg-agents when tearing down the
> > chroot.  On my own computer I have done this with the attached script,
> > which might serve as a starting point.
> >
> > I suspect that this script is not quite what is needed.  Things which
> > are perhaps wrong with it:
> >  * It always prints output (good for me to help debug this problem,
> >    but not good for a default shipped with schroot)
> >  * I am not sure whether the --exec test will DTRT.  ISTM that it
> >    will almost certainly do a wrong thing for tarball chroots, but
> >    it's probably right for lvm snapshot ones (or any other that has
> >    its own separately mounted /usr filesystem).
> >  * Other things I haven't thought of.
> Thanks, I'll take a look at the script.
> However, I wonder why the existing killprocs script isn't finding and 
> killing the agent on session end.  It should take care of any processes
> running inside the chroot whether or not they are daemons.

sbuild used to suffer from the same problem from two different sources.

The first one was from gpg as executed by sbuild itself inside the chroot. You
can have a look at the kill_gpgagent function to see how I kill the gpg-agent.
It is important to pass the $GNUPGHOME environment variable because without it,
gpgconf will be unable to figure out which gpg-agent process to kill.

The second one was more tricky. Sbuild used to use apt-key to put gpg keys into
/etc/apt/trusted.gpg.d. But apt-key is calling gpg itself and will thus leave a
gpgagent process running. For its execution, apt-key is creating a temporary
$GNUPGHOME in /tmp which it removes once it quits. Thus, there is no way for
the apt-key user to kill the gpg-agent process spawned by gpg used by apt key
(unless one searches all running processes for those named gpg-agent and tries
to kill them but one might kill too much with this approach). Since
programmatic usage of apt-key is discouraged anyway, I completely removed
apt-key from sbuild and replaced it by some more Perl code. The problem is now
supposedly fixed with recent versions of apt-key.

The problem I faced with schroot here was, that with the gpg-agent process
still running, it was impossible for schroot to unmount /dev. I don't remember
what gpg-agent was using but there were some open file handles in /dev that
gpg-agent used.


cheers, josch

Attachment: signature.asc
Description: signature

Reply via email to