Package: runit-helper
Version: 2.16.6
Severity: critical

Hi,

(rationale for critical severity: makes unrelated software break)

/usr/lib/runit-helper/runit-helper only performs requested runit service 
operations if the following test succeeds:

ok_pipe () {
        [ -p "/etc/sv/$NAME/supervise/ok" ]
}

This test can yield both false positives and false negatives.

 * False positive: /etc/sv/$NAME was a runit service, but is no longer 
symlinked into the directory runsvdir monitors (e.g. due to runsvchdir), so the 
supervise/ok pipe still exists but there is no process attached to it.
 * False negative: if a runit service is installed in any directory other than 
/etc/sv, /etc/service/$NAME/supervise/ok may exist and be a pipe without 
/etc/sv/$NAME/supervise/ok existing.

I have been hit by the false-negative error on two openssh-server upgrades, 
once when upgrading to 10.0p1 and once (today) with 10.4p1 -- in both cases, if 
ssh is not restarted after the package upgrade, it can't accept new 
connections. (If being able to ssh into a system is the entire purpose of the 
system, then this even "breaks the entire system".)

My ssh runit service is not /etc/sv/ssh, so even though the openssh-server 
postinst script did try to issue a runit restart command like this:

    NAME='ssh' ENABLE='yes' ONUPGRADE='restart' 
/usr/lib/runit-helper/runit-helper postinst "$@"

This was ineffective because runit-helper decided not to perform the restart.

If runit helper were less (unnecessarily?) complex and had just tried to "sv 
restart $NAME", ssh would just have worked after the upgrade.

(On a philosophical level, I think it's better for such critical, low-level 
system software to just attempt requested operations instead of trying to 
anticipate all possible errors and not even making the attempt if it looks like 
it might fail.)

My recommendation would be to lose 90% of the complexity in runit-helper that 
deals with potentially not doing what it was asked to do; and instead 
handle/mask errors (if any) after they happen.

AndrĂ¡s

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 7 (freia/ceres)
Release:        7
Codename:       freia ceres
Architecture: x86_64

Kernel: Linux 7.0.13+deb14-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

-- no debconf information

-- 
                    In DBLSPACE no one can hear you scream.

Reply via email to