Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread nicolas . mailhot
Hi,

BTW since we are talking about debug and future tech, what is the correct way 
(as of rawhide and EPEL 7) to handle 

extracting debug info from 
/builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
*** ERROR: No build ID note found in 
/builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump

(I have those in all Go packages that build something)

I can sprinkle %global debug_package   %{nil} everywhere, but that's not overly 
satisfying.

Regards,

-- 
Nicolas Mailhot



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread Mark Wielaard
Hi Tomas,

On Fri, 2017-10-06 at 20:09 +0200, Tomas Tomecek wrote:
> Mark, thanks for feedback!
> 
> I'll be honest that I left gcc and gdb in there by accident. As Dan
> said, we are trying to reduce size of that container so it's easier
> to use. Who decides what's in it?

> This was an internal collaboration with multiple
> people -- in the end, everyone can express themselves and provide
> feedback or suggestions.
> 
> Would you be able to come up with a complete list of packages you
> have in mind? Creating a new issue in Atomic WG issue tracker would
> be really helpful to us: https://pagure.io/atomic-wg/issues
> 
> I agree with Dan that this could be a good candidate for a debugging
> container -- tools container could contain sysadmin tools and the
> debugging container could be used for debugging applications and
> maybe even C-development.

Aha. Interesting. I think the name "tools" is a little misleading.
Seeing some of the "tools" in there I assumed it was actually the
development tools container. The name tools might be a bit overloaded
:)

I am not sure debugging container on itself is that useful, it probably
should be a developer tools container, containing everything you would
use for your normal edit-compile-debug cycle. Or maybe a group of
"stacked" containers might be nice, one for the core native toolchain,
one for development debug tools and one for production monitoring,
tracing and profiling?

Maybe the packages from the Developer Toolset software collection (for
CentOS, but then for current Fedora) might be a good starting point:
https://www.softwarecollections.org/en/scls/rhscl/devtoolset-6/
Those come with a toolchain and perftools collection, also available as
docker image. But designed to be parallel installable, something which
you might not care for for the atomic containers. But the package lists
might be a good starting point.
http://mirror.centos.org/centos/7/sclo/x86_64/rh/devtoolset-7/

Cheers,

Mark



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-06 Thread Tomas Tomecek
Mark, thanks for feedback!

I'll be honest that I left gcc and gdb in there by accident. As Dan said,
we are trying to reduce size of that container so it's easier to use. Who
decides what's in it? This was an internal collaboration with multiple
people -- in the end, everyone can express themselves and provide feedback
or suggestions.

Would you be able to come up with a complete list of packages you have in
mind? Creating a new issue in Atomic WG issue tracker would be really
helpful to us: https://pagure.io/atomic-wg/issues

I agree with Dan that this could be a good candidate for a debugging
container -- tools container could contain sysadmin tools and the debugging
container could be used for debugging applications and maybe even
C-development.


Tomas

On Fri, Oct 6, 2017 at 4:14 PM, Mark Wielaard  wrote:

> On Mon, 2017-09-18 at 16:48 +0200, Tomas Tomecek wrote:
> > we managed to move tools container from Fedora Dockerfiles github
> > repo to Fedora infra [1]. As a side effect, we put systemtap in a
> > dedicated container.
> >
> > We would very much appreciate your feedback here
>
> What determines what goes into tools and what in a separate container
> (like systemtap). I see the tools container has strace, gcc, gdb, perf,
> etc. But not other development tools like binutils, elfutils and
> valgrind. Will those be added or will they come in some separate
> container?
>
> Thanks,
>
> Mark
> ___
> devel mailing list -- de...@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
>


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-06 Thread Daniel Walsh

On 10/06/2017 10:14 AM, Mark Wielaard wrote:

On Mon, 2017-09-18 at 16:48 +0200, Tomas Tomecek wrote:

we managed to move tools container from Fedora Dockerfiles github
repo to Fedora infra [1]. As a side effect, we put systemtap in a
dedicated container.

We would very much appreciate your feedback here

What determines what goes into tools and what in a separate container
(like systemtap). I see the tools container has strace, gcc, gdb, perf,
etc. But not other development tools like binutils, elfutils and
valgrind. Will those be added or will they come in some separate
container?

Thanks,

Mark

Right now there is an effort going on to shrink the tools container,
it has grown huge.


I would prefer you create a debug container and put all of these tools 
in there.




Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-06 Thread Mark Wielaard
On Mon, 2017-09-18 at 16:48 +0200, Tomas Tomecek wrote:
> we managed to move tools container from Fedora Dockerfiles github
> repo to Fedora infra [1]. As a side effect, we put systemtap in a
> dedicated container.
> 
> We would very much appreciate your feedback here

What determines what goes into tools and what in a separate container
(like systemtap). I see the tools container has strace, gcc, gdb, perf,
etc. But not other development tools like binutils, elfutils and
valgrind. Will those be added or will they come in some separate
container?

Thanks,

Mark



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-06 Thread Tomas Tomecek
Thank you for figuring this out!

I fixed in dist-git:
https://src.fedoraproject.org/container/systemtap/c/a8a59cacb440aacc150fad8a94d264d53a341baf?branch=master

Can't build in OSBS, seems like the service is having issues.


Tomas

On Thu, Oct 5, 2017 at 7:50 PM, Jeremy Eder  wrote:

> Woops, sorry Dan,  my bad.  That was a relic from earlier, when I tried
> sys_admin.
>
> Looks like --security-opt label:disable is enough to get it going.
>
> # docker run --security-opt label:disable --cap-add SYS_MODULE -v
> /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels
> -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug
> -t -i --name systemtap candidate-registry.fedoraproject.org/f26/systemtap
>
> On Thu, Oct 5, 2017 at 1:47 PM, Frank Ch. Eigler  wrote:
>
>> Hi, Dan -
>>
>>
>> > Could you show the docker line that atomic run is executing?
>>
>> % atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
>> /usr/share/systemtap/examples/io/iotop.stp
>> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug
>> -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
>> -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
>> candidate-registry.fedoraproject.org/f26/systemtap
>> /usr/share/systemtap/examples/io/iotop.stp
>>
>> ... which fails.  But a hand-run % docker run, with "--security-opt
>> label:disable" added in the front works for me.
>>
>>
>> > The LABEL would be the preferred way.
>>
>> Sure, just someone(tm) needs to find the Dockerfile in git.  I
>> couldn't find it from a dozen minutes reading
>> https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
>> and pals.
>>
>>
>> - FChE
>>
>
>
>
> --
>
> -- Jeremy Eder
>


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:55 PM, Frank Ch. Eigler wrote:

Hi, Dan -

On Thu, Oct 05, 2017 at 01:49:48PM -0400, Daniel Walsh wrote:

[...]
But really for something like this, it would be better to just run
it --privileged.  There is [no] security confinement present in what
you are doing.

Yup.  I thought "atomic run --spc" would imply "docker run --privileged"
but it doesn't seem to.

- FChE


No it looks like it is just running the label that is in the container 
image.




Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Jeremy Eder
Woops, sorry Dan,  my bad.  That was a relic from earlier, when I tried
sys_admin.

Looks like --security-opt label:disable is enough to get it going.

# docker run --security-opt label:disable --cap-add SYS_MODULE -v
/sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v
/usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i
--name systemtap candidate-registry.fedoraproject.org/f26/systemtap

On Thu, Oct 5, 2017 at 1:47 PM, Frank Ch. Eigler  wrote:

> Hi, Dan -
>
>
> > Could you show the docker line that atomic run is executing?
>
> % atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
> /usr/share/systemtap/examples/io/iotop.stp
> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v
> /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
> -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
> candidate-registry.fedoraproject.org/f26/systemtap
> /usr/share/systemtap/examples/io/iotop.stp
>
> ... which fails.  But a hand-run % docker run, with "--security-opt
> label:disable" added in the front works for me.
>
>
> > The LABEL would be the preferred way.
>
> Sure, just someone(tm) needs to find the Dockerfile in git.  I
> couldn't find it from a dozen minutes reading
> https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
> and pals.
>
>
> - FChE
>



-- 

-- Jeremy Eder


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:47 PM, Frank Ch. Eigler wrote:

Hi, Dan -



Could you show the docker line that atomic run is executing?

% atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap 
/usr/share/systemtap/examples/io/iotop.stp
docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v 
/usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v 
/usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc 
candidate-registry.fedoraproject.org/f26/systemtap 
/usr/share/systemtap/examples/io/iotop.stp

... which fails.  But a hand-run % docker run, with "--security-opt
label:disable" added in the front works for me.



The LABEL would be the preferred way.

Sure, just someone(tm) needs to find the Dockerfile in git.  I
couldn't find it from a dozen minutes reading
https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
and pals.


- FChE


But really for something like this, it would be better to just run it
--privileged.  There is no security confinement present in what you are
doing.




Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:38 PM, Jeremy Eder wrote:

I don't see any avc when it fails while label:disable is set.
I ran semodule -DB and retried.  I now see dontaudit stuff but still 
no interesting denials.


I'm not sure if you were talking to me or Frank with the atomic 
command line...


I pulled the label out of docker inspect on the systemtap image so I can
run it manually.  Here is what I am running.

All I have added is the --security-opt label:disable part.

# docker run --security-opt label:disable --cap-add SYS_ADMIN -v 
/sys/kernel/debug:/sys/kernel/debug -v 
/usr/src/kernels:/usr/src/kernels -v 
/usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug 
-t -i --name systemtap 
candidate-registry.fedoraproject.org/f26/systemtap 




Should be SYS_MODULE not SYS_ADMIN or maybe both.

I also tried with --security-opt seccomp:unconfimed.  That did not help.

Adding --privileged to the above command line, and systemtap works.

This is likely the key difference between why systemtap has always 
worked in the rhel-tools container...the label on that image includes 
--privileged.




On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh wrote:


On 10/05/2017 01:18 PM, Jeremy Eder wrote:

setenforce 0 works...security-opt label:disable does not.

On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh wrote:

On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:

wcohen forwarded:

[...]

 [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
 docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug
 -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
 -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
 candidate-registry.fedoraproject.org/f26/systemtap
  [...]
 ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
[...]

I bet
# setenforce 0
makes it work for you.  As per audit.log:

type=AVC msg=audit(1507222590.683:7940): avc:  denied  {
module_load }
for  pid=7595 comm="staprun"
scontext=system_u:system_r:container_t:s0:c534,c921
tcontext=system_u:system_r:container_t:s0:c534,c921
tclass=system permissive=1


- FChE



Rather than putting the system into permissive mode, you
should run a privileged container or at least disable SELinux
protections.


docker run -ti --security-opt label:disable ...





-- 


-- Jeremy Eder


Could you show me the AVC you get when you do the label:disable?





--

-- Jeremy Eder





Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Jeremy Eder
I don't see any avc when it fails while label:disable is set.
I ran semodule -DB and retried.  I now see dontaudit stuff but still no
interesting denials.

I'm not sure if you were talking to me or Frank with the atomic command
line...

I pulled the label out of docker inspect on the systemtap image so I can run
it manually.  Here is what I am running.
All I have added is the --security-opt label:disable part.

# docker run --security-opt label:disable --cap-add SYS_ADMIN -v
/sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v
/usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i
--name systemtap candidate-registry.fedoraproject.org/f26/systemtap

I also tried with --security-opt seccomp:unconfimed.  That did not help.

Adding --privileged to the above command line, and systemtap works.

This is likely the key difference between why systemtap has always worked
in the rhel-tools container...the label on that image includes --privileged.



On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh  wrote:

> On 10/05/2017 01:18 PM, Jeremy Eder wrote:
>
> setenforce 0 works...security-opt label:disable does not.
>
> On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh  wrote:
>
>> On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
>>
>>> wcohen forwarded:
>>>
>>> [...]

>>>>  [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
>>>>  docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug
>>>>  -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
>>>>  -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
>>>>  candidate-registry.fedoraproject.org/f26/systemtap
>>>>   [...]
>>>>  ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
>>>> [...]
>>>
>>> I bet
>>> # setenforce 0
>>> makes it work for you.  As per audit.log:
>>>
>>> type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
>>> for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
>>> tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system
>>> permissive=1
>>>
>>>
>>> - FChE
>>>
>>
>> Rather than putting the system into permissive mode, you should run a
>> privileged container or at least disable SELinux protections.
>>
>>
>> docker run -ti --security-opt label:disable ...
>>
>>
>>
>
>
> --
>
> -- Jeremy Eder
>
> Could you show me the AVC you get when you do the label:disable?
>
>
>


-- 

-- Jeremy Eder


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:18 PM, Jeremy Eder wrote:

setenforce 0 works...security-opt label:disable does not.

On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh wrote:


On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:

wcohen forwarded:

[...]

 [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
 docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug
 -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
 -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
 candidate-registry.fedoraproject.org/f26/systemtap
  [...]
 ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
[...]

I bet
# setenforce 0
makes it work for you.  As per audit.log:

type=AVC msg=audit(1507222590.683:7940): avc: denied  {
module_load }
for  pid=7595 comm="staprun"
scontext=system_u:system_r:container_t:s0:c534,c921
tcontext=system_u:system_r:container_t:s0:c534,c921
tclass=system permissive=1


- FChE



Rather than putting the system into permissive mode, you should
run a privileged container or at least disable SELinux protections.


docker run -ti --security-opt label:disable ...





--

-- Jeremy Eder


Could you show me the AVC you get when you do the label:disable?
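
The AVC record quoted in this thread can be triaged mechanically. As an added example (not code from the thread or from the Fedora project), this Python script re-joins mail-wrapped audit records, parses the AVC fields, and reports `module_load` denials raised from the `container_t` domain, along with whether each was enforced or only logged (`permissive=1`, as in the quoted record). The second and third sample records and all function names are constructed for illustration.

```python
import re

# First record: the AVC quoted in the thread, kept line-wrapped the way the
# mail client left it. The second and third records are constructed samples.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1507222590.683:7940): avc:  denied  {
module_load }
for  pid=7595 comm="staprun"
scontext=system_u:system_r:container_t:s0:c534,c921
tcontext=system_u:system_r:container_t:s0:c534,c921
tclass=system permissive=1
type=AVC msg=audit(1507222700.101:7990): avc:  denied  { module_load } for  pid=7701 comm="staprun" scontext=system_u:system_r:container_t:s0:c12,c40 tcontext=system_u:system_r:container_t:s0:c12,c40 tclass=system permissive=0
type=AVC msg=audit(1507222710.555:7993): avc:  denied  { read } for  pid=812 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SELinux domain seen in the thread's AVC record.
CONTAINER_TYPES = {"container_t"}


def rejoin_records(text):
    """Merge wrapped continuation lines into the 'type=' record they follow."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def selinux_type(context):
    """Return the type field of a user:role:type:level context, or ''."""
    parts = context.split(":", 3)  # the level itself may contain ':'
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(record):
    """Parse one AVC record into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    permissive = fields.get("permissive")  # absent on older kernels
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "source_type": selinux_type(fields.get("scontext", "")),
        "tclass": fields.get("tclass", ""),
        # True: blocked; False: logged only (permissive); None: not recorded
        "enforced": None if permissive is None else permissive == "0",
    }


def container_module_load_denials(text):
    """Return parsed AVC denials of module_load coming from a container domain."""
    findings = []
    for record in rejoin_records(text):
        avc = parse_avc(record)
        if avc is None or avc["verdict"] != "denied":
            continue
        if (avc["source_type"] in CONTAINER_TYPES
                and avc["tclass"] == "system"
                and "module_load" in avc["perms"]):
            findings.append(avc)
    return findings


if __name__ == "__main__":
    labels = {True: "blocked (enforcing)", False: "logged only (permissive)",
              None: "enforcement state not recorded"}
    for f in container_module_load_denials(SAMPLE_AUDIT_LOG):
        print(f"audit serial {f['serial']}: {f['comm']} in {f['source_type']} "
              f"requested module_load: {labels[f['enforced']]}")
```

Feeding the function the text of `audit.log` from a host where `setenforce 0` was used shows the denial with `permissive=1`, meaning the module load was logged rather than blocked.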




Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:11 PM, Frank Ch. Eigler wrote:

Hi, Dan -


[...]
Rather than putting the system into permissive mode, you should run
a privileged container

"atomic run --spc " fails similarly on f26, despite its
underlying "docker run --cap-add SYS_MODULE ..." parts.


or at least disable SELinux protections.

docker run -ti --security-opt label:disable ...

Is there an atomic(1) command line equivalent for this?  Or would
one have to put the security-option bits into the Dockerfile LABEL?


- FChE


Could you show the docker line that atomic run is executing?  The LABEL
would be the preferred way.



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread William Cohen
On 10/05/2017 10:33 AM, Jeremy Eder wrote:
> Forgot to add Will Cohen (discussed stap errors with him briefly).  Also my 
> replies won't make it to the dev list since I am not subscribed (just fyi I 
> guess).
> 
> On Thu, Oct 5, 2017 at 9:10 AM, Jeremy Eder wrote:
> 
> First of all, that readme is awesome.
> 
> spot checking the tools container...seems to all "just work" when I run 
> it with atomic run ...
> blktrace works
> ethtool works (-K -i -c -S specifically)
> netstat works
> pstack works
> perf top,record,report works
> iotop works
> slabtop works
> lstopo works
> htop works (wish this was in rhel)
> nstat works
> ss works (-tmpie)
> ifpps works (wish this was in rhel)
> numastat works (-mczs)
> pmap works
> all the sysstat tools work
> strace works
> tcpdump works
> sar works but you have to prepend the /host directory (so, sar -f 
> /host/var/log/sa/sa05)
> my god tmux is in here?? yes!
> 
> 
> systemtap (aww, no readme?)
> 
> doesn't work:
> [root@8b7437fed211 /]# cd /usr/share/systemtap/examples/process/
> [root@8b7437fed211 process]# stap cycle_thief.stp
> ERROR: Couldn't insert module 
> '/tmp/stapslabb9/stap_0811c9eea1bbb81f2fbc5f7bf9df4506_8509.ko': Operation 
> not permitted
> WARNING: /usr/bin/staprun exited with status: 1
> Pass 5: run failed.  [man error::pass5]
> [root@8b7437fed211 process]# 
> 
> 
> 
> [root@dhcp23-91 ~]# atomic run --spc 
> candidate-registry.fedoraproject.org/f26/systemtap 
> 
> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v 
> /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v 
> /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc 
> candidate-registry.fedoraproject.org/f26/systemtap 
> 
> 
> This container uses privileged security switches:
> 
> INFO: --cap-add 
>       Adding capabilities to your container could allow processes from 
> the container to break out onto your host system.
> 
> For more information on these switches and their security implications, 
> consult the manpage for 'docker run'.
> 
> [root@10accce504c2 /]# cd /usr/share/systemtap/examples/process/
> [root@10accce504c2 process]# stap cycle_thief.stp 
> ERROR: Couldn't insert module 
> '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation 
> not permitted
> WARNING: /usr/bin/staprun exited with status: 1
> Pass 5: run failed.  [man error::pass5]
> 
> 
> 
> On Thu, Oct 5, 2017 at 3:09 AM, Tomas Tomecek wrote:
> 
> Not sure if the question is for me -- I literally have no idea how to 
> do that.
> 
> 
> Let me know how I can help,
> 
> Tomas
> 
> 
> On Thu, Oct 5, 2017 at 5:04 AM, Dusty Mabe wrote:
> 
> 
> 
> On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
> > Hello,
> >
> > we managed to move tools container from Fedora Dockerfiles 
> github repo to Fedora infra [1]. As a side effect, we put systemtap in a
> dedicated container.
> >
> > We would very much appreciate your feedback here: so if you 
> have some time to take a look at these containers and try them out, it would 
> mean a lot to us.
> >
> > Repos:
> > https://src.fedoraproject.org/container/systemtap
> > https://src.fedoraproject.org/container/tools
> >
> > The way to access the images:
> > docker pull candidate-registry.fedoraproject.org/f26/tools
> 
> just tested out the tools container. can we get this into the 
> official registry?
> 
> > docker pull candidate-registry.fedoraproject.org/f26/systemtap
> >
> > Both images have help files, so please read them prior using 
> the containers:
> > 
> https://src.fedoraproject.org/container/tools/blob/master/f/root/README.md 
> 
> > 
> 

Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Tomas Tomecek
Jeremy, thanks a lot for trying this out!

> my god tmux is in here?? yes!

That's the reason I added it :D

> systemtap (aww, no readme?)

There should be this [1] help file (in roff format) placed in the container.


I didn't run into the issue you are experiencing. I think it could be
related to SELinux, I'll try to reproduce myself.

[1]
https://src.fedoraproject.org/container/systemtap/blob/master/f/root/help.1


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Jeremy Eder
Forgot to add Will Cohen (discussed stap errors with him briefly).  Also my
replies won't make it to the dev list since I am not subscribed (just fyi I
guess).

On Thu, Oct 5, 2017 at 9:10 AM, Jeremy Eder  wrote:

> First of all, that readme is awesome.
>
> spot checking the tools container...seems to all "just work" when I run it
> with atomic run ...
> blktrace works
> ethtool works (-K -i -c -S specifically)
> netstat works
> pstack works
> perf top,record,report works
> iotop works
> slabtop works
> lstopo works
> htop works (wish this was in rhel)
> nstat works
> ss works (-tmpie)
> ifpps works (wish this was in rhel)
> numastat works (-mczs)
> pmap works
> all the sysstat tools work
> strace works
> tcpdump works
> sar works but you have to prepend the /host directory (so, sar -f
> /host/var/log/sa/sa05)
> my god tmux is in here?? yes!
>
>
> systemtap (aww, no readme?)
>
> doesn't work:
> [root@8b7437fed211 /]# cd /usr/share/systemtap/examples/process/
>
>
> [root@8b7437fed211 process]# stap cycle_thief.stp
> ERROR: Couldn't insert module '/tmp/stapslabb9/stap_0811c9eea1bbb81f2fbc5f7bf9df4506_8509.ko': Operation not permitted
> WARNING: /usr/bin/staprun exited with status: 1
> Pass 5: run failed.  [man error::pass5]
> [root@8b7437fed211 process]#
>
>
>
> [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v
> /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
> -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
> candidate-registry.fedoraproject.org/f26/systemtap
>
> This container uses privileged security switches:
>
> INFO: --cap-add
>   Adding capabilities to your container could allow processes from the
> container to break out onto your host system.
>
> For more information on these switches and their security implications,
> consult the manpage for 'docker run'.
>
> [root@10accce504c2 /]# cd /usr/share/systemtap/examples/process/
> [root@10accce504c2 process]# stap cycle_thief.stp
> ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
> WARNING: /usr/bin/staprun exited with status: 1
> Pass 5: run failed.  [man error::pass5]
>
>
>
> On Thu, Oct 5, 2017 at 3:09 AM, Tomas Tomecek  wrote:
>
>> Not sure if the question is for me -- I literally have no idea how to do
>> that.
>>
>>
>> Let me know how I can help,
>>
>> Tomas
>>
>>
>> On Thu, Oct 5, 2017 at 5:04 AM, Dusty Mabe  wrote:
>>
>>>
>>>
>>> On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
>>> > Hello,
>>> >
>>> > we managed to move tools container from Fedora Dockerfiles github repo
>>> to Fedora infra [1]. As a side effect, we put systemtap in a dedicated
>>> container.
>>> >
>>> > We would very much appreciate your feedback here: so if you have some
>>> time to take a look at these containers and try them out, it would mean a
>>> lot to us.
>>> >
>>> > Repos:
>>> > https://src.fedoraproject.org/container/systemtap
>>> > https://src.fedoraproject.org/container/tools
>>> >
>>> > The way to access the images:
>>> > docker pull candidate-registry.fedoraproject.org/f26/tools <
>>> http://candidate-registry.fedoraproject.org/f26/tools>
>>>
>>> just tested out the tools container. can we get this into the official
>>> registry?
>>>
>>> > docker pull candidate-registry.fedoraproject.org/f26/systemtap <
>>> http://candidate-registry.fedoraproject.org/f26/systemtap>
>>> >
>>> > Both images have help files, so please read them prior using the
>>> containers:
>>> > https://src.fedoraproject.org/container/tools/blob/master/f/
>>> root/README.md
>>> > https://github.com/container-images/systemtap/blob/master/help/help.md
>>> >
>>> > (or `atomic help $the_container_image`)
>>> >
>>> > [1] https://pagure.io/atomic-wg/issue/214
>>>
>>
>>
>
>
> --
>
> -- Jeremy Eder
>



-- 

-- Jeremy Eder


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Jeremy Eder
First of all, that readme is awesome.

spot checking the tools container...seems to all "just work" when I run it
with atomic run ...
blktrace works
ethtool works (-K -i -c -S specifically)
netstat works
pstack works
perf top,record,report works
iotop works
slabtop works
lstopo works
htop works (wish this was in rhel)
nstat works
ss works (-tmpie)
ifpps works (wish this was in rhel)
numastat works (-mczs)
pmap works
all the sysstat tools work
strace works
tcpdump works
sar works but you have to prepend the /host directory (so, sar -f
/host/var/log/sa/sa05)
my god tmux is in here?? yes!


systemtap (aww, no readme?)

doesn't work:
[root@8b7437fed211 /]# cd /usr/share/systemtap/examples/process/


[root@8b7437fed211 process]# stap cycle_thief.stp
ERROR: Couldn't insert module
'/tmp/stapslabb9/stap_0811c9eea1bbb81f2fbc5f7bf9df4506_8509.ko': Operation
not permitted
WARNING: /usr/bin/staprun exited with status: 1
Pass 5: run failed.  [man error::pass5]
[root@8b7437fed211 process]#



[root@dhcp23-91 ~]# atomic run --spc
candidate-registry.fedoraproject.org/f26/systemtap
docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v
/usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v
/usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
candidate-registry.fedoraproject.org/f26/systemtap

This container uses privileged security switches:

INFO: --cap-add
  Adding capabilities to your container could allow processes from the
container to break out onto your host system.

For more information on these switches and their security implications,
consult the manpage for 'docker run'.

[root@10accce504c2 /]# cd /usr/share/systemtap/examples/process/
[root@10accce504c2 process]# stap cycle_thief.stp
ERROR: Couldn't insert module
'/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation
not permitted
WARNING: /usr/bin/staprun exited with status: 1
Pass 5: run failed.  [man error::pass5]



On Thu, Oct 5, 2017 at 3:09 AM, Tomas Tomecek  wrote:

> Not sure if the question is for me -- I literally have no idea how to do
> that.
>
>
> Let me know how I can help,
>
> Tomas
>
>
> On Thu, Oct 5, 2017 at 5:04 AM, Dusty Mabe  wrote:
>
>>
>>
>> On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
>> > Hello,
>> >
>> > we managed to move tools container from Fedora Dockerfiles github repo
>> to Fedora infra [1]. As a side effect, we put systemtap in a dedicated
>> container.
>> >
>> > We would very much appreciate your feedback here: so if you have some
>> time to take a look at these containers and try them out, it would mean a
>> lot to us.
>> >
>> > Repos:
>> > https://src.fedoraproject.org/container/systemtap
>> > https://src.fedoraproject.org/container/tools
>> >
>> > The way to access the images:
>> > docker pull candidate-registry.fedoraproject.org/f26/tools <
>> http://candidate-registry.fedoraproject.org/f26/tools>
>>
>> just tested out the tools container. can we get this into the official
>> registry?
>>
>> > docker pull candidate-registry.fedoraproject.org/f26/systemtap <
>> http://candidate-registry.fedoraproject.org/f26/systemtap>
>> >
>> > Both images have help files, so please read them prior using the
>> containers:
>> > https://src.fedoraproject.org/container/tools/blob/master/f/
>> root/README.md
>> > https://github.com/container-images/systemtap/blob/master/help/help.md
>> >
>> > (or `atomic help $the_container_image`)
>> >
>> > [1] https://pagure.io/atomic-wg/issue/214
>>
>
>


-- 

-- Jeremy Eder


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Tomas Tomecek
Not sure if the question is for me -- I literally have no idea how to do
that.


Let me know how I can help,

Tomas


On Thu, Oct 5, 2017 at 5:04 AM, Dusty Mabe  wrote:

>
>
> On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
> > Hello,
> >
> > we managed to move tools container from Fedora Dockerfiles github repo
> to Fedora infra [1]. As a side effect, we put systemtap in a dedicated
> container.
> >
> > We would very much appreciate your feedback here: so if you have some
> time to take a look at these containers and try them out, it would mean a
> lot to us.
> >
> > Repos:
> > https://src.fedoraproject.org/container/systemtap
> > https://src.fedoraproject.org/container/tools
> >
> > The way to access the images:
> > docker pull candidate-registry.fedoraproject.org/f26/tools <
> http://candidate-registry.fedoraproject.org/f26/tools>
>
> just tested out the tools container. can we get this into the official
> registry?
>
> > docker pull candidate-registry.fedoraproject.org/f26/systemtap <
> http://candidate-registry.fedoraproject.org/f26/systemtap>
> >
> > Both images have help files, so please read them prior using the
> containers:
> > https://src.fedoraproject.org/container/tools/blob/master/f/
> root/README.md
> > https://github.com/container-images/systemtap/blob/master/help/help.md
> >
> > (or `atomic help $the_container_image`)
> >
> > [1] https://pagure.io/atomic-wg/issue/214
>


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-04 Thread Dusty Mabe


On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
> Hello,
> 
> we managed to move tools container from Fedora Dockerfiles github repo to 
> Fedora infra [1]. As a side effect, we put systemtap in a dedicated
> container.
> 
> We would very much appreciate your feedback here: so if you have some time to 
> take a look at these containers and try them out, it would mean a lot to us.
> 
> Repos:
> https://src.fedoraproject.org/container/systemtap
> https://src.fedoraproject.org/container/tools
> 
> The way to access the images:
> docker pull candidate-registry.fedoraproject.org/f26/tools 
> 

just tested out the tools container. can we get this into the official registry?

> docker pull candidate-registry.fedoraproject.org/f26/systemtap 
> 
> 
> Both images have help files, so please read them prior using the containers:
> https://src.fedoraproject.org/container/tools/blob/master/f/root/README.md
> https://github.com/container-images/systemtap/blob/master/help/help.md
> 
> (or `atomic help $the_container_image`)
> 
> [1] https://pagure.io/atomic-wg/issue/214