Bug#908092: dbus: skip autopkgtest ulimit test when in a container
On Fri, Sep 07, 2018 at 08:46:23PM +0100, Simon McVittie wrote: > On Wed, 05 Sep 2018 at 22:02:01 -0700, Steve Langasek wrote: > > This is because armhf is the single architecture on which Ubuntu runs its > > autopkgtests in containers rather than in VMs, and these are unprivileged > > containers, which means "root" processes don't actually have the > > capabilities necessary to re-raise limits after they've been lowered. > I'm not sure whether such a container should be considered to satisfy the > needs-root restriction. How much root does/should needs-root guarantee? FWIW this particular capability restriction hasn't been a problem for any other needs-root packages before now, that I've seen. > Perhaps there should be separate restrictions for "needs fully privileged > root" and "needs unprivileged-container root"? (But I'm not sure which > one needs-root should be.) > > I've uploaded the attached patch to Ubuntu in order to have passing tests > > again on armhf. I'm not sure if you would consider it sufficiently correct > > for Debian, since this means we're also skipping this test on privileged > > containers, but I guess it should be a starting point for discussion. > > Can we probe for the required capability, perhaps with > capsh | grep '^Current:.*\' > or something? Not sure about that syntax, but anyway here's what I see: # capsh --print | grep ^Current:.*\\bcap_sys_resource\\b Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep # ulimit -n 1024 # ulimit -n 4096 bash: ulimit: open files: cannot modify limit: Operation not permitted # So it looks like the kernel lies about the capability as well. You could do a probe with sh before running the actual test, e.g.: sh -c ulimit -n 1024; ulimit -n 4096' || skip_ulimits -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: PGP signature
Bug#908092: dbus: skip autopkgtest ulimit test when in a container
On Wed, 05 Sep 2018 at 22:02:01 -0700, Steve Langasek wrote: > This is because armhf is the single architecture on which Ubuntu runs its > autopkgtests in containers rather than in VMs, and these are unprivileged > containers, which means "root" processes don't actually have the > capabilities necessary to re-raise limits after they've been lowered. I'm not sure whether such a container should be considered to satisfy the needs-root restriction. How much root does/should needs-root guarantee? Perhaps there should be separate restrictions for "needs fully privileged root" and "needs unprivileged-container root"? (But I'm not sure which one needs-root should be.) > I've uploaded the attached patch to Ubuntu in order to have passing tests > again on armhf. I'm not sure if you would consider it sufficiently correct > for Debian, since this means we're also skipping this test on privileged > containers, but I guess it should be a starting point for discussion. Can we probe for the required capability, perhaps with capsh | grep '^Current:.*\' or something? Thanks, smcv
Bug#908092: dbus: skip autopkgtest ulimit test when in a container
Package: dbus Version: 1.12.10-1 Severity: minor Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu cosmic ubuntu-patch Dear maintainers, After merging dbus 1.12.10-1 from Debian into Ubuntu, the autopkgtests were failing on armhf: [...] # our RLIMIT_NOFILE: rlim_cur: 1024, rlim_max: 1024 # dbus-daemon's RLIMIT_NOFILE: rlim_cur: 1024, rlim_max: 1024 Bail out! ERROR:../../../test/dbus-daemon.c:2085:test_fd_limit: assertion fa iled (lim.rlim_cur >= DESIRED_RLIMIT): (1024 >= 65536) /tmp/autopkgtest.GG6gs6/build.iea/src/debian/tests/root: line 28: 638 Aborted $timeout $t --tap [...] autopkgtest [20:05:11]: test root: ---] autopkgtest [20:05:14]: test root: - - - - - - - - - - results - - - - - - - - - - root FAIL non-zero exit status 1 (https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-cosmic/cosmic/armhf/d/dbus/20180905_201152_67b80@/log.gz) This is because armhf is the single architecture on which Ubuntu runs its autopkgtests in containers rather than in VMs, and these are unprivileged containers, which means "root" processes don't actually have the capabilities necessary to re-raise limits after they've been lowered. I've uploaded the attached patch to Ubuntu in order to have passing tests again on armhf. I'm not sure if you would consider it sufficiently correct for Debian, since this means we're also skipping this test on privileged containers, but I guess it should be a starting point for discussion. Thanks, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org diff -Nru dbus-1.12.10/debian/tests/root dbus-1.12.10/debian/tests/root --- dbus-1.12.10/debian/tests/root 2018-08-03 03:18:18.0 -0700 +++ dbus-1.12.10/debian/tests/root 2018-09-05 20:56:03.0 -0700 @@ -35,9 +35,14 @@ echo "x" > "$AUTOPKGTEST_TMP/result" ( set +e -# One test needs us to have a small fd limit -ulimit -S -n 1024 -ulimit -H -n 1024 +# Don't change limits in containers, as we're not guaranteed to be +# able to re-raise them due to unprivileged containers. This test +# will be auto-skipped instead. +if ! grep -q container= /proc/1/environ; then +# One test needs us to have a small fd limit +ulimit -S -n 1024 +ulimit -H -n 1024 +fi $timeout $t --tap echo "$?" > "$AUTOPKGTEST_TMP/result" ) | sed 's/^//'