Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Philip Chimento commented:

I'm so happy this could be done. It's really going to save me a lot of time, and prevent a lot of frustration from contributors.

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_870994
You're receiving this email because of your account on gitlab.gnome.org.
___
gnome-infrastructure mailing list
gnome-infrastructure@gnome.org
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Michael Catanzaro commented:

Thanks!

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_870856
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Bartłomiej Piotrowski commented:

@mcatanzaro @pwithnall There are 4 shared runners with the `asan` tag which have SYS_PTRACE passed to Docker. I have submitted MRs to glib-networking and gjs enabling them; please poke me somewhere if you notice any problems.

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_870671
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Issue was closed by Bartłomiej Piotrowski

Issue #370: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Sri Ramkrishna commented:

I'm watching this issue as I'm also working on a CI runner. I can understand that turning off CI for external contributors in World when CI runner resources are limited is a good thing. But I'm hoping that we can still use it for extensions rebooted. If I have to, I will fundraise for CI resources or get my employer to donate resources so I can have CI for GNOME.

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_865799
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Michael Catanzaro commented:

> I find it hard to believe you don't know security implications of granting
> `SYS_PTRACE` to CI which runs completely arbitrary loads, not to mention
> runners no longer run with `--privileged` after it was reported it breaks
> glib test suite as well.

Honestly, I don't, tbh. I know that in Fedora, ptrace of your *own* processes works by default, whereas ptrace of *other users'* processes requires sudo (for CAP_SYS_PTRACE). asan only wants to ptrace its *own* processes, which seems like it should be safe to do without any special capabilities, but doesn't work on our CI (I assume because it uses docker)? I don't know why docker blocks it, though. Are there special considerations inside containers? I do know this used to work fine until a couple of months ago.

> We likely can provide a burner VM with odd CAPs applied but I wish your
> request wasn't written in such a disheartening way in the first place.

So my plan is to propose a GNOME initiative to add asan CI to every core module that uses C or C++, since asan is important to be confident in the security of our code. That's hard to propose when it means no more CI for external contributors, though.

Honestly, I don't understand your concern with the tone of my issue report, but I didn't intend it to be mean. I think everyone really appreciates your work. :)

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_865754
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Bartłomiej Piotrowski commented:

I find it hard to believe you don't know the security implications of granting `SYS_PTRACE` to CI which runs completely arbitrary loads, not to mention runners no longer run with `--privileged` after it was reported it breaks the glib test suite as well. We likely can provide a burner VM with odd CAPs applied but I wish your request wasn't written in such a disheartening way in the first place.

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_865646
Re: Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Michael Catanzaro commented:

BTW, the error message:

```
==277==LeakSanitizer has encountered a fatal error.
==277==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==277==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
```

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370#note_859615
Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)
Michael Catanzaro created an issue: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370

For the past couple of months, we've needed privileged runners to run tests with asan. It seems to be a regression caused by changes to the container system the CI runs in. It means that contributors who are not members of the GNOME project are unable to run CI for any projects that use asan, because such projects have to use CI tags to ensure they run only on privileged runners, and we have no privileged runners available to non-GNOME members. This is very frustrating because it means I have to manually clone each contributor's repo, check out the source branch, and push it to the upstream repo in order to trigger a CI run. @ptomato and I are both getting rather fed up.

Apparently gjs and glib-networking are the only projects that are using asan CI currently, which is very concerning because asan is really required to be confident in the safety of our code. Ideally every GNOME project would run tests under asan, but requiring privileged runners discourages that.

Note that asan does not require any special privileges on normal desktop systems. This problem is specific to our CI runners because asan requires ptrace and docker does not allow ptrace. [StackOverflow says it can be fixed by using `docker run --cap-add SYS_PTRACE`.](https://stackoverflow.com/a/49735927/1120203) Can we try that?

--
Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/370
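The issue above hinges on whether a container lets a process ptrace-attach to its own child, which is what LeakSanitizer's stop-the-world pass needs and what the LSan "does not work under ptrace" hint obscures. As an added pre-flight check (not code from the thread or from any GNOME project), this program forks a child, tries `PTRACE_ATTACH` on it and reports whether the attach was refused, so an asan job can fail with a clear diagnosis instead of LSan's fatal error; the function name `ptrace_preflight` is my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if this process may ptrace-attach to a child it owns (the
 * access LSan needs), 0 if the attach was refused with EPERM (the usual
 * symptom of a container seccomp profile or a Yama ptrace_scope that
 * demands CAP_SYS_PTRACE), and -1 on an unrelated failure.
 * *err receives errno from the refused attach, or 0 on success. */
int ptrace_preflight(int *err)
{
    *err = 0;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        /* Child: idle until the parent kills us. */
        for (;;)
            pause();
    }
    int result;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        int status;
        /* Collect the SIGSTOP the attach delivers, then release the child. */
        if (waitpid(child, &status, 0) == child && WIFSTOPPED(status))
            ptrace(PTRACE_DETACH, child, NULL, NULL);
        result = 1;
    } else {
        *err = errno;
        result = (errno == EPERM) ? 0 : -1;
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    int err;
    int ok = ptrace_preflight(&err);
    if (ok == 1)
        puts("ptrace attach works: asan/lsan tests can run in this container");
    else
        printf("ptrace attach refused (errno %d): run on a runner with "
               "--cap-add SYS_PTRACE\n", err);
    return ok == 1 ? 0 : 1;
}
```

Exit status 1 with EPERM reproduces the situation described in the issue, while a plain desktop system normally exits 0.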