Re: Alternative solution

2016-10-01 Thread Jakub Wilk

* Nikolaus Rath , 2016-09-30, 14:07:
>> Luckily, glibc has a way to disable DNS queries without LD_PRELOAD trickery:
>>
>> $ RES_OPTIONS=attempts:0 wget http://www.example.com/
>
> Wow, I wonder how many people have used this innocent environment variable
> name and been bitten by weird network failures..

The name is not great, but it's been like that at least since 1995. It's not
going to be changed.

> Couldn't they at least call it LIBC_RES_OPTIONS?

codesearch.d.n tells me this variable is not (g)libc-specific. There are other
resolvers that honour it, too.


--
Jakub Wilk



Re: Alternative solution (was: Re: Network access during build)

2016-10-01 Thread Jakub Wilk

* Ian Jackson , 2016-09-30, 15:03:
>>> you can completely disable external network with socket_wrapper
>>
>> ... which is a pretty heavy-weight solution, and in fact it breaks asyncssh's
>> tests.
>
> Then that is clearly a bug in asyncssh's tests

... or in socket_wrapper, or in the way I used socket_wrapper. (Most likely the
last one.)


--
Jakub Wilk



Re: Alternative solution

2016-09-30 Thread Nikolaus Rath
On Sep 29 2016, Jakub Wilk  wrote:
> Luckily, glibc has a way to disable DNS queries without LD_PRELOAD trickery:
>
> $ RES_OPTIONS=attempts:0 wget http://www.example.com/

Wow, I wonder how many people have used this innocent environment variable
name and been bitten by weird network failures.. Couldn't they at least
call it LIBC_RES_OPTIONS?

Best,
-Nikolaus, shaking his head

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

 »Time flies like an arrow, fruit flies like a Banana.«



Re: Alternative solution

2016-09-30 Thread Vincent Bernat
 ❦ 29 September 2016 22:54 CEST, Jakub Wilk  :

>>you can completely disable external network with socket_wrapper
>
> ... which is a pretty heavy-weight solution, and in fact it breaks
> asyncssh's tests.
>
> Luckily, glibc has a way to disable DNS queries without LD_PRELOAD trickery:
>
> $ RES_OPTIONS=attempts:0 wget http://www.example.com/
> --2016-09-29 22:49:22--  http://www.example.com/
> Resolving www.example.com (www.example.com)... failed: Temporary failure in 
> name resolution.
> wget: unable to resolve host address ‘www.example.com’

Thanks!

I applied your fix. It's unobtrusive enough.
-- 
If more of us valued food and cheer and song above hoarded gold, it would
be a merrier world.
-- J.R.R. Tolkien




Re: Alternative solution (was: Re: Network access during build)

2016-09-30 Thread Jérémy Lal
2016-09-29 22:54 GMT+02:00 Jakub Wilk :

> * Jakub Wilk , 2016-09-07, 23:49:
>
>> you can completely disable external network with socket_wrapper
>>
>
> ... which is a pretty heavy-weight solution, and in fact it breaks
> asyncssh's tests.
>
> Luckily, glibc has a way to disable DNS queries without LD_PRELOAD
> trickery:
>
> $ RES_OPTIONS=attempts:0 wget http://www.example.com/
> --2016-09-29 22:49:22--  http://www.example.com/
>
> Resolving www.example.com (www.example.com)... failed: Temporary failure
> in name resolution.
> wget: unable to resolve host address ‘www.example.com’
>
>
This is wonderful, thank you!

Jérémy


Re: Alternative solution (was: Re: Network access during build)

2016-09-30 Thread Ian Jackson
Jakub Wilk writes ("Re: Alternative solution (was: Re: Network access during 
build)"):
> * Jakub Wilk , 2016-09-07, 23:49:
> >you can completely disable external network with socket_wrapper
> 
> ... which is a pretty heavy-weight solution, and in fact it breaks
> asyncssh's tests.

Then that is clearly a bug in asyncssh's tests.  Package builds and
tests should work in such a situation.

> Luckily, glibc has a way to disable DNS queries without LD_PRELOAD trickery:
> 
> $ RES_OPTIONS=attempts:0 wget http://www.example.com/
> --2016-09-29 22:49:22--  http://www.example.com/
> Resolving www.example.com (www.example.com)... failed: Temporary failure in 
> name resolution.
> wget: unable to resolve host address ‘www.example.com’

That's interesting - thanks for a useful contribution.

Doing that in the asyncssh package (either in debian/ or in upstream)
would mean that the above bug would go away.

Ian.

-- 
Ian Jackson                       These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: Alternative solution (was: Re: Network access during build)

2016-09-29 Thread Jakub Wilk

* Jakub Wilk , 2016-09-07, 23:49:
> you can completely disable external network with socket_wrapper

... which is a pretty heavy-weight solution, and in fact it breaks asyncssh's
tests.

Luckily, glibc has a way to disable DNS queries without LD_PRELOAD trickery:

$ RES_OPTIONS=attempts:0 wget http://www.example.com/
--2016-09-29 22:49:22--  http://www.example.com/
Resolving www.example.com (www.example.com)... failed: Temporary failure in
name resolution.
wget: unable to resolve host address ‘www.example.com’

--
Jakub Wilk



Re: Alternative solution

2016-09-16 Thread Martín Ferrari
On 07/09/16 08:43, Christian Seiler wrote:

> There's a piece of software called nss_wrapper, written by the
> Samba people, that allows you to modify glibc's DNS functions'
> (getaddrinfo, gethostbyname, ...) behavior via an LD_PRELOAD
> library. It's called nss_wrapper;

This is an excellent suggestion. Sadly, I've tried to use it for the
tests of a golang library, only to realise that it does not work because
everything in golang is statically compiled :/

-- 
Martín Ferrari (Tincho)



Re: Alternative solution (was: Re: Network access during build)

2016-09-07 Thread Jakub Wilk

* Christian Seiler , 2016-09-07, 07:43:
> That way, you can force host name resolution to not use DNS for your
> test suite (via just using a hosts file), then there will be no network
> access during package build, and you don't have to keep rebasing a
> patch. And, even better, IF there is a host name called 'fail' on the
> local network, using nss_wrapper the package build will still succeed.

With nss_wrapper you can have your own hosts file, but I don't think it
lets you force a name to fail to resolve.

However, you can completely disable external network with
socket_wrapper:

$ LD_PRELOAD=libsocket_wrapper.so SOCKET_WRAPPER_DIR=$PWD wget
http://www.example.com/
--2016-09-07 23:36:51--  http://www.example.com/
Resolving www.example.com (www.example.com)... failed: Temporary failure in
name resolution.
wget: unable to resolve host address ‘www.example.com’

--
Jakub Wilk



Re: Alternative solution

2016-09-07 Thread Paul Wise
On Wed, Sep 7, 2016 at 9:07 PM, Thomas Goirand wrote:

> This seems a pretty good solution to the problem. Could you show an
> example in a package that does that, or maybe a patch for this kind of
> bug that Lamby opened?

build-rdeps says that varnish-modules and sssd use nss-wrapper.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Alternative solution

2016-09-07 Thread Thomas Goirand
On 09/07/2016 07:43 AM, Christian Seiler wrote:
> On 09/07/2016 07:17 AM, Vincent Bernat wrote:
>> One of the packages that I maintain (python-asyncssh) makes a DNS request
>> during build and expects it to fail. Since Policy 4.9 forbids network
>> access (in a rather confusing wording "may not"), I got this serious
>> bug:
>>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568
>>
>> The fix is easy: just disable the test.
>>
>> However, I have a hard time finding this useful for anyone. To sum up:
>>
>>  - patching the test suite requires maintaining the patch forever
>>  - both pbuilder and sbuild are using an isolated network namespace
>>  - package builds reproducibly with or without network access
>>
>> I have the impression that enforcing every word of the policy in the
>> hard sense can bring endless serious bugs. This particular occurrence
>> affected about 70 packages. I appear as a bad maintainer because I don't
>> feel this is an important bug.
>>
>> Any thoughts?
> 
> Well, the problem mentioned in the bug report is not only the
> package itself, but the information leak created by the DNS
> request. And I think that really is something you should fix,
> because package builds should really not cause _any_ network
> traffic, even if said traffic doesn't actually affect the
> result of the build. I don't think this is an overly strict
> interpretation of the policy, but rather its intention.
> 
> However, instead of disabling the test via a patch, there is a
> solution where you can have your cake and eat it too. And it's
> even in Debian. :-)
> 
> There's a piece of software called nss_wrapper, written by the
> Samba people, that allows you to modify glibc's DNS functions'
> (getaddrinfo, gethostbyname, ...) behavior via an LD_PRELOAD
> library. It's called nss_wrapper;
> 
> Upstream website:
> https://cwrap.org/nss_wrapper.html
> 
> Debian package:
> https://packages.debian.org/unstable/libnss-wrapper
> 
> That way, you can force host name resolution to not use DNS for
> your test suite (via just using a hosts file), then there will
> be no network access during package build, and you don't have
> to keep rebasing a patch. And, even better, IF there is a host
> name called 'fail' on the local network, using nss_wrapper the
> package build will still succeed.
> 
> Hope that helps.
> 
> Regards,
> Christian

This seems a pretty good solution to the problem. Could you show an
example in a package that does that, or maybe a patch for this kind of
bug that Lamby opened?

Cheers,

Thomas Goirand (zigo)



Re: Alternative solution (was: Re: Network access during build)

2016-09-07 Thread Jakub Wilk

* Christian Seiler , 2016-09-07, 07:43:
> And, even better, IF there is a host name called 'fail' on the local
> network

...or when your ISP hijacks all NXDOMAIN responses...

> , using nss_wrapper the package build will still succeed.


--
Jakub Wilk



Re: Alternative solution

2016-09-07 Thread Christian Seiler
On 09/07/2016 07:43 AM, Christian Seiler wrote:
> However, instead of disabling the test via a patch, [...]

Yet another solution would be to upstream a patch that adds the

@unittest.skipIf(os.getenv('TESTS_NO_NETWORK_ACCESS') == '1',
                 'No network access allowed in test suite')

decorator for all tests that are affected. While a full skip is
not something upstream will want to merge, any reasonable
upstream should be willing to merge this conditional skip. Then
just set the environment variable in debian/rules and you don't
need to carry a patch.

Regards,
Christian
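The following is an added example, not code from the thread or from python-asyncssh, that puts the two mechanisms discussed above side by side: the TESTS_NO_NETWORK_ACCESS conditional skip proposed by Christian, and the RES_OPTIONS=attempts:0 environment variable from Jakub's earlier message (which the thread describes as a glibc behaviour). The function names, the two constructed stand-in resolvers and the 192.0.2.x addresses are assumptions made for this example; the real test suite would call socket.getaddrinfo directly. The "hijacking" resolver models Jakub's point about ISPs rewriting NXDOMAIN: without the skip, a test that expects resolution of 'fail' to fail breaks on such a network, while in the build environment it is skipped regardless.

```python
"""Keeping a "DNS lookup must fail" test network-free during a package build.

Combines the TESTS_NO_NETWORK_ACCESS conditional skip with
RES_OPTIONS=attempts:0. Function names, the constructed resolvers and the
192.0.2.x addresses are assumptions made for this example.
"""
import os
import socket
import unittest

SKIP_REASON = 'No network access allowed in test suite'


def network_access_forbidden(environ=None):
    """True when the build environment (e.g. debian/rules) forbids network use."""
    environ = os.environ if environ is None else environ
    return environ.get('TESTS_NO_NETWORK_ACCESS') == '1'


def build_environment(base, no_network=True):
    """Environment a debian/rules target would hand to the test runner.

    TESTS_NO_NETWORK_ACCESS drives the skip decorator. RES_OPTIONS=attempts:0
    makes glibc's resolver give up without sending a query, so a test the
    decorator misses still cannot leak a DNS packet (assumption: glibc
    resolver; other libcs may ignore RES_OPTIONS).
    """
    env = dict(base)
    if no_network:
        env['TESTS_NO_NETWORK_ACCESS'] = '1'
        env['RES_OPTIONS'] = 'attempts:0'
    return env


def strict_resolver(host, port):
    """Constructed stand-in for a resolver that answers NXDOMAIN for 'fail'."""
    if host == 'fail':
        # -2 is EAI_NONAME on glibc ("Name or service not known").
        raise socket.gaierror(-2, 'Name or service not known')
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('192.0.2.1', port))]


def hijacking_resolver(host, port):
    """Constructed stand-in for an ISP that rewrites every NXDOMAIN to a search page."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('192.0.2.53', port))]


def make_suite(environ, resolver=socket.getaddrinfo):
    """Build the test class against a given environment and resolver."""

    class ResolutionTests(unittest.TestCase):
        # The decorator from the thread; evaluated once, when the class is created.
        @unittest.skipIf(network_access_forbidden(environ), SKIP_REASON)
        def test_unknown_host_does_not_resolve(self):
            with self.assertRaises(socket.gaierror):
                resolver('fail', 22)

    return unittest.defaultTestLoader.loadTestsFromTestCase(ResolutionTests)


def run_suite(environ, resolver=socket.getaddrinfo):
    """Run the suite and summarise the outcome as plain counts."""
    result = unittest.TestResult()
    make_suite(environ, resolver).run(result)
    skipped = len(result.skipped)
    failed = len(result.failures) + len(result.errors)
    return {
        'skipped': skipped,
        'failed': failed,
        'passed': result.testsRun - skipped - failed,
    }


if __name__ == '__main__':
    unrestricted = {'PATH': '/usr/bin'}
    print('strict resolver, network allowed: ',
          run_suite(unrestricted, strict_resolver))
    print('hijacking ISP, network allowed:   ',
          run_suite(unrestricted, hijacking_resolver))
    print('hijacking ISP, build environment: ',
          run_suite(build_environment(unrestricted), hijacking_resolver))
```

Run without arguments the script exercises the three situations: the test passes against an honest resolver, fails against a hijacking one, and is skipped once the build environment sets TESTS_NO_NETWORK_ACCESS=1, which is the behaviour a Debian package build wants. Setting RES_OPTIONS in the same environment is a second line of defence: if a test forgets the decorator, glibc still answers with "Temporary failure in name resolution" instead of sending a query.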