IRC logs for #baserock for Tuesday, 2015-09-22

*** zoli__ has joined #baserock		00:07
*** benbrown_ has quit IRC		00:14
*** benbrown_ has joined #baserock		00:15
*** Zara has quit IRC		00:15
*** Zara has joined #baserock		00:17
*** fay_ has quit IRC		00:24
*** fay_ has joined #baserock		00:24
*** paulw has joined #baserock		06:19
*** jjardon has quit IRC		07:41
*** lachlanmackenzie has quit IRC		07:41
*** drnic has quit IRC		07:41
*** bashrc_ has joined #baserock		08:06
*** mariaderidder has joined #baserock		08:22
*** jonathanmaw has joined #baserock		08:23
*** rdale has joined #baserock		08:50
*** toscalix__ has joined #baserock		08:51
*** toscalix__ has quit IRC		08:55
*** inara has quit IRC		08:56
*** ssam2 has joined #baserock		09:02
*** ChanServ sets mode: +v ssam2		09:02
*** inara has joined #baserock		09:02
*** franred has joined #baserock		09:02
*** toscalix__ has joined #baserock		09:05
*** toscalix__ has quit IRC		09:23
*** jjardon has joined #baserock		09:23
*** toscalix__ has joined #baserock		09:25
ssam2	i was wondering why Fedora didn't have resource limits in place to stop the Git fork-bomb from locking up my system...	09:31
ssam2	having dug a bit deeper, it has a max 'nproc' set for all users except root	09:31
ssam2	but being as I was running as root in a Baserock chroot, there were no limits	09:31
ssam2	more reasons to not require root !	09:32
*** toscalix__ has quit IRC		09:33
*** toscalix__ has joined #baserock		09:35
*** toscalix__ has quit IRC		09:45
*** toscalix__ has joined #baserock		09:51
*** franred has quit IRC		09:54
*** lachlanmackenzie has joined #baserock		09:56
*** toscalix__ has quit IRC		09:59
*** drnic has joined #baserock		10:00
*** toscalix__ has joined #baserock		10:03
*** mariaderidder has quit IRC		10:03
*** franred has joined #baserock		10:10
*** toscalix__ has quit IRC		10:12
*** mariaderidder has joined #baserock		10:15
*** paulw has quit IRC		10:15
*** paulw has joined #baserock		10:19
Kinnison	hehe	10:55
Kinnison	Or to ulimit your chroot :-)	10:56
* pedroalvarez waves		10:56
*** ssam2 has quit IRC		10:59
*** ssam2 has joined #baserock		11:01
*** ChanServ sets mode: +v ssam2		11:01
ssam2	Kinnison: how can I ulimit just the chroot ?	11:01
ssam2	I can't find anything in 'man schroot' about that	11:01
Kinnison	https://wiki.ubuntu.com/SecurityTeam/BuildEnvironment suggests it must be possible	11:01
Kinnison	though I'll admit that I'm just googling and looking for plausible hits	11:02
* pedroalvarez will be trying today to deploy baserock to aws!!		11:02
Zara	:0	11:02
ssam2	I guess I could just run 'ulimit' on chroot startup	11:02
*** toscalix__ has joined #baserock		11:07
*** ssam2 has quit IRC		11:11
*** ssam2 has joined #baserock		11:11
*** ChanServ sets mode: +v ssam2		11:11
ssam2	clearly that didn't work.	11:11
*** lachlan75 has joined #baserock		11:12
tiagogomes_	If it builds in one place and not in another, have you tried to set max-jobs to 1?	11:12
tiagogomes_	huh!?	11:13
pedroalvarez	wrong keys in the wrong window?	11:13
ssam2	tiagogomes_ I wondered why you were repeating the same question as yesterday. but I guess you are wondering why as well :)	11:13
radiofree	i read it as him "asking HUG!? WELL HAVE YOU?!"	11:13
radiofree	erm.. s/HUG/HUH	11:14
* tiagogomes_ hates xchat		11:14
De\|ta	or hugs xchat?	11:14
rjek	heh	11:14
Zara	I tabbed into this and briefly thought radiofree was asking #baserock for a hug.	11:15
ssam2	so, if I run `ulimit -u 10`, then fork 20 process, I get 20 processes	11:15
ssam2	seems that ulimit as root doesn't actually do anything anyway, or something	11:15
ssam2	and if I run it as my normal user, bash breaks immediately with 'No child processes'	11:16
ssam2	so I guess they just don't apply to root, at least with this kernel	11:16
tiagogomes_	ins't cgroups the modern way to limit processes	11:18
ssam2	yes, cgroups might work. that's no excuse for the existing method to just not work, though	11:18
ssam2	s/existing/older/	11:18
ssam2	I guess I could create a .slice file to define a cgroup with a process limit, then run the chroot under `systemd-run` so it's in that slice	11:19
pedroalvarez	"The Amazon EC2 CLI tools require Java"	11:21
rjek	installs Java "The Amazon EC2 CLI tools requires a newer version of Java than you have"	11:22
* rjek sets fire to things		11:22
ssam2	:( there doesn't seem to be a way to limit number of subprocesses a .slice can have	11:23
ssam2	I can set a limit on how much CPU time it can use, but i don't really trust it, having watched Linux grind to a halt many times already this week	11:24
ssam2	I guess I can set 'CPUQuota=1%' and then see if it gets more than 1% CPU	11:24
ssam2	to test whether it works	11:25
ssam2	nope, I can still get something to use 100% CPU inside that slice.	11:27
ssam2	so we definitely need to stop being root :-)	11:29
radiofree	ssam2: do you have /sys/fs/cgroup/cpu/cpu.cfs_quota_us ?	11:33
ssam2	radiofree: yes, it seems to be set to '-1'	11:34
ssam2	oh, inside the Baserock chroot that file doesn't exist at all	11:34
ssam2	/sys/fs/cgroup is an empty dir within the chroot	11:35
radiofree	ssam2: try mount -t tmpfs cgroup_root /sys/fs/cgroup	11:38
radiofree	then mount the cgroups you need manually	11:38
radiofree	e,g mkdir /sys/fs/cgroup/cpuset && mount -t cgroup -ocpuset cpuset /sys/fs/cgroup/cpuset	11:38
radiofree	for cpuset	11:38
ssam2	that works, ta	11:39
ssam2	so I could do this on chroot startup to manually set resource limits inside the chroot using cgroups?	11:39
radiofree	probably, i've never used cgroups in a chroot	11:39
ssam2	i'll try it later	11:41
ssam2	here's another confusing issue (that triggered the Git problem)	11:41
radiofree	you're probably want the cpu,cpuacct group as well	11:42
ssam2	ok	11:42
radiofree	mkdir /sys/fs/cgroup/cpu && mount -t cgroup -ocpu,cpuacct cpu,cpuacct /sys/fs/cgroup/cpu	11:42
ssam2	oh, the group name contains the comma	11:42
ssam2	I tried just 'cpu' and it didn't work	11:42
radiofree	yes, comma should work	11:42
ssam2	hmm, and build-chroot.slice appears within that directory, so the cgroup has been created	11:43
radiofree	appears within that directory in a sub folder or in tasks?	11:44
ssam2	in a sub folder	11:44
radiofree	what does `cat build-chroot.slice/tasks` contain	11:44
ssam2	empty file	11:44
radiofree	nothing launched in it then	11:45
radiofree	you can echo pids to that file though	11:45
ssam2	right. I did `systemd-run --slice build-chroot.slice -t enter-baserock`	11:45
ssam2	but I guess that didn't do what I thought it would	11:46
radiofree	check /sys/fs/cgroup/cpu/build-chroot.slice/tasks on your host	11:46
radiofree	(assuming you were running that command on your host)	11:47
ssam2	that does seem to put 'bash' and its subprocesses in the cgroup	11:48
ssam2	but they can still use 100% CPU	11:48
ssam2	you'd think that http://paste.baserock.org/tukicuxudu would limit it to 1% CPU :-)	11:49
radiofree	does CPUQuota set cpu.shares?	11:50
ssam2	not sure what it does	11:50
ssam2	`man systemd.resource-control` says it controls cpu.cfs_quota_us	11:51
ssam2	hmm, I may have put everything into the wrong cgroup	11:51
ssam2	ah! it works!!	11:52
radiofree	hurrah!	11:52
ssam2	suddenly my chroot has become incredibly slow :-)	11:52
radiofree	excellent!	11:52
ssam2	thanks for your help. I'm not sure if this will actually save me from future fork bombs, but it's useful anyway	11:52
radiofree	i found a decent memory.kmem.limit_in_bytes value in your cgroup more useful for protecting against fork bombs	11:54
ssam2	ok, cool.	11:54
radiofree	i suppose without a memory limit the fork bomb can still happen, just a lot slower	11:54
pedroalvarez	I wonder if CONFIG_XEN would be enough for enabling xen guest drivers	11:57
pedroalvarez	oh, it has dependencies	12:00
ssam2	any reason not to enable it in the reference Baserock Linux config ?	12:05
ssam2	FWIW it's enabled in the Fedora Linux config on my desktop	12:06
pedroalvarez	no reason, I was going to :)	12:08
richard_maw	☺	12:12
pedroalvarez	I'm confused about "depends on X86_64 \|\| (X86_32 && X86_PAE)"	12:19
ssam2	PAE is an optional feature of X86 CPUs	12:19
pedroalvarez	I've added the former to 64b and the later to 32b bsps	12:19
ssam2	my home laptop actually doesn't have PAE, I quit using Ubuntu because they started requiring it in their kernels	12:20
ssam2	while Fedora still doesn't	12:20
franred	pedroalvarez, catee does not show any dependency with x86_PAE	12:21
franred	http://cateee.net/lkddb/web-lkddb/XEN.html	12:21
pedroalvarez	franred: it does in "arch/x86/xen/Kconfig"	12:22
pedroalvarez	kernel source	12:22
pedroalvarez	also in that page you linked	12:22
franred	hehe sorry, I talked pretty fast :S	12:22
pedroalvarez	no worries :)	12:25
ssam2	Next puzzle: I have a .git directory with mode '700'. 'ls .git' works,	12:28
ssam2	but 'linux-user-chroot /staging-dir ls .git' fails with EPERM.	12:28
ssam2	this is what triggered the Git fork-bomb problem I've been having	12:28
ssam2	EACCES, not EPERM	12:35
persia	As which user are you running each command?	12:36
ssam2	all as root	12:36
ssam2	HOWEVER I just noticed the .git directory is not owned by root	12:36
ssam2	I missed that before	12:36
richard_maw	ah, and linux-user-chroot drops CAP_DAC_OVERRIDE	12:36
persia	Ah, heh, so you're being clobbered by linux-user-chroot removing capabilities. Good catch :)	12:37
ssam2	not quite sure how to fix this.. the build tool could warn if it detects this situation, perhaps	12:37
ssam2	probably better if it just forces the ownership in its copy of the .git directory, though	12:37
richard_maw	yeah	12:38
persia	How is the git directory created?	12:38
ssam2	some kind of copy operation from $cache-dir/gits/	12:38
ssam2	might actually be a `git clone`, I can't remember	12:38
richard_maw	ssam2: be careful to ensure that the copy operation doesn't hardlink the .git blobs	12:38
richard_maw	ssam2: otherwise chowning would cause someone else's git repository to break	12:38
persia	That makes it slower though, but probably worth it. Operating on a git repo when one isn't the repo owner isn't ideal for several reasons.	12:39
ssam2	morphlib.git.copy_repository seems to do 'cp -a' basically	12:39
ssam2	so we should be grand	12:39
persia	And if there exists a goal of being able to use a tool as non-root, the cache repo is probably owned by non-root, so the root in linux-user-chroot needs to recreate to claim safely.	12:40
ssam2	ybd uses 'git clone --no-hardlinks'	12:40
ssam2	yes, I guess it should chown to the running user, rather than hardcoding root	12:40
persia	`git clone --no-hardlinks` should do the chown properly (as a side effect).	12:41
persia	`cp -a` preserves ownership when run by root, complicating things.	12:41
ssam2	right. maybe I can replace it all with `git clone --no-hardlinks` instead.	12:41
ssam2	I think there was some speed reason for doing it the more complex way with 'cp -a'	12:42
persia	If you run that inside the linux-user-chroot, it safely has the right permissions. If you run it outside, you may end up with some odd permissions for some sorts of chroot management (if we get a non-linux-user-chroot working reliably)	12:42
*** paulw has quit IRC		13:59
*** inara has quit IRC		14:12
*** inara has joined #baserock		14:18
*** ssam2 has quit IRC		14:24
*** ssam2 has joined #baserock		14:25
*** ChanServ sets mode: +v ssam2		14:25
*** franred has quit IRC		14:39
pedroalvarez	looks like ec2 clients want to be too clever:	14:46
pedroalvarez	Client.Unsupported: No bootable partition found. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: de37a3df-3993-44d0-adc1-9983042694b2)	14:46
pedroalvarez	I'm going to try with the partitioning patches, and see what happens	14:46
pedroalvarez	Uploading!	14:57
* richard_maw crosses fingers		14:58
* richard_maw fddiujhnds it diufficulkt mto type this wsay		14:58
pedroalvarez	I found errors like "Client.Unsupported: Platform type Windows is incompatible with partition type Linux." on the way	14:58
* richard_maw raises eye row		14:59
richard_maw	s/row/b&/	14:59
pedroalvarez	heh, definitely is not your day	15:00
* richard_maw blames the early start		15:03
*** zoli__ has quit IRC		15:04
*** toscalix__ has quit IRC		15:06
pedroalvarez	I have no clue how to start the image i've uploaded :S	15:06
*** Walkerdine__ has joined #baserock		15:09
*** franred has joined #baserock		15:24
*** zoli__ has joined #baserock		16:20
*** Walkerdine__ has quit IRC		16:37
*** mariaderidder has quit IRC		16:46
*** jonathanmaw has quit IRC		16:47
*** bashrc_ has quit IRC		17:02
*** ssam2 has quit IRC		17:05
*** zoli__ has quit IRC		17:12
*** zoli__ has joined #baserock		17:26
*** lachlan75 has quit IRC		17:29
*** franred has quit IRC		17:46
*** rdale has quit IRC		18:04
*** zoli__ has quit IRC		19:08
*** Walkerdine__ has joined #baserock		19:54
*** paulw has joined #baserock		20:06
*** zoli__ has joined #baserock		20:22
*** paulw has quit IRC		20:26
*** zoli__ has quit IRC		20:30
*** zoli__ has joined #baserock		20:53
*** Walkerdine__ has quit IRC		21:01
*** Walkerdine__ has joined #baserock		21:01
*** Walkerdine__ has quit IRC		21:29
*** Walkerdine__ has joined #baserock		21:51
*** inara has quit IRC		22:10
*** inara has joined #baserock		22:13
*** petefoth has quit IRC		22:47
*** gary_perkins has quit IRC		22:48
*** fay_ has quit IRC		22:48
*** tiagogomes_ has quit IRC		22:48
*** flatmush has quit IRC		22:48
*** nowster has quit IRC		22:49
*** edcragg has quit IRC		22:49
*** gary_perkins has joined #baserock		22:54
*** nowster has joined #baserock		22:55
*** edcragg has joined #baserock		22:55
*** flatmush has joined #baserock		22:55
*** tiagogomes_ has joined #baserock		22:56
*** fay_ has joined #baserock		22:56
*** petefoth has joined #baserock		22:57
*** Walkerdine__ has quit IRC		23:21

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!