*** gtristan has joined #baserock | 04:37 | |
*** gtristan has quit IRC | 04:56 | |
*** ctbruce has joined #baserock | 08:34 | |
*** rdale has joined #baserock | 09:00 | |
*** bashrc_ has joined #baserock | 09:06 | |
*** tiagogomes_ has quit IRC | 09:37 | |
*** tiagogomes_ has joined #baserock | 09:52 | |
*** ssam2 has joined #baserock | 09:55 | |
*** ChanServ sets mode: +v ssam2 | 09:55 | |
*** jonathanmaw has joined #baserock | 10:04 | |
*** toscalix has joined #baserock | 10:13 | |
*** edcragg has joined #baserock | 10:18 | |
*** Lachlan1975 has joined #baserock | 10:21 | |
*** gtristan has joined #baserock | 10:31 | |
*** Zara is now known as Zara__ | 10:31 | |
*** Zara has joined #baserock | 10:36 | |
* paulsherwood wonders if there are any sandboxlib/container/mount/proc level wizards here able to comment on https://github.com/devcurmudgeon/ybd/issues/149 ... somehow it seems sandboxlib trips over on a busy mount | 10:45 | |
* paulsherwood glances at ssam2 and richard_maw, for example | 10:45 | |
paulsherwood | another example http://paste.baserock.org/aqanuvayoz | 10:46 |
* paulsherwood notes that this is the first artifact after stage2, maybe that's a factor? | 10:48 | |
richard_maw | before then it's not in full sandbox mode | 10:48 |
*** toscalix has quit IRC | 10:48 | |
paulsherwood | but i've only seen this in docker/concourse | 10:48 |
paulsherwood | true, richard_maw | 10:48 |
ssam2 | weird | 10:49 |
*** SotK is now known as SotK_ | 10:49 | |
richard_maw | are Docker containers allowed to mount /proc? | 10:49 |
paulsherwood | that's a fair question, i don't know | 10:49 |
ssam2 | they're presumably in a process namespace, so no reason to deny them mounting their version of /proc in theory | 10:50 |
pedroalvarez | I believe I have built things using docker | 10:50 |
* richard_maw vaguely recalls there being a kernel config option for allowing multiple /proc mounts too, and is checking | 10:50 | |
paulsherwood | pedroalvarez: using ybd? | 10:50 |
ssam2 | richard_maw: the problem seems to be that it previously failed to *unmount* /proc | 10:50 |
ssam2 | 10:50 | |
ssam2 | WARNING: ['umount', '/root/ybd/tmp/tmp4uzeNE/dev/shm'] failed: umount: tmpfs: mountpoint not found | 10:50 |
ssam2 | WARNING: ['umount', '/root/ybd/tmp/tmp4uzeNE/proc'] failed: umount: proc: mountpoint not found | 10:50 |
pedroalvarez | paulsherwood: it was morph | 10:51 |
ssam2 | so possibly the directories get deleted while sandboxlib is unmounting them... but i've no idea how that could happen | 10:51 |
*** SotK has joined #baserock | 10:51 | |
pedroalvarez | but I was assuming that they need the same permissions | 10:51 |
richard_maw | ssam2: I was interpreting that as just that the unmount logic wasn't accounting for whether they were successfully mounted in the first place | 10:51 |
richard_maw | ssam2: since later in the http://paste.baserock.org/aqanuvayoz log it prints out the exception that the mount failed | 10:52 |
ssam2 | hmm | 10:53 |
ssam2 | the tempdir names are the same though | 10:53 |
ssam2 | /root/ybd/tmp/tmp4uzeNE/proc and /root/ybd/tmp/tmp4uzeNE/proc | 10:54 |
ssam2 | looks like the 1st command succeeds but the 2nd command fails | 10:54 |
*** locallycompact has joined #baserock | 10:55 | |
richard_maw | ssam2: I wouldn't assume that just because the unmount result is printed earlier, that it was executed earlier | 10:55 |
richard_maw | I've seen something similar happen when user namespaces were involved, but I don't think docker does those | 10:56 |
locallycompact | Is this about the concourse bug? | 10:58 |
locallycompact | 'cause concourse doesn't use docker | 10:59 |
paulsherwood | i thought it did? | 11:01 |
locallycompact | concourse uses https://github.com/cloudfoundry-incubator/garden-linux | 11:01 |
paulsherwood | ah | 11:01 |
locallycompact | you can pull docker fs images into that | 11:01 |
paulsherwood | maybe sandboxlib needs to assert what happens on the mount? | 11:02 |
richard_maw | pardon? | 11:02 |
radiofree | ssam2: ah, bit of an issue i have with sandboxlib btw | 11:02 |
radiofree | if XDG_RUNTIME_DIR isn't set to something sensible, then the shm tmpfs is mount-bound to a folder... not on a tmpfs (the one set by ybd) | 11:03 |
radiofree | which causes issues for some things | 11:03 |
radiofree | could it fall back to just use /tmp if XDG_RUNTIME_DIR isn't set? | 11:03 |
radiofree | http://git.baserock.org/cgit/delta/sandboxlib.git/tree/sandboxlib/linux_user_chroot.py#n52 | 11:04 |
paulsherwood | richard_maw: never mind. i'm trying to multitask, failing. | 11:05 |
richard_maw | well, you may be interested to learn that concourse uses user namespaces | 11:07 |
locallycompact | richard_maw, what does that mean exactly? | 11:07 |
richard_maw | that there's many more restrictions of what can work | 11:08 |
locallycompact | richard_maw, so is there anything I can do to make this work? | 11:12 |
ssam2 | radiofree: i don't really follow, could you write it up as an issue report? | 11:12 |
ssam2 | or better yet, do a patch? :-) | 11:13 |
radiofree | ssam2: ok! | 11:13 |
richard_maw | locallycompact: unsure yet, I think the issue may be that the container's /proc is more locked down than the procfs it's trying to mount into the subcontainer | 11:16 |
richard_maw | otoh I'm not sure whether linux-user-chroot works when inside a container, even with user namespacing | 11:17 |
* richard_maw recalls interesting interactions with suid binaries and user namespaces | 11:17 | |
richard_maw | hm, if they are privileged containers then they don't do user namespacing | 11:19 |
richard_maw | ok, the problem may be that in your container you only have /proc mounted read-only | 11:26 |
richard_maw | so you're not allowed to mount one as read-write | 11:26 |
richard_maw | which sandboxlib is doing, by not explicitly requesting a read-only mount of /proc | 11:26 |
richard_maw | note that bind-mounting /proc into the container would also work | 11:26 |
richard_maw | provided your bind-mount keeps all the flags that were set | 11:27 |
richard_maw | so if your /proc is mounted NOSUID or RDONLY then you need to set those in the mount options | 11:27 |
locallycompact | it looks mounted rw to me | 11:31 |
richard_maw | hm, privileged containers? | 11:33 |
locallycompact | not sure how to determine that | 11:34 |
richard_maw | I think it's a config option | 11:34 |
locallycompact | If it's in garden linux I'm not sure I have that available | 11:35 |
* ssam2 wonders if Garden could one day replace Sandboxlib | 11:39 | |
richard_maw | hm, from what I could infer from the code (difficult given I'm unfamiliar with go), it looks like they must be, but you can detect whether your containerisation is user namespaced by whether /proc/self/ns/user is the same both inside and out | 11:39 |
richard_maw | ssam2: it's a big pile of go that I'd prefer to avoid if I could | 11:40 |
* richard_maw has to get back to his work now | 11:40 | |
ssam2 | it does have a component named "Gardeners Question Time" though.. | 11:40 |
locallycompact | richard_maw, which part were you looking at? | 11:44 |
richard_maw | locallycompact: mostly https://github.com/cloudfoundry-incubator/garden-linux/blob/master/containerizer/system/namespacing_execer_linux.go#L34 and https://github.com/cloudfoundry-incubator/garden-linux/blob/master/containerizer/initc/main.go#L73 | 11:48 |
locallycompact | thx | 11:49 |
benbrown_ | if by privileged you mean "privileged: true" in the concourse yaml, that results in /proc/self/ns/user being the same both inside and out | 11:49 |
richard_maw | but I can see I misread the read-only mounting of /proc now | 11:49 |
locallycompact | I thought that just meant sudo | 11:49 |
locallycompact | benbrown_, | 11:49 |
benbrown_ | locallycompact: not sure, docs just say "the task will run as root with full capabilities" | 11:51 |
* richard_maw recommends having a play around in a garden container and mounting /proc to see whether you can trigger the mount failure yourself | 11:51 | |
perryl | ssam2: bit belated, but glad to see the baserock url changes! :) sorry i've not had more time to look at the cgit work, i've been a bit swamped as of late :( | 12:05 |
ssam2 | i nearly had the hyperlink thing going too but i deleted all my changes with `git reset --hard` | 12:10 |
perryl | oh no :( | 12:15 |
pedroalvarez | git reflog? | 12:20 |
ssam2 | it was uncommitted changes | 12:23 |
ssam2 | not very smart! | 12:24 |
ssam2 | cgit is going to be a bit broken for a little while | 13:38 |
ssam2 | on git.baserock.org | 13:38 |
ssam2 | ok, good news! | 13:40 |
ssam2 | it's a bit of a hack so far, but strata link to their contents now: http://git.baserock.org/cgit/baserock/baserock/definitions.git/tree/strata/apache-httpd-server.morph | 13:40 |
benbrown_ | ssam2: ! | 13:42 |
benbrown_ | that's really cool! | 13:43 |
pedroalvarez | it is! | 13:46 |
radiofree | ssam2: awesome! | 14:04 |
pedroalvarez | Leaving here a broken file with that new feature: http://git.baserock.org/cgit/baserock/tests/bad-morphs.git/tree/bad-json.morph | 14:04 |
radiofree | that change is one of the most useful things ever | 14:05 |
richard_maw | ooh | 14:05 |
radiofree | ssam2: any chance it could work with the morph: field as well? :) | 14:05 |
ssam2 | radiofree: yes, done now :-) | 14:22 |
ssam2 | thank perryl for the initial work | 14:22 |
tiagogomes_ | this was very cool, but I wonder why those changes didn't go to gerrit | 14:22 |
tiagogomes_ | is infra work not being reviewed in public anymore? | 14:23 |
perryl | ssam2: looking brilliant! :) | 14:23 |
ssam2 | tiagogomes_: it will go into Gerrit | 14:23 |
ssam2 | tiagogomes_: but i wanted to get it working first | 14:24 |
ssam2 | tiagogomes_: There's a chicken-and-egg problem if I submit a change without actually deploying it first, because who knows if the patch actually works? | 14:24 |
tiagogomes_ | yes, but git.baserock.org shouldn't be the test playground | 14:24 |
ssam2 | tiagogomes_: are you volunteering to join the infra team? | 14:24 |
* tiagogomes_ shuts up | 14:25 | |
ssam2 | you would be welcome to join :-) me and pedro and gary don't seem to ever have much time to spend on it | 14:25 |
franred | wow!! ssam2, great job! pretty useful! | 14:46 |
pedroalvarez | ssam2: found a couple of issues. I have no idea how difficult is to solve them but just in case there are quick fixes: | 14:58 |
pedroalvarez | - Subsystems in clusters don't work: http://git.baserock.org/cgit/baserock/baserock/definitions.git/tree/clusters/initramfs-test.morph | 14:58 |
pedroalvarez | - Links to other files (morph field) will always go to the master branch even if you were looking into a different branch or specific commit | 14:58 |
pedroalvarez | second one might be difficult to solve | 14:58 |
locallycompact | this mako chunk's repo field ends in .git and so links to mako.git.git http://git.baserock.org/cgit/baserock/baserock/definitions.git/tree/strata/python2-core.morph | 14:59 |
pedroalvarez | good point | 15:00 |
pedroalvarez | should the plugin handle that case, or should we fix definitions? | 15:01 |
ssam2 | locallycompact: good catch. thanks | 15:06 |
ssam2 | plugin can easily handle that case | 15:06 |
*** locallycompact has quit IRC | 15:20 | |
ssam2 | subsystems, repos ending in .git, and files from old commits should now all work | 15:39 |
ssam2 | i don't like that links to files that don't exist are still linkified, but it'd be a bit of effort to check if they do before creating the link.. | 15:40 |
ssam2 | would need to actually run a git command | 15:40 |
pedroalvarez | no need for such a thing | 15:40 |
pedroalvarez | well, Sam is now the contributor of the month | 15:41 |
pedroalvarez | and from 2016 so far :) | 15:41 |
*** ssam2 has quit IRC | 15:56 | |
*** ctbruce has quit IRC | 16:17 | |
*** locallycompact has joined #baserock | 17:05 | |
*** rdale_ct has joined #baserock | 17:06 | |
*** rdale has quit IRC | 17:07 | |
*** faybrocklebank has quit IRC | 17:22 | |
*** toscalix has joined #baserock | 17:23 | |
*** trn has quit IRC | 17:28 | |
*** trn has joined #baserock | 17:48 | |
*** bashrc_ has quit IRC | 18:01 | |
*** jonathanmaw has quit IRC | 18:04 | |
*** locallycompact has quit IRC | 18:24 | |
*** Lachlan1975 has quit IRC | 18:38 | |
*** mwilliams_ct has quit IRC | 18:42 | |
*** edcragg has quit IRC | 18:44 | |
*** toscalix has quit IRC | 20:04 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!