[OpenWrt-Devel] Jails current broken due to not following symlinks
Hi all,

In Chaos Calmer revision 46996 which bumps procd to latest git breaks jails because Etienne's code fails to follow symlinks.

This is a major problem because especially for libraries symlinks are what is reported in the ELF header (and for busybox 'binaries', or other multicall binaries failure to follow symlinks also fails).

This results in jails failing with ENOENT due to inability to find the needed binaries.

Regards,

Daniel
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Jails current broken due to not following symlinks
Hi again,

It turns out the problem isn't Etienne's code, it is the fstools update in revision 47083.

This causes symlinks to not be followed which breaks procd-jail even though the real issue is that procd-jail was in fact only working due to broken behaviour.

Regards,

Daniel

On 2015-10-07 11:16 PM, Daniel Dickinson wrote:
> Hi all,
>
> In Chaos Calmer revision 46996 which bumps procd to latest git breaks jails because Etienne's code fails to follow symlinks.
>
> This is a major problem because especially for libraries symlinks are what is reported in the ELF header (and for busybox 'binaries', or other multicall binaries failure to follow symlinks also fails).
>
> This results in jails failing with ENOENT due to inability to find the needed binaries.
>
> Regards,
>
> Daniel
Re: [OpenWrt-Devel] Jails current broken due to not following symlinks
On 08/10/2015 06:01, Daniel Dickinson wrote:
> Hi again,
>
> It turns out the problem isn't Etienne's code, it is the fstools update
> in revision 47083.
>
> This causes symlinks to not be followed which breaks procd-jail even
> though the real issue is that procd-jail was in fact only working due to
> broken behaviour.
>
> Regards,
>
> Daniel

wanna be a bit more specific ?
Re: [OpenWrt-Devel] Jails current broken due to not following symlinks
Ok, I thought I had found the root cause but all I'm left with is that symlinks aren't followed.

That is when procd-jail is installed and using procd_add_jail (or manually executing ujail) on x86_64 using squashfs, on (for example) /usr/sbin/ntpd (which is a symlink to /bin/busybox), then in syslog you get (assuming you have correctly included all config/pid files that ntpd depends on):

    Thu Oct 8 06:33:12 2015 user.err syslog: jail: failed to spawn child /usr/sbin/ntpd: No such file or directory

Using strace I see that the mounts are occurring correctly and the necessary files are found, but execve of /usr/sbin/ntpd returns ENOENT.

I took a closer look and realized that e.g. /bin/busybox and the actual libraries that are the target of the so versions listed by ldd (i.e. the so versions point to a symlink which points to the actual fully versioned so, such as the uClibc dependencies of busybox) were not being mounted.

I added the targets of the symlinks to procd_add_jail_mount and lo and behold the jailed daemon started correctly.

In short, at least on x86_64 with squashfs rootfs the symlinks are not being followed.

The behaviour was correct on previous version of Chaos Calmer (release commit) on ar71xx and it was not necessary to add the symlink targets to procd_jail_mount in that case.

Regards,

Daniel

On 2015-10-08 2:18 AM, John Crispin wrote:
> wanna be a bit more specific ?
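The workaround in the message above (adding each symlink's target to the jail's mount list) needs every path in each chain, from the link down to the real file. As an added example that is not part of the thread or of procd, this POSIX shell helper prints that chain; the function names and the sample tree's file names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: list every path in a symlink chain,
# one per line, from the given path down to the final non-symlink target.
symlink_chain() {
    path=$1
    hops=0
    while :; do
        printf '%s\n' "$path"
        [ -L "$path" ] || break
        hops=$((hops + 1))
        # Loop guard; the limit of 16 is an arbitrary choice for this sketch.
        [ "$hops" -le 16 ] || { echo "too many links: $1" >&2; return 1; }
        target=$(readlink "$path") || return 1
        case $target in
            /*) path=$target ;;
            *)  # Relative targets resolve against the link's own directory.
                dir=$(cd "$(dirname "$path")/$(dirname "$target")" 2>/dev/null \
                      && pwd -P) || { echo "dangling: $path" >&2; return 1; }
                path=$dir/$(basename "$target") ;;
        esac
    done
    # In the thread, targets missing from the jail surfaced as ENOENT on execve.
    [ -e "$path" ] || { echo "dangling: $path" >&2; return 1; }
}

# Constructed sample tree (hypothetical file names) mirroring the thread:
# usr/sbin/ntpd -> ../../bin/busybox and lib/libc.so.0 -> libuClibc-x.so
make_sample_root() {
    root=$(mktemp -d) || return 1
    root=$(cd "$root" && pwd -P)
    mkdir -p "$root/bin" "$root/usr/sbin" "$root/lib"
    : > "$root/bin/busybox"
    : > "$root/lib/libuClibc-x.so"
    ln -s ../../bin/busybox "$root/usr/sbin/ntpd"
    ln -s libuClibc-x.so "$root/lib/libc.so.0"
    printf '%s\n' "$root"
}
```

Run over the jailed binary and over each library name that ldd reports, the printed paths are the ones the message describes adding with procd_add_jail_mount.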
Re: [OpenWrt-Devel] Jails current broken due to not following symlinks
Hi all,

Reverting to 15.05 release fails to resolve the issue on x86_64 so I suspect jails are simply broken on x86_64 due to not following symlinks.

For some reason ar71xx does follow the symlinks and does not experience this issue with the same commit.

Regards,

Daniel

On 2015-10-08 2:45 AM, Daniel Dickinson wrote:
> Ok, I thought I had found the root cause but all I'm left with is that symlinks aren't followed.
>
> That is when procd-jail is installed and using procd_add_jail (or manually executing ujail) on x86_64 using squashfs, on (for example) /usr/sbin/ntpd (which is a symlink to /bin/busybox), then in syslog you get (assuming you have correctly included all config/pid files that ntpd depends on):
>
>     Thu Oct 8 06:33:12 2015 user.err syslog: jail: failed to spawn child /usr/sbin/ntpd: No such file or directory
>
> Using strace I see that the mounts are occurring correctly and the necessary files are found, but execve of /usr/sbin/ntpd returns ENOENT.
>
> I took a closer look and realized that e.g. /bin/busybox and the actual libraries that are the target of the so versions listed by ldd (i.e. the so versions point to a symlink which points to the actual fully versioned so, such as the uClibc dependencies of busybox) were not being mounted.
>
> I added the targets of the symlinks to procd_add_jail_mount and lo and behold the jailed daemon started correctly.
>
> In short, at least on x86_64 with squashfs rootfs the symlinks are not being followed.
>
> The behaviour was correct on previous version of Chaos Calmer (release commit) on ar71xx and it was not necessary to add the symlink targets to procd_jail_mount in that case.
>
> Regards,
>
> Daniel
Re: [OpenWrt-Devel] Jails current broken due to not following symlinks
Hi all,

An update: current Chaos Calmer HEAD (i.e. latest commit) does correctly follow symlinks on ar71xx but not x86_64. That is jails work on ar71xx but not x86_64 with current Chaos Calmer branch.

(as described previously manually adding the links on x86_64 allows the jails to work).

Regards,

Daniel

On 2015-10-08 11:46 PM, Daniel Dickinson wrote:
> Hi all,
>
> Reverting to 15.05 release fails to resolve the issue on x86_64 so I suspect jails are simply broken on x86_64 due to not following symlinks.
>
> For some reason ar71xx does follow the symlinks and does not experience this issue with the same commit.
>
> Regards,
>
> Daniel