Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread nicolas . mailhot

From: "Mark Wielaard"

>On Wed, 2017-10-11 at 20:36 +0200, nicolas.mail...@laposte.net wrote:
>> From: "Frank Ch. Eigler"
> 
>> > nicolas.mailhot wrote:
>> > 
>> > > [...]
>> > > extracting debug info from
>> > > /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
>> > > *** ERROR: No build ID note found in
>> > > /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
>> > 
>> > See https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID
>> 
>> Thanks, I somewhat missed it in all the not-really current
>> EL6-oriented stuff in this document

>I CCed Jakub, who maintains the go package. He might have some update
>to this. We did recently discuss adding the support directly to the go
>linker, but I believe that isn't yet there.

>The problem indeed is that the golang linker doesn't insert a build-id
>note in the executable. In theory this can also be worked around by
>using %undefine _missing_build_ids_terminate_build in your spec file.
>But the workaround in the wiki is better. 

>Please let me know if there are any other issues with debuginfo
>packages for go programs that you cannot work around with the hints in
>the wiki page.

Thanks for the proposal, I will indeed try to report issues rather than
working around them silently and forgetting about long-term fixing. Even if the
best intentions tend to erode around the 20th Go spec ;)

Regards,

-- 
Nicolas Mailhot
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread Mark Wielaard
On Wed, 2017-10-11 at 20:36 +0200, nicolas.mail...@laposte.net wrote:
> From: "Frank Ch. Eigler"
> 
> > nicolas.mailhot wrote:
> > 
> > > [...]
> > > extracting debug info from
> > > /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
> > > *** ERROR: No build ID note found in
> > > /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
> > 
> > See https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID
> 
> Thanks, I somewhat missed it in all the not-really current
> EL6-oriented stuff in this document

I CCed Jakub, who maintains the go package. He might have some update
to this. We did recently discuss adding the support directly to the go
linker, but I believe that isn't yet there.

The problem indeed is that the golang linker doesn't insert a build-id
note in the executable. In theory this can also be worked around by
using %undefine _missing_build_ids_terminate_build in your spec file.
But the workaround in the wiki is better. Once there is a build-id note
rpm debugedit can update it (making it unique, but stable).
Unfortunately rpm debugedit cannot insert it itself. The ELF note needs
to be in an allocated section, meaning that to add it the runtime
program headers also need to be updated. And rpm debugedit cannot do
that easily. Only a real linker can.

Please let me know if there are any other issues with debuginfo
packages for go programs that you cannot work around with the hints in
the wiki page.

Thanks,

Mark
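
The point in the message above, that a build-id only counts when the note is described by the runtime program headers, can be checked with a small ELF walker. This is an added example, not code from the thread and not rpm's own check; the function names and the sample image are constructed, and it assumes little-endian ELF64 with 4-byte aligned notes.

```python
import struct

PT_LOAD, PT_NOTE = 1, 4      # program header types
NT_GNU_BUILD_ID = 3          # note type of the GNU build-id


def _align4(n):
    return (n + 3) & ~3


def iter_notes(segment):
    """Yield (name, type, desc) for each note record in a PT_NOTE segment."""
    off = 0
    while off + 12 <= len(segment):
        namesz, descsz, ntype = struct.unpack_from("<III", segment, off)
        name_off = off + 12
        desc_off = name_off + _align4(namesz)
        desc_end = desc_off + descsz
        if desc_end > len(segment):
            return  # truncated record: stop instead of reading past the segment
        yield segment[name_off:name_off + namesz], ntype, segment[desc_off:desc_end]
        off = desc_off + _align4(descsz)


def find_build_id(image):
    """Return the build-id (hex) found via the program headers, else None.

    Assumption: little-endian ELF64 with 4-byte aligned notes, as on x86_64.
    """
    if len(image) < 64 or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if ph + 56 > len(image):
            raise ValueError("program header table is truncated")
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", image, ph)
        if p_type != PT_NOTE:
            continue  # only note segments listed here are visible at run time
        for name, ntype, desc in iter_notes(image[p_offset:p_offset + p_filesz]):
            if name == b"GNU\x00" and ntype == NT_GNU_BUILD_ID:
                return desc.hex()
    return None


def build_sample_elf(build_id=None, mapped=True):
    """Constructed test image: ELF64 header, one program header, optional note.

    mapped=False leaves the note bytes in the file but does not describe them
    in the program header, the state a tool reaches if it only appends bytes.
    """
    note = b""
    if build_id is not None:
        name = b"GNU\x00"
        note = struct.pack("<III", len(name), len(build_id), NT_GNU_BUILD_ID) + name + build_id
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    if note and mapped:
        phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 120, 120, len(note), len(note), 4)
    else:
        phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, 120, 120, 4096)
    return ehdr + phdr + note


if __name__ == "__main__":
    sample_id = bytes(range(20))  # constructed 20-byte id, not a real build
    for label, img in [("with note", build_sample_elf(sample_id)),
                       ("no note (Go linker case)", build_sample_elf()),
                       ("note bytes not in phdrs", build_sample_elf(sample_id, mapped=False))]:
        print(f"{label}: {find_build_id(img)}")
```
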


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread nicolas . mailhot

From: "Frank Ch. Eigler"

|nicolas.mailhot wrote:
|
|> [...]
|> extracting debug info from
|> /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
|> *** ERROR: No build ID note found in
|> /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
|
|See https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID

Thanks, I somewhat missed it in all the not-really current EL6-oriented stuff 
in this document

Regards,

-- 
Nicolas Mailhot


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread Frank Ch. Eigler

nicolas.mailhot wrote:

> [...]
> extracting debug info from
> /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
> *** ERROR: No build ID note found in
> /builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump

See https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID

- FChE


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-11 Thread nicolas . mailhot
Hi,

BTW since we are talking about debug and future tech, what is the correct way 
(as of rawhide and EPEL 7) to handle 

extracting debug info from 
/builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump
*** ERROR: No build ID note found in 
/builddir/build/BUILDROOT/golang-github-performancecopilot-speed-2.0.0-1.el7.llt.x86_64/usr/bin/mmvdump

(I have those in all Go packages that build something)

I can sprinkle %global debug_package   %{nil} everywhere, but that's not overly 
satisfying.

Regards,

-- 
Nicolas Mailhot


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-06 Thread Daniel Walsh

On 10/06/2017 10:14 AM, Mark Wielaard wrote:
> On Mon, 2017-09-18 at 16:48 +0200, Tomas Tomecek wrote:
>> we managed to move tools container from Fedora Dockerfiles github
>> repo to Fedora infra [1]. As a side effect, we put systemtap in a
>> dedicated container.
>>
>> We would very much appreciate your feedback here
>
> What determines what goes into tools and what in a separate container
> (like systemtap). I see the tools container has strace, gcc, gdb, perf,
> etc. But not other development tools like binutils, elfutils and
> valgrind. Will those be added or will they come in some separate
> container?
>
> Thanks,
>
> Mark

Right now there is an effort going on to shrink the tools container,
it has grown huge.

I would prefer you create a debug container and put all of these tools
in there.



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-06 Thread Tomas Tomecek
Thank you for figuring this out!

I fixed in dist-git:
https://src.fedoraproject.org/container/systemtap/c/a8a59cacb440aacc150fad8a94d264d53a341baf?branch=master

Can't build in OSBS, seems like the service is having issues.


Tomas

On Thu, Oct 5, 2017 at 7:50 PM, Jeremy Eder wrote:

> Woops, sorry Dan,  my bad.  That was a relic from earlier, when I tried
> sys_admin.
>
> Looks like --security-opt label:disable is enough to get it going.
>
> # docker run --security-opt label:disable --cap-add SYS_MODULE -v
> /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels
> -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug
> -t -i --name systemtap candidate-registry.fedoraproject.org/f26/systemtap
>
> On Thu, Oct 5, 2017 at 1:47 PM, Frank Ch. Eigler wrote:
>
>> Hi, Dan -
>>
>>
>> > Could you show the docker line that atomic run is executing?
>>
>> % atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
>> /usr/share/systemtap/examples/io/iotop.stp
>> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug
>> -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
>> -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
>> candidate-registry.fedoraproject.org/f26/systemtap
>> /usr/share/systemtap/examples/io/iotop.stp
>>
>> ... which fails.  But a hand-run % docker run, with "--security-opt
>> label:disable" added in the front works for me.
>>
>>
>> > The LABEL would be the preferred way.
>>
>> Sure, just someone(tm) needs to find the Dockerfile in git.  I
>> couldn't find it from a dozen minutes reading
>> https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
>> and pals.
>>
>>
>> - FChE
>>
>
>
>
> --
>
> -- Jeremy Eder
>


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:55 PM, Frank Ch. Eigler wrote:
> Hi, Dan -
>
> On Thu, Oct 05, 2017 at 01:49:48PM -0400, Daniel Walsh wrote:
>> [...]
>> But really for something like this, it would be better to just run
>> it --privileged.  There is [no] security confinement present in what
>> you are doing.
>
> Yup.  I thought "atomic run --spc" would imply "docker run --privileged"
> but it doesn't seem to.
>
> - FChE

No it looks like it is just running the label that is in the container
image.



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Frank Ch. Eigler
Hi, Dan -

On Thu, Oct 05, 2017 at 01:49:48PM -0400, Daniel Walsh wrote:
> [...]
> But really for something like this, it would be better to just run
> it --privileged.  There is [no] security confinement present in what
> you are doing.

Yup.  I thought "atomic run --spc" would imply "docker run --privileged"
but it doesn't seem to.

- FChE


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:47 PM, Frank Ch. Eigler wrote:
> Hi, Dan -
>
>> Could you show the docker line that atomic run is executing?
>
> % atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
> /usr/share/systemtap/examples/io/iotop.stp
> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v
> /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v
> /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
> candidate-registry.fedoraproject.org/f26/systemtap
> /usr/share/systemtap/examples/io/iotop.stp
>
> ... which fails.  But a hand-run % docker run, with "--security-opt
> label:disable" added in the front works for me.
>
>> The LABEL would be the preferred way.
>
> Sure, just someone(tm) needs to find the Dockerfile in git.  I
> couldn't find it from a dozen minutes reading
> https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
> and pals.
>
> - FChE

But really for something like this, it would be better to just run it
--privileged.  There is no security confinement present in what you are
doing.



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Frank Ch. Eigler
Hi, Dan -


> Could you show the docker line that atomic run is executing?  

% atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap 
/usr/share/systemtap/examples/io/iotop.stp
docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v 
/usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v 
/usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc 
candidate-registry.fedoraproject.org/f26/systemtap 
/usr/share/systemtap/examples/io/iotop.stp

... which fails.  But a hand-run % docker run, with "--security-opt
label:disable" added in the front works for me.


> The LABEL would be the preferred way.

Sure, just someone(tm) needs to find the Dockerfile in git.  I
couldn't find it from a dozen minutes reading
https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
and pals.


- FChE


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:38 PM, Jeremy Eder wrote:
> I don't see any avc when it fails while label:disable is set.
> I ran semodule -DB and retried.  I now see dontaudit stuff but still
> no interesting denials.
>
> I'm not sure if you were talking to me or Frank with the atomic
> command line...
>
> I pulled the label out of docker inspect on the systemtap image so I can
> run it manually.  Here is what I am running.
>
> All I have added is the --security-opt label:disable part.
>
> # docker run --security-opt label:disable --cap-add SYS_ADMIN -v
> /sys/kernel/debug:/sys/kernel/debug -v
> /usr/src/kernels:/usr/src/kernels -v
> /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug
> -t -i --name systemtap
> candidate-registry.fedoraproject.org/f26/systemtap

Should be SYS_MODULE not SYS_ADMIN or maybe both.

> I also tried with --security-opt seccomp:unconfined.  That did not help.
>
> Adding --privileged to the above command line, and systemtap works.
>
> This is likely the key difference between why systemtap has always
> worked in the rhel-tools container...the label on that image includes
> --privileged.
>
> On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh wrote:
>
>> On 10/05/2017 01:18 PM, Jeremy Eder wrote:
>>
>>> setenforce 0 works...security-opt label:disable does not.
>>>
>>> On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh wrote:
>>>
>>>> On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
>>>>
>>>>> wcohen forwarded:
>>>>>
>>>>>> [...]
>>>>>>> [root@dhcp23-91 ~]# atomic run --spc
>>>>>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>>>>>
>>>>>>> docker run --cap-add SYS_MODULE -v
>>>>>>> /sys/kernel/debug:/sys/kernel/debug -v
>>>>>>> /usr/src/kernels:/usr/src/kernels -v
>>>>>>> /usr/lib/modules/:/usr/lib/modules/ -v
>>>>>>> /usr/lib/debug:/usr/lib/debug -t -i --name
>>>>>>> systemtap-spc
>>>>>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>>>>>
>>>>>>> [...]
>>>>>>> ERROR: Couldn't insert module
>>>>>>> '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko':
>>>>>>> Operation not permitted
>>>>>>> [...]
>>>>>
>>>>> I bet
>>>>> # setenforce 0
>>>>> makes it work for you.  As per audit.log:
>>>>>
>>>>> type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
>>>>> for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
>>>>> tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
>>>>>
>>>>> - FChE
>>>>
>>>> Rather than putting the system into permissive mode, you
>>>> should run a privileged container or at least disable SELinux
>>>> protections.
>>>>
>>>> docker run -ti --security-opt label:disable ...
>>>
>>> --
>>> -- Jeremy Eder
>>
>> Could you show me the AVC you get when you do the label:disable?
>
> --
> -- Jeremy Eder



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:18 PM, Jeremy Eder wrote:
> setenforce 0 works...security-opt label:disable does not.
>
> On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh wrote:
>
>> On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
>>
>>> wcohen forwarded:
>>>
>>>> [...]
>>>>> [root@dhcp23-91 ~]# atomic run --spc
>>>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>>>
>>>>> docker run --cap-add SYS_MODULE -v
>>>>> /sys/kernel/debug:/sys/kernel/debug -v
>>>>> /usr/src/kernels:/usr/src/kernels -v
>>>>> /usr/lib/modules/:/usr/lib/modules/ -v
>>>>> /usr/lib/debug:/usr/lib/debug -t -i --name
>>>>> systemtap-spc
>>>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>>>
>>>>> [...]
>>>>> ERROR: Couldn't insert module
>>>>> '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko':
>>>>> Operation not permitted
>>>>> [...]
>>>
>>> I bet
>>> # setenforce 0
>>> makes it work for you.  As per audit.log:
>>>
>>> type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
>>> for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
>>> tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
>>>
>>> - FChE
>>
>> Rather than putting the system into permissive mode, you should
>> run a privileged container or at least disable SELinux protections.
>>
>> docker run -ti --security-opt label:disable ...
>
> --
> -- Jeremy Eder

Could you show me the AVC you get when you do the label:disable?




Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:11 PM, Frank Ch. Eigler wrote:
> Hi, Dan -
>
>> [...]
>> Rather than putting the system into permissive mode, you should run
>> a privileged container
>
> "atomic run --spc " fails similarly on f26, despite its
> underlying "docker run --cap-add SYS_MODULE ..." parts.
>
>> or at least disable SELinux protections.
>>
>> docker run -ti --security-opt label:disable ...
>
> Is there an atomic(1) command line equivalent for this?  Or would
> one have to put the security-option bits into the Dockerfile LABEL?
>
> - FChE

Could you show the docker line that atomic run is executing?  The LABEL
would be the preferred way.


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Frank Ch. Eigler
Hi, Dan -

> [...]
> Rather than putting the system into permissive mode, you should run
> a privileged container

"atomic run --spc " fails similarly on f26, despite its
underlying "docker run --cap-add SYS_MODULE ..." parts.

> or at least disable SELinux protections.
>
> docker run -ti --security-opt label:disable ...

Is there an atomic(1) command line equivalent for this?  Or would
one have to put the security-option bits into the Dockerfile LABEL?


- FChE


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Daniel Walsh

On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
> wcohen forwarded:
>
>> [...]
>>> [root@dhcp23-91 ~]# atomic run --spc
>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>
>>> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v
>>> /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v
>>> /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>
>>> [...]
>>> ERROR: Couldn't insert module
>>> '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not
>>> permitted
>>> [...]
>
> I bet
> # setenforce 0
> makes it work for you.  As per audit.log:
>
> type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
> for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
> tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
>
> - FChE

Rather than putting the system into permissive mode, you should run a
privileged container or at least disable SELinux protections.

docker run -ti --security-opt label:disable ...



Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Frank Ch. Eigler

wcohen forwarded:

> [...]
>>   [root@dhcp23-91 ~]# atomic run --spc 
>> candidate-registry.fedoraproject.org/f26/systemtap 
>> 
>> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug 
>> -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ 
>> -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc 
>> candidate-registry.fedoraproject.org/f26/systemtap 
>> 
>>  [...]
>> ERROR: Couldn't insert module 
>> '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation 
>> not permitted
>> [...]

I bet
   # setenforce 0
makes it work for you.  As per audit.log:

type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1


- FChE
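
The audit record quoted above can be picked out of audit.log mechanically, and its `permissive=` field tells whether the module load was actually blocked. This is an added example, not code from the thread: the first sample line is the thread's record joined onto one line, the remaining lines are constructed, and the function names are hypothetical.

```python
import re

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # The record from the thread, joined onto one line as audit.log stores it.
    'type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } '
    'for  pid=7595 comm="staprun" '
    'scontext=system_u:system_r:container_t:s0:c534,c921 '
    'tcontext=system_u:system_r:container_t:s0:c534,c921 '
    'tclass=system permissive=1',
    # Constructed: the same denial on a host that is enforcing.
    'type=AVC msg=audit(1507222600.100:7951): avc:  denied  { module_load } '
    'for  pid=7702 comm="staprun" '
    'scontext=system_u:system_r:container_t:s0:c10,c20 '
    'tcontext=system_u:system_r:container_t:s0:c10,c20 '
    'tclass=system permissive=0',
    # Constructed: an unrelated file denial and a non-AVC record.
    'type=AVC msg=audit(1507222601.200:7952): avc:  denied  { read } '
    'for  pid=7710 comm="cat" name="notes.txt" '
    'scontext=system_u:system_r:container_t:s0:c10,c20 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1507222601.200:7952): arch=c000003e syscall=2 success=no',
]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other lines."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":", 3)   # user:role:type[:level]
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
            rec[ctx + "_level"] = parts[3] if len(parts) == 4 else ""
    return rec


def container_module_loads(lines):
    """Return one finding per module_load denial raised from container_t."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if "module_load" not in rec["perms"] or rec.get("tclass") != "system":
            continue
        if rec.get("scontext_type") != "container_t":
            continue
        findings.append({
            "serial": rec["serial"],
            "comm": rec.get("comm"),
            "mcs": rec.get("scontext_level"),
            # permissive=1: the denial was only logged and the load went ahead
            "blocked": rec.get("permissive") == "0",
        })
    return findings


if __name__ == "__main__":
    for finding in container_module_loads(SAMPLE_LOG):
        print(finding)
```
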


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread William Cohen
On 10/05/2017 10:33 AM, Jeremy Eder wrote:
> Forgot to add Will Cohen (discussed stap errors with him briefly).  Also my 
> replies won't make it to the dev list since I am not subscribed (just fyi I 
> guess).
> 
> On Thu, Oct 5, 2017 at 9:10 AM, Jeremy Eder wrote:
> 
> First of all, that readme is awesome.
> 
> spot checking the tools container...seems to all "just work" when I run 
> it with atomic run ...
> blktrace works
> ethtool works (-K -i -c -S specifically)
> netstat works
> pstack works
> perf top,record,report works
> iotop works
> slabtop works
> lstopo works
> htop works (wish this was in rhel)
> nstat works
> ss works (-tmpie)
> ifpps works (wish this was in rhel)
> numastat works (-mczs)
> pmap works
> all the sysstat tools work
> strace works
> tcpdump works
> sar works but you have to prepend the /host directory (so, sar -f 
> /host/var/log/sa/sa05)
> my god tmux is in here?? yes!
> 
> 
> systemtap (aww, no readme?)
> 
> doesn't work:
> [root@8b7437fed211 /]# cd /usr/share/systemtap/examples/process/
> [root@8b7437fed211 process]# stap cycle_thief.stp
> ERROR: Couldn't insert module 
> '/tmp/stapslabb9/stap_0811c9eea1bbb81f2fbc5f7bf9df4506_8509.ko': Operation 
> not permitted
> WARNING: /usr/bin/staprun exited with status: 1
> Pass 5: run failed.  [man error::pass5]
> [root@8b7437fed211 process]# 
> 
> 
> 
> [root@dhcp23-91 ~]# atomic run --spc 
> candidate-registry.fedoraproject.org/f26/systemtap 
> 
> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v 
> /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v 
> /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc 
> candidate-registry.fedoraproject.org/f26/systemtap 
> 
> 
> This container uses privileged security switches:
> 
> INFO: --cap-add 
>       Adding capabilities to your container could allow processes from 
> the container to break out onto your host system.
> 
> For more information on these switches and their security implications, 
> consult the manpage for 'docker run'.
> 
> [root@10accce504c2 /]# cd /usr/share/systemtap/examples/process/
> [root@10accce504c2 process]# stap cycle_thief.stp 
> ERROR: Couldn't insert module 
> '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation 
> not permitted
> WARNING: /usr/bin/staprun exited with status: 1
> Pass 5: run failed.  [man error::pass5]
> 
> 
> 
> On Thu, Oct 5, 2017 at 3:09 AM, Tomas Tomecek wrote:
> 
> Not sure if the question is for me -- I literally have no idea how to 
> do that.
> 
> 
> Let me know how I can help,
> 
> Tomas
> 
> 
> On Thu, Oct 5, 2017 at 5:04 AM, Dusty Mabe wrote:
> 
> 
> 
> On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
> > Hello,
> >
> > we managed to move tools container from Fedora Dockerfiles github repo to Fedora infra [1]. As a side effect, we put systemtap in a dedicated container.
> >
> > We would very much appreciate your feedback here: so if you have some time to take a look at these containers and try them out, it would mean a lot to us.
> >
> > Repos:
> > https://src.fedoraproject.org/container/systemtap
> > https://src.fedoraproject.org/container/tools
> >
> > The way to access the images:
> > docker pull candidate-registry.fedoraproject.org/f26/tools
>
> just tested out the tools container. can we get this into the official registry?
>
> > docker pull candidate-registry.fedoraproject.org/f26/systemtap
> >
> > Both images have help files, so please read them prior using the containers:
> > https://src.fedoraproject.org/container/tools/blob/master/f/root/README.md

Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-05 Thread Tomas Tomecek
Not sure if the question is for me -- I literally have no idea how to do
that.


Let me know how I can help,

Tomas


On Thu, Oct 5, 2017 at 5:04 AM, Dusty Mabe wrote:

>
>
> On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
> > Hello,
> >
> > we managed to move tools container from Fedora Dockerfiles github repo
> to Fedora infra [1]. As a side effect, we put systemtap in a dedicated
> container.
> >
> > We would very much appreciate your feedback here: so if you have some
> time to take a look at these containers and try them out, it would mean a
> lot to us.
> >
> > Repos:
> > https://src.fedoraproject.org/container/systemtap
> > https://src.fedoraproject.org/container/tools
> >
> > The way to access the images:
> > docker pull candidate-registry.fedoraproject.org/f26/tools <
> http://candidate-registry.fedoraproject.org/f26/tools>
>
> just tested out the tools container. can we get this into the official
> registry?
>
> > docker pull candidate-registry.fedoraproject.org/f26/systemtap <
> http://candidate-registry.fedoraproject.org/f26/systemtap>
> >
> > Both images have help files, so please read them prior using the
> containers:
> > https://src.fedoraproject.org/container/tools/blob/master/f/root/README.md
> > https://github.com/container-images/systemtap/blob/master/help/help.md
> >
> > (or `atomic help $the_container_image`)
> >
> > [1] https://pagure.io/atomic-wg/issue/214
>


Re: [atomic-devel] tools and systemtap containers are available in Fedora

2017-10-04 Thread Dusty Mabe


On 09/18/2017 10:48 AM, Tomas Tomecek wrote:
> Hello,
> 
> we managed to move tools container from Fedora Dockerfiles github repo to 
> Fedora infra [1]. As a side effect, we put systemtap in a dedicated 
> container.
> 
> We would very much appreciate your feedback here: so if you have some time to 
> take a look at these containers and try them out, it would mean a lot to us.
> 
> Repos:
> https://src.fedoraproject.org/container/systemtap
> https://src.fedoraproject.org/container/tools
> 
> The way to access the images:
> docker pull candidate-registry.fedoraproject.org/f26/tools 
> 

just tested out the tools container. can we get this into the official registry?

> docker pull candidate-registry.fedoraproject.org/f26/systemtap 
> 
> 
> Both images have help files, so please read them prior using the containers:
> https://src.fedoraproject.org/container/tools/blob/master/f/root/README.md
> https://github.com/container-images/systemtap/blob/master/help/help.md
> 
> (or `atomic help $the_container_image`)
> 
> [1] https://pagure.io/atomic-wg/issue/214