Debian Bug report logs - #703010
debianutils: ischroot can no longer detect vservers

Reply or subscribe to this bug.

Display info messages

Message #5 received at [email protected] (full text, mbox, reply):

From: Andrew Ruthven <[email protected]>

To: Debian Bug Tracking System <[email protected]>

Subject: debianutils: ischroot can no longer detect vservers

Date: Tue, 12 Mar 2013 09:57:48 +1300

[Message part 1 (text/plain, inline)]

Package: debianutils
Version: 4.3.4
Severity: important

[resubmitting as something seems to have gone wrong with creating the bug]

Dear Maintainer,

The ischroot code checks to see if it can access /proc/1/root to determine
if it is a running inside a chroot. Within vservers you can now read
/proc/1/root so it is no longer a sufficient test for vservers.

On newer vserver patches a better check is to look for a VxID line in
/proc/self/status.  If the line is present you're running a vserver
kernel.  If the value is 0, then you're on the physical host, anything
else means you're in a vserver.

Inside a vserver:

puck@build-sid-amd64:/$ grep VxID /proc/self/status
VxID: 12
puck@build-sid-amd64:/$ 

On the physical host:

build-servers:~$ grep VxID /proc/self/status
VxID: 0
puck@build-servers:~$ 

I've set this bug report to important as it is stopping initscripts from being
installable on a Wheezy vserver.

This is the case on Linux kernel 3.4 + 2.3.3.9 vserver patch.  The 3.2 kernel
set of patches is not affected by this change of behaviour.

Cheers!



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-28-vserver (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=POSIX (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages debianutils depends on:
ii  libc6           2.13-37
ii  sensible-utils  0.0.7

debianutils recommends no packages.

debianutils suggests no packages.

-- no debconf information

[signature.asc (application/pgp-signature, inline)]

Message #20 received at [email protected] (full text, mbox, reply):

From: Andrew Ruthven <[email protected]>

To: Clint Adams <[email protected]>, [email protected]

Subject: Re: Bug#703010: debianutils: ischroot can no longer detect vservers

Date: Fri, 15 Mar 2013 21:16:45 +1300

[Message part 1 (text/plain, inline)]

On Fri, 2013-03-15 at 03:33 +0000, Clint Adams wrote:
> > On newer vserver patches a better check is to look for a VxID line in
> > /proc/self/status.  If the line is present you're running a vserver
> > kernel.  If the value is 0, then you're on the physical host, anything
> > else means you're in a vserver.
> 
> I wonder if it's better to have the initscripts postinst do the grep
> than to parse /proc/self/status in ischroot.

The big downside to that approach that I can see is that according to
the changelog ischroot was implemented to *stop* people having checks
spread all over the place. And as we've just discovered those checks
break over time as things progress. Better to have them in one place,
than spread around.

I guess that question comes down to, is the mount that initscripts
postinst doing appropriate in chroots in general? At a guess no,
otherwise it wouldn't use ischroot.

I have proposed patch for ischroot that is attached to bug #703012
(curse the BTS for not creating my bug reports in a timely manner).

Cheers!

-- 
Andrew Ruthven
Wellington, New Zealand
At home: [email protected] |   linux.conf.au 2013
                           | Come join the party...
                           |  http://linux.conf.au

[signature.asc (application/pgp-signature, inline)]

Message #25 received at [email protected] (full text, mbox, reply):

From: Clint Adams <[email protected]>

To: Andrew Ruthven <[email protected]>, [email protected]

Subject: Re: Bug#703010: debianutils: ischroot can no longer detect vservers

Date: Sun, 28 Jul 2013 00:47:15 +0000

On Fri, Mar 15, 2013 at 09:16:45PM +1300, Andrew Ruthven wrote:
> The big downside to that approach that I can see is that according to
> the changelog ischroot was implemented to *stop* people having checks
> spread all over the place. And as we've just discovered those checks
> break over time as things progress. Better to have them in one place,
> than spread around.

I don't know; it seems pretty stupid to base script behavior on
whether one is in a "chroot" or not.

Message #30 received at [email protected] (full text, mbox, reply):

From: Andrew Ruthven <[email protected]>

To: Clint Adams <[email protected]>

Cc: [email protected]

Subject: Re: Bug#703010: debianutils: ischroot can no longer detect vservers

Date: Tue, 30 Jul 2013 21:00:15 +1200

[Message part 1 (text/plain, inline)]

On Sun, 2013-07-28 at 00:47 +0000, Clint Adams wrote:
> On Fri, Mar 15, 2013 at 09:16:45PM +1300, Andrew Ruthven wrote:
> > The big downside to that approach that I can see is that according to
> > the changelog ischroot was implemented to *stop* people having checks
> > spread all over the place. And as we've just discovered those checks
> > break over time as things progress. Better to have them in one place,
> > than spread around.
> 
> I don't know; it seems pretty stupid to base script behavior on
> whether one is in a "chroot" or not.

Totally agree. The problem is with tools that don't run in a chroot, if
they are in a chroot, break horribly. Mostly they're stuff run from
init.d...

-- 
Andrew Ruthven
Wellington, New Zealand
At home: [email protected] |   linux.conf.au 2013
                           | Come join the party...
                           |  http://linux.conf.au

[signature.asc (application/pgp-signature, inline)]

Message #35 received at [email protected] (full text, mbox, reply):

From: Clint Adams <[email protected]>

To: Andrew Ruthven <[email protected]>, [email protected]

Subject: Re: Bug#703010: debianutils: ischroot can no longer detect vservers

Date: Tue, 30 Jul 2013 16:32:43 +0000

On Tue, Jul 30, 2013 at 09:00:15PM +1200, Andrew Ruthven wrote:
> Totally agree. The problem is with tools that don't run in a chroot, if
> they are in a chroot, break horribly. Mostly they're stuff run from
> init.d...

I think that's what /usr/sbin/policy-rc.d is for.

Message #40 received at [email protected] (full text, mbox, reply):

From: Andrew Ruthven <[email protected]>

To: Clint Adams <[email protected]>

Cc: [email protected]

Subject: Re: Bug#703010: debianutils: ischroot can no longer detect vservers

Date: Fri, 09 Aug 2013 09:05:36 +1200

[Message part 1 (text/plain, inline)]

On Tue, 2013-07-30 at 16:32 +0000, Clint Adams wrote:
> On Tue, Jul 30, 2013 at 09:00:15PM +1200, Andrew Ruthven wrote:
> > Totally agree. The problem is with tools that don't run in a chroot, if
> > they are in a chroot, break horribly. Mostly they're stuff run from
> > init.d...
> 
> I think that's what /usr/sbin/policy-rc.d is for.

Sadly /usr/sbin/policy-rc.d won't fix the initscripts issue as it in is
in the packages postinst. It is all about setting up the /run symlink
and associated bits and pieces.

It takes one approach if it is in a chroot and a totally different
approach if it is a physical host.

The sysvinit postinst script also uses ischroot.

Cheers!

-- 
Andrew Ruthven
Wellington, New Zealand
At home: [email protected] |     linux.conf.au 2014
                           | Come swan on the Swan River
                           |    http://linux.conf.au

[signature.asc (application/pgp-signature, inline)]

Message #45 received at [email protected] (full text, mbox, reply):

From: Dmitry Bogatov <[email protected]>

To: [email protected], [email protected]

Date: Fri, 09 Nov 2018 20:01:27 +0000

[Message part 1 (text/plain, inline)]

control: tag -1 +moreinfo

On my laptop, there is no VxID in /proc/self/status:

	$ cat /proc/self/status
	Name:	cat
	Umask:	0022
	State:	R (running)
	Tgid:	11990
	Ngid:	0
	Pid:	11990
	PPid:	11989
	TracerPid:	0
	Uid:	1000	1000	1000	1000
	Gid:	1000	1000	1000	1000
	FDSize:	64
	Groups:	24 25 27 29 30 44 46 108 109 111 116 999 1000 
	NStgid:	11990
	NSpid:	11990
	NSpgid:	11570
	NSsid:	2243
	VmPeak:	    4172 kB
	VmSize:	    4172 kB
	VmLck:	       0 kB
	VmPin:	       0 kB
	VmHWM:	     744 kB
	VmRSS:	     744 kB
	RssAnon:	      64 kB
	RssFile:	     680 kB
	RssShmem:	       0 kB
	VmData:	     312 kB
	VmStk:	     136 kB
	VmExe:	      28 kB
	VmLib:	    1424 kB
	VmPTE:	      48 kB
	VmSwap:	       0 kB
	HugetlbPages:	       0 kB
	CoreDumping:	0
	Threads:	1
	SigQ:	0/15123
	SigPnd:	0000000000000000
	ShdPnd:	0000000000000000
	SigBlk:	0000000000000000
	SigIgn:	0000000000000000
	SigCgt:	0000000000000000
	CapInh:	0000000000000000
	CapPrm:	0000000000000000
	CapEff:	0000000000000000
	CapBnd:	0000003fffffffff
	CapAmb:	0000000000000000
	NoNewPrivs:	0
	Seccomp:	0
	Speculation_Store_Bypass:	vulnerable
	Cpus_allowed:	f
	Cpus_allowed_list:	0-3
	Mems_allowed:	00000000,00000001
	Mems_allowed_list:	0
	voluntary_ctxt_switches:	0
	nonvoluntary_ctxt_switches:	0

[Message part 2 (application/pgp-signature, inline)]

Message #53 received at [email protected] (full text, mbox, reply):

From: Andrew Ruthven <[email protected]>

To: [email protected]

Subject: Re: Bug#703010: (no subject)

Date: Tue, 13 Nov 2018 18:41:57 +1300

On Fri, 2018-11-09 at 20:01 +0000, Dmitry Bogatov wrote:
> 
> On my laptop, there is no VxID in /proc/self/status:
[snip]

That is correct, as I noted it is only present if you are running a
kernel with the vserver patch applied.

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
[email protected]        | linux.conf.au 2019, Christchurch, NZ
https://catalystcloud.nz |     https://lca2019.linux.org.au

Send a report that this bug log contains spam.