From: Ludovic Courtès
Subject: [bug#41189] [PATCH 0/3] Add Fakechroot engine for 'guix pack -RR'
To: Carlos O'Donell
Cc: 41189@debbugs.gnu.org
Date: Tue, 12 May 2020 12:03:29 +0200
Message-ID: <87r1vpbhce.fsf@gnu.org>
In-Reply-To: <28e3ffa2-b565-3052-e0c7-7208fab25a11@redhat.com> (Carlos O'Donell's message of "Mon, 11 May 2020 17:18:04 -0400")

Hi Carlos,

Carlos O'Donell wrote:

> There are two issues at hand:
> * Standard namespace issues (conformance)
> * PLT avoidance issues (performance)
>
> See:
> https://sourceware.org/glibc/wiki/Style_and_Conventions#Double-underscore_names_for_public_API_functions
>
> It is an internal implementation detail that open(2) is being called by
> the library, and as such glibc bypasses the ELF interposable symbol
> open, and instead calls open directly without this being visible to the
> application.
>
> There are many such cases where we bypass the ELF interposable symbol to
> provide standard namespace cleanliness, performance, and so provide consistent
> behaviour.

It makes sense to me, thanks for explaining.

> Yes, in your case this means you cannot override the behaviour of the
> interface without using some kind of bind mount, or mount namespace
> (to provide an alternate view of the filesystem).

Agreed, unprivileged user namespaces with bind mounts are the preferred
solution; the LD_PRELOAD hack discussed here is for when they’re
unavailable and PRoot is too slow.

> We would have to argue upstream that some minimal subset of the filesystem
> access should be interposable via open/close/read/write, but that's going
> to get difficult quickly and have significant performance problems.

Yes, understood.  (I wasn’t going to suggest it.  :-))

> It would be simpler, IMO, to set LOCPATH and GCONV_PATH appropriately and
> alter the runtime behaviour that way. If that doesn't work, perhaps because
> of setuid, then we can discuss further.

Yes, setting ‘GCONV_PATH’ in particular seems like something the wrapper
could automatically do.
The attached patch does that and now Guile runs
fine with the ld.so/fakechroot “engine”.

One thing that won’t work is dlopen because our ‘--library-path’
argument is computed statically based on the RUNPATH of the wrapped
program.  So for instance if you try to load guile-readline.so from
Guile, it eventually fails because libreadline.so isn’t found
(libreadline.so is in the RUNPATH of guile-readline.so, but the loader
uses non-interposable calls here as well.)  Probably no simple solution
to that one.

Thanks for your feedback, Carlos!

Ludo’.

diff --git a/gnu/packages/aux-files/run-in-namespace.c b/gnu/packages/aux-files/run-in-namespace.c index ed72a169f2..c56c35a510 100644 --- a/gnu/packages/aux-files/run-in-namespace.c +++ b/gnu/packages/aux-files/run-in-namespace.c @@ -425,6 +427,15 @@ exec_with_loader (const char *store, int argc, char *argv[]) mkdir_p (new_store_parent); symlink (store, new_store); +#ifdef GCONV_DIRECTORY + /* Tell libc where to find its gconv modules. This is necessary because + gconv uses non-interposable 'open' calls. */ + char *gconv_path = concat (store, + GCONV_DIRECTORY + sizeof "@STORE_DIRECTORY@"); + setenv ("GCONV_PATH", gconv_path, 1); + free (gconv_path); +#endif + setenv ("FAKECHROOT_BASE", new_root, 1); pid_t child = fork (); diff --git a/guix/scripts/pack.scm b/guix/scripts/pack.scm index 2d856066b2..2b37bf5027 100644 --- a/guix/scripts/pack.scm +++ b/guix/scripts/pack.scm @@ -739,6 +739,12 @@ last resort for relocation." bv 0 (bytevector-length bv)) (utf8->string bv))))) + (define (gconv-directory directory) + ;; Return DIRECTORY/gconv if it exists as a directory. + (let ((gconv (string-append directory "/gconv"))) + (and (directory-exists? gconv) + gconv))) + (define (elf-loader-compile-flags program) ;; Return the cpp flags defining macros for the ld.so/fakechroot ;; wrapper of PROGRAM. 
@@ -750,8 +756,9 @@ last resort for relocation." (match (elf-dynamic-info elf) (#f '()) (dyninfo - (let ((runpath (elf-dynamic-info-runpath dyninfo)) - (interp (elf-interpreter elf))) + (let* ((runpath (elf-dynamic-info-runpath dyninfo)) + (gconv (any gconv-directory runpath)) + (interp (elf-interpreter elf))) (if interp (list (string-append "-DPROGRAM_INTERPRETER=\"" interp "\"") @@ -762,7 +769,12 @@ last resort for relocation." ", ") ", NULL }") (string-append "-DFAKECHROOT_LIBRARY=\"" - #$(fakechroot-library) "\"")) + #$(fakechroot-library) "\"") + + (if gconv + (string-append "-DGCONV_DIRECTORY=\"" + gconv "\"") + "-UGCONV_DIRECTORY")) '()))))) '())) --=-=-=--
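
Review bot: In the `#ifdef GCONV_DIRECTORY` block added to `exec_with_loader` in run-in-namespace.c, the offset in `GCONV_DIRECTORY + sizeof "@STORE_DIRECTORY@"` is only in bounds when the macro value really begins with the store directory followed by one more character, and nothing in the hunk checks that. The value comes from a RUNPATH entry chosen in pack.scm, so an entry shorter than or outside the store prefix would make the pointer run past the string literal. Either state the assumption in the comment or guard it, for example with a `strncmp` against the store prefix before applying the offset. The `setenv ("GCONV_PATH", gconv_path, 1)` call also overwrites any GCONV_PATH already present in the caller's environment and ignores the return value; the comment should say whether overriding the user's setting is intended.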
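
Review bot: In the `let*` of `elf-loader-compile-flags` in pack.scm, `(any gconv-directory runpath)` takes the first RUNPATH entry that happens to contain a `gconv` subdirectory, whichever library that entry belongs to. The C side describes the result as libc's gconv modules, so a short comment here stating that the match is expected to be libc's library directory would document the assumption, and a stricter match on that entry would avoid pointing GCONV_PATH at an unrelated directory.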
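
A bounds-checked way to rebase a store path before exporting GCONV_PATH, the step the message above says the wrapper could do automatically. This is an added example, not code from the patch or from Guix; the helper names `relocate_store_path` and `export_relocated_gconv_path` and the sample paths are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* for setenv */
#endif
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a newly allocated copy of PATH with its
   ORIGINAL_STORE prefix replaced by RELOCATED_STORE, or NULL when PATH is
   not strictly inside ORIGINAL_STORE or allocation fails.  */
char *relocate_store_path (const char *original_store,
                           const char *relocated_store, const char *path)
{
  size_t prefix = strlen (original_store);
  /* Require "<store>/<something>": rejects "/usr/lib/gconv", the bare store
     name, and look-alikes such as "/gnu/store-evil/lib/gconv".  */
  if (prefix == 0 || strncmp (path, original_store, prefix) != 0
      || path[prefix] != '/' || path[prefix + 1] == '\0')
    return NULL;
  const char *rest = path + prefix;  /* begins with '/' */
  char *result = malloc (strlen (relocated_store) + strlen (rest) + 1);
  if (result != NULL)
    {
      strcpy (result, relocated_store);
      strcat (result, rest);
    }
  return result;
}

/* Hypothetical helper: export GCONV_PATH for the relocated store.  Return 0
   on success, -1 if GCONV_DIRECTORY is rejected or setenv fails.  */
int export_relocated_gconv_path (const char *original_store,
                                 const char *relocated_store,
                                 const char *gconv_directory)
{
  char *gconv_path = relocate_store_path (original_store, relocated_store,
                                          gconv_directory);
  if (gconv_path == NULL)
    return -1;
  int status = setenv ("GCONV_PATH", gconv_path, 1);
  free (gconv_path);
  return status;
}

int main (void)
{
  /* Constructed sample paths, not taken from a real pack.  */
  return export_relocated_gconv_path ("/gnu/store", "/tmp/pack/gnu/store",
                                      "/gnu/store/abc-glibc/lib/gconv");
}
```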