Bug#901030: add "needs-binfmt" to "Defined restrictions"

To: Ian Jackson <ijackson@chiark.greenend.org.uk>, 901030@bugs.debian.org
Cc: Hans-Christoph Steiner <hans@eds.org>
Subject: Bug#901030: add "needs-binfmt" to "Defined restrictions"
From: Simon McVittie <smcv@debian.org>
Date: Thu, 14 Jun 2018 18:21:46 +0100
Message-id: <[🔎] 20180614172146.GA8469@espresso.pseudorandom.co.uk>
Reply-to: Simon McVittie <smcv@debian.org>, 901030@bugs.debian.org
In-reply-to: <[🔎] 23327.62042.142444.923242@chiark.greenend.org.uk>
References: <[🔎] 95135742-e5da-b71d-82eb-1f346ba172fa@eds.org> <[🔎] 31749b84-394d-aa78-e745-10c20a8c3e61@eds.org> <m2n.s.1fRIsR-117547@chiark.greenend.org.uk> <[🔎] 23322.46429.855030.187875@chiark.greenend.org.uk> <m2n.s.1fSid3-150108@chiark.greenend.org.uk> <[🔎] 95135742-e5da-b71d-82eb-1f346ba172fa@eds.org> <[🔎] 23327.62042.142444.923242@chiark.greenend.org.uk> <[🔎] 95135742-e5da-b71d-82eb-1f346ba172fa@eds.org>

On Tue, 12 Jun 2018 at 17:18:34 +0100, Ian Jackson wrote:
> Hans-Christoph Steiner writes ("Bug#901030: some context"):
> > I agree that there can't be a Restriction for every config under the
> > sun.

Having tests be able to probe for their own requirements and declare
themselves to have been skipped, as they could in Automake (exit 77)
or TAP (print "1..0 # SKIP ${details}"), would be one way out of that.
https://salsa.debian.org/ci-team/autopkgtest/merge_requests/20
proposes a "skippable" restriction, which means: if the test script
exits 77, it is to be treated as skipped rather than failed.

> > As for the binfmt_misc module discussion, I know nothing about how that
> > works.  If you can fix this issue in the kernel, fine by me.
> 
> ISTM that the bug is that the binfmt thing is not properly virtualised
> by containers.  We don't have to fix that in the kernel; we could
> bodge it by installing binfmt-misc in the host.

Reference on binfmt_misc:
https://www.kernel.org/doc/html/v4.17/admin-guide/binfmt-misc.html

Briefly, it's a way to tell the kernel to treat particular (binary) file
contents in executable files as though they were #! lines for particular
interpreters.

I think there are two aspects of namespace-awareness ("virtualization"
for containers) that matter here:

- The fact that the binfmt_misc kernel module was loaded is not
  namespaced, and in any case only the host system can load modules for
  the obvious security reasons, so the kernel module has to be enabled
  in the host, not the container. That's relatively non-problematic.

- The registrations ("executables matching pattern X are executed by
  interpreter Y") are not namespaced, so it would be unsafe to allow
  processes in a container to create new registrations: if they could,
  then they could register "executables resembling ELF binaries are
  executed by /bin/rm" and the host system would eventually delete
  itself. That's a showstopper.

So I think tests that rely on binfmt_misc are always going to require
Restrictions: isolation-machine, unless/until the kernel can be made to
keep a separate table of binfmt_misc (pattern -> interpreter) mappings
for each "container" (in kernel terms, for each mount namespace or user
namespace or some new namespace type). That does not seem likely to
happen any time soon.

    smcv

Reply to:

Follow-Ups:
- Bug#901030: add "needs-binfmt" to "Defined restrictions"
  - From: Martin Pitt <mpitt@debian.org>

References:
- Bug#901030: add "needs-binfmt" to "Defined restrictions"
  - From: Hans-Christoph Steiner <hans@eds.org>
- Bug#901030: some context
  - From: Hans-Christoph Steiner <hans@eds.org>
- Bug#901030: some context
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#901030: some context
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#851558: autopkgtest: define Restrictions for tests that aren't suitable for gating CI
Next by Date: Bug#901030: plain registrations on the container host
Previous by thread: Bug#901030: some context
Next by thread: Bug#901030: add "needs-binfmt" to "Defined restrictions"
Index(es):
- Date
- Thread