- Package:
- debianutils
- Source:
- debianutils
- Description:
- Miscellaneous utilities specific to Debian
- Submitter:
- Andrew Ruthven
- Date:
- 2021-09-16 19:57:02 UTC
- Severity:
- wishlist
- Tags:
[resubmitting as something seems to have gone wrong with creating the bug] Dear Maintainer, The ischroot code checks to see if it can access /proc/1/root to determine if it is a running inside a chroot. Within vservers you can now read /proc/1/root so it is no longer a sufficient test for vservers. On newer vserver patches a better check is to look for a VxID line in /proc/self/status. If the line is present you're running a vserver kernel. If the value is 0, then you're on the physical host, anything else means you're in a vserver. Inside a vserver: puck@build-sid-amd64:/$ grep VxID /proc/self/status VxID: 12 puck@build-sid-amd64:/$ On the physical host: build-servers:~$ grep VxID /proc/self/status VxID: 0 puck@build-servers:~$ I've set this bug report to important as it is stopping initscripts from being installable on a Wheezy vserver. This is the case on Linux kernel 3.4 + 2.3.3.9 vserver patch. The 3.2 kernel set of patches is not affected by this change of behaviour. Cheers!
The big downside to that approach that I can see is that according to the changelog ischroot was implemented to *stop* people having checks spread all over the place. And as we've just discovered those checks break over time as things progress. Better to have them in one place, than spread around. I guess that question comes down to, is the mount that initscripts postinst doing appropriate in chroots in general? At a guess no, otherwise it wouldn't use ischroot. I have proposed patch for ischroot that is attached to bug #703012 (curse the BTS for not creating my bug reports in a timely manner). Cheers!
I don't know; it seems pretty stupid to base script behavior on whether one is in a "chroot" or not.
Totally agree. The problem is with tools that don't run in a chroot, if they are in a chroot, break horribly. Mostly they're stuff run from init.d...
I think that's what /usr/sbin/policy-rc.d is for.
Sadly /usr/sbin/policy-rc.d won't fix the initscripts issue as it in is in the packages postinst. It is all about setting up the /run symlink and associated bits and pieces. It takes one approach if it is in a chroot and a totally different approach if it is a physical host. The sysvinit postinst script also uses ischroot. Cheers!
control: tag -1 +moreinfo On my laptop, there is no VxID in /proc/self/status: $ cat /proc/self/status Name: cat Umask: 0022 State: R (running) Tgid: 11990 Ngid: 0 Pid: 11990 PPid: 11989 TracerPid: 0 Uid: 1000 1000 1000 1000 Gid: 1000 1000 1000 1000 FDSize: 64 Groups: 24 25 27 29 30 44 46 108 109 111 116 999 1000 NStgid: 11990 NSpid: 11990 NSpgid: 11570 NSsid: 2243 VmPeak: 4172 kB VmSize: 4172 kB VmLck: 0 kB VmPin: 0 kB VmHWM: 744 kB VmRSS: 744 kB RssAnon: 64 kB RssFile: 680 kB RssShmem: 0 kB VmData: 312 kB VmStk: 136 kB VmExe: 28 kB VmLib: 1424 kB VmPTE: 48 kB VmSwap: 0 kB HugetlbPages: 0 kB CoreDumping: 0 Threads: 1 SigQ: 0/15123 SigPnd: 0000000000000000 ShdPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 NoNewPrivs: 0 Seccomp: 0 Speculation_Store_Bypass: vulnerable Cpus_allowed: f Cpus_allowed_list: 0-3 Mems_allowed: 00000000,00000001 Mems_allowed_list: 0 voluntary_ctxt_switches: 0 nonvoluntary_ctxt_switches: 0
control: tag -1 +moreinfo On my laptop, there is no VxID in /proc/self/status: $ cat /proc/self/status Name: cat Umask: 0022 State: R (running) Tgid: 11990 Ngid: 0 Pid: 11990 PPid: 11989 TracerPid: 0 Uid: 1000 1000 1000 1000 Gid: 1000 1000 1000 1000 FDSize: 64 Groups: 24 25 27 29 30 44 46 108 109 111 116 999 1000 NStgid: 11990 NSpid: 11990 NSpgid: 11570 NSsid: 2243 VmPeak: 4172 kB VmSize: 4172 kB VmLck: 0 kB VmPin: 0 kB VmHWM: 744 kB VmRSS: 744 kB RssAnon: 64 kB RssFile: 680 kB RssShmem: 0 kB VmData: 312 kB VmStk: 136 kB VmExe: 28 kB VmLib: 1424 kB VmPTE: 48 kB VmSwap: 0 kB HugetlbPages: 0 kB CoreDumping: 0 Threads: 1 SigQ: 0/15123 SigPnd: 0000000000000000 ShdPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 NoNewPrivs: 0 Seccomp: 0 Speculation_Store_Bypass: vulnerable Cpus_allowed: f Cpus_allowed_list: 0-3 Mems_allowed: 00000000,00000001 Mems_allowed_list: 0 voluntary_ctxt_switches: 0 nonvoluntary_ctxt_switches: 0
[snip] That is correct, as I noted it is only present if you are running a kernel with the vserver patch applied. Cheers, Andrew