-
Notifications
You must be signed in to change notification settings - Fork 17.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/build: TestGdbBacktrace
fails on Linux builders with gdb
version >=11.1
due to AppArmor restrictions on /proc/.../task/.../mem
#54352
Comments
Change https://go.dev/cl/422294 mentions this issue: |
Disable the TestGdb* testpoints until we can figure out why they are failing and reconfigure the machine properly. Updates #54352. Change-Id: Id9c76a0ba6e23b5deff24f521a1c8e0aafb6481a Reviewed-on: https://go-review.googlesource.com/c/go/+/422294 Reviewed-by: Cherry Mui <cherryyz@google.com> Run-TryBot: Than McIntosh <thanm@google.com>
Disable the TestGdb* testpoints until we can figure out why they are failing and reconfigure the machine properly. Updates golang#54352. Change-Id: Id9c76a0ba6e23b5deff24f521a1c8e0aafb6481a Reviewed-on: https://go-review.googlesource.com/c/go/+/422294 Reviewed-by: Cherry Mui <cherryyz@google.com> Run-TryBot: Than McIntosh <thanm@google.com>
Strace on gdb (without -f to avoid interfering entirely) shows
That EACCES is not in the /proc implementation itself. It could have been (and I suspect was) introduced by AppArmor ahead of the actual call into the /proc implementation. This started with the update from Alpine 3.10 to Alpine 3.16 because Alpine 3.16 includes gdb 11.2. Starting in gdb 11.1 (Sept 2021), gdb uses the /proc/.../task/.../mem file to do short writes to the user process memory, such as when setting breakpoints. Prior to gdb 11.1, large writes used the mem file, but writes smaller than 3 words (the breakpoint is only 1 byte) used ptrace directly. I suspect all our other builders have gdb prior to 11.1. I confirmed that the linux-amd64 builder has gdb 10.1. Probably there is a way to change the container configuration to override the AppArmor configuration to allow the writes to proc. I found the 'docker-default' configuration here and it seems to allow writing to /proc/.../task/.../mem. We don't seem to be doing anything explicitly with AppArmor for our containers in the coordinator. But perhaps the Container-Optimized OS image has a different default AppArmor config. Leaving the test disabled for now seems fine. Someone who understands Container-Optimized OS and AppArmor will need to relax the permissions. |
It would be nice to get this prioritized -- based on Dmitri's experience in #57520, it seems like it's going to bite us every time we try to set up a modern Linux builder. |
Since this has been punted a couple times already, I'm inclined to move this to Backlog. Though, based on Russ' comment, perhaps this should be in Unreleased? It sounds like the fix here is actually on the x/build side? Updating the issue title optimistically. Please comment if you disagree. Thanks! |
/proc/.../task/.../mem
/proc/.../task/.../mem
TestGdbBacktrace
fails on Linux builders with gdb
version >=11.1
due to AppArmor restrictions on /proc/.../task/.../mem
What version of Go are you using (
go version
)?This is with tip.
What operating system and processor architecture are you using (
go env
)?linux/amd64 on the linux-amd64-alpine builder
What did you do?
go test -test.v -test.run=TestGdbBacktrace runtime
What did you expect to see?
pass
What did you see instead?
This needs to be looked into -- I am not sure what the issue might be. I did try:
on the builder, but I am still seeing the failure.
The text was updated successfully, but these errors were encountered: