1.5.8 +seccomp halts memcached #399
Comments
in the HACKING file there's a description of how to debug seccomp stuff. what're the OS/kernel/libc versions between the two machines? recently it seems like a lot of new restriction points are being added. :/ poking @viraptor as well
Security always reduces user-friendliness, but that shouldn't be a reason not to add it! I think it's great @viraptor added seccomp to memcached and the Archlinux developers enabled it. I'm pretty sure the related PR fixes this, can you review it? As for the details, both machines run the latest Archlinux packages (currently
It's in the queue for review; I'm taking a break this week. I have no problem with seccomp; I do have a problem of it getting enabled without testing, and I worry that for every user like you 100 are silently miserable. :/ It's been a bunch of changes to a bunch of different platforms, it's not maintainable in this form at all. I think viraptor mentioned a better approach to implementing it, but I'm not too familiar with how it's supposed to be used yet.
I'm just testing the fix. It looks like a reasonable approach. Thank you @SjonHortensius!
I think the check for
@viraptor thanks. I think the reason the testcase doesn't fail is related to the fact that some machines (like the first strace in this bugreport) don't actually call I've copied the
@SjonHortensius That post on Manjaro is actually for ARM (sorry I forgot to mention it, but looks like it's not relevant now as the problem is not architecture specific). I've also experienced this same problem #384 but only on ARM, on my dev machine using Manjaro x86 I haven't encountered this problem yet.
I just installed 1.5.8 (on x86_64) with seccomp enabled but it hangs (sometimes after processing a few calls) without any relevant error. ps lists the process as defunct. This seems seccomp related - but since there is no relevant output from either -vvv or gdb I'm not sure. This only fails on a single x86-64 machine, on others it seems to work fine.
I also noticed https://forum.manjaro.org/t/memcached-not-starting-systemctl-reporting-it-is/49038, also on Arch. If I disable seccomp, everything works fine. Can I debug this further?
Shouldn't seccomp fails be logged somewhere instead of silently pausing/killing/hanging memcached?
Both strace and the above audit line point to sys_clock_gettime being the culprit by the way:
Here it works fine:
here it hangs, and cannot be terminated (needs kill -9 from other console):
Can anyone explain the difference between these two machines?
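On where seccomp denials get logged: on Linux they can appear as SECCOMP records in the audit log, the kind of audit line the report refers to. The following is an added example, not part of the original thread or of memcached's code, that parses such records and names the blocked syscall; the sample records are constructed and the syscall tables are deliberately partial.

```python
import re
from collections import Counter

# AUDIT_ARCH_* values and a partial syscall table (only the numbers used here).
ARCHES = {0xC000003E: "x86_64", 0xC00000B7: "aarch64"}
SYSCALLS = {
    "x86_64": {0: "read", 1: "write", 202: "futex", 228: "clock_gettime"},
    "aarch64": {63: "read", 64: "write", 98: "futex", 113: "clock_gettime"},
}
# seccomp return actions as they appear in the record's code= field.
ACTIONS = {0x00000000: "KILL_THREAD", 0x80000000: "KILL_PROCESS",
           0x00030000: "TRAP", 0x7FFC0000: "LOG"}

# Constructed sample audit records; not taken from the issue.
SAMPLE = '''\
type=SECCOMP msg=audit(1530000000.101:301): auid=1000 uid=1000 gid=1000 ses=1 pid=4242 comm="memcached" exe="/usr/bin/memcached" sig=31 arch=c000003e syscall=228 compat=0 ip=0x7ffd2a5f1b49 code=0x0
type=SERVICE_START msg=audit(1530000001.000:302): pid=1 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" res=success
type=SECCOMP msg=audit(1530000002.450:303): auid=1000 uid=1000 gid=1000 ses=1 pid=4242 comm="memcached" exe="/usr/bin/memcached" sig=31 arch=c000003e syscall=228 compat=0 ip=0x7ffd2a5f1b49 code=0x0
type=SECCOMP msg=audit(1530000005.900:310): auid=1000 uid=1000 gid=1000 ses=2 pid=977 comm="memcached" exe="/usr/bin/memcached" sig=31 arch=c00000b7 syscall=999 compat=0 ip=0xffff9c1d2e10 code=0x80000000
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def blocked_syscalls(log_text, comm="memcached"):
    """Count (arch, syscall, action) per SECCOMP record for one process name."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rec.get("type") != "SECCOMP" or rec.get("comm") != comm:
            continue
        if not {"arch", "syscall", "code"} <= rec.keys():
            continue  # truncated record: skip rather than guess
        arch = ARCHES.get(int(rec["arch"], 16), "arch-" + rec["arch"])
        nr = int(rec["syscall"])
        # Unknown numbers are reported raw instead of being guessed.
        name = SYSCALLS.get(arch, {}).get(nr, f"syscall#{nr}")
        action = ACTIONS.get(int(rec["code"], 16), rec["code"])
        hits[(arch, name, action)] += 1
    return hits

if __name__ == "__main__":
    for (arch, name, action), n in blocked_syscalls(SAMPLE).most_common():
        print(f"{n:3d}  {arch:8s} {name:16s} {action}")
```
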