On 05/01/15 16:10, Marc Espie wrote:
> I've worked hard to allow for dpb to work in a new model, most specifically
> so that chroot always works, and also to have a slightly better security
> model.

Thanks for this large improvement. I have struggled w/ the previous chroot
model as I wanted to use stable boxes with idle cycles but did not want to
compromise their working state.

> The corresponding code and documentation have been committed, but they
> probably need people to play with it a bit more to make sure all kinks
> are gone.
>
> There are some important implications with respect to ports bulk building
> security.
>
> In the new model, dpb no longer requires any kind of sudo operation, it's
> moved to a privilege separation model.
>
> - dpb should be started as root, it will drop privileges as needed.
> - the basic core of dpb runs as root, but any time it's actually looking
>   at the ports tree, it will drop to a build_user (which has to be specified).
>   This user does not require any root access.
> - dpb will stay root to run the STARTUP script, and also to run
>   pkg_add/pkg_delete to handle dependencies.
> - fetch can be run as a separate user (thus, the build_user shouldn't even
>   have internet access under normal rules).
>
>
> Commands in the ports tree will actually be run as
> chroot -u build_user /somedir cmd
>
> Thus, all builds are chrooted "by default" with / being used as a root when
> there's no chroot.
>
> Distant builds will ssh from root to root, and run the same command
> (chroot -u build_user /somedir cmd)
> on the distant host.
>
> This is somewhat necessary so that killing dpb will correctly propagate
> signals to all running jobs, which has been an issue with previous attempts
> at running chroot.
>
> That new user model is probably going to become the ONLY operating model
> of dpb in the near future. Having options sucks and is a problem for
> maintenance and security.
>
> People running bulks should transition as soon as they can. The manpage
> mentions which files belong to whom. It is highly advisable to have a
> specific build user without sudo rights and (possibly) restricted net
> access.

While I haven't been successful w/ a partial build, I was able to do a
successful fetch for my partial build. With the latest changes today, I
thought it was time to make a report.

I've created accounts for dpb, dpb_fetch and dpb_log on the relevant boxes
sharing the same gid.

x6v64:build/packages 522>grep ^dpb /etc/passwd
dpb:*:1100:1100:dpb build user:/home/dpb:/bin/ksh
dpb_fetch:*:1101:1100:dpb fetch user:/home/dpb_fetch:/bin/ksh
dpb_log:*:1102:1100:dpb log user:/home/dpb_log:/bin/ksh
x6v64:build/packages 523>grep ^dpb /etc/group
dpb:*:1100:

I use a wrapper and script the session. Here's what I see targeting just
the localhost:

x6v64:build/packages 524>$TIME sudo ./Do_dpb-without-a8v -l -v dirlist.$(arch -s);exit
PACKAGE_REPOSITORY /nas3/work/OpenBSD/packages
BULK_COOKIES_DIR /nas3/work/OpenBSD/x6v64/bulk/amd64
UPDATE_COOKIES_DIR /nas3/work/OpenBSD/x6v64/update/amd64
LOGGER_DIR /usr/obj/amd64/logs
rm -f /nas3/work/OpenBSD/x6v64/bulk/amd64/*
rm -f /nas3/work/OpenBSD/x6v64/update/amd64/*
rm -f /usr/obj/amd64/logs/term-report.log /usr/obj/amd64/logs/debug.log
OPTS=-L /usr/obj/amd64/logs -s -A amd64 -c -R -U -J 0 -X /home/rd/OpenBSD/build/packages/pkg_info-qPa.all -h /home/rd/OpenBSD/build/packages/dpb_hosts.amd64 -f 8 -D SYSLOG
/usr/bin/time sudo /usr/ports/infrastructure/bin/dpb -L /usr/obj/amd64/logs -s -A amd64 -c -R -U -J 0 -X /home/rd/OpenBSD/build/packages/pkg_info-qPa.all -h /home/rd/OpenBSD/build/packages/dpb_hosts.amd64 -f 8 -D SYSLOG -P dirlist.amd64
Too early at /usr/ports/infrastructure/lib/DPB/Logger.pm line 33.
        DPB::Logger::new(DPB::Logger, DPB::State=HASH(0xc4e35c64670)) called at /usr/ports/infrastructure/lib/DPB/State.pm line 143
        DPB::State::handle_options(DPB::State=HASH(0xc4e35c64670)) called at /usr/ports/infrastructure/bin/dpb line 145
        0.84 real         0.45 user         0.13 sys
        6.17 real         0.93 user         0.68 sys

Here's more info related to the above invocation:

x6v64:build/packages 531>cat dpb_hosts.amd64
DEFAULT timeout=10 build_user=dpb memory=200M stuck=1000 fetch_user=dpb_fetch log_user=dpb_log arch=amd64 STARTUP=/home/rd/OpenBSD/build/packages/dpb_start
dpb@localhost stuck=2000 memory=1G sf=1 jobs=1 arch=amd64
x6v64:build/packages 532>cat dirlist.amd64
databases/p5-ldap
x6v64:build/packages 533>cat pkg_info-qPa.all
databases/p5-ldap

After the above, there are no file updates in the $LOGGER_DIR although
ownership and perms seem ok:

x6v64:build/packages 535>ls -ld /usr/obj/amd64/logs
drwxrwxrwx  6 rd  dpb  1024 May 10 07:22 /usr/obj/amd64/logs

I've collected the syslog debug level and don't see any clues (/usr &
/usr/local are separate partitions mounted read-only so the dpb_start script
makes them read-only and results in the following sudo mount entries):

x6v64:build/packages 536>cat /var/log/debug
May 10 07:41:19 x6v64 syslogd: start
May 10 07:41:20 x6v64 ntpd[21836]: no reply from 10.1.2.18 received in time, next query 300s
May 10 07:41:59 x6v64 sudo: rd : TTY=ttyp2 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=./Do_dpb-without-a8v -l -v dirlist.amd64
May 10 07:42:00 x6v64 sudo: rd : TTY=ttyp2 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/sbin/mount -uw /usr/local
May 10 07:42:01 x6v64 sudo: rd : TTY=ttyp2 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/sbin/mount -uw /usr
May 10 07:42:02 x6v64 sudo: rd : TTY=ttyp2 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/usr/ports/infrastructure/bin/dpb -L /usr/obj/amd64/logs -s -A amd64 -c -R -U -J 0 -X /home/rd/OpenBSD/build/packages/pkg_info-qPa.all -h /home/rd/OpenBSD/build/packages/dpb_hosts.amd64 -f 8 -D SYSLOG -P dirlist.amd64
May 10 07:42:02 x6v64 sshd[11942]: Accepted publickey for dpb from 127.0.0.1 port 28093 ssh2: RSA SHA256:q5p33L/xs9VWWeiZWMFdY9gtGAMT7tqjozMM9zAocn0
May 10 07:42:03 x6v64 sudo: rd : TTY=ttyp2 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/sbin/mount -ur /usr/local
May 10 07:42:04 x6v64 sudo: rd : TTY=ttyp2 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/sbin/mount -ur /usr
May 10 07:42:20 x6v64 sudo: rd : TTY=ttyp5 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/usr/bin/vi /etc/syslog.conf
May 10 07:42:34 x6v64 sudo: rd : TTY=ttyp5 ; PWD=/home/rd/OpenBSD/build/packages ; USER=root ; COMMAND=/etc/rc.d/syslogd restart
May 10 07:42:34 x6v64 syslogd: exiting on signal 15

Sorry to be so long-winded, but I wanted to provide as much info as
possible. I've apparently misconfigured/misunderstood/??? something about
the new model. Please help.

Thanks,
Bob

dmesg:
OpenBSD 5.7-current (GENERIC) #909: Sat May  2 09:13:13 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
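As an added example (not code from this thread or from dpb itself), a small shell linter that reads a hosts file in the layout of Bob's dpb_hosts.amd64 and reports settings that contradict the privilege-separation model Marc describes above: a missing or root build_user, a host entry whose login user differs from the root-to-root ssh he describes, and a fetch_user identical to the build_user. The file syntax it assumes (a DEFAULT line, whitespace-separated key=value pairs, an optional user@ prefix on host entries) is taken from Bob's file; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of dpb: lint a dpb hosts file
# against the privilege-separation model described in the thread.
# Assumed syntax (from Bob's dpb_hosts.amd64): whitespace-separated key=value
# options, a DEFAULT line for shared options, host lines with optional user@.

# Constructed sample modelled on Bob's file; the third host is deliberately bad.
SAMPLE_HOSTS='DEFAULT timeout=10 build_user=dpb memory=200M stuck=1000 fetch_user=dpb_fetch log_user=dpb_log arch=amd64
dpb@localhost stuck=2000 memory=1G sf=1 jobs=1 arch=amd64
buildbox2 jobs=4 fetch_user=dpb
root@buildbox3 build_user=root'

# lint_dpb_hosts: reads a hosts file on stdin, prints the effective users per
# host plus WARN/NOTE lines for settings that contradict the new model.
lint_dpb_hosts() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    $1 == "DEFAULT" {
        for (i = 2; i <= NF; i++) if (split($i, p, "=") == 2) def[p[1]] = p[2]
        next
    }
    {
        # effective settings: DEFAULT first, then the host line on top of it
        split("", eff)
        for (k in def) eff[k] = def[k]
        for (i = 2; i <= NF; i++) if (split($i, p, "=") == 2) eff[p[1]] = p[2]
        host = $1; user = "root"
        if ((at = index(host, "@")) > 0) {
            user = substr(host, 1, at - 1); host = substr(host, at + 1)
        }
        printf "%s build_user=%s fetch_user=%s log_user=%s\n", host, eff["build_user"], eff["fetch_user"], eff["log_user"]
        if (eff["build_user"] == "")
            printf "WARN %s: no build_user set; the new model requires one\n", host
        else if (eff["build_user"] == "root")
            printf "WARN %s: build_user is root; builds should drop to an unprivileged user\n", host
        if (user != "root")
            printf "WARN %s: entry logs in as %s, but the new model sshes root to root\n", host, user
        if (eff["fetch_user"] != "" && eff["fetch_user"] == eff["build_user"])
            printf "NOTE %s: fetch_user equals build_user, so the build user keeps net access\n", host
    }'
}

# count_warnings: number of WARN lines for the hosts file on stdin.
count_warnings() { lint_dpb_hosts | grep -c '^WARN'; }

printf '%s\n' "$SAMPLE_HOSTS" | lint_dpb_hosts
```

Feed it a real hosts file with `lint_dpb_hosts < /path/to/dpb_hosts` to see which entries still carry settings from the old model.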