TestSetuidEtc fails during test execution in a container


Kumar Srinivasan

May 12, 2021, 5:12:45 PM
to golang-nuts
Hello,

This is the first time I am posting to this group, apologies if this is the wrong forum.

I am trying to build the go sources and test the built sources, so effectively I am running
% cd go-source-dir/src && GOROOT_BOOTSTRAP=<redacted>/BOOT_GO bash ./all.bash
I am seeing this failure attached below when I build and test within a container.
However I don't see this issue in a Virtual Machine running CentOS7.

Appreciate any help or insights anyone can offer.

Thanks
Kumar Srinivasan

% uname -a

Linux 7bb298e4-71d7-4f5e-4d4c-d58ac8ce61ac 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64

<redacted for clarity>
--- FAIL: TestSetuidEtc (0.12s)
syscall_linux_test.go:668: [6] "Setgroups([]int{0,1,2,3})" comparison: "/proc/32911/status" got:"Groups:\t1 2 3 0" want:"Groups:\t0 1 2 3" (bad) [pid=32911 file:'Name: syscall.test
Umask: 0022
State: S (sleeping)
Tgid: 32911
Ngid: 0
Pid: 32911
PPid: 10324
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 64
Groups: 1 2 3 0
NStgid: 32911
NSpid: 32911
NSpgid: 7
NSsid: 7
VmPeak: 1092152 kB
VmSize: 1034812 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 5372 kB
VmRSS: 5372 kB
RssAnon: 1416 kB
RssFile: 3956 kB
RssShmem: 0 kB
VmData: 169344 kB
VmStk: 132 kB
VmExe: 1384 kB
VmLib: 1464 kB
VmPTE: 140 kB
VmSwap: 0 kB
HugetlbPages: 0 kB
CoreDumping: 0
Threads: 8
SigQ: 2/128577
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000300000
SigCgt: fffffffdffc1feff
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
NoNewPrivs: 0
Seccomp: 2
Speculation_Store_Bypass: thread force mitigated
Cpus_allowed: ff
Cpus_allowed_list: 0-7
Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 22
nonvoluntary_ctxt_switches: 52
' Pid: 32911]
FAIL
FAIL syscall 0.724s

<redacted for clarity>

Ian Lance Taylor

May 12, 2021, 5:34:09 PM
to Kumar Srinivasan, golang-nuts, a...@google.com
[ + agm ]

Kumar Srinivasan

May 12, 2021, 5:47:33 PM
to Ian Lance Taylor, a...@google.com, golang-nuts
Whoops, I missed mentioning I was trying to build and test this branch + hash: 




Thanks
Kumar

Andrew G. Morgan

May 12, 2021, 5:47:36 PM
to golang-nuts

It looks like the CapBound here is non-default. That is, this container is running with non-default restrictions.

$ /sbin/capsh --decode=0x00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

The environment appears to be denying cap_setgid - which is why the Setgroups() call is failing.

Is adjusting that environmental choice possible?

Cheers

Andrew

Ian Lance Taylor

May 12, 2021, 5:53:19 PM
to Andrew G. Morgan, golang-nuts
On Wed, May 12, 2021 at 2:47 PM 'Andrew G. Morgan' via golang-nuts
<golan...@googlegroups.com> wrote:
>
>
> It looks like the CapBound here is non-default. That is, this container is running with non-default restrictions.
>
> $ /sbin/capsh --decode=0x00000000a80425fb
> 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
>
> The environment appears to be denying cap_setgid - which is why the Setgroups() call is failing.
>
> Is adjusting that environmental choice possible?

Alternatively, can the test code detect that those restrictions are
being applied, and skip the test in that case? That's our usual
pattern for tests that can't be run in some environments. Thanks.

Ian

Andrew G. Morgan

May 12, 2021, 6:48:15 PM
to golang-nuts
OK. I've filed this bug. If we want to go this route, please assign it to me:

https://github.com/golang/go/issues/46145

Andrew G. Morgan

May 12, 2021, 10:31:29 PM
to golang-nuts
Mea culpa. I clearly misread the capsh output.

There is a cap_setgid in there. Looking closer at the output the miscompare is there in the first line. The groups are listed in an unsorted order. That is not expected by the test. Let me see what is causing this to happen. I'll use the bug to investigate and document what I find.

Cheers

Andrew
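
Added example, not part of the thread or of the Go test suite: one way to make both checks from this message mechanical, by testing the cap_setgid bit in the CapEff mask directly and comparing the Groups line without regard to order. The helper names (statusField, hasCap, sameGroups) are hypothetical, the sample input is constructed from three lines of the status dump above, and bit 6 for CAP_SETGID is taken from linux/capability.h.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample: three lines copied from the failing status dump in this thread.
const sampleStatus = "Groups:\t1 2 3 0 \nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

// Bit number of CAP_SETGID in linux/capability.h.
const capSetgid = 6

// statusField (hypothetical helper) returns the value of one "Key:\tvalue" line.
func statusField(status, key string) (string, bool) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, key+":") {
			return strings.TrimSpace(strings.TrimPrefix(line, key+":")), true
		}
	}
	return "", false
}

// hasCap reports whether capability bit n is set in a hex mask such as CapEff.
func hasCap(hexMask string, n uint) (bool, error) {
	mask, err := strconv.ParseUint(hexMask, 16, 64)
	if err != nil {
		return false, err
	}
	return mask&(1<<n) != 0, nil
}

// sameGroups compares two Groups values as multisets of IDs, ignoring order.
func sameGroups(got, want string) bool {
	g, w := strings.Fields(got), strings.Fields(want)
	sort.Strings(g)
	sort.Strings(w)
	return strings.Join(g, " ") == strings.Join(w, " ")
}

func main() {
	eff, _ := statusField(sampleStatus, "CapEff")
	ok, err := hasCap(eff, capSetgid)
	fmt.Println("cap_setgid effective:", ok, err)
	groups, _ := statusField(sampleStatus, "Groups")
	fmt.Println("exact:", groups == "0 1 2 3", "unordered:", sameGroups(groups, "0 1 2 3"))
}
```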

Kumar Srinivasan

May 12, 2021, 11:27:35 PM
to Andrew G. Morgan, golang-nuts
Yes I was wondering about that.

Meanwhile, is there a way to exclude that test?

Kumar

Andrew G. Morgan

May 13, 2021, 12:01:51 AM
to golang-nuts

As a quick hack, you could just delete the src/syscall/syscall_linux_test.go file. Obviously, that will not test a bunch of stuff, but it should unblock you.

Alternatively, you could try one of the 'Download' options from:


while we go through the review cycle for this change (or something evolved from it).

Cheers

Andrew

Kumar Srinivasan

May 13, 2021, 9:41:18 AM
to Andrew G. Morgan, golang-nuts
Thanks for looking into this, Andrew.

My 2 cents: there ought to be an elegant mechanism for excluding or disabling regression tests temporarily.
For example, this is how OpenJDK handles specific or generic platform exclusions.


Kumar


Kumar Srinivasan

May 14, 2021, 1:25:18 PM
to Andrew G. Morgan, golang-nuts
I applied your patch in-flight from your review, https://go-review.googlesource.com/c/go/+/319591/
and I am seeing other failures. It appears we need to apply the ordering of setgids to the following tests as well.

Also, I grepped around for the pattern syscall.Setgroups; there are no others I could see.

Thanks
Kumar


% grep -i -r SetGroup misc/cgo/*
misc/cgo/test/issue1435.go:             {call: "Setgroups([]int{0,1,2,3})", fn: func() error { return syscall.Setgroups([]int{0, 1, 2, 3}) }, filter: "Groups:", expect: "\t0 1 2 3"},
misc/cgo/test/issue1435.go:             {call: "Setgroups(nil)", fn: func() error { return syscall.Setgroups(nil) }, filter: "Groups:", expect: ""},
misc/cgo/test/issue1435.go:             {call: "Setgroups([]int{0})", fn: func() error { return syscall.Setgroups([]int{0}) }, filter: "Groups:", expect: "\t0"},

##### ../misc/cgo/test
--- FAIL: Test1435 (0.01s)
    issue1435.go:181: [6] "Setgroups([]int{0,1,2,3})" comparison: "/proc/29462/status" got:"Groups:\t1 2 3 0" want:"Groups:\t0 1 2 3" (bad) [pid=29462 file:'Name: test.test
        Umask: 0022
        State: S (sleeping)
        Tgid: 29462
        Ngid: 0
        Pid: 29462
        PPid: 27896
        TracerPid: 0
        Uid: 0 0 0 0
        Gid: 0 0 0 0
        FDSize: 64
        Groups: 1 2 3 0 
        NStgid: 29462
        NSpid: 29462
        NSpgid: 9
        NSsid: 9
        VmPeak: 1215460 kB
        VmSize: 1191416 kB
        VmLck:       0 kB
        VmPin:       0 kB
        VmHWM:    5848 kB
        VmRSS:    5848 kB
        RssAnon:    1724 kB
        RssFile:    4124 kB
        RssShmem:       0 kB
        VmData:  194472 kB
        VmStk:     132 kB
        VmExe:    1580 kB
        VmLib:    1700 kB
        VmPTE:     156 kB
        VmSwap:       0 kB
        HugetlbPages:       0 kB
        CoreDumping: 0
        Threads: 12
        SigQ: 0/128577
        SigPnd: 0000000000000000
        ShdPnd: 0000000000000000
        SigBlk: fffffffc3bfa3a00
        SigIgn: 0000000000000000
        SigCgt: fffffffdffc1feff
        CapInh: 00000000a80425fb
        CapPrm: 00000000a80425fb
        CapEff: 00000000a80425fb
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        NoNewPrivs: 0
        Seccomp: 2
        Speculation_Store_Bypass: thread force mitigated
        Cpus_allowed: ff
        Cpus_allowed_list: 0-7
        Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
        Mems_allowed_list: 0
        voluntary_ctxt_switches: 19
        nonvoluntary_ctxt_switches: 0
        ' Pid: 29462]
FAIL
exit status 1
FAIL misc/cgo/test 6.853s
2021/05/14 16:53:14 Failed: exit status 1
--- FAIL: Test1435 (0.01s)
    issue1435.go:181: [6] "Setgroups([]int{0,1,2,3})" comparison: "/proc/29422/status" got:"Groups:\t1 2 3 0" want:"Groups:\t0 1 2 3" (bad) [pid=29422 file:'Name: test.test
        Umask: 0022
        State: S (sleeping)
        Tgid: 29422
        Ngid: 0
        Pid: 29422
        PPid: 27897
        TracerPid: 0
        Uid: 0 0 0 0
        Gid: 0 0 0 0
        FDSize: 64
        Groups: 1 2 3 0 
        NStgid: 29422
        NSpid: 29422
        NSpgid: 9
        NSsid: 9
        VmPeak: 1215712 kB
        VmSize: 1192820 kB
        VmLck:       0 kB
        VmPin:       0 kB
        VmHWM:    5104 kB
        VmRSS:    5104 kB
        RssAnon:    1464 kB
        RssFile:    3640 kB
        RssShmem:       0 kB
        VmData:  195880 kB
        VmStk:     132 kB
        VmExe:    1556 kB
        VmLib:    1728 kB
        VmPTE:     176 kB
        VmSwap:       0 kB
        HugetlbPages:       0 kB
        CoreDumping: 0
        Threads: 12
        SigQ: 0/128577
        SigPnd: 0000000000000000
        ShdPnd: 0000000000000000
        SigBlk: fffffffc3bfa3a00
        SigIgn: 0000000000000000
        SigCgt: fffffffdffc1feff
        CapInh: 00000000a80425fb
        CapPrm: 00000000a80425fb
        CapEff: 00000000a80425fb
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        NoNewPrivs: 0
        Seccomp: 2
        Speculation_Store_Bypass: thread force mitigated
        Cpus_allowed: ff
        Cpus_allowed_list: 0-7
        Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
        Mems_allowed_list: 0
        voluntary_ctxt_switches: 19
        nonvoluntary_ctxt_switches: 4
        ' Pid: 29422]
FAIL
exit status 1
FAIL misc/cgo/test 6.429s
2021/05/14 16:53:15 Failed: exit status 1
--- FAIL: Test1435 (0.02s)
    issue1435.go:181: [6] "Setgroups([]int{0,1,2,3})" comparison: "/proc/29435/status" got:"Groups:\t1 2 3 0" want:"Groups:\t0 1 2 3" (bad) [pid=29435 file:'Name: test.test
        Umask: 0022
        State: S (sleeping)
        Tgid: 29435
        Ngid: 0
        Pid: 29435
        PPid: 27913
        TracerPid: 0
        Uid: 0 0 0 0
        Gid: 0 0 0 0
        FDSize: 64
        Groups: 1 2 3 0 
        NStgid: 29435
        NSpid: 29435
        NSpgid: 9
        NSsid: 9
        VmPeak: 1217064 kB
        VmSize: 1192508 kB
        VmLck:       0 kB
        VmPin:       0 kB
        VmHWM:    5528 kB
        VmRSS:    5528 kB
        RssAnon:    1524 kB
        RssFile:    4004 kB
        RssShmem:       0 kB
        VmData:  194216 kB
        VmStk:     132 kB
        VmExe:    1592 kB
        VmLib:    2368 kB
        VmPTE:     160 kB
        VmSwap:       0 kB
        HugetlbPages:       0 kB
        CoreDumping: 0
        Threads: 12
        SigQ: 0/128577
        SigPnd: 0000000000000000
        ShdPnd: 0000000000000000
        SigBlk: fffffffc3bfa3a00
        SigIgn: 0000000000000000
        SigCgt: fffffffdffc1feff
        CapInh: 00000000a80425fb
        CapPrm: 00000000a80425fb
        CapEff: 00000000a80425fb
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        NoNewPrivs: 0
        Seccomp: 2
        Speculation_Store_Bypass: thread force mitigated
        Cpus_allowed: ff
        Cpus_allowed_list: 0-7
        Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
        Mems_allowed_list: 0
        voluntary_ctxt_switches: 25
        nonvoluntary_ctxt_switches: 2
        ' Pid: 29435]
FAIL
exit status 1
FAIL misc/cgo/test 6.755s

Andrew G. Morgan

May 14, 2021, 1:57:22 PM
to golang-nuts

Indeed. I neglected to heed the comment I left expressly for this purpose. :(

Thanks!

Andrew

Andrew G. Morgan

May 18, 2021, 6:29:40 PM
to golang-nuts
This should be fully resolved at HEAD now.