Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: bump ubuntu to 22.04 and use newer compilers / analyzers #5275

Merged
merged 10 commits into from
Jul 30, 2022
Merged

ci: bump ubuntu to 22.04 and use newer compilers / analyzers #5275

merged 10 commits into from
Jul 30, 2022

Conversation

reinerh
Copy link
Collaborator

@reinerh reinerh commented Jul 25, 2022

No description provided.

@reinerh reinerh force-pushed the ci_ubuntu_2204 branch 3 times, most recently from c8dfaf6 to 26e0e4c Compare July 28, 2022 17:15
@reinerh
Copy link
Collaborator Author

reinerh commented Jul 28, 2022
edited
Loading

I'm having a weird test failure related to dns resolution.

$ firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org
3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:bash:stat /home/runner/work/firejail/firejail/test/environment:0
3:bash:stat .:0
3:bash:stat /home:0
3:bash:stat /home/runner:0
3:bash:stat /home/runner/work:0
3:bash:stat /home/runner/work/firejail:0
3:bash:stat /home/runner/work/firejail/firejail:0
3:bash:stat /home/runner/work/firejail/firejail/test:0
3:bash:stat /home/runner/work/firejail/firejail/test/environment:0
3:bash:stat /home/runner/work/firejail/firejail/test:0
3:bash:stat .:0
3:bash:stat /home/linuxbrew/.linuxbrew/bin/curl:-1
3:bash:stat /home/linuxbrew/.linuxbrew/sbin/curl:-1
3:bash:stat /home/runner/.local/bin/curl:-1
3:bash:stat /opt/pipx_bin/curl:-1
3:bash:stat /home/runner/.cargo/bin/curl:-1
3:bash:stat /home/runner/.config/composer/vendor/bin/curl:-1
3:bash:stat /usr/local/.ghcup/bin/curl:-1
3:bash:stat /home/runner/.dotnet/tools/curl:-1
3:bash:stat /snap/bin/curl:-1
3:bash:stat /usr/local/sbin/curl:-1
3:bash:stat /usr/local/bin/curl:-1
3:bash:stat /usr/sbin/curl:-1
3:bash:stat /usr/bin/curl:0
3:bash:stat /usr/bin/curl:0
3:curl:stat /etc/gnutls/config:-1
3:curl:exec /usr/bin/curl:0
3:curl:fopen64 /usr/lib/ssl/openssl.cnf:0x564a3a8d67c0
3:curl:open /home/runner/.config/.curlrc:-1
3:curl:open /home/runner/.curlrc:-1
3:curl:open /home/runner/.curlrc:-1
3:curl:socket AF_INET6 SOCK_DGRAM IPPROTO_IP:5
3:curl:socket AF_INET SOCK_STREAM IPPROTO_TCP:7
3:curl:connect 7 149.20.4.15 port 80:-1
3:curl:fopen /dev/null:0x564a3a8d67c0
runner@fv-az247-751:~/work/firejail/firejail/test/environment$ TESTING ERROR 6.2

curl (and also wget) is not contacting the specified (or any other) nameserver.
Does anyone have an idea how the lookup could else work?
(Obviously I'm not able to reproduce it locally)

@rusty-snake @kmk3 @glitsj16

@glitsj16
Copy link
Collaborator

curl (and also wget) is not contacting the specified (or any other) nameserver.
Does anyone have an idea how the lookup could else work?

Nothing very helpful comes to mind at the moment I'm afraid. Is there anything different in /etc/nsswitch.conf in Ubuntu 22.04 perhaps?

@rusty-snake
Copy link
Collaborator

As @glitsj16 said nsswich.conf is worth looking into. AFAIK systemd-resolved uses D-Bus or a custom UNIX socket.

@reinerh reinerh force-pushed the ci_ubuntu_2204 branch 3 times, most recently from 57e22b3 to 9147689 Compare July 29, 2022 17:18
@reinerh
Copy link
Collaborator Author

reinerh commented Jul 29, 2022

Thanks for the ideas. nsswitch.conf looks harmless, almost like on my system:

2022-07-29T16:38:41.7265620Z # /etc/nsswitch.conf
2022-07-29T16:38:41.7266122Z #
2022-07-29T16:38:41.7267090Z # Example configuration of GNU Name Service Switch functionality.
2022-07-29T16:38:41.7267919Z # If you have the `glibc-doc-reference' and `info' packages installed, try:
2022-07-29T16:38:41.7268566Z # `info libc "Name Service Switch"' for information about this file.
2022-07-29T16:38:41.7268964Z 
2022-07-29T16:38:41.7269160Z passwd:         files systemd
2022-07-29T16:38:41.7269485Z group:          files systemd
2022-07-29T16:38:41.7269960Z shadow:         files
2022-07-29T16:38:41.7270276Z gshadow:        files
2022-07-29T16:38:41.7270396Z 
2022-07-29T16:38:41.7270524Z hosts:          files dns
2022-07-29T16:38:41.7270855Z networks:       files
2022-07-29T16:38:41.7271027Z 
2022-07-29T16:38:41.7271344Z protocols:      db files
2022-07-29T16:38:41.7271953Z services:       db files
2022-07-29T16:38:41.7272376Z ethers:         db files
2022-07-29T16:38:41.7272748Z rpc:            db files
2022-07-29T16:38:41.7273186Z 
2022-07-29T16:38:41.7273410Z netgroup:       nis

With strace I could now see that curl is indeed using systemd for resolving the host (opening stuff in /run/systemd/resolve/ and connecting to 127.0.0.53:53.). Actually it looks like /etc/resolv.conf is symlinked to /run/systemd/resolve/....
I tried to blacklist the systemd directory, but it was still not opening the specified nameserver.
I think I'll just disable this test for now. It looks like --dns= does not properly work with systemd-resolved.

@reinerh reinerh marked this pull request as ready for review July 29, 2022 17:38
kmk3
kmk3 approved these changes Jul 29, 2022
View reviewed changes
Copy link
Collaborator

@kmk3 kmk3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work on upgrading the distro/tooling versions.

Could you move the following commit to be the last one in the branch?

  • CI: bump ubuntu to 22.04 and use newer compilers / analyzers

That should make all commits pass CI.

@reinerh
CI: build all jobs with apparmor / selinux to cover more code
3a5954c
@reinerh
zero-initialize two variables
e47bc3b
@reinerh
Make list of paths const to fix a false positive of gcc analyzer
eb20f52
@reinerh
CI: fix wrong matching for test errors
057f431 
grep was returning non-zero exit code if it did NOT find the
error marker, and zero if it did.
@reinerh
tests: drop checking for hosts file in trace test
e1cb7ce 
firejail is no longer detecting that /etc/hosts is getting opened.
in strace it can still be seen that the file is opened via syscall,
but on C library layer (which firejail is tracing) it's probably
implemented differently now.
@reinerh
tests: add alternative message for skipping test
b4f4444
@reinerh
tests: try curl instead of wget for tracing dns resolution
4221b15
@reinerh
tests: disable calling curl in dns test, as systemd-resolved is used …
c971903 
…on CI runner
@reinerh
CI: bump ubuntu to 22.04 and use newer compilers / analyzers
cfc8547
@reinerh
CI: keep old cppcheck job and ignore two files in new job that take t…
53f0b39 
…oo long to check
@reinerh reinerh merged commit 364a565 into master Jul 30, 2022
@reinerh reinerh deleted the ci_ubuntu_2204 branch July 30, 2022 23:06
@kmk3 kmk3 changed the title CI: bump ubuntu to 22.04 and use newer compilers / analyzers ci: bump ubuntu to 22.04 and use newer compilers / analyzers Sep 26, 2022
kmk3 added a commit that referenced this pull request Sep 26, 2022
@kmk3
RELNOTES: add build/ci items
ce92f82 
Relates to #5275 #5357 #5370.
kmk3 added a commit to kmk3/firejail that referenced this pull request May 14, 2023
@kmk3
Standardize usage string var declarations
874cf79 
Changes:

* Name them all "usage_str"
* Make them const

For the latter item, see commit eb20f52 ("Make list of paths const to
fix a false positive of gcc analyzer", 2022-07-27) / PR netblue30#5275.
@kmk3 kmk3 mentioned this pull request May 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kmk3 kmk3 kmk3 approved these changes

@rusty-snake rusty-snake rusty-snake approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Release 0.9.72
Status: Done (on RELNOTES)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@reinerh @glitsj16 @rusty-snake @kmk3