Self-signing Fedora kernels with pesign - socket permission problems #1091
Are you sure this is Mock's fault? Seems like the directory is correctly mounted by Mock -> but |
By that I mean -> what permissions are expected? What mock should do to make it work? |
I am happy to help but as I mentioned this is not a trivial setup by any means. I am also not 100 % sure mock is at fault here, but, given that downgrade and rebuilding the bootstrap makes the issue go away, it sure looks this way. |
Basically the requirement is for mock tree to use host's pesign. Some info can be seen in issue #140. |
Ok, this feels a bit weird. There is a change in the mountpoint management,
Would you mind testing an upgrade of mock to v4.0 again, and run this |
After boot I am starting pesign and unlocking the cert DB:
Attempting to build with mock-3.5 works:
mock-4.0 does not work even if everything is scrubbed:
|
There is something really fishy going on: it turns out I actually have to reboot my system after downgrading mock or else the permission denied error persists. It is as if mock-4.0 does something to the |
I managed to dig a bit deeper. shim offers a much better test case as it builds in about a minute as opposed to 20 minutes:
Invalid signature error indicates success.
|
I was able to perform a bisect, 22c8fdc is the first bad commit:
|
Somewhat untested reproduction instructions as I have my system already set up:
|
Previously, the bind_mount plugin relied on pre-existing directory tree, typically created by the chroot directory tree by the _PackageManager installation. So it was quite easy to mount stuff like `/var/run/socket` because `/var/run` always existed. Problem happened with files like `/var/run/subdirectory/socket`. Relates: rpm-software-management#1091
Thank you for all the details! I was able to reproduce it. With Mock 3.5 and bootstrap ON, the "user mountpoints" (the /var/run/pesign) What is happening here is that On my testing system, after all the pesign setup needed by the cited howto The whole As mentioned at the beginning, if used with We should find a better way to work with Mock+pesign; perhaps creating the |
Thank you for the detailed response. I am happy to hear that you were able to reproduce despite my somewhat vague instructions. |
Koji folks probably do the same thing, but they have a way around using ACLs. |
In the same bkernel specific config they turn bootstrap off btw, not sure why exactly. But this is exactly the coincidence I meant - without bootstrap, you'd face the very same issues even before (for normal packages, Koji started using bootstrap quite recently). Can you experiment with this work-around locally?

```bash
builduser=praiskup # change accordingly
for entity in "u:$builduser" g:pesign; do
    # "-d" sets the default ACL (inherited by new files); "" sets the access ACL.
    # $options is left unquoted on purpose so the empty value expands to no argument.
    for options in "-d" ""; do
        setfacl $options -R -m "$entity:rwx" /var/run/pesign
    done
done
```
|
I can see the changing permissions, on my machine pesign is 974:969 on the host but 999:999 in the chroot. Initialising a fresh chroot has 974:969 permissions, installing pesign in chroot changes it to 999:999. |
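The numeric ID mismatch reported in the comment above can be checked by comparing the account's entries in the host and chroot passwd files, since ownership on a bind-mounted directory is evaluated by number, not by name. This is an added example, not code from the thread; the helper names are hypothetical, the passwd entries are constructed from the IDs quoted above, and in real use the two roots would be `/` and the mock chroot.

```sh
#!/bin/sh
# Added example: compare an account's numeric uid:gid between two root trees.
# lookup_ids, compare_ids and make_sample_roots are hypothetical helper names.

# Print "uid:gid" for account $2 from the passwd file under root $1.
lookup_ids() {
    awk -F: -v name="$2" '
        $1 == name { print $3 ":" $4; found = 1; exit }
        END { if (!found) exit 1 }' "${1%/}/etc/passwd"
}

# $1 = host root, $2 = chroot root, $3 = account name.
# Returns 0 on match, 1 on mismatch, 2 if the account is missing somewhere.
compare_ids() {
    host_ids=$(lookup_ids "$1" "$3") || { echo "missing in $1"; return 2; }
    chroot_ids=$(lookup_ids "$2" "$3") || { echo "missing in $2"; return 2; }
    if [ "$host_ids" = "$chroot_ids" ]; then
        echo "match $host_ids"
    else
        echo "mismatch host=$host_ids chroot=$chroot_ids"
        return 1
    fi
}

# Constructed sample data using the IDs quoted in the comment above.
make_sample_roots() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/host/etc" "$dir/chroot/etc"
    echo 'pesign:x:974:969:constructed entry:/run/pesign:/sbin/nologin' \
        > "$dir/host/etc/passwd"
    echo 'pesign:x:999:999:constructed entry:/run/pesign:/sbin/nologin' \
        > "$dir/chroot/etc/passwd"
    echo "$dir"
}

roots=$(make_sample_roots)
compare_ids "$roots/host" "$roots/chroot" pesign || true
rm -rf "$roots"
```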
That should be executed only once on host; as one of the needed steps to configure Pesign for Mock. |
Thanks! With the workaround I am getting the "invalid signature" with shim suggesting it is working. This got me thinking: I believe the second reason why this was working before is this: |
It appears that the workaround from #1091 (comment) needs to be run every boot, not just once. I guess this is why it used to be triggered by the systemd unit. |
Yes, every boot (because tmpfiles systemd daemon re-creates stuff in /run). So I'm curious what to do about this issue. Should we close? |
Well, on one hand I know how to get this working now. So as far as I am concerned, the issue is solved. |
To repeat the problem - currently, we bind mount a host directory down
Any other ideas? None of those ^^^ makes me happy, and help with the |
There's #1103 doing this. Would you mind taking a look and test? |
Short description of the problem
Upon upgrading from mock-3.5-2.fc38 to mock-4.0-1.fc38 signing Fedora kernel RPMs using own certificate no longer works
Output of `rpm -q mock`

```
mock-4.0-1.fc38.noarch
```
Steps to reproduce issue
This is not really trivial unfortunately:
```bash
sudo usermod -a -G pesign julas
mock -r fedora-38-x86_64 --disable-plugin=tmpfs --enable-plugin=yum_cache --isolation=simple redhat/rpm/SRPMS/kernel-6.3.4-201.s0ix01.fc38.src.rpm --with baseonly --define='pe_signing_token NSS Certificate DB' --define='pe_signing_cert Julians Secure Boot signing key - Julian Sikorski'
```
The following happens:
Any additional notes
In order to fix the problem, rolling back to mock-3.5 was not enough. I had to do:
for the signing to work again.