
investigate how to run gdb server inside QM #719

Closed

dougsland opened this issue Feb 10, 2025 · 6 comments

@dougsland (Collaborator)

Based on the logs @raballew provided: #718

----
time->Mon Feb 10 15:47:27 2025
type=PROCTITLE msg=audit(1739202447.226:242): proctitle="/sbin/init"
type=SYSCALL msg=audit(1739202447.226:242): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55f17478cfb0 a2=80000 a3=0 items=0 ppid=1401 pid=1403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1739202447.226:242): avc:  denied  { read } for  pid=1403 comm="systemd" name="auditd.service" dev="vda4" ino=31127 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:auditd_unit_file_t:s0 tclass=file permissive=0
----
time->Mon Feb 10 15:47:27 2025
type=PROCTITLE msg=audit(1739202447.389:261): proctitle=2F7573722F62696E2F676462736572766572002D2D6D756C7469002D2D6465627567003A33343536
type=SYSCALL msg=audit(1739202447.389:261): arch=c000003e syscall=101 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1436 pid=1437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdbserver" exe="/usr/bin/gdbserver" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1739202447.389:261): avc:  denied  { ptrace } for  pid=1437 comm="gdbserver" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:qm_t:s0 tclass=process permissive=0
----
time->Mon Feb 10 15:47:27 2025
type=PROCTITLE msg=audit(1739202447.394:263): proctitle=2F7573722F62696E2F676462736572766572002D2D6D756C7469002D2D6465627567003A33343536
type=SYSCALL msg=audit(1739202447.394:263): arch=c000003e syscall=101 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1436 pid=1438 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdbserver" exe="/usr/bin/gdbserver" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1739202447.394:263): avc:  denied  { ptrace } for  pid=1438 comm="gdbserver" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:qm_t:s0 tclass=process permissive=0
----
time->Mon Feb 10 15:47:35 2025
type=PROCTITLE msg=audit(1739202455.118:348): proctitle="/sbin/init"
type=SYSCALL msg=audit(1739202455.118:348): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55ca5cbe4fb0 a2=80000 a3=0 items=0 ppid=1603 pid=1605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1739202455.118:348): avc:  denied  { read } for  pid=1605 comm="systemd" name="auditd.service" dev="vda4" ino=31127 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:auditd_unit_file_t:s0 tclass=file permissive=0
----
time->Mon Feb 10 15:47:35 2025
type=PROCTITLE msg=audit(1739202455.280:365): proctitle=2F7573722F62696E2F676462736572766572002D2D6D756C7469002D2D6465627567003A33343536
type=SYSCALL msg=audit(1739202455.280:365): arch=c000003e syscall=101 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1638 pid=1639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdbserver" exe="/usr/bin/gdbserver" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1739202455.280:365): avc:  denied  { ptrace } for  pid=1639 comm="gdbserver" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:qm_t:s0 tclass=process permissive=0
----
time->Mon Feb 10 15:47:35 2025
type=PROCTITLE msg=audit(1739202455.286:369): proctitle=2F7573722F62696E2F676462736572766572002D2D6D756C7469002D2D6465627567003A33343536
type=SYSCALL msg=audit(1739202455.286:369): arch=c000003e syscall=101 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1638 pid=1640 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdbserver" exe="/usr/bin/gdbserver" subj=system_u:system_r:qm_t:s0 key=(null)
type=AVC msg=audit(1739202455.286:369): avc:  denied  { ptrace } for  pid=1640 comm="gdbserver" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:qm_t:s0 tclass=process permissive=0
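A small parser over the audit records quoted above, as an added example (not code from this issue or the qm project): it decodes the hex-encoded proctitle back into the gdbserver command line and reduces the AVC records to the (source type, target type, class, permission) tuples the policy denies. The sample records are copied from the log quoted in the issue.

```python
import re
from collections import Counter

# Constructed sample: two records copied from the audit log quoted in the issue.
SAMPLE = """\
type=PROCTITLE msg=audit(1739202447.226:242): proctitle="/sbin/init"
type=AVC msg=audit(1739202447.226:242): avc:  denied  { read } for  pid=1403 comm="systemd" name="auditd.service" dev="vda4" ino=31127 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:auditd_unit_file_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1739202447.389:261): proctitle=2F7573722F62696E2F676462736572766572002D2D6D756C7469002D2D6465627567003A33343536
type=AVC msg=audit(1739202447.389:261): avc:  denied  { ptrace } for  pid=1437 comm="gdbserver" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:qm_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<title>\S+)'
)

def decode_proctitle(raw):
    """auditd hex-encodes proctitle when it contains NUL bytes (the argv
    separators); a double-quoted value is already printable."""
    if raw.startswith('"'):
        return raw.strip('"')
    argv = bytes.fromhex(raw).split(b"\x00")
    return " ".join(a.decode("utf-8", "replace") for a in argv)

def parse_denials(text):
    """Join each AVC record with the PROCTITLE record sharing its serial."""
    titles = {m["serial"]: decode_proctitle(m["title"])
              for m in PROCTITLE_RE.finditer(text)}
    denials = []
    for m in AVC_RE.finditer(text):
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["cmdline"] = titles.get(d["serial"])  # None if no PROCTITLE record
        denials.append(d)
    return denials

def type_of(context):
    # A context is user:role:type:level; policy rules key on the type field.
    return context.split(":")[2]

def summarize(denials):
    """Count (source type, target type, class, permission) tuples: the shape of
    the rule the loaded policy lacks, which is what a policy reviewer weighs."""
    return Counter((type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"], p)
                   for d in denials for p in d["perms"])
```

Running `summarize(parse_denials(SAMPLE))` shows the two distinct denials in the log: qm_t reading an auditd_unit_file_t file, and qm_t ptracing a qm_t process.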
@dougsland dougsland self-assigned this Feb 10, 2025
@dougsland (Collaborator, Author)

However, I would like to merge after Mr. @rhatdan reviews it.

@rhatdan (Member) commented Feb 10, 2025

We do not want to allow this inside of QM by default. This would allow the one QM Process to read data within another QM process and even modify it. Why would anyone be running a database in production? Why wouldn't you run the gdb from the host ASIL environment?

@dougsland (Collaborator, Author)

> We do not want to allow this inside of QM by default. This would allow the one QM Process to read data within another QM process and even modify it. Why would anyone be running a database in production? Why wouldn't you run the gdb from the host ASIL environment?

Agreed, we need to explain to customers to use ASIL, not QM. QM is just a process inside the host that gdb can attach to.

@raballew (Contributor) commented Feb 11, 2025

To my knowledge the QM partition is a separate pid namespace, which means I cannot attach to the process I am trying to debug. If I understand correctly, I would need to run gdb in there, which brings me back to my original problem of how to debug an application in-situ within the QM partition using gdbserver.

@rhatdan (Member) commented Feb 11, 2025

Just because it is in a pid namespace does not mean that it can not see the process or ptrace it.

You can also do a
$ podman exec --privileged qm gdb ...

@raballew (Contributor) commented Feb 11, 2025

But that's exactly where I get the SELinux denials, as shown in #719 (comment):

podman exec --privileged qm gdbserver --multi --debug :3457
gdbserver: linux_ptrace_test_ret_to_nx: Cannot PTRACE_TRACEME: Permission denied
gdbserver: linux_ptrace_test_ret_to_nx: status 256 is not WIFSTOPPED!
gdbserver: linux_ptrace_test_ret_to_nx: failed to kill child pid 48 No such process
podman exec --privileged qm gdb attach 1
GNU gdb (CentOS Stream) 14.2-4.el9
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
attach: No such file or directory.
Attaching to process 1
ptrace: Permission denied.
(gdb) /1: No such file or directory.
quit

I wonder if nsenter -t $(podman inspect qm --format='{{.State.Pid}}') -a gdbserver --multi --debug :3456 could be the solution.
