fizz is failing cheets_ContainerMount

Issue description

https://stainless.corp.google.com/search?view=list&first_date=2018-06-02&last_date=2018-06-04&test=%5Echeets_ContainerMount%24&status=FAIL&status=ERROR&status=ABORT&exclude_cts=true&exclude_not_run=false&exclude_non_release=true&exclude_au=true&exclude_acts=true&exclude_retried=true&exclude_non_production=false

Seems like huddly-monitor.conf and mimo-monitor.conf need to add --profile=minimalistic_mountns (similar to https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1050550/5/net-firewall/conntrack-tools/files/init/conntrackd.conf), but I have no way of testing this (other than sending lots of tryjobs, but that seems suboptimal).
Jun 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/cfm-device-monitor/+/66548622ec053e942931ff23132da8b1211eea87

commit 66548622ec053e942931ff23132da8b1211eea87
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Wed Jun 06 04:28:47 2018

Use pivot_root(2) for the service's container

This change restricts the mounts that both mimo-monitor and huddly-monitor are allowed to inherit to:

* /sys
* /dev
* /proc
* /run/dbus

This prevents the containers from accidentally grabbing references to undesired mounts in the init namespace.

BUG=b:65450844
BUG= chromium:849455
TEST=fizz tryjob

Change-Id: Ia60adb321e81157646bd87c2b6d9d930de1c0f60
Reviewed-on: https://chromium-review.googlesource.com/1087356
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/66548622ec053e942931ff23132da8b1211eea87/init/huddly-monitor.conf
[modify] https://crrev.com/66548622ec053e942931ff23132da8b1211eea87/init/mimo-monitor.conf
[modify] https://crrev.com/66548622ec053e942931ff23132da8b1211eea87/mimo-monitor/main.cc
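
Added example, not part of the bug thread or of the commit above: a Python check that parses /proc/<pid>/mountinfo text and reports any mount point outside the list given in the commit message. The sample data is constructed; treating "/" as allowed and matching mount points exactly are assumptions of this example.

```python
"""Audit a mount namespace against an allowlist (added example)."""
import re

# Mounts the commit message lists as allowed. "/" (the new root after
# pivot_root) is included as an assumption of this example.
ALLOWED = {"/", "/sys", "/dev", "/proc", "/run/dbus"}

# Constructed /proc/<pid>/mountinfo samples, not captured from a device.
CLEAN = r"""
21 1 0:19 / / ro,nosuid - tmpfs none ro
22 21 0:20 / /sys rw,nosuid shared:2 - sysfs sysfs rw
23 21 0:5 / /dev rw,nosuid shared:3 - devtmpfs devtmpfs rw
24 21 0:4 / /proc rw,nosuid shared:4 - proc proc rw
25 21 0:22 /dbus /run/dbus rw,nosuid shared:5 - tmpfs tmpfs rw
"""
LEAKY = CLEAN + r"""
26 21 8:1 / /mnt/stateful_partition rw,nosuid shared:6 - ext4 /dev/sda1 rw
27 21 8:17 / /media/removable/USB\040Drive rw shared:7 - vfat /dev/sdb1 rw
"""


def _unescape(path):
    # mountinfo writes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Yield (mount_point, fs_type, source) for each mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Optional fields start at index 6 and end at a lone "-".
        sep = fields.index("-", 6)
        yield _unescape(fields[4]), fields[sep + 1], fields[sep + 2]


def unexpected_mounts(text, allowed=ALLOWED):
    """Return mount points present in the namespace but not allowlisted.

    Matching is exact, so a submount such as /dev/pts is reported too.
    """
    return sorted({mp for mp, _, _ in parse_mountinfo(text)} - set(allowed))


if __name__ == "__main__":
    print(unexpected_mounts(LEAKY))
```

To audit a live service, pass the contents of /proc/<pid>/mountinfo for that service's process instead of the constructed samples.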
Jun 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/95cd066fa8398849cf1d3f8b0f64838ccd7ee978

commit 95cd066fa8398849cf1d3f8b0f64838ccd7ee978
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Wed Jun 06 04:28:37 2018

cecservice: Use pivot_root(2) instead of chroot(2)

This change calls pivot_root(2) instead of chroot(2) to enter the container. This prevents the container from accidentally grabbing references to undesired mounts in the init namespace.

BUG=b:65450844
BUG= chromium:849455
TEST=fizz tryjob

Change-Id: I3090d8bf665369022e0b38707ac49582a1ab174c
Reviewed-on: https://chromium-review.googlesource.com/1087708
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/95cd066fa8398849cf1d3f8b0f64838ccd7ee978/cecservice/share/cecservice.conf
Jun 6 2018
I believe all the pending work has been done.
Jun 6 2018
Latest build was all green! https://stainless.corp.google.com/search?status=GOOD&hostname=&exclude_au=true&exclude_retried=true&builder_name_number=&shard=&exclude_acts=true&waterfall=&builder_name=&master_builder_name_number=&suite=&owner=&retry=&exclude_cts=true&exclude_non_production=false&master_builder_name=&reason=&exclude_non_release=true&build=%5ER69%5C-10757%5C.0%5C.0%24&test=%5Echeets_ContainerMount%24&exclude_not_run=false&model=&view=list&board=&first_date=2018-06-04&last_date=2018-06-06
Jun 8 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/1541d0248bb3f7a8a2d247c608d1ad24840a567d

commit 1541d0248bb3f7a8a2d247c608d1ad24840a567d
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Fri Jun 08 06:33:36 2018

cecservice: Clean up the minijail0 invocation

This change uses /var/empty as the chroot to match the way we invoke the rest of the services. It also stops creating/deleting the chroot directory.

BUG=b:65450844
BUG= chromium:849455
TEST=fizz tryjob

Change-Id: I243e4e4ae6392f0ae257249a401518362097b60a
Reviewed-on: https://chromium-review.googlesource.com/1087709
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Felix Ekblom <felixe@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/1541d0248bb3f7a8a2d247c608d1ad24840a567d/cecservice/share/cecservice.conf
Jul 12
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/atrusctl/+/f2f9d8df9f307aea2f0c269c81ab7f104b8a4a20

commit f2f9d8df9f307aea2f0c269c81ab7f104b8a4a20
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Thu Jul 12 18:35:40 2018

Clean up the minijail0 invocation

This change uses /var/empty as the chroot to match the way we invoke the rest of the services. It also stops creating/deleting the chroot directory.

BUG=b:65450844
BUG= chromium:849455
BUG= chromium:861994
TEST=fizz tryjob

Change-Id: I6a76cc92d93bdb8f7edf2990cb0cf219ac20f4ff
Reviewed-on: https://chromium-review.googlesource.com/1087681
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Emil Lundmark <lndmrk@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/f2f9d8df9f307aea2f0c269c81ab7f104b8a4a20/init/atrusd.conf
Comment 1 by bugdroid1@chromium.org, Jun 6 2018