sk4nz/skz-sloptrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

debugging recursion

Browse Source
This commit is contained in:
Samuel Aubertin
2026-03-10 00:42:19 +01:00
parent 1e97baa534
commit 3731094f60
5 changed files with 664 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

435
sloptrap
View File

@@ -356,6 +356,120 @@ set -euo pipefail
helper_pid=""
has_capability() {
local needle=$1
local token
for token in ${SLOPTRAP_ACTIVE_CAPABILITIES:-}; do
if [[ $token == "$needle" ]]; then
return 0
fi
done
return 1
}
detect_subid_range_from_map() {
local map_path=$1
local account_id=$2
awk -v account_id="$account_id" '
NF < 3 { next }
{
ns_start = $1 + 0
ns_count = $3 + 0
if (ns_count <= 0) {
next
}
if (account_id >= ns_start && account_id < (ns_start + ns_count)) {
next
}
if (ns_count > best_count) {
best_start = ns_start
best_count = ns_count
}
}
END {
if (best_count > 0) {
printf "%s %s", best_start, best_count
exit 0
}
exit 1
}
' "$map_path"
}
ensure_subid_mapping_file() {
local destination=$1
local account_name=$2
local account_id=$3
local range_start=$4
local range_count=$5
local tmp_file="${destination}.tmp"
if [[ -r $destination ]] && awk -F: -v account_name="$account_name" -v account_id="$account_id" -v range_start="$range_start" -v range_count="$range_count" '
($1 == account_name || $1 == account_id) && $2 == range_start && $3 == range_count { found=1; exit }
END { exit(found ? 0 : 1) }
' "$destination"; then
return 0
fi
[[ -e $destination && ! -L $destination ]] || : >"$destination"
awk -F: -v account_name="$account_name" -v account_id="$account_id" '
$1 == account_name || $1 == account_id { next }
{ print }
' "$destination" >"$tmp_file"
if [[ -n $account_name && $account_name != "$account_id" ]]; then
printf '%s:%s:%s\n' "$account_name" "$range_start" "$range_count" >>"$tmp_file"
else
printf '%s:%s:%s\n' "$account_id" "$range_start" "$range_count" >>"$tmp_file"
fi
chmod 0644 "$tmp_file" 2>/dev/null || true
if ! mv "$tmp_file" "$destination" 2>/dev/null; then
cat "$tmp_file" >"$destination"
rm -f "$tmp_file"
fi
}
lookup_account_name() {
local account_id=$1
local passwd_entry=""
if passwd_entry=$(getent passwd "$account_id" 2>/dev/null); then
printf '%s\n' "${passwd_entry%%:*}"
return 0
fi
return 1
}
ensure_subid_mappings() {
local account_id account_gid account_name=""
local range_start="" range_count="" gid_start="" gid_count=""
local detected_range=""
account_id=${SLOPTRAP_HOST_UID:-$(id -u)}
account_gid=${SLOPTRAP_HOST_GID:-$(id -g)}
if ! account_name=$(lookup_account_name "$account_id"); then
account_name=""
fi
if detected_range=$(detect_subid_range_from_map /proc/self/uid_map "$account_id" 2>/dev/null); then
read -r range_start range_count <<<"$detected_range"
elif [[ -n ${SLOPTRAP_PODMAN_SUBID_START:-} && -n ${SLOPTRAP_PODMAN_SUBID_COUNT:-} ]]; then
range_start=${SLOPTRAP_PODMAN_SUBID_START}
range_count=${SLOPTRAP_PODMAN_SUBID_COUNT}
fi
if detected_range=$(detect_subid_range_from_map /proc/self/gid_map "$account_gid" 2>/dev/null); then
read -r gid_start gid_count <<<"$detected_range"
elif [[ -n ${SLOPTRAP_PODMAN_SUBGID_START:-} && -n ${SLOPTRAP_PODMAN_SUBGID_COUNT:-} ]]; then
gid_start=${SLOPTRAP_PODMAN_SUBGID_START}
gid_count=${SLOPTRAP_PODMAN_SUBGID_COUNT}
fi
if [[ -n $range_start && -n $range_count ]]; then
ensure_subid_mapping_file /etc/subuid "$account_name" "$account_id" "$range_start" "$range_count"
fi
if [[ -n $gid_start && -n $gid_count ]]; then
ensure_subid_mapping_file /etc/subgid "$account_name" "$account_id" "$gid_start" "$gid_count"
fi
}
cleanup() {
if [[ -n $helper_pid ]]; then
kill "$helper_pid" >/dev/null 2>&1 || true
@@ -374,11 +488,11 @@ if [[ $(id -u) -eq 0 ]]; then
queue_dir="$helper_dir/queue"
mkdir -p "$queue_dir"
chmod 711 "$helper_dir"
chmod 700 "$queue_dir"
chmod 1733 "$queue_dir"
target_uid=${SLOPTRAP_HOST_UID:-}
target_gid=${SLOPTRAP_HOST_GID:-}
if [[ -n $target_uid && -n $target_gid ]]; then
chown "$target_uid:$target_gid" "$queue_dir"
if has_capability "nested-podman"; then
ensure_subid_mappings
fi
if [[ -n ${SLOPTRAP_ACTIVE_CAPABILITIES:-} ]]; then
/usr/local/bin/sloptrap-helperd &
@@ -412,7 +526,13 @@ cleanup_pidfile() {
rm -f "$pidfile"
}
trap cleanup_pidfile EXIT INT TERM HUP
shutdown_helper() {
cleanup_pidfile
exit 0
}
trap cleanup_pidfile EXIT
trap shutdown_helper INT TERM HUP
printf '%s\n' "$$" >"$pidfile"
chmod 644 "$pidfile" 2>/dev/null || true
@@ -460,10 +580,35 @@ path_within_root() {
claim_request_dir() {
local request_dir=$1
local owner_uid owner_gid
[[ -d $request_dir && ! -L $request_dir ]] || return 1
path_within_root "$queue_dir" "$request_dir" || return 1
chown root:root "$request_dir" 2>/dev/null || true
owner_uid=$(stat -c '%u' "$request_dir" 2>/dev/null || true)
owner_gid=$(stat -c '%g' "$request_dir" 2>/dev/null || true)
[[ $owner_uid =~ ^[0-9]+$ && $owner_gid =~ ^[0-9]+$ ]] || return 1
REQUEST_OWNER_UID=$owner_uid
REQUEST_OWNER_GID=$owner_gid
if [[ $(id -u) -eq 0 ]]; then
chown root:root "$request_dir" 2>/dev/null || return 1
chmod 700 "$request_dir" 2>/dev/null || return 1
fi
}
release_request_dir() {
local request_dir=$1
local owner_uid=$2
local owner_gid=$3
local path
[[ $owner_uid =~ ^[0-9]+$ && $owner_gid =~ ^[0-9]+$ ]] || return 0
for path in "$request_dir" "$request_dir/status" "$request_dir/stdout" "$request_dir/stderr"; do
[[ -e $path && ! -L $path ]] || continue
chown "$owner_uid:$owner_gid" "$path" 2>/dev/null || true
done
chmod 700 "$request_dir" 2>/dev/null || true
for path in "$request_dir/status" "$request_dir/stdout" "$request_dir/stderr"; do
[[ -e $path && ! -L $path ]] || continue
chmod 600 "$path" 2>/dev/null || true
done
}
init_request_outputs() {
@@ -636,6 +781,8 @@ while true; do
[[ -d $request_dir ]] || continue
[[ ! -f "$request_dir/status" ]] || continue
pending_requests=1
REQUEST_OWNER_UID=""
REQUEST_OWNER_GID=""
if ! claim_request_dir "$request_dir"; then
log_action "request" "unsafe=1 path=$request_dir" 2
continue
@@ -663,6 +810,7 @@ while true; do
log_action "$op" "unknown=1" 2
;;
esac
release_request_dir "$request_dir" "$REQUEST_OWNER_UID" "$REQUEST_OWNER_GID"
done
if [[ $pending_requests -eq 0 ]]; then
sleep 1
@@ -716,8 +864,7 @@ ensure_helper_ready() {
[[ -n $helper_bin ]] || exit 1
mkdir -p "$queue_dir"
chmod 711 "$helper_dir"
chmod 700 "$queue_dir"
chown "$SLOPTRAP_HOST_UID:$SLOPTRAP_HOST_GID" "$queue_dir"
chmod 1733 "$queue_dir"
if [[ -r $pidfile ]]; then
pid=$(<"$pidfile")
if [[ -n $pid ]] && kill -0 "$pid" 2>/dev/null; then
@@ -827,8 +974,7 @@ ensure_helper_ready() {
[[ -n $helper_bin ]] || exit 1
mkdir -p "$queue_dir"
chmod 711 "$helper_dir"
chmod 700 "$queue_dir"
chown "$SLOPTRAP_HOST_UID:$SLOPTRAP_HOST_GID" "$queue_dir"
chmod 1733 "$queue_dir"
if [[ -r $pidfile ]]; then
pid=$(<"$pidfile")
if [[ -n $pid ]] && kill -0 "$pid" 2>/dev/null; then
@@ -961,6 +1107,10 @@ exit "$status"
EOF
;;
sloppodman)
# shellcheck disable=SC2034
local workspace_root="" podman_root="" podman_runroot="" runtime_dir="" config_home=""
# shellcheck disable=SC2034
local storage_driver="" storage_conf="" containers_conf="" subcommand=""
cat <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
@@ -983,11 +1133,29 @@ if [[ $# -eq 0 ]]; then
exit 2
fi
original_args=("$@")
subcommand=$1
shift
subcommand_prefix=("$subcommand")
case "$subcommand" in
pull|build|tag|run|ps|logs|stop|rm|inspect)
pull|build|tag|run|ps|logs|stop|rm|inspect|rmi)
;;
image)
[[ $# -gt 0 ]] || {
printf 'sloppodman: image requires a subcommand\n' >&2
exit 2
}
case "$1" in
inspect|prune)
subcommand_prefix=(image "$1")
shift
;;
*)
printf 'sloppodman: unsupported image subcommand %s\n' "$1" >&2
exit 2
;;
esac
;;
*)
printf 'sloppodman: unsupported subcommand %s\n' "$subcommand" >&2
@@ -1004,7 +1172,161 @@ workspace_root=${SLOPTRAP_WORKDIR:-/workspace}
podman_root=${SLOPTRAP_INNER_PODMAN_ROOT:-/codex/capabilities/podman/storage}
podman_runroot=${SLOPTRAP_INNER_PODMAN_RUNROOT:-/codex/capabilities/podman/run}
runtime_dir=${XDG_RUNTIME_DIR:-/codex/capabilities/podman/runtime}
mkdir -p "$podman_root" "$podman_runroot" "$runtime_dir"
config_home=${SLOPTRAP_INNER_PODMAN_CONFIG_HOME:-$runtime_dir/config}
containers_conf_dir="$config_home/containers"
storage_driver=${SLOPTRAP_INNER_PODMAN_DRIVER:-vfs}
storage_conf="$containers_conf_dir/storage.conf"
containers_conf="$containers_conf_dir/containers.conf"
subuid_file=${SLOPTRAP_PODMAN_SUBUID_FILE:-/etc/subuid}
subgid_file=${SLOPTRAP_PODMAN_SUBGID_FILE:-/etc/subgid}
mkdir -p "$podman_root" "$podman_runroot" "$runtime_dir" "$containers_conf_dir"
cat >"$storage_conf" <<STORAGE_CONF_EOF
[storage]
driver = "$storage_driver"
runroot = "$podman_runroot"
graphroot = "$podman_root"
[storage.options.vfs]
ignore_chown_errors = "true"
[storage.options.overlay]
ignore_chown_errors = "true"
mount_program = "/usr/bin/fuse-overlayfs"
STORAGE_CONF_EOF
cat >"$containers_conf" <<'CONTAINERS_CONF_EOF'
[engine]
cgroup_manager = "cgroupfs"
events_logger = "file"
CONTAINERS_CONF_EOF
export CONTAINERS_STORAGE_CONF="$storage_conf"
export CONTAINERS_CONF="$containers_conf"
export BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
detect_subid_range_from_map() {
local map_path=$1
local account_id=$2
awk -v account_id="$account_id" '
NF < 3 { next }
{
ns_start = $1 + 0
ns_count = $3 + 0
if (ns_count <= 0) {
next
}
if (account_id >= ns_start && account_id < (ns_start + ns_count)) {
next
}
if (ns_count > best_count) {
best_start = ns_start
best_count = ns_count
}
}
END {
if (best_count > 0) {
printf "%s %s", best_start, best_count
exit 0
}
exit 1
}
' "$map_path"
}
ensure_subid_mapping_file() {
local destination=$1
local account_name=$2
local account_id=$3
local range_start=$4
local range_count=$5
local tmp_file="${destination}.tmp"
if [[ -r $destination ]] && awk -F: -v account_name="$account_name" -v account_id="$account_id" -v range_start="$range_start" -v range_count="$range_count" '
($1 == account_name || $1 == account_id) && $2 == range_start && $3 == range_count { found=1; exit }
END { exit(found ? 0 : 1) }
' "$destination"; then
return 0
fi
[[ -e $destination && ! -L $destination ]] || : >"$destination"
awk -F: -v account_name="$account_name" -v account_id="$account_id" '
$1 == account_name || $1 == account_id { next }
{ print }
' "$destination" >"$tmp_file"
if [[ -n $account_name && $account_name != "$account_id" ]]; then
printf '%s:%s:%s\n' "$account_name" "$range_start" "$range_count" >>"$tmp_file"
else
printf '%s:%s:%s\n' "$account_id" "$range_start" "$range_count" >>"$tmp_file"
fi
chmod 0644 "$tmp_file" 2>/dev/null || true
if ! mv "$tmp_file" "$destination" 2>/dev/null; then
cat "$tmp_file" >"$destination"
rm -f "$tmp_file"
fi
}
ensure_subid_mappings() {
local account_id account_name range_start range_count gid_start gid_count detected_range
account_id=${SLOPTRAP_PODMAN_CALLER_UID:-$(id -u)}
account_name=${SLOPTRAP_PODMAN_CALLER_USER:-}
if [[ -z $account_name ]]; then
account_name=$(id -un 2>/dev/null || true)
fi
range_start=${SLOPTRAP_PODMAN_SUBID_START:-100000}
range_count=${SLOPTRAP_PODMAN_SUBID_COUNT:-65536}
gid_start=${SLOPTRAP_PODMAN_SUBGID_START:-$range_start}
gid_count=${SLOPTRAP_PODMAN_SUBGID_COUNT:-$range_count}
if detected_range=$(detect_subid_range_from_map /proc/self/uid_map "$account_id" 2>/dev/null); then
read -r range_start range_count <<<"$detected_range"
fi
if detected_range=$(detect_subid_range_from_map /proc/self/gid_map "${SLOPTRAP_PODMAN_CALLER_GID:-$(id -g)}" 2>/dev/null); then
read -r gid_start gid_count <<<"$detected_range"
fi
[[ -e $subuid_file && ! -L $subuid_file ]] || : >"$subuid_file"
[[ -e $subgid_file && ! -L $subgid_file ]] || : >"$subgid_file"
ensure_subid_mapping_file "$subuid_file" "$account_name" "$account_id" "$range_start" "$range_count"
ensure_subid_mapping_file "$subgid_file" "$account_name" "$account_id" "$gid_start" "$gid_count"
if [[ $(id -u) -eq 0 ]]; then
ensure_subid_mapping_file "$subuid_file" root 0 "$range_start" "$range_count"
ensure_subid_mapping_file "$subgid_file" root 0 "$gid_start" "$gid_count"
fi
}
exec_podman() {
local -a cmd=(
podman
--root "$podman_root"
--runroot "$podman_runroot"
--storage-driver "$storage_driver"
--cgroup-manager cgroupfs
--events-backend file
"${subcommand_prefix[@]}" "$@"
)
if [[ $(id -u) -eq 0 ]]; then
ensure_subid_mappings
exec "${cmd[@]}"
fi
if [[ ${SLOPTRAP_PODMAN_ESCALATED:-0} == 1 ]]; then
exec "${cmd[@]}"
fi
if ! command -v setpriv >/dev/null 2>&1; then
printf 'sloppodman: setpriv is required to enter the nested podman capability profile\n' >&2
exit 1
fi
chmod 0777 "$podman_root" "$podman_runroot" "$runtime_dir" 2>/dev/null || true
exec setpriv --reuid 0 --regid 0 --clear-groups -- env \
CONTAINERS_STORAGE_CONF="$CONTAINERS_STORAGE_CONF" \
CONTAINERS_CONF="$CONTAINERS_CONF" \
BUILDAH_ISOLATION="$BUILDAH_ISOLATION" \
XDG_RUNTIME_DIR="$runtime_dir" \
SLOPTRAP_PODMAN_ESCALATED=1 \
SLOPTRAP_PODMAN_CALLER_UID="${SLOPTRAP_PODMAN_CALLER_UID:-$(id -u)}" \
SLOPTRAP_PODMAN_CALLER_GID="${SLOPTRAP_PODMAN_CALLER_GID:-$(id -g)}" \
SLOPTRAP_PODMAN_CALLER_USER="${SLOPTRAP_PODMAN_CALLER_USER:-$(id -un 2>/dev/null || true)}" \
"$0" "${original_args[@]}"
}
resolve_inner_path() {
local raw=$1
@@ -1180,7 +1502,7 @@ if [[ $subcommand == "run" ]]; then
done
fi
exec podman --root "$podman_root" --runroot "$podman_runroot" "$subcommand" "$@"
exec_podman "$@"
EOF
;;
*)
@@ -1243,6 +1565,30 @@ prepare_build_context() {
select_codex_home() {
local preferred="$HOME/.codex"
if [[ -n ${CODEX_HOME:-} ]]; then
if [[ ${HOME:-} == "$CODEX_HOME" ]]; then
preferred="$CODEX_HOME"
elif [[ ${SLOPTRAP_PREFER_CODEX_HOME:-0} == "1" ]]; then
local inherited_runtime_home=false
local runtime_hint
for runtime_hint in \
"${SLOPTRAP_CAPTURE_DIR:-}" \
"${SLOPTRAP_AUDIT_LOG:-}" \
"${SLOPTRAP_INNER_PODMAN_ROOT:-}" \
"${SLOPTRAP_INNER_PODMAN_RUNROOT:-}" \
"${XDG_CONFIG_HOME:-}" \
"${XDG_CACHE_HOME:-}" \
"${XDG_STATE_HOME:-}"; do
if [[ -n $runtime_hint && ( $runtime_hint == "$CODEX_HOME" || $runtime_hint == "$CODEX_HOME/"* ) ]]; then
inherited_runtime_home=true
break
fi
done
if ! $inherited_runtime_home; then
preferred="$CODEX_HOME"
fi
fi
fi
if [[ -L $preferred ]]; then
error "Codex home '$preferred' must not be a symlink"
fi
@@ -1269,6 +1615,59 @@ select_codex_home() {
fi
}
write_subid_mapping_file() {
local destination=$1
local existing_path=$2
local account_name=$3
local account_id=$4
local range_start=$5
local range_count=$6
if [[ -r $existing_path ]]; then
awk -F: -v account_name="$account_name" -v account_id="$account_id" '
$1 == account_name || $1 == account_id { next }
{ print }
' "$existing_path" >"$destination"
else
: >"$destination"
fi
if [[ -n $account_name && $account_name != "$account_id" ]]; then
printf '%s:%s:%s\n' "$account_name" "$range_start" "$range_count" >>"$destination"
else
printf '%s:%s:%s\n' "$account_id" "$range_start" "$range_count" >>"$destination"
fi
chmod 0644 "$destination"
}
detect_subid_range_from_map() {
local map_path=$1
local account_id=$2
awk -v account_id="$account_id" '
NF < 3 { next }
{
ns_start = $1 + 0
ns_count = $3 + 0
if (ns_count <= 0) {
next
}
if (account_id >= ns_start && account_id < (ns_start + ns_count)) {
next
}
if (ns_count > best_count) {
best_start = ns_start
best_count = ns_count
}
}
END {
if (best_count > 0) {
printf "%s %s", best_start, best_count
exit 0
}
exit 1
}
' "$map_path"
}
compute_manifest_digest() {
if [[ -f $MANIFEST_PATH ]]; then
local digest
@@ -2234,7 +2633,7 @@ prepare_container_runtime() {
SLOPTRAP_CONTAINER_NAME=$(sanitize_engine_name "$SLOPTRAP_CONTAINER_NAME")
local -a network_opts=(--network "$SLOPTRAP_NETWORK_NAME" --init)
local -a security_opts=(--cap-drop=ALL --security-opt no-new-privileges)
local -a security_opts=(--cap-drop=ALL)
local -a capability_opts=()
if [[ -n $SLOPTRAP_SECURITY_OPTS_EXTRA ]]; then
local -a extra_opts=()
@@ -2267,7 +2666,12 @@ prepare_container_runtime() {
SLOPTRAP_RUN_AS_ROOT=true
fi
if capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman"; then
capability_opts+=(--device /dev/fuse)
capability_opts+=(--device /dev/fuse --cap-add SYS_CHROOT --cap-add MKNOD)
security_opts+=(--security-opt seccomp=unconfined)
SLOPTRAP_ROOTFS_READONLY=0
SLOPTRAP_RUN_AS_ROOT=true
else
security_opts+=(--security-opt no-new-privileges)
fi
if $SLOPTRAP_RUN_AS_ROOT; then
capability_opts+=(
@@ -2318,6 +2722,7 @@ prepare_container_runtime() {
-e "SLOPTRAP_AUDIT_LOG=$SLOPTRAP_CODEX_HOME_CONT/state/capabilities.log"
-e "SLOPTRAP_INNER_PODMAN_ROOT=$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/storage"
-e "SLOPTRAP_INNER_PODMAN_RUNROOT=$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/run"
-e "SLOPTRAP_PREFER_CODEX_HOME=1"
-e "XDG_RUNTIME_DIR=$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/runtime"
)
if capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman" && [[ $SLOPTRAP_NETWORK_NAME == "host" ]]; then
@@ -2381,6 +2786,7 @@ build_image() {
"$CONTAINER_ENGINE" build --quiet
-t "$SLOPTRAP_IMAGE_NAME"
-f "$SLOPTRAP_DOCKERFILE_PATH"
--network "$SLOPTRAP_NETWORK_NAME"
--label "$SLOPTRAP_IMAGE_LABEL"
--build-arg "BASE_PACKAGES=$SLOPTRAP_PACKAGES_BASE"
--build-arg "CAPABILITY_PACKAGES=$capability_packages_arg"
@@ -2426,6 +2832,7 @@ rebuild_image() {
"$CONTAINER_ENGINE" build --no-cache --quiet
-t "$SLOPTRAP_IMAGE_NAME"
-f "$SLOPTRAP_DOCKERFILE_PATH"
--network "$SLOPTRAP_NETWORK_NAME"
--label "$SLOPTRAP_IMAGE_LABEL"
--build-arg "BASE_PACKAGES=$SLOPTRAP_PACKAGES_BASE"
--build-arg "CAPABILITY_PACKAGES=$capability_packages_arg"