On Freitag, 8. Juni 2018, 15:31:59 CEST wrote Keil, Karsten:
Hi,
begin of this week I updated our private instance of OBS from 2.8.4 to 2.9.2. First tests did not show any issues, builds were running just fine. But after adding a new worker (no package cache !) we get build errors, in the build log we see that getbinaries did fail for the basic system packages (but the files are available and the packages do not have any unresolved state. In the repo server log I see the GET /getbinaries request and then a POST with failed status, nothing more. With Wireshark I saw that the answer for the /getbinaries request do contain info with "file is a symlink". Our base OS repositories are created from loop mounted Product DVDs or a local SMT copy, all packages are sym linked to the :full/ directory of the project, since we are in a fully isolated network. This setup did work without any issues for some years until now and I know some other private installations which use a similar bootstrapping method for the basic repositories.
Digging a little bit deeper in the repo server backend code, I found that some special handling for symlinks was introduced In the BSHTTP::cpio_sender function and that the function has some support do follow symlinks, but this was not enabled in the calling function BSServer::reply_cpio, adding 'follow' => 1 as parameter to the call of BSHTTP::cpio_sender seems to fix this problem for me.
Questions: Is this valid as fix for now ? Is this a bug or is here some reason to forbid following symlinks ?
This is considered to be a security feature from our side. We could make it configurable though. This kind of setup is not really 100% supported atm, is there any reason why you don't just use DoD functionality? -- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org