[Bug 1051035] New: zypper up leaves gpg-agent running
http://bugzilla.suse.com/show_bug.cgi?id=1051035

            Bug ID: 1051035
           Summary: zypper up leaves gpg-agent running
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: All
                OS: SUSE Other
            Status: NEW
          Severity: Minor
          Priority: P5 - None
         Component: Maintenance
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: Ralf.Friedl@online.de
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

OS is Tumbleweed.
Each run of "zypper up" leaves one or two processes of gpg-agent running.
Example 1 is when nothing is changed in the repositories, it leaves one gpg-agent process running in .../zypp-trusted.
Example 2 forces a download of repo-update, this leaves two gpg-agent processes running, one in .../zypp-trusted and one in .../zypp-general.
The directories under /var/tmp/zypp. are deleted after zypper exits.

From the gpg-agent manual page, the option --daemon is supposed to keep the program running, --use-standard-socket has no effect.
The right option seems to be --server so that gpg-agent accepts commands on stdin but exits as soon as stdin closes.

Also, why is gpg-agent started at all? It is started with a temporary directory as --homedir, and then queries for the existence of keys within this newly created directory.

Example 1:
# killall gpg-agent
# ps l -C gpg-agent
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
# strace -s200 -feexecve zypper up
execve("/usr/bin/zypper", ["zypper", "up"], 0x7ffcbf82e648 /* 59 vars */) = 0
[pid 30952] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--import", "--homedir", "/var/tmp/zypp.aU8FU1/zypp-trusted-krZsV9rZ", "--no-default-keyring", "--quiet", "--no-tty", "--no-greeting", "--no-permission-warning", "--status-fd", "1", "/var/tmp/zypp.aU8FU1/TmpFile.Uo0CEU"], 0x7f896ae64950 /* 62 vars */) = 0
[pid 30954] execve("/usr/bin/gpg-agent", ["gpg-agent", "--homedir", "/var/tmp/zypp.aU8FU1/zypp-trusted-krZsV9rZ", "--use-standard-socket", "--daemon"], 0x7ffe75b26b90 /* 62 vars */) = 0
Loading repository data...
Reading installed packages...
Nothing to do.
<---- here strace waits for gpg-agent to exit, killall gpg-agent from another terminal is necessary
--- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=30959, si_uid=0} ---
+++ exited with 0 +++

Example 2:
# killall gpg-agent
# ps l -C gpg-agent
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
# rm -r /var/cache/zypp/raw/repo-update/repodata
# strace -s200 -feexecve zypper up
execve("/usr/bin/zypper", ["zypper", "up"], 0x7ffd98d67d48 /* 59 vars */) = 0
[pid 30968] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--import", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-trusted-kr3Ntfzf", "--no-default-keyring", "--quiet", "--no-tty", "--no-greeting", "--no-permission-warning", "--status-fd", "1", "/var/tmp/zypp.ajNXqC/TmpFile.DV3RZv"], 0x7f928f72f950 /* 62 vars */) = 0
[pid 30970] execve("/usr/bin/gpg-agent", ["gpg-agent", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-trusted-kr3Ntfzf", "--use-standard-socket", "--daemon"], 0x7fff7bbcf4d0 /* 62 vars */) = 0
[pid 30976] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "-v", "--no-default-keyring", "--fixed-list-mode", "--with-fingerprint", "--with-colons", "--homedir", "/var/tmp/zypp.ajNXqC/PublicKey", "--quiet", "--no-tty", "--no-greeting", "--batch", "--status-fd", "1", "/var/tmp/TmpFile.Nw0oTp"], 0x7f928f72f950 /* 62 vars */) = 0
[pid 30977] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--import", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-general-krpJJyHS", "--no-default-keyring", "--quiet", "--no-tty", "--no-greeting", "--no-permission-warning", "--status-fd", "1", "/var/tmp/TmpFile.Nw0oTp"], 0x7f928f72f950 /* 62 vars */) = 0
[pid 30979] execve("/usr/bin/gpg-agent", ["gpg-agent", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-general-krpJJyHS", "--use-standard-socket", "--daemon"], 0x7ffcbd2c79a0 /* 62 vars */) = 0
[pid 30982] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--homedir", "/var/tmp/zypp.ajNXqC/fake-keyringrJDqo5", "--no-default-keyring", "--quiet", "--no-tty", "--no-greeting", "--batch", "--status-fd", "1", "/var/cache/zypp/raw/repo-updateMgLSnY/repodata/repomd.xml.asc"], 0x7f928f72f950 /* 62 vars */) = 0
[pid 30983] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--list-public-keys", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-trusted-kr3Ntfzf", "--no-default-keyring", "--quiet", "--with-colons", "--fixed-list-mode", "--with-fingerprint", "--with-sig-list", "--no-tty", "--no-greeting", "--batch", "--status-fd", "1"], 0x7f928f72f950 /* 62 vars */) = 0
[pid 30984] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--list-public-keys", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-general-krpJJyHS", "--no-default-keyring", "--quiet", "--with-colons", "--fixed-list-mode", "--with-fingerprint", "--with-sig-list", "--no-tty", "--no-greeting", "--batch", "--status-fd", "1"], 0x7f928f72f950 /* 62 vars */) = 0
[pid 30985] execve("/usr/bin/gpg2", ["/usr/bin/gpg2", "--verify", "--homedir", "/var/tmp/zypp.ajNXqC/zypp-trusted-kr3Ntfzf", "--no-default-keyring", "--quiet", "--no-tty", "--batch", "--no-greeting", "--status-fd", "1", "/var/cache/zypp/raw/repo-updateMgLSnY/repodata/repomd.xml.asc", "/var/cache/zypp/raw/repo-updateMgLSnY/repodata/repomd.xml"], 0x7f928f72f950 /* 62 vars */) = 0
Retrieving repository 'repo-update' metadata -----------------------------[done]
Nothing to do.
<---- here strace waits for gpg-agent to exit, killall gpg-agent from another terminal is necessary
[pid 30980] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=31129, si_uid=0} ---
[pid 30971] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=31129, si_uid=0} ---

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1051035#c3

Ralf Friedl <Ralf.Friedl@online.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(Ralf.Friedl@onlin |
                   |e.de)                       |

--- Comment #3 from Ralf Friedl <Ralf.Friedl@online.de> ---
(In reply to Michael Andres from comment #2)
> @Ralf Please confirm that your agents do not vanish, even after a couple of
> minutes. In this case we should pass the bug to the gpg maintainer.

I only started to investigate because I noticed around 50 gpg-agent processes shown with "zypper ps -s" after updating. At first I thought strange, but they may be needed, then I noticed the arguments with the temporary directories indicating zypper, so I killed them.

But I have a machine where I didn't kill them. It seems the oldest processes are from May, which should qualify for more than a few minutes. Note that I don't use gpg-agent, which is why I have no problem using killall gpg-agent. Maybe gpg doesn't start a new agent if it finds one running, although that would also be wrong according to your comment #1 it is separate from the user keyring.

# for i in $(pidof gpg-agent); do echo /proc/$i; done | xargs ls -lrtd
dr-xr-xr-x 9 root root 0 May 20 15:17 /proc/6906
dr-xr-xr-x 9 root root 0 May 20 15:30 /proc/7747
dr-xr-xr-x 9 root root 0 May 20 18:05 /proc/11915
dr-xr-xr-x 9 root root 0 May 22 14:30 /proc/6563
dr-xr-xr-x 9 root root 0 May 22 14:30 /proc/6549
dr-xr-xr-x 9 root root 0 May 22 15:30 /proc/8254
dr-xr-xr-x 9 root root 0 May 30 15:30 /proc/8551
dr-xr-xr-x 9 root root 0 May 30 15:30 /proc/8538
dr-xr-xr-x 9 root root 0 May 30 23:33 /proc/28076
dr-xr-xr-x 9 root root 0 May 30 23:33 /proc/28095
dr-xr-xr-x 9 root root 0 Jun 21 19:26 /proc/23659
dr-xr-xr-x 9 root root 0 Jun 21 19:26 /proc/23667
dr-xr-xr-x 9 root root 0 Jun 23 18:57 /proc/23922
dr-xr-xr-x 9 root root 0 Jun 23 18:57 /proc/23932
dr-xr-xr-x 9 root root 0 Jun 23 18:58 /proc/24065
dr-xr-xr-x 9 root root 0 Jul 11 14:55 /proc/2336
dr-xr-xr-x 9 root root 0 Jul 11 14:55 /proc/2344
dr-xr-xr-x 9 root root 0 Jul 11 14:56 /proc/2554
dr-xr-xr-x 9 root root 0 Jul 11 15:13 /proc/10997
dr-xr-xr-x 9 root root 0 Jul 11 15:13 /proc/11044
dr-xr-xr-x 9 root root 0 Jul 11 15:14 /proc/11174
dr-xr-xr-x 9 root root 0 Jul 17 10:39 /proc/15588
dr-xr-xr-x 9 root root 0 Jul 17 10:39 /proc/15596
dr-xr-xr-x 9 root root 0 Jul 17 10:40 /proc/15919
dr-xr-xr-x 9 root root 0 Jul 17 10:42 /proc/16122
dr-xr-xr-x 9 root root 0 Jul 18 11:58 /proc/8693

You are correct that gpg-agent is started by gpg, so the maintainer should know that the documentation says that --use-standard-socket has no effect.
Actually, gpg-agent says the same:
write(2, "gpg-agent[20560]: WARNING: \"--use-standard-socket", 49) = 49
write(2, "\" is an obsolete option - it has no effect\n", 43) = 43

gpg only launches gpg-agent after it has read the key from the command line, and the key is not imported into the agent. Then about once a minute the agent forks a process that connects to the agent, does "GETINFO pid" and "BYE".

http://bugzilla.suse.com/show_bug.cgi?id=1051035#c4

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pmonrealgonzalez@suse.com

--- Comment #4 from Andreas Stieger <astieger@suse.com> ---
From conversation with ma@...

So it seems like it starts an agent for every temp dir. GnuPG 2.1 started requiring gpg-agent as it moved many PK operations there, and running it always.

We could try to invoke gpg2 with --no-autostart, available from 2.1.1:

  gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or dirmngr.

There is no gpg option switching in zypper/libzypp just now.

http://bugzilla.suse.com/show_bug.cgi?id=1051035#c5

--- Comment #5 from Michael Andres <ma@suse.com> ---
- GnuPG 2.1.22:
  ...
  * agent,dirmngr: Initiate shutdown on removal of the GnuPG home directory.

The above fix in gpg2-2.1.22 should IMO also fix this issue.

http://bugzilla.suse.com/show_bug.cgi?id=1051035#c6

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|zypp-maintainers@forge.prov |astieger@suse.com
                   |o.novell.com                |
              Flags|                            |needinfo?(Ralf.Friedl@onlin
                   |                            |e.de)

--- Comment #6 from Andreas Stieger <astieger@suse.com> ---
Ralf, please verify if this is fixed with gpg2 2.1.22.

http://bugzilla.suse.com/show_bug.cgi?id=1051035#c7

--- Comment #7 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
I have just tested in TW with gpg2 2.1.22 and an earlier version and I can confirm it is now fixed.

http://bugzilla.suse.com/show_bug.cgi?id=1051035#c8

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
              Flags|needinfo?(Ralf.Friedl@onlin |
                   |e.de)                       |

--- Comment #8 from Andreas Stieger <astieger@suse.com> ---
ok thanks
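
A check for the leftover agents described in this thread, as an added example that is not part of the bug report or of zypper/GnuPG code: it lists gpg-agent processes whose --homedir no longer exists. The function names and the constructed SAMPLE list (modelled on the argv shown in the strace output of the report) are assumptions.

```python
import os
from pathlib import Path

def agent_homedir(argv):
    """Return the --homedir of a gpg-agent argv; None if not gpg-agent or no --homedir."""
    if not argv or os.path.basename(argv[0]) != "gpg-agent":
        return None
    for i, arg in enumerate(argv):
        if arg == "--homedir" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--homedir="):
            return arg.split("=", 1)[1]
    return None

def read_proc(proc_root="/proc"):
    """Yield (pid, argv) for every process whose cmdline is readable under proc_root."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()  # NUL-separated argv
        except OSError:
            continue  # process exited meanwhile, or access denied
        yield int(entry.name), [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def stale_agents(processes, exists=os.path.isdir):
    """Return sorted (pid, homedir) pairs for gpg-agents whose home directory is gone."""
    stale = []
    for pid, argv in processes:
        home = agent_homedir(argv)
        if home is not None and not exists(home):
            stale.append((pid, home))
    return sorted(stale)

# Constructed sample: one agent on a deleted zypp temp dir, one on a user
# keyring, and one gpg2 call that is not an agent at all.
SAMPLE = [
    (30954, ["gpg-agent", "--homedir", "/var/tmp/zypp.aU8FU1/zypp-trusted-krZsV9rZ",
             "--use-standard-socket", "--daemon"]),
    (1200, ["/usr/bin/gpg-agent", "--homedir=/home/user/.gnupg", "--daemon"]),
    (1300, ["/usr/bin/gpg2", "--verify", "--homedir", "/var/tmp/zypp.x/zypp-trusted-y"]),
]

if __name__ == "__main__":
    for pid, home in stale_agents(read_proc()):
        print(f"{pid}\t{home}")
```

Run as root to see agents of all users; a non-empty result on a system with gpg2 2.1.22 or later would mean the shutdown-on-homedir-removal behaviour quoted in comment #5 is not taking effect.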