Hi All,
Here is a bit of an update on some of the system integration tasks I
have been working on.
1. I have created a new utility ulp_buildid (open to suggestions on the
name); this solves the problem of how we choose when we have multiple
choices for which live patch to apply. This utility takes a pid and
libname and returns the NT_GNU_BUILD_ID.
It is a long time since I have written more than a few lines of C at a
time, and back then I was working on a pretty old C compiler, so any
feedback and constructive criticism is more than welcome.
https://github.com/SUSE/libpulp/pull/34
2. I also created a tool called ulp_apply which does a similar role to
the dispatcher lua script; currently it takes a lib name and .ulp file
and applies the patch to all running programs. Now that I have
ulp_buildid I can drop the need for passing in the .ulp file.
    ./ulp-apply "/usr/lib64/libcrypto.so.1.1" \
        "/usr/lib64/openssl-1_1-livepatches/libcrypto_livepatch1.ulp"
A work in progress version can be found here:
https://github.com/simotek/libpulp/blob/tools/tools/ulp_apply
At some point we need to decide whether we move forward with this bash
script or the dispatcher lua script.
3. As a debugging script I created a very simple script ulp_pids which
will give you the pid and executable name of each process with libpulp
loaded.
4. I created an experimental package using multibuild to try and build
live patches in the simplest way possible. Using this approach all you
would need to do is add the respective versions to the _multibuild file.
However, currently it doesn't work as OBS only finds the latest version;
I will chase this up with the OBS team to see if what I'm trying to do
is possible.
Another thing to note here is the use of Supplements: (libopenssl1_1 and
libpulp-tools), which means if you have the repository with this package
enabled it will automatically be installed if openssl and libpulp-tools
are on the system.
It also calls ulp_apply in the %posttrans section with a temporary file
as a guard to ensure that live patches are only applied once per library.
## What's Next ##
Currently ulp_reverse takes a .ulp file as a parameter but the "ulp"
program only provides us with the .so file that has been patched. So I
either need to modify ulp_reverse to take the .so file as a parameter or
modify "ulp" to also list metadata files or do something like
ulp_buildid to get such info.
Another thing I need to decide is whether to add a parameter to ulp_dump
to just return the build_id or whether I just parse the full output in
whichever script we end up using. I will probably also consider doing
something similar for "ulp" just to return the list of live patches, as
that's all my script will need, primarily to assess whether I need to
reverse an existing live patch at the start of the update.
Once this is done we should have a fully functioning system.
Cheers
--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
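The pid-plus-libname lookup that item 1 describes, as an added example that is not part of the mail or of libpulp: resolve the library path from /proc/<pid>/maps, then walk the ELF file's PT_NOTE segments for the NT_GNU_BUILD_ID note. The function names and the sample data are assumptions, and it handles 64-bit little-endian ELF only.

```python
"""ulp_buildid-style lookup (added example, not libpulp code): build-id of a mapped library."""
import struct

NT_GNU_BUILD_ID = 3  # note type from the GNU ABI
PT_NOTE = 4          # program header type that carries ELF notes

def find_mapping(maps_text, libname):
    """Return the first mapped file in /proc/<pid>/maps whose basename contains libname."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [path]
        if len(fields) == 6 and libname in fields[5].rsplit("/", 1)[-1]:
            return fields[5]
    return None

def build_id_from_notes(data):
    """Walk a concatenated ELF note area and return the GNU build-id as hex."""
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3  # name and descriptor are padded to 4 bytes
        desc = data[off:off + descsz]
        off += (descsz + 3) & ~3
        if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
            return desc.hex()
    return None

def build_id_from_elf(elf):
    """Scan every PT_NOTE segment of an ELF image (bytes) for the build-id."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", elf, base)
        p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from("<QQQQ", elf, base + 8)
        if p_type == PT_NOTE:
            found = build_id_from_notes(elf[p_offset:p_offset + p_filesz])
            if found:
                return found
    return None

def ulp_buildid(pid, libname):
    """Equivalent of `ulp_buildid <pid> <libname>` on a live system (hypothetical name)."""
    with open(f"/proc/{pid}/maps") as f:
        path = find_mapping(f.read(), libname)
    if path is None:
        return None
    with open(path, "rb") as f:
        return build_id_from_elf(f.read())
```

Two processes that report different build-ids for the same soname are running different builds of the library, which is exactly the case where a single .ulp file must not be applied blindly.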