Re: Re: Performance issue with systemd-coredump and container process linking 2000 shared libraries.

[Luca Boccassi <bluca@debian.org>]

On Tue, 20 Jun 2023 at 13:07, Mark Wielaard <mark@klomp.org> wrote:
>
> Hi Luca,
>
> On Mon, 2023-06-19 at 21:54 +0100, Luca Boccassi wrote:
> > > > Which does bring up the question why systemd-coredump isn't running
> > > in
> > > > the same mount space as the crashing program. Then it would simply
> > > find
> > > > the files that the crashing program is using.
> > >
> > > On this point that systemd-coredump might not run in the same mount
> > > namespace, don’t blindly believe me. I think I saw this while
> > > reviewing the
> > > systemd code, but it was the first time I looked at it to investigate
> > > this issue,
> > > so may be wrong.
> >
> > This is correct, in case of containers sd-coredump will run on the host
> > and collect from all the guests, so they are going to be in different
> > namespaces. And even when they are not, the original binary might be
> > long gone by the time it has a chance to run.
>
> Since sd-coredump is run on the host it could transition into the mount
> namespace of the process it is capturing the coredump for. This makes
> sense if it is then going to do some path based lookups. Alternatively
> we could look into making the path based lookups look under
> /proc/PID/root/ Since sd-coredump is run as special kernel helper
> through /proc/sys/kernel/core_pattern the original executable is still
> there (it cannot be reaped till sd-coredump has done its thing).

This requires additional privileges that we really don't want to give
to sd-coredump, as it fundamentally processes untrusted inputs. Also
as mentioned there's no guarantee anyway that the original binary will
still be around when the processing happens, it's all asynchronous, so
there would still be common corner cases where that doesn't help.
There were other suggestions in this thread to fix this issue, to me
it seems better to pursue those instead.

Kind regards,
Luca Boccassi