From: "twhitehead at gmail dot com" <>
Subject: [Bug gdb/30113] New: Different namespaces under linux now require extra capabilities even when not strictly needed (regression)
Date: Fri, 10 Feb 2023 23:21:39 +0000

            Bug ID: 30113
           Summary: Different namespaces under linux now require extra
                    capabilities even when not strictly needed
           Product: gdb
           Version: 7.10
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: twhitehead at gmail dot com
  Target Milestone: ---

Created attachment 14675
Patch to fallback to trying direct if unable to enter target's namespace due to
insufficient permissions

I ran into a regression trying to attach to and debug a hung process on one
of the Canadian super computer systems. Newer gdbs kept giving a confusing error
message about operation not permitted when opening the executable and refused
to load the symbol information while older ones worked okay.

[tyson@gra120 ~]$ gdb -p 26848
GNU gdb (Gentoo 9.1 vanilla) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:

For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 26848
[New LWP 26849]
[New LWP 26850]
[New LWP 26852]

warning: "target:/project/6001152/issm5/bin/issm.exe": could not open as an
executable file: Operation not permitted.

warning: `target:/project/6001152/issm5/bin/issm.exe': can't open to read
symbols: Operation not permitted.

warning: Could not load vsyscall page because no executable was specified
0x00002b2741a5d64d in ?? ()

After a lot of digging around and the help of my colleague Bart Oldeman
compiling and trying a lot of different gdb versions, we eventually traced it
down to the introduction of the linux namespace code in 7.10.

This code seems to assume that different namespaces automatically mean there
are containers and that target paths will not be valid outside of their container
namespace. This isn't universally true. In the super computer world, the SLURM
scheduler runs jobs in separate namespaces and cgroups for reasons of
resource control. The target paths are perfectly valid outside of the target,
and sysadmins are not happy about the idea of handing out extra capabilities.

I have done up a short patch and attached it to restore the previous behaviour
of just directly trying to use the target's paths as a fallback if setns fails
due to lacking capabilities. This resolves the issue for us. Possibly a warning
should be issued, so container users know they need to run with elevated
capabilities, but, not being familiar with the gdb code base, I wasn't clear on
how best that would be done.

Thanks!  Tyson
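
The fallback described in the report, sketched as an added example; it is not gdb's code and not the attached patch. The function and enum names are hypothetical, and it reports which route was taken so a caller can warn that a direct open may see a different file when the target really is in a container.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* How the file was reached; the names are hypothetical, for this example. */
enum open_how { OPENED_SAME_NS, OPENED_VIA_SETNS, OPENED_DIRECT_FALLBACK };

/* Read a /proc/<pid>/ns/mnt link, e.g. "mnt:[4026531840]". 0 on success. */
static int read_ns_id(const char *link, char *buf, size_t len)
{
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Open PATH read-only as process PID sees it. Entering another mount
   namespace needs extra capabilities; if the kernel refuses with EPERM,
   fall back to the caller's own view of PATH and report that in *HOW so
   the caller can warn. On setns success the calling process stays in the
   target namespace, so run this in a short-lived child process. */
int open_target_file(pid_t pid, const char *path, enum open_how *how)
{
    char link[64], ours[64], theirs[64];
    snprintf(link, sizeof link, "/proc/%ld/ns/mnt", (long)pid);
    if (read_ns_id("/proc/self/ns/mnt", ours, sizeof ours) == 0
        && read_ns_id(link, theirs, sizeof theirs) == 0
        && strcmp(ours, theirs) == 0) {
        *how = OPENED_SAME_NS;          /* nothing to enter */
        return open(path, O_RDONLY | O_CLOEXEC);
    }
    int nsfd = open(link, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0)
        return -1;                      /* cannot even name the namespace */
    int rc = setns(nsfd, CLONE_NEWNS);
    int err = errno;
    close(nsfd);
    if (rc != 0 && err != EPERM) {
        errno = err;
        return -1;                      /* not a privilege problem: fail */
    }
    *how = rc == 0 ? OPENED_VIA_SETNS : OPENED_DIRECT_FALLBACK;
    return open(path, O_RDONLY | O_CLOEXEC);
}
```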
