Hello all I want to consult regarding this issue

Question

Hello all I want to consult regarding this issue <https github com osquery osquery issues 7298> This is an issue that depends on the environment whether or not SELinux or other security products are present and blocking I was thinking of resolving it without changing compatibility by applying a patch in librpm to dynamically check for getauxval in case we compile without that option which we do for compatibility Is that an acceptable solution to keep the product working without the need to apply special exceptions for it Added code will look roughly like this rpmrc c 964 ifdef HAVE GETAUXVAL rpmat platform = char getauxval AT PLATFORM if rpmat platform rpmat platform = rpmat hwcap = getauxval AT HWCAP else Try dynamically if g getauxval initialized g getauxval func = getauxval t dlsym NULL getauxval if g getauxval func rpmat platform = char getauxval func AT PLATFORM if rpmat platform rpmat platform = rpmat hwcap = getauxval func AT HWCAP else Continue original rpmlib code

seph · Answer

If I understand right this is a build time option So it would require a custom build

seph · Answer

TBH I d be interesting in a bigger conversation about removing centos6 support

Ben Haham Hay · Answer

Yeah on one hand this is a build time option and we do not specify it because we want to support CentOS 6 On the other hand there are advanced system that conflict with that option

Ben Haham Hay · Answer

I do have CentOS RHEL 6 scenarios so I would like to keep supporting these for the time being

seph · Answer

Good to know you have cento6 machines If you can say more <https github com osquery osquery issues 7445> is somewhere to comment I just made that to discuss desupporting centos 6

seph · Answer

Personally I m not opposed to that sort of patch for compile time options But I am a little leery of the longer term support burden As a thought exercise I think it would be most correct to default to supporting the newer platforms with a compile option to fall back But I m not sure what kind of sprawl that would create Or how easily we could test the code paths in CI

Ben Haham Hay · Answer

Yeah I understand Does the CI test on CentOS 6

seph · Answer

I d have to check but I think everything runs on `ubuntu 18 04` should be able to poke around the github workflows

Ben Haham Hay · Answer

I think that long term we would like to introduce that support to librpm Because what we re saying essentially is we want the support a portable instance of the librpm library without needing to rebuild for each scenario WDYT

seph · Answer

Is there a way to do that at runtime not compile time Generally though I d defer this to Stefano or Alessandro and see what they think I m sure they ll chime in eventually

Ben Haham Hay · Answer

Yeah the runtime way is the code snippet I provided We just check for the symbol in runtime and use it if it exists

Ben Haham Hay · Answer

Sure I ll wait for them to chime in

seph · Answer

The one that feels like a bigger issue is the `iptables` one As I understand it centos6 is keeping us from supporting the newer nftables

Ben Haham Hay · Answer

Let me try to dig into that I have some experience with iptables

seph · Answer

The issue is linked slightly smiling face

Stefano Bonicatti · Answer

What seph is said is correct in terms of why dropping CentOS 6 but I would also add that it s definitely a big maintenance burden on the third party library side when we have to generate their configuration and on the toolchain side which has to support back to that version which currently does but it s a bit dodgy and incorrect since we are using the wrong kernel headers versions Fixing those it then causes issue where we can t easily use newer distributions and features I think last time we sort of agreed that we wanted to have 1 year of intentional support after a distribution has gone fully EOL CentOS 6 is really old