Channels
#general
Title
# general
b
Ben Haham Hay
01/13/2022, 10:25 AMHello all!
I want to consult regarding this issue: https://github.com/osquery/osquery/issues/7298
This is an issue that depends on the environment (whether or not SELinux or other security products are present and blocking)
I was thinking of resolving it without changing compatibility by applying a patch in librpm to dynamically check for getauxval in case we compile without that option (which we do for compatibility)
Is that an acceptable solution to keep the product working without the need to apply special exceptions for it?
Added code will look roughly like this:
rpmrc.c964
#ifdef HAVE_GETAUXVAL
rpmat.platform = (char *) getauxval(AT_PLATFORM);
if (!rpmat.platform)
rpmat.platform = "";
rpmat.hwcap = getauxval(AT_HWCAP);
#else
// Try dynamically
if (!g_getauxval_initialized)
{
g_getauxval_func = (getauxval_t)dlsym(NULL, "getauxval");
}
if (g_getauxval_func)
{
rpmat.platform = (char *) getauxval_func(AT_PLATFORM);
if (!rpmat.platform)
rpmat.platform = "";
rpmat.hwcap = getauxval_func(AT_HWCAP);
}
else
{
// Continue original rpmlib code
}
s
seph
01/13/2022, 2:12 PM
If I understand right, this is a build time option? So it would require a custom build?
TBH I'd be interesting in a bigger conversation about removing centos6 support.
b
Ben Haham Hay
01/13/2022, 2:18 PMYeah on one hand this is a build time option and we do not specify it because we want to support CentOS 6. On the other hand there are advanced system that conflict with that option.
I do have CentOS/RHEL 6 scenarios, so I would like to keep supporting these for the time being
s
seph
01/13/2022, 2:22 PM
Good to know you have cento6 machines. If you can say more, https://github.com/osquery/osquery/issues/7445 is somewhere to comment (I just made that to discuss desupporting centos 6)
Personally, I'm not opposed to that sort of patch for compile time options. But I am a little leery of the longer term support burden.
As a thought exercise, I think it would be most correct to default to supporting the newer platforms, with a compile option to fall back.
But I'm not sure what kind of sprawl that would create. Or how easily we could test the code paths in CI.
b
Ben Haham Hay
01/13/2022, 2:25 PMYeah, I understand. Does the CI test on CentOS 6?
s
seph
01/13/2022, 2:27 PM
I'd have to check, but I think everything runs on
ubuntu-18.04b
Ben Haham Hay
01/13/2022, 2:27 PMI think that long-term, we would like to introduce that support to librpm. Because what we're saying essentially is we want the support a portable instance of the librpm library, without needing to rebuild for each scenario.
WDYT?
s
seph
01/13/2022, 2:28 PM
Is there a way to do that at runtime, not compile time? Generally though, I'd defer this to Stefano or Alessandro and see what they think. I'm sure they'll chime in eventually,
b
Ben Haham Hay
01/13/2022, 2:28 PMYeah, the runtime way is the code snippet I provided. We just check for the symbol in runtime and use it if it exists
Sure, I'll wait for them to chime in
s
seph
01/13/2022, 2:29 PM
The one that feels like a bigger issue, is the
iptablesb
Ben Haham Hay
01/13/2022, 2:29 PMLet me try to dig into that, I have some experience with iptables
s
seph
01/13/2022, 2:30 PM
The issue is linked. 🙂
s
Stefano Bonicatti
01/13/2022, 4:28 PMWhat seph is said is correct in terms of why dropping CentOS 6, but I would also add that it’s definitely a big maintenance burden, on the third party library side, when we have to generate their configuration, and on the toolchain side which has to support back to that version, which currently does but it’s a bit dodgy and incorrect, since we are using the wrong kernel headers versions.
Fixing those, it then causes issue where we can’t easily use newer distributions and features.
I think last time we sort of agreed that we wanted to have 1 year of intentional support after a distribution has gone fully EOL.
CentOS 6 is really old.
7 Views