freebsd / pkg

Package management tool for FreeBSD. Help at #pkg on Libera Chat or pkg@FreeBSD.org

410.pkg-audit attempts to audit poudriere jails #1748

Closed dlangille closed 3 years ago

dlangille commented 5 years ago

See https://github.com/freebsd/pkg/pull/1749

If poudriere is running, 410.pkg-audit will audit it. This is not logical.

[dan@r710-01] $ sudo /usr/local/etc/periodic/security/410.pkg-audit 

Checking for packages with security vulnerabilities:
Host system:
Database fetched: Fri Mar 22 16:14:03 UTC 2019

jail: ioc-pg03_int_unixathome_org
Database fetched: Fri Mar 22 04:08:48 UTC 2019

jail: ioc-mqtt01
Database fetched: Fri Mar 22 04:08:49 UTC 2019

jail: ioc-dev-pgeu
Database fetched: Fri Mar 22 04:08:50 UTC 2019
openjpeg-2.3.0_3

Notice that the 'Database fetched' output ceases after the first vulnerable package is located. See #1747 for a fix.

jail: ioc-bacula-sd-02_int_unixathome_org

jail: ioc-pg02_int_unixathome_org

The above is the last 'real' jail.

Now we start in with poudriere jails. I am not sure how to detect a poudriere jail, except perhaps via jls -v, which mentions poudriere:

  2864  120i386-default-master-list-i /usr/local/poudriere/data/.m/120i386-default-master-list-i386/13
        120i386-default-master-list-i ACTIVE
        56

The output continues:

jail: 120i386-default-master-list-i386
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-n

jail: 120i386-default-master-list-i386-job-04
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-04-n

jail: 120i386-default-master-list-i386-job-02
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-11
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-02-n

jail: 120i386-default-master-list-i386-job-11-n

jail: 120i386-default-master-list-i386-job-19
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-19-n

jail: 120i386-default-master-list-i386-job-16
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-07
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-16-n

jail: 120i386-default-master-list-i386-job-07-n

jail: 120i386-default-master-list-i386-job-05
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-06
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-05-n

jail: 120i386-default-master-list-i386-job-06-n

jail: 120i386-default-master-list-i386-job-03
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-15
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-03-n

jail: 120i386-default-master-list-i386-job-20
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-17
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-15-n

jail: 120i386-default-master-list-i386-job-18
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-20-n

jail: 120i386-default-master-list-i386-job-17-n

jail: 120i386-default-master-list-i386-job-22
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-12
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-18-n

jail: 120i386-default-master-list-i386-job-22-n

jail: 120i386-default-master-list-i386-job-01
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-12-n

jail: 120i386-default-master-list-i386-job-23
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-08
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-01-n

jail: 120i386-default-master-list-i386-job-23-n

jail: 120i386-default-master-list-i386-job-08-n

jail: 120i386-default-master-list-i386-job-09
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-14
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-21
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-09-n

jail: 120i386-default-master-list-i386-job-24
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-14-n

jail: 120i386-default-master-list-i386-job-21-n

jail: 120i386-default-master-list-i386-job-24-n

jail: 120i386-default-master-list-i386-job-10
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-10-n

jail: 120i386-default-master-list-i386-job-13
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file

jail: 120i386-default-master-list-i386-job-13-n
[dan@r710-01] $

bapt commented 4 years ago

I disagree with the approach: pkg should not hardcode anything related to poudriere. Another approach should be found which is more generic.

bapt commented 3 years ago

After even more thinking, I don't think it is up to pkg to solve this problem, but up to the administrator to ensure those jails are not taken into account. The right way to do it is via how the pkg_jails variable is built.
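The suggestion above amounts to building pkg_jails yourself instead of relying on its wildcard value. 410.pkg-audit takes its jail list from pkg_jails (through security_status_pkgaudit_jails) in /etc/periodic.conf, and `*` means every jail that jls reports, poudriere build jails included. The script below is an added example, not code from pkg or poudriere: it filters the `jls -q -h name path` listing by jail root path and drops anything mounted under poudriere's build-jail directory. It assumes poudriere keeps its default basefs of /usr/local/poudriere, so build jails live under /usr/local/poudriere/data/.m; override POUDRIERE_MOUNTS if yours differs. The sample jls output embedded in the script is constructed, with names mirroring the ones in the report above, so the script runs on a machine without jls.

```shell
#!/bin/sh
# Added example (not from pkg or poudriere): build a pkg_jails value for
# /etc/periodic.conf that leaves poudriere build jails out of 410.pkg-audit.
# Assumption: poudriere uses its default basefs, so build jails are mounted
# under /usr/local/poudriere/data/.m. Override POUDRIERE_MOUNTS otherwise.
POUDRIERE_MOUNTS="${POUDRIERE_MOUNTS:-/usr/local/poudriere/data/.m}"

# Constructed sample of `jls -q -h name path` output with the header line
# already removed. The iocage paths are made up for the example.
SAMPLE_JLS='ioc-pg03_int_unixathome_org /iocage/jails/ioc-pg03_int_unixathome_org/root
ioc-mqtt01 /iocage/jails/ioc-mqtt01/root
120i386-default-master-list-i386 /usr/local/poudriere/data/.m/120i386-default-master-list-i386/ref
120i386-default-master-list-i386-job-04 /usr/local/poudriere/data/.m/120i386-default-master-list-i386/04
ioc-pg02_int_unixathome_org /iocage/jails/ioc-pg02_int_unixathome_org/root'

# non_poudriere_jails: read "name path" lines on stdin and print, on one
# space-separated line, the names of jails whose root is NOT under
# $POUDRIERE_MOUNTS. Matching on the mount path rather than on the jail
# name avoids hardcoding poudriere's naming scheme.
non_poudriere_jails() {
    names=
    while read -r name path; do
        case "$path" in
            "$POUDRIERE_MOUNTS"/*) ;;        # poudriere build jail: skip it
            *) if [ -n "$name" ]; then       # ignore blank lines
                   names="${names:+$names }$name"
               fi ;;
        esac
    done
    printf '%s\n' "$names"
}

# build_pkg_jails: use the live jail list when jls exists (FreeBSD),
# otherwise fall back to the constructed sample so the script runs anywhere.
build_pkg_jails() {
    if command -v jls >/dev/null 2>&1; then
        jls -q -h name path | sed 1d | non_poudriere_jails
    else
        printf '%s\n' "$SAMPLE_JLS" | non_poudriere_jails
    fi
}

# Usage: emit a periodic.conf line, e.g.
#   pkg_jails="ioc-pg03_int_unixathome_org ioc-mqtt01 ioc-pg02_int_unixathome_org"
# which you would append to /etc/periodic.conf (or regenerate from cron).
if [ "${1:-}" = "--print" ]; then
    printf 'pkg_jails="%s"\n' "$(build_pkg_jails)"
fi
```

Because the filter keys on the jail's root path, it also skips poudriere's `-n` network-variant jails and any reference jails, and it keeps working if poudriere changes its jail naming. The daily audit is then limited to the jails whose installed packages you actually run, which is also why the VuXML fetch errors from the networkless build jails in the report disappear.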

dlangille commented 3 years ago

FYI, since I moved poudriere into its own jail, this issue no longer concerns me. Thank you though, the pkg_jails variable is a good idea.