gramineproject / gramine

A library OS for Linux multi-process applications, with Intel SGX support
GNU Lesser General Public License v3.0

GSC build with latest master fails on `/etc/resolv.conf` mountpoint when `sys.enable_extra_runtime_domain_names_conf = true` #2014

Open anjalirai-intel opened 6 days ago

anjalirai-intel commented 6 days ago

Description of the problem

The commit aef087f moved the handling of allowed and trusted files into the LibOS layer. This change introduced a bug related to the handling of the `/etc/resolv.conf` file when the `sys.enable_extra_runtime_domain_names_conf` option is set to true.

Details: When `sys.enable_extra_runtime_domain_names_conf` is set to true, Gramine generates `/etc/resolv.conf` from scratch, ignoring whether the file was marked as allowed or trusted. If the file is marked as allowed, it is found on the host but ignored and replaced with a generated version. If the file is marked as trusted and its hash does not match the one specified in the manifest, Gramine's lookup logic detects the mismatch and fails on startup.

For more details, refer to https://github.com/gramineproject/gramine/pull/2012

Steps to reproduce

Build a GSC workload with the latest Gramine after adding `sys.enable_extra_runtime_domain_names_conf = true` to the manifest file.

Expected results

Workload should be running successfully

Actual results

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Gramine is starting. Parsing TOML manifest file, this may take some time...
[P1:T1:] error: Looking up mountpoint /etc/resolv.conf failed: Operation not permitted (EPERM)
[P1:T1:] error: libos_init() failed in init_mount: Operation not permitted (EPERM)
```

Gramine commit hash

aef087f

mkow commented 5 days ago

Why did you create an issue if we already have a PR which fixes that? (which you even mentioned?)

anjalirai-intel commented 5 days ago

> Why did you create an issue if we already have a PR which fixes that? (which you even mentioned?)

There were some customers who encountered this issue a couple of days ago and looked into the GitHub issues but could not find any details. Since the PR has not yet been merged, it was decided, based on internal discussions, to raise it as an issue. This way, if anyone else faces this problem, they can find the details and try the proposed fix.