siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Talos leaks file descriptors to child processes #9412

Open smira opened 1 week ago

smira commented 1 week ago

tl;dr is missing O_CLOEXEC in some libraries we're using

### Tasks
- [ ] https://github.com/insomniacslk/dhcp/pull/550
- [ ] https://github.com/safchain/ethtool/pull/88
- [ ] https://github.com/vishvananda/netlink/pull/1023

dsseng commented 1 week ago

Should we maybe consider adding a rule to golangci-lint to check for syscalls without cloexec to avoid problematic code being merged later?

smira commented 1 week ago

> Should we maybe consider adding a rule to golangci-lint to check for syscalls without cloexec to avoid problematic code being merged later?

I would rather prefer a test, but I'm not sure how to put #9414 into a useful thing, as we need to fork directly from machined to verify this. System extensions don't work, and I don't want to put a test binary into any Talos build. I could use some debug feature as well to enable this test controller.

dsseng commented 1 week ago

Will take a look a bit later; maybe I have some ideas about this.

smira commented 1 week ago

Update: the problem itself is fixed, but the issue is left open to track upstream PRs.
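
The leak discussed in this thread comes down to descriptors opened without the close-on-exec flag, which Go's `os/exec` then passes on to every child. The following is an added example, not code from the thread or from Talos: an in-process audit that lists descriptors a child would inherit. It assumes Linux with `/proc` mounted; the names `inheritableFDs` and `LeakyFD` are hypothetical, and the demo uses constructed `AF_UNIX` sockets rather than the netlink or DHCP sockets the linked PRs touch.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"syscall"
)

// LeakyFD is a descriptor that would survive execve() in a child process.
type LeakyFD struct {
	FD     int
	Target string // what /proc/self/fd/N points at, e.g. "socket:[12345]"
}

// inheritableFDs returns open descriptors above stderr that lack FD_CLOEXEC.
func inheritableFDs() ([]LeakyFD, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	var leaky []LeakyFD
	for _, e := range entries {
		fd, err := strconv.Atoi(e.Name())
		if err != nil || fd <= 2 {
			continue // 0-2 are meant to be inherited
		}
		flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
		if errno != 0 {
			continue // already closed, e.g. the handle ReadDir used
		}
		if flags&syscall.FD_CLOEXEC == 0 {
			target, _ := os.Readlink("/proc/self/fd/" + e.Name())
			leaky = append(leaky, LeakyFD{FD: fd, Target: target})
		}
	}
	return leaky, nil
}

func main() {
	// Constructed demo: the first socket omits SOCK_CLOEXEC, the second sets it.
	bad, _ := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_DGRAM, 0)
	good, _ := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_DGRAM|syscall.SOCK_CLOEXEC, 0)
	leaky, err := inheritableFDs()
	fmt.Printf("bad=%d good=%d err=%v\n", bad, good, err)
	for _, l := range leaky {
		fmt.Printf("fd %d (%s) lacks FD_CLOEXEC\n", l.FD, l.Target)
	}
}
```

This only inspects the calling process; it does not address the constraint raised above that a real check has to fork directly from machined.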