Rebar ./bin/sp restart report {'cannot load',asn1rt_nif,get_files} and can not start - linux

Environment
Mac OS X 10.10.5
Erlang/OTP: 17.5
rebar 2.6.0 17 20150818_094957 git 2.6.0-16-g3239e74-dirty
It is an example application from the book Programming Erlang. I have pushed it to GitHub.
Steps to reproduce the error
build
```
$ git clone https://github.com/mingchaoyan/sellaprime.git
...
$ cd sellaprime
$ rebar prepare-deps
...
$ rebar compile
...
```
release
```
$ mkdir rel
$ cd rel
$ rebar create-node nodeid=sp
...
```
edit reltool.config as follows
```
%% -*- mode: erlang -*-
%% ex: ft=erlang
{sys, [
{lib_dirs, []},
{erts, [{mod_cond, derived}, {app_file, strip}]},
{app_file, strip},
{rel, "sp", "1.0.0",
[
kernel,
stdlib,
sasl,
goldrush,
lager,
sp
]},
{rel, "start_clean", "",
[
kernel,
stdlib
]},
{boot_rel, "sp"},
{profile, embedded},
{incl_cond, derived},
{excl_archive_filters, [".*"]}, %% Do not archive built libs
{excl_sys_filters, ["^bin/(?!start_clean.boot)",
"^erts.*/bin/(dialyzer|typer)",
"^erts.*/(doc|info|include|lib|man|src)"]},
{excl_app_filters, ["\.gitignore"]},
{app, goldrush, [{mod_cond, app}, {incl_cond, include}, {lib_dir, "../deps/goldrush"}]},
{app, lager, [{mod_cond, app}, {incl_cond, include}, {lib_dir, "../deps/lager"}]},
{app, sp, [{mod_cond, app}, {incl_cond, include}, {lib_dir, ".."}]}
]}.
{target_dir, "sp"}.
{overlay, [
{mkdir, "log/sasl"},
{copy, "files/erl", "\{\{erts_vsn\}\}/bin/erl"},
{copy, "files/nodetool", "releases/\{\{rel_vsn\}\}/nodetool"},
{copy, "sp/bin/start_clean.boot",
"\{\{erts_vsn\}\}/bin/start_clean.boot"},
{copy, "files/sp", "bin/sp"},
{copy, "files/sp.cmd", "bin/sp.cmd"},
{copy, "files/start_erl.cmd", "bin/start_erl.cmd"},
{copy, "files/sys.config", "releases/\{\{rel_vsn\}\}/sys.config"},
{copy, "files/vm.args", "releases/\{\{rel_vsn\}\}/vm.args"}
]}.
```
then
```
$ rebar generate
...
```
start
```
$ cd sp
$ ./bin/sp start
$ ./bin/sp getpid
...
$ ./bin/sp attach
```
start another Erlang shell
```
erl -name 'other@127.0.0.1' -noinput -noshell -eval "rpc:call('sp@127.0.0.1', init, restart, [])" -setcookie sp
```
then the first Erlang shell will report
```
(sp@127.0.0.1)1> {"init terminating in do_boot",{'cannot load',asn1rt_nif,get_files}}
```
How did this happen?
And why is asn1rt released? I didn't actually configure it in reltool.config.
Thank you!

You can find an answer in this old rebar issue: you need to prevent the boot script from loading the crypto module. To do this, edit the sp/bin/sp script and remove -mode embedded from the CMD variable setting, changing this:
```
CMD="$BINDIR/erlexec $SLIM_ARGS -boot $RUNNER_BASE_DIR/releases/$APP_VSN/$BOOTFILE -mode embedded -config $CONFIG_PATH -args_file $VMARGS_PATH"
```
to this:
```
CMD="$BINDIR/erlexec $SLIM_ARGS -boot $RUNNER_BASE_DIR/releases/$APP_VSN/$BOOTFILE -config $CONFIG_PATH -args_file $VMARGS_PATH"
```

Nodejs node binary core dumped (Illegal Instruction)

I am working in a BitBake environment. I am using nodejs ver 10.15.3
dest cpu == ppc64 linux
My problem is that the node binary core dumps and I am not able to identify the root cause. I am trying to compile nodejs for dest cpu (ppc64).
I am not sure, but I guess there are runtime requirements which are not satisfied on the target machine.
Below is my recipe:
```
DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
HOMEPAGE = "http://nodejs.org"
LICENSE = "MIT & BSD & Artistic-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=9ceeba79eb2ea1067b7b3ed16fff8bab"
DEPENDS = "openssl zlib icu"
DEPENDS_append_class-target = " nodejs-native"
inherit pkgconfig
COMPATIBLE_MACHINE_armv4 = "(!.*armv4).*"
COMPATIBLE_MACHINE_armv5 = "(!.*armv5).*"
COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
           file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
           file://0003-Crypto-reduce-memory-usage-of-SignFinal.patch \
           file://0004-Make-compatibility-with-gcc-4.8.patch \
           file://0005-Link-atomic-library.patch \
           file://0006-Use-target-ldflags.patch \
           "
SRC_URI_append_class-target = " \
           file://0002-Using-native-torque.patch \
           "
SRC_URI[md5sum] = "d76210a6ae1ea73d10254947684836fb"
SRC_URI[sha256sum] = "4e22d926f054150002055474e452ed6cbb85860aa7dc5422213a2002ed9791d5"
S = "${WORKDIR}/node-v${PV}"
# v8 errors out if you have set CCACHE
CCACHE = ""
def map_nodejs_arch(a, d):
    import re
    if re.match('i.86$', a): return 'ia32'
    elif re.match('x86_64$', a): return 'x64'
    elif re.match('aarch64$', a): return 'arm64'
    elif re.match('(powerpc64|ppc64le)$', a): return 'ppc64'
    elif re.match('powerpc$', a): return 'ppc'
    return a
ARCHFLAGS_arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \
                 ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \
                    bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \
                    bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \
                    '--with-arm-fpu=vfp', d), d), d)}"
GYP_DEFINES_append_mipsel = " mips_arch_variant='r1' "
ARCHFLAGS ?= ""
# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi
do_configure () {
    rm -rf ${S}/deps/openssl
    export LD="${CXX}"
    GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES
    # $TARGET_ARCH settings don't match --dest-cpu settings
    ./configure --prefix=${prefix} --with-intl=system-icu --without-snapshot --shared-openssl --shared-zlib \
                --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \
                --dest-os=linux \
                ${ARCHFLAGS}
}
do_compile () {
    export LD="${CXX}"
    oe_runmake BUILDTYPE=Release
}
do_install () {
    oe_runmake install DESTDIR=${D}
}
do_install_append_class-native() {
    # use node from PATH instead of absolute path to sysroot
    # node-v0.10.25/tools/install.py is using:
    # shebang = os.path.join(node_prefix, 'bin/node')
    # update_shebang(link_path, shebang)
    # and node_prefix can be very long path to bindir in native sysroot and
    # when it exceeds 128 character shebang limit it's stripped to incorrect path
    # and npm fails to execute like in this case with 133 characters show in log.do_install:
    # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node
    # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js
    # use sed on npm-cli.js because otherwise symlink is replaced with normal file and
    # npm-cli.js continues to use old shebang
    sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
    # Install the native torque to provide it within sysroot for the target compilation
    install -d ${D}${bindir}
    install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque
}
do_install_append_class-target() {
    sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
}
PACKAGES =+ "${PN}-npm"
FILES_${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx"
RDEPENDS_${PN}-npm = "bash python-shell python-datetime python-subprocess python-textutils \
                      python-compiler python-misc python-multiprocessing"
PACKAGES =+ "${PN}-systemtap"
FILES_${PN}-systemtap = "${datadir}/systemtap"
BBCLASSEXTEND = "native"
```
I am able to apply gdb to the node binary; below is the snapshot. It core dumps at this point.
```
Thread 1 "node" hit Breakpoint 10, v8::internal::Runtime_PromiseHookInit (args_length=2, args_object=0x3fffffffd188, isolate=0x11284ab0)
at /usr/src/debug/nodejs/8.17.0-r0/node-v8.17.0/deps/v8/src/runtime/runtime-promise.cc:132
132 /usr/src/debug/nodejs/8.17.0-r0/node-v8.17.0/deps/v8/src/runtime/runtime-promise.cc: No such file or directory.
(gdb) bt
#0 v8::internal::Runtime_PromiseHookInit (args_length=2, args_object=0x3fffffffd188, isolate=0x11284ab0) at /usr/src/debug/nodejs/8.17.0-r0/node-v8.17.0/deps/v8/src/runtime/runtime-promise.cc:132
#1 0x000003c7b3f04134 in ?? ()
(gdb) c
Continuing.
```

Nodejs is not supported on PPC64 LE architecture. There is only support for the Big Endian platform on PPC architecture till 7.9 Version.

Podman (libpod) fails to run while mounting shm with SELinux context

I am currently trying out Podman on Gentoo Linux:
```
# grep -i selinux /usr/src/linux-4.19.82-gentoo/.config
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
# getenforce
Permissive
```
Unfortunately, it fails while trying to mount shm with SELinux context. I tried it with VFS and fuse-overlayfs:
```
$ podman --log-level=debug run -it --rm localhost/ubuntu:latest /bin/bash
...
DEBU[0000] ExitCode msg: "failed to mount shm tmpfs \"/home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm\": invalid argument"
ERRO[0000] failed to mount shm tmpfs "/home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm": invalid argument
```
I patched my Podman for debugging:
gentoo ~/libpod-1.6.3 # git diff | tee /etc/portage/patches/app-emulation/libpod/00.patch
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 471648b..a2c001a 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
## -43,6 +43,11 ## import (
func (c *Container) mountSHM(shmOptions string) error {
if err := unix.Mount("shm", c.config.ShmDir, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
label.FormatMountLabel(shmOptions, c.config.MountLabel)); err != nil {
+ logrus.Debugf("AAAAA %s", c.config.ShmDir)
+ logrus.Debugf("BBBBB %s", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV)
+ logrus.Debugf("CCCCC %s", shmOptions)
+ logrus.Debugf("DDDDD %s", c.config.MountLabel)
+ logrus.Debugf("EEEEE %s", label.FormatMountLabel(shmOptions, c.config.MountLabel))
return errors.Wrapf(err, "failed to mount shm tmpfs %q", c.config.ShmDir)
}
return nil
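Review bot: the `BBBBB` line formats the mount flags with `%s`, but `unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV` is an integer, so it should use `%d` or `%#x`. The five added calls also carry throwaway `AAAAA`..`EEEEE` prefixes; one `logrus.Debugf` with named fields (dir, flags, options, label) would read better in the debug log. `label.FormatMountLabel(shmOptions, c.config.MountLabel)` is now evaluated twice, once for `unix.Mount` and once for logging, so compute it into a local before the mount call and reuse it in both places.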
And, got this output:
```
$ podman --log-level=debug run -it --rm localhost/ubuntu:latest /bin/bash
...
DEBU[0000] AAAAA /home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm
DEBU[0000] BBBBB %!s(int=14)
DEBU[0000] CCCCC mode=1777,size=65536000
DEBU[0000] DDDDD system_u:object_r:svirt_lxc_file_t
DEBU[0000] EEEEE mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t"
...
```
Mounting shm without the context option worked:
```
# mount -t tmpfs -o mode=1777,size=65536000 shm /mnt/
# mount | grep shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel)
shm on /mnt type tmpfs (rw,relatime,seclabel,size=64000k)
```
But, it fails with the context option:
```
# mount -t tmpfs -o mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t" shm /mnt/
mount: /mnt: wrong fs type, bad option, bad superblock on shm, missing codepage or helper program, or other error.
```
And, running Podman without SELinux works.
Some info on the machine:
vagrant@gentoo ~ $ eix -I libpod
[I] app-emulation/libpod
Available versions: (~)1.6.3^t {apparmor btrfs ostree +rootless selinux}
Installed versions: 1.6.3^t(07:51:44 AM 11/18/2019)(rootless selinux -apparmor -btrfs -ostree)
Homepage: https://github.com/containers/libpod/
Description: Library and podman tool for running OCI-based containers in Pods
vagrant@gentoo ~ $ eix -I install-xattr
[I] sys-apps/install-xattr
Available versions: 0.5 (~)0.7 (~)0.8 **9999*l
Installed versions: 0.8(06:07:20 PM 11/17/2019)
Homepage: https://dev.gentoo.org/~blueness/install-xattr/
Description: Wrapper to coreutil's install to preserve Filesystem Extended Attributes
vagrant@gentoo ~ $ emerge --info
Portage 2.3.76 (python 3.6.9-final-0, default/linux/amd64/17.1/no-multilib/hardened/selinux, gcc-9.2.0, glibc-2.29-r2, 4.19.82-gentoo x86_64)
=================================================================
System uname: Linux-4.19.82-gentoo-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-gentoo-2.6
KiB Mem: 2036312 total, 1846924 free
KiB Swap: 4000764 total, 4000764 free
Timestamp of repository gentoo: Sun, 17 Nov 2019 17:00:01 +0000
Head commit of repository gentoo: 6c3900366099220296f7765bd1f0668d980d0d29
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.32 p2) 2.32.0
app-shells/bash: 4.4_p23-r1::gentoo
dev-lang/perl: 5.28.2-r1::gentoo
dev-lang/python: 2.7.16::gentoo, 3.6.9::gentoo
dev-util/cmake: 3.14.6::gentoo
sys-apps/baselayout: 2.6-r1::gentoo
sys-apps/openrc: 0.41.2::gentoo
sys-apps/sandbox: 2.13::gentoo
sys-devel/autoconf: 2.69-r4::gentoo
sys-devel/automake: 1.16.1-r1::gentoo
sys-devel/binutils: 2.32-r1::gentoo
sys-devel/gcc: 9.2.0-r2::gentoo
sys-devel/gcc-config: 2.1::gentoo
sys-devel/libtool: 2.4.6-r3::gentoo
sys-devel/make: 4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc: 2.29-r2::gentoo
Repositories:
gentoo
location: /usr/portage
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000
sync-rsync-verify-jobs: 1
sync-rsync-verify-max-age: 24
sync-rsync-verify-metamanifest: yes
sync-rsync-extra-opts:
localrepo
location: /var/db/repos/localrepo
masters: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=generic -O2 -pipe"
DISTDIR="/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl alsa amd64 bzip2 crypt cxx hardened iconv ipv6 libtirpc ncurses nls nptl open_perms openmp openssl pam pcre peer_perms pie readline seccomp selinux split-usr ssl ssp ubac unicode usb xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="emu efi-32 efi-64 pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6 python2_7" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 
psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Late answer here: as noted by duexsco, the svirt_lxc_file_t enforcement type is missing, which can be installed by emerging sec-policy/selinux-virt on Gentoo.
Why an interface (/usr/share/selinux/strict/include/services/virt.if) from sec-policy/selinux-base uses an enforcement type from sec-policy/selinux-virt is also a rather interesting question.
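
A pre-flight check for the failure discussed above, as an added example that is not code from the post or from libpod: it extracts the SELinux type from the `context=` mount option and looks it up in a list of the types the loaded policy defines. The function names and the sample type lists are constructed; on a real host the list is assumed to come from `seinfo -t` (setools).

```sh
#!/bin/sh
# Added example, not from the post or from libpod: check whether the SELinux
# type in a context= mount option exists in the loaded policy.

# Print the value of the context= option in mount option string $1.
# A quoted value may contain commas (MLS categories), so try that form first.
mount_context() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^\(.*,\)\{0,1\}context="\([^"]*\)".*$/\2/p' -e t \
        -e 's/^\(.*,\)\{0,1\}context=\([^,]*\).*$/\2/p'
}

# Print the type, the third colon-separated field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" |
        awk -F: 'NF >= 3 && $3 != "" { print $3; ok = 1 } END { exit !ok }'
}

# Succeed if type $1 appears in file $2, one type per line with optional
# indentation (the shape of `seinfo -t` output; assumed tooling).
type_in_policy() {
    awk -v t="$1" '{ gsub(/^[ \t]+|[ \t]+$/, "") }
                   $0 == t { hit = 1 }
                   END { exit !hit }' "$2"
}

# Verdict for mount options $1 against type list $2.
# Returns 0 = label usable or absent, 1 = type undefined, 2 = malformed context.
check_mount_label() {
    cml_ctx=$(mount_context "$1")
    if [ -z "$cml_ctx" ]; then
        echo "no context= option"
        return 0
    fi
    if ! cml_type=$(context_type "$cml_ctx"); then
        echo "malformed context: $cml_ctx"
        return 2
    fi
    if type_in_policy "$cml_type" "$2"; then
        echo "ok: $cml_type is defined"
        return 0
    fi
    echo "undefined type: $cml_type"
    return 1
}

# Constructed type lists standing in for `seinfo -t` before and after the
# policy package that defines svirt_lxc_file_t is installed.
sample_types_base() {
    printf '%s\n' '   bin_t' '   tmpfs_t' '   user_home_t' '   var_t'
}
sample_types_virt() {
    sample_types_base
    printf '%s\n' '   svirt_lxc_file_t'
}

# Mount options exactly as logged by the EEEEE debug line in the question.
PAGE_OPTS='mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t"'

demo_dir=$(mktemp -d)
sample_types_base > "$demo_dir/before"
sample_types_virt > "$demo_dir/after"
check_mount_label "$PAGE_OPTS" "$demo_dir/before" || true
check_mount_label "$PAGE_OPTS" "$demo_dir/after"
rm -rf "$demo_dir"
```

On a live system, replace the sample list with a file written by `seinfo -t` and pass the option string from the failing mount.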

How to upgrade rpm package using bash script?

I want to install specific rpm packages using a bash script, but I am getting an error.
I am using the code below:
```
#!/bin/bash
systemctl stop edb-as-10.service
server_status=$(systemctl status edb-as-10.service|awk '{print $1,$2,$3}'|grep Active|cut -d ":" -f2|cut -d " " -f2|tr -d " ")
echo "$server_status"
if [ "$server_status" == inactive ]; then
    echo "You can proceed with upgrading the Potgresql server"
    rpm –Uvh --nodeps edb-as10-server-pltcl-10.9.17-1.rhel7.x86_64.rpm
    systemctl start edb-as-10.service
else
    echo " Failed to do Upgrading"
fi
```
I'm getting this error:
```
RPM version 4.11.3 Copyright (C) 1998-2002 - Red Hat, Inc. This
program may be freely redistributed under the terms of the GNU GPL
Usage: rpm [-aKfgpqVcdLilsiv?] [-a|--all] [-f|--file] [-g|--group]
[-p|--package] [--pkgid] [--hdrid] [--triggeredby] [--whatrequires]
[--whatprovides]
[--nomanifest] [-c|--configfiles] [-d|--docfiles] [-L|--licensefiles] [--dump] [-l|--list] [--queryformat=QUERYFORMAT]
[-s|--state] [--nofiledigest]
[--nofiles] [--nodeps] [--noscript] [--allfiles] [--allmatches] [--badreloc] [-e|--erase +] [--excludedocs]
[--excludepath=] [--force]
[-F|--freshen +] [-h|--hash] [--ignorearch] [--ignoreos] [--ignoresize] [-i|--install] [--justdb] [--nodeps]
[--nofiledigest]
[--nocontexts] [--noorder] [--noscripts] [--notriggers] [--nocollections] [--oldpackage] [--percent] [--prefix=]
[--relocate==]
[--replacefiles] [--replacepkgs] [--test] [-U|--upgrade +] [--reinstall=+] [-D|--define 'MACRO
EXPR'] [--undefine=MACRO]
[-E|--eval 'EXPR'] [--macros=] [--noplugins] [--nodigest] [--nosignature] [--rcfile=] [-r|--root ROOT]
[--dbpath=DIRECTORY]
[--querytags] [--showrc] [--quiet] [-v|--verbose] [--version] [-?|--help] [--usage] [--scripts] [--setperms] [--setugids]
[--conflicts] [--obsoletes]
[--provides] [--requires] [--info] [--changelog] [--xml] [--triggers] [--last] [--dupes] [--filesbypkg] [--fileclass]
[--filecolor] [--fscontext]
[--fileprovide] [--filerequire] [--filecaps]
```
But when I run the command
```
rpm –Uvh --nodeps edb-as10-server-pltcl-10.9.17-1.rhel7.x86_64.rpm
```
in the terminal it works, but when it is placed in the script it does not work.

Integrity Measurement Architecture(IMA) & Linux Extended Verification Module (EVM)

I am trying to activate the IMA appraisal & EVM modules.
After compiling Linux kernel 3.10.2 on my bt5R3 and setting the kernel boot options a first time like this:
```
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"
```
and after running this command to generate the security.ima and security.evm xattrs
```
find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \;
```
like this:
```
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"
```
I try to create a digital signature of the xattrs, as recommended in this tutorial
Tutorial to IMA & EVM
Every step has been followed: creating RSA keys and loading them early at boot in the initramfs with keyctl.
```
Session Keyring
-3 --alswrv 0 65534 keyring: _uid_ses.0
977514165 --alswrv 0 65534 \_ keyring: _uid.0
572301790 --alswrv 0 0 \_ user: kmk-user
126316032 --alswrv 0 0 \_ encrypted: evm-key
570886575 --alswrv 0 0 \_ keyring: _ima
304346597 --alswrv 0 0 \_ keyring: _evm
```
However, as soon as I reboot my OS, when I try to read a signed and hashed file I get the error "Permission Denied"
Running dmesg tells me:
```
[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-HMAC" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
```
Do you have any idea why I get invalid HMAC?
The keys are loaded like the tutorial says...
```
#!/bin/sh -e
PREREQ=""
# Output pre-requisites
prereqs()
{
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
grep -q "ima=off" /proc/cmdline && exit 1
mount -n -t securityfs securityfs /sys/kernel/security
IMA_POLICY=/sys/kernel/security/ima/policy
LSM_POLICY=/etc/ima_policy
grep -v "^#" $LSM_POLICY >$IMA_POLICY
# import EVM HMAC key
keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
#keyctl revoke kmk
# import Module public key
mod_id=`keyctl newring _module @u`
evmctl import /etc/keys/pubkey_evm.pem $mod_id
# import IMA public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
# enable module checking
#echo "1" > /sys/kernel/security/module_check
```
Thanks for your help

Solved: the new kernel uses HMAC v2, and you have to activate asymmetric keys when you compile the kernel.
cat .config should have these entries:
```
CONFIG_EVM_HMAC_VERSION=2
CONFIG_ASYMMETRIC_KEY_TYPE=y
```
Then, when you hash or sign a file, use
```
evmctl -u - -x --imasig/--imahash $file
```
You should also have created the asymmetric keys and loaded them into the _evm and _ima keyrings with keyctl in the initramfs.
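
A triage script for the situation in this question and answer, as an added example that is not from the post: it pulls denied appraisal records out of kernel log lines, counts them by `cause`, and checks a kernel config for the two options the answer names. The function names, the sample config and every log line after the first are constructed; the first log line is the record quoted in the question.

```sh
#!/bin/sh
# Added example, not from the post: triage IMA/EVM appraisal denials.

# Read kernel log lines on stdin and print "cause<TAB>name" for each denied
# appraisal (audit type 1800, op="appraise_data", res=0). Fields are split on
# whitespace, so this assumes the quoted values contain no spaces.
ima_appraise_failures() {
    awk '
    /type=1800 / && /op="appraise_data"/ && $NF == "res=0" {
        cause = ""; name = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^cause="/) { cause = $i; gsub(/^cause="|"$/, "", cause) }
            if ($i ~ /^name="/)  { name = $i;  gsub(/^name="|"$/, "", name) }
        }
        print cause "\t" name
    }'
}

# Print "count cause" lines, most frequent cause first.
count_by_cause() {
    ima_appraise_failures | cut -f1 | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Print every option named in the answer that kernel config $1 does not set.
evm_config_gaps() {
    for ecg_want in CONFIG_EVM_HMAC_VERSION=2 CONFIG_ASYMMETRIC_KEY_TYPE=y; do
        grep -qxF "$ecg_want" "$1" || echo "$ecg_want"
    done
}

# $1 = kernel log, $2 = kernel config. Returns 1 when invalid-HMAC denials
# coincide with a missing option, the situation the answer describes.
triage() {
    tr_n=$(ima_appraise_failures < "$1" |
        awk -F'\t' '$1 == "invalid-HMAC" { n++ } END { print n + 0 }')
    tr_gaps=$(evm_config_gaps "$2" | tr '\n' ' ')
    if [ -z "$tr_gaps" ]; then
        echo "invalid-HMAC denials: $tr_n; required options are set"
        return 0
    fi
    echo "invalid-HMAC denials: $tr_n; config lacks: ${tr_gaps% }"
    [ "$tr_n" -eq 0 ]
}

# Sample log: line 1 is the record from the question, the rest is constructed.
sample_log() {
    cat <<'EOF'
[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-HMAC" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
[ 5462.000001] type=1800 audit(1375262161.100:58): pid=1760 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-HMAC" comm="cat" name="/root/Desktop/other.sh" dev="sda1" ino=546527 res=0
[ 5463.000002] type=1800 audit(1375262162.200:59): pid=1761 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="cat" name="/tmp/unlabeled" dev="sda1" ino=546600 res=0
[ 5464.000003] usb 1-1: new high-speed USB device number 2 using ehci-pci
EOF
}

# Constructed kernel config fragment that lacks both required settings.
sample_config() {
    cat <<'EOF'
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
CONFIG_EVM=y
CONFIG_EVM_HMAC_VERSION=1
# CONFIG_ASYMMETRIC_KEY_TYPE is not set
EOF
}

demo_dir=$(mktemp -d)
sample_log > "$demo_dir/dmesg.txt"
sample_config > "$demo_dir/config"
count_by_cause < "$demo_dir/dmesg.txt"
triage "$demo_dir/dmesg.txt" "$demo_dir/config" || true
rm -rf "$demo_dir"
```

On a real machine, feed it the output of `dmesg` and the `.config` the running kernel was built from.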

XMonad: dmenu not launching/spawning on startup

New to XMonad and loving it so far. I have a fairly vanilla / regular XMonad setup and am having problems with dmenu. When I login and hit mod+p nothing happens. If I then open a terminal and hit xmonad --restart then mod+p, dmenu will be working.
There must be something wrong with my xmonad.hs? I tried a no-customization setup of XMonad and things were working normally (i.e. dmenu was working after login).
My questions:
Is there something wrong with my xmonad.hs?
Why won't dmenu work unless I xmonad --restart ?
Could something fail in xmonad.start that would prevent dmenu from loading properly when starting xmonad?
Here are my files (borrowed from overthink):
xmonad.hs
```
import System.IO
import XMonad
import XMonad.Hooks.DynamicLog
import XMonad.Hooks.ManageDocks
import XMonad.Hooks.SetWMName
import XMonad.Util.EZConfig(additionalKeys)
import XMonad.Util.Run(spawnPipe)
import XMonad.Hooks.ICCCMFocus
myWorkspaces = ["1", "2", "3", "4", "5", "6"]
myManageHook = composeAll
    [ className =? "Gimp" --> doFloat
    , className =? "Vncviewer" --> doFloat
    ]
main = do
    xmproc <- spawnPipe "/usr/bin/xmobar /home/aaron/.xmobarrc"
    xmonad $ defaultConfig { terminal = "urxvt" }
        { manageHook = manageDocks <+> manageHook defaultConfig
        , startupHook = takeTopFocus >> setWMName "LG3D" -- fix for Java apps
        , layoutHook = avoidStruts $ layoutHook defaultConfig
        , logHook = dynamicLogWithPP xmobarPP
            { ppOutput = hPutStrLn xmproc
            , ppTitle = xmobarColor "green" "" . shorten 50
            }
        , modMask = mod4Mask -- Rebind Mod to the Windows key
        , workspaces = myWorkspaces
        } `additionalKeys`
        [ ((mod4Mask .|. shiftMask, xK_l), spawn "gnome-screensaver-command --lock") ]
```
xmonad.desktop
```
[Desktop Entry]
Encoding=UTF-8
Name=Xmonad-****
Comment=Ligthweight, pretentious tiling window manager
Exec=xmonad.start
Icon=xmonad.png
Type=XSession
```
xmonad.start
```
#!/bin/bash
xrdb -merge .Xresources
trayer --edge top --align right --SetDockType true --SetPartialStrut true --expand true --widthtype percent --width 10 --heighttype pixel --height 20 --transparent true --alpha 0 --tint 0x333333 &
# settings daemon is a prereq for some other gnome apps
gnome-settings-daemon &
# Network monitor (connections, vpns) applet in tray
if [ -x /usr/bin/nm-applet ] ; then
    nm-applet --sm-disable &
fi
# volume indicator in tray
if [ -x /usr/bin/gnome-sound-applet ] ; then
    gnome-sound-applet &
fi
eval $(gnome-keyring-daemon --start)
export GNOME_KEYRING_SOCKET
export GNOME_KEYRING_PID
#exec xmonad
dbus-launch --exit-with-session xmonad
```
Thanks for your help!

I have a vague feeling that when you first launch xmonad, it uses one executable+configuration, and then when you recompile, it finds the "right" one. In xmonad.desktop, try changing the Exec= line to include a full path to your xmonad.start.
```
Exec=/full/path/to/xmonad.start
```
Or you might try changing the last line in xmonad.start to include the full path to your xmonad executable.
```
dbus-launch --exit-with-session /full/path/to/xmonad
```
Another thing to try is changing the last two lines to:
```
exec xmonad
#dbus-launch --exit-with-session xmonad
```
If any of these options change the behaviour you're seeing, that might give us a clue.
EDIT: Let's try a different way of launching it, to see if we can learn anything. Don't start any window manager, log into a plain terminal instead. Type the command xinit -- xmonad or xinit -- /full/path/to/xmonad.
Alternatively, create the file .xinitrc with one line in it:
```
xmonad
```
Then type the command startx.
I also found this on the Xmonad FAQ, which may help:
2.6 not found errors or changes to xmonad.hs won't take effect
Ensure that ghc, and the xmonad executable are both in the environment
PATH from which you start X. Alternatively symlink them to locations
already in the PATH. ghc-pkg list should show ghc, xmonad, X11, etc.
without brackets, e.g. {xmonad} is bad. ghc-pkg check will tell you if
you have inconsistent dependencies or other registration problems.
The mod-q action calls the xmonad binary to recompile itself, so if
your display manager is starting it with /path/to/xmonad you'll also
have to edit your xmonad.hs mod-q binding to use the full path and
restart X (or in newer versions use 'xmonad --restart') to restart
xmonad with the new mod-q full path binding.

UPDATE:
The fix that seems to have solved the problem is changing:
```
exec xmonad
```
To:
```
touch ~/.xmonad/xmonad.hs
exec xmonad
```
in
/usr/local/bin/xmonad.start (or .xinitrc/.xsession if xmonad is started using startx)
OLD:
How about changing:
```
} `additionalKeys`
[ ((mod4Mask .|. shiftMask, xK_l), spawn "gnome-screensaver-command --lock") ]
```
To:
```
} `additionalKeys`
[ ((mod4Mask .|. shiftMask, xK_l), spawn "gnome-screensaver-command --lock")
, ((mod4Mask, xK_p), spawn "dmenu_run -b -nb black") ]
```
I had the same issue as you and it was because I had used something like:
```
((mod4Mask, xK_p), spawn "exe=`dmenu_path | dmenu` && eval \"exec $exe\"")
```
which, for some reason, only works properly after a "xmonad --restart". Changing the binding to simply "dmenu-run" fixed the problem. In your case, though, it looks like you're missing the binding at all.
