varnish-cache
EPERM mmap()ing vgc.so from /run/varnishd due to noexec default for /run
Recently, the default working directory was changed to /var/run, which is symlinked to /run on Linux. This conflicts with default mount options:
# /tmp/sbin/varnishd -f /tmp/t.vcl
Error:
Message from dlopen:
Could not load compiled VCL.
dlopen() = vcl_boot.1635859837.825274/vgc.so: failed to map segment from shared object
Running dlopen failed, exited with 1
VCL compilation failed
The root cause is apparent from strace:
[pid 22390] open("vcl_boot.1635859876.055740/vgc.so", O_RDONLY|O_CLOEXEC) = 4
[pid 22390] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P8\0\0\0\0\0\0"..., 832) = 832
[pid 22390] fstat(4, {st_mode=S_IFREG|0750, st_size=115408, ...}) = 0
[pid 22390] getcwd("/run/varnishd", 128) = 14
[pid 22390] mmap(NULL, 2143240, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = -1 EPERM (Operation not permitted)
which fails because of noexec:
# mount | grep " on /run "
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=50420k,nr_inodes=63021,mode=755)
build info
- 9f5044eb8d551bafeecdefc1d91529abfe8b9490
./autogen.sh
./configure --prefix=/tmp
make -j 3 install
ref #3672
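A pre-flight check for the condition reported above, as an added example that is not part of the original report or of Varnish itself: it resolves the working directory's symlinks (such as /var/run to /run) and looks up the `noexec` option on the mount that holds it. The function names `mount_opts_for`, `is_noexec` and `check_workdir` are hypothetical, and the script assumes a Linux `/proc/self/mounts`.

```shell
#!/bin/sh
# Added example, not Varnish code: pre-flight check for a noexec working directory.

# mount_opts_for PATH [MOUNTS_FILE]
# Print "<mountpoint> <options>" for the filesystem holding PATH, reading the
# /proc/self/mounts format. PATH must be absolute with symlinks resolved.
# Mount points containing spaces (escaped as \040) are not handled.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            # A mount applies if it is "/", PATH itself, or a parent of PATH.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Longest mount point wins; ">=" lets a later over-mount win ties.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/self/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: exit status 0 if PATH sits on a noexec mount.
is_noexec() {
    opts=$(mount_opts_for "$1" "$2" | awk '{ print $2 }')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_workdir DIR: resolve symlinks first (e.g. /var/run -> /run), then
# consult the live mount table. Returns 0 = ok, 1 = noexec, 2 = unresolvable.
check_workdir() {
    real=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "cannot resolve $1" >&2
        return 2
    }
    if is_noexec "$real"; then
        echo "$1 -> $real is mounted noexec; mmap(PROT_EXEC) of vgc.so will fail" >&2
        return 1
    fi
    return 0
}
```

Source the file and call `check_workdir` with the intended working directory before starting the daemon; a return status of 1 corresponds to the EPERM from `mmap()` shown in the strace output.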
Ran into the same issue on Debian Bullseye (looks like same regression):
mkdir("vcl_boot.1653993701.127146", 0755) = 0
chown("vcl_boot.1653993701.127146", 117, 124) = 0
setresuid(-1, 117, -1) = 0
openat(AT_FDCWD, "vcl_boot.1653993701.127146/vgc.c", O_WRONLY|O_CREAT|O_TRUNC, 0640) = 3
fchown(3, 0, 0) = -1 EPERM (Operation not permitted)
geteuid() = 117
close(3) = 0
openat(AT_FDCWD, "vcl_boot.1653993701.127146/vgc.so", O_WRONLY|O_CREAT|O_TRUNC, 0640) = 3
fchown(3, 0, 0) = -1 EPERM (Operation not permitted)
geteuid() = 117
close(3) = 0
This was introduced between 6.0.10 and 7.0; the bisect attempt failed due to build errors.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
$ uname -a
Linux debian 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux
EDIT: This is the output from 6.0.10 (see the fallback to O_RDONLY):
mkdir("vcl_boot.1653994533.871654", 0755) = 0
chown("vcl_boot.1653994533.871654", 117, 124) = 0
setresuid(-1, 117, -1) = 0
openat(AT_FDCWD, "vcl_boot.1653994533.871654/vgc.c", O_WRONLY|O_CREAT|O_TRUNC, 0640) = 4
fchown(4, 0, 0) = -1 EPERM (Operation not permitted)
geteuid() = 117
close(4) = 0
openat(AT_FDCWD, "vcl_boot.1653994533.871654/vgc.so", O_WRONLY|O_CREAT|O_TRUNC, 0640) = 4
fchown(4, 0, 0) = -1 EPERM (Operation not permitted)
geteuid() = 117
close(4) = 0
pipe([4, 5]) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2f59611250) = 396067
close(5) = 0
read(4, "", 8191) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=396067, si_uid=117, si_status=0, si_utime=0, si_stime=0} ---
close(4) = 0
wait4(396067, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 396067
pipe([4, 5]) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2f59611250) = 396068
close(5) = 0
read(4, "", 8191) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=396068, si_uid=117, si_status=0, si_utime=0, si_stime=0} ---
close(4) = 0
wait4(396068, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 396068
pipe([4, 5]) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2f59611250) = 396073
close(5) = 0
read(4, "", 8191) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=396073, si_uid=118, si_status=0, si_utime=0, si_stime=0} ---
close(4) = 0
wait4(396073, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 396073
openat(AT_FDCWD, "vcl_boot.1653994533.871654/vgc.c", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0640, st_size=61658, ...}) = 0
read(4, "/* ---===### include/vdef.h ###="..., 4096) = 4096
close(4) = 0
unlink("vcl_boot.1653994533.871654/vgc.c") = 0
write(2, "Warnings:\nVCL compiled.\n\n", 25Warnings:
VCL compiled.
) = 25