Bug 2011831
| Summary: | llvmpipe shaders in shared homedirs are not invalidated when switching between machines | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Andrew Mike <amike> |
| Component: | mesa | Assignee: | Dave Airlie <airlied> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Peter Kopec <pekopec> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.4 | CC: | airlied, alanm, brclark, casantos, csoriano, jwright, lilhuang, mkolbas, pandrade, rstrode, sbarcomb, tpelka |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-12 08:06:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Andrew Mike
2021-10-07 13:42:16 UTC
Isn't it possible to force the cache to be in local storage, as a workaround? Maybe we can circumvent the problem in /usr/libexec/vncsession-start:
-----8<-----
#!/bin/bash
#
# Copyright 2019 Pierre Ossman for Cendio AB
#
# This is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this software; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#

USERSFILE="/etc/tigervnc/vncserver.users"

if [ $# -ne 1 ]; then
    echo "Syntax:" >&2
    echo "    $0 <display>" >&2
    exit 1
fi

if [ ! -f "${USERSFILE}" ]; then
    echo "Users file ${USERSFILE} missing" >&2
    exit 1
fi

DISPLAY="$1"

# Look up the user configured for this display in vncserver.users
USER=$(grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g')
if [ -z "${USER}" ]; then
    echo "No user configured for display ${DISPLAY}" >&2
    exit 1
fi

GROUP=$(id -ng "${USER}" 2>/dev/null)
if [ -z "${GROUP}" ]; then
    echo "Could not find group ID of user ${USER}" >&2
    exit 1
fi

# Keep the shader cache on local storage, per user, instead of in the
# (shared) home directory.
MESA_GLSL_CACHE_DIR="/var/cache/mesa_shader/${USER}"
if ! mkdir -p "${MESA_GLSL_CACHE_DIR}"; then
    echo "Could not create Mesa cache dir ${MESA_GLSL_CACHE_DIR}" >&2
    exit 1
fi
if ! chown -R "${USER}:${GROUP}" "${MESA_GLSL_CACHE_DIR}"; then
    echo "Could not change ownership of Mesa cache dir ${MESA_GLSL_CACHE_DIR}" >&2
    exit 1
fi
export MESA_GLSL_CACHE_DIR

exec "/usr/sbin/vncsession" "${USER}" "${DISPLAY}"
-----8<-----
But it works only with SELinux disabled or in permissive mode because the script runs with context=system_u:system_r:vnc_session_t:s0:
# ausearch --input-logs -m avc,user_avc -ts today
----
time->Thu Oct 7 14:40:48 2021
type=PROCTITLE msg=audit(1633628448.003:416): proctitle=6D6B646972002D70002F7661722F63616368652F6D6573615F73686164657200766E637573657232
type=PATH msg=audit(1633628448.003:416): item=1 name=(null) inode=626332 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1633628448.003:416): item=0 name=(null) inode=24249 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1633628448.003:416): cwd="/var/cache"
type=SYSCALL msg=audit(1633628448.003:416): arch=c000003e syscall=83 success=yes exit=0 a0=7ffe33885f26 a1=1ff a2=7ffe33885140 a3=0 items=2 ppid=14474 pid=14483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/usr/bin/mkdir" subj=system_u:system_r:vnc_session_t:s0 key=(null)
type=AVC msg=audit(1633628448.003:416): avc: denied { create } for pid=14483 comm="mkdir" name="mesa_shader" scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Thu Oct 7 14:40:48 2021
type=PROCTITLE msg=audit(1633628448.007:417): proctitle=63686F776E002D5200766E6375736572323A766E637573657232002F7661722F63616368652F6D6573615F7368616465722F766E637573657232
type=SYSCALL msg=audit(1633628448.007:417): arch=c000003e syscall=138 success=yes exit=0 a0=5 a1=7ffccceb66d0 a2=f a3=0 items=0 ppid=14474 pid=14484 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:vnc_session_t:s0 key=(null)
type=AVC msg=audit(1633628448.007:417): avc: denied { getattr } for pid=14484 comm="chown" name="/" dev="dm-0" ino=128 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
time->Thu Oct 7 14:40:48 2021
type=PROCTITLE msg=audit(1633628448.007:418): proctitle=63686F776E002D5200766E6375736572323A766E637573657232002F7661722F63616368652F6D6573615F7368616465722F766E637573657232
type=SYSCALL msg=audit(1633628448.007:418): arch=c000003e syscall=260 success=yes exit=0 a0=ffffff9c a1=5622323eb380 a2=3ea a3=3ea items=0 ppid=14474 pid=14484 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:vnc_session_t:s0 key=(null)
type=AVC msg=audit(1633628448.007:418): avc: denied { setattr } for pid=14484 comm="chown" name="vncuser2" dev="dm-0" ino=17578696 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
You could keep it in the home directory, but just make it per-machine...e.g. use MESA_GLSL_CACHE_DIR=${USER}/.cache/mesa_shader_${cat /etc/machine-id}" . I think that should avoid any selinux issues.
(sorry about the typo where i used { } instead of () around the cat command)
(In reply to Ray Strode [halfline] from comment #7)
> You could keep it in the home directory, but just make it per-machine...e.g.
> use MESA_GLSL_CACHE_DIR=${USER}/.cache/mesa_shader_${cat /etc/machine-id}" .
> I think that should avoid any selinux issues.

Yup, it works with this /usr/libexec/vncsession-start:
-----8<-----
#!/bin/bash
#
# Copyright 2019 Pierre Ossman for Cendio AB
#
# This is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this software; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#

USERSFILE="/etc/tigervnc/vncserver.users"

if [ $# -ne 1 ]; then
    echo "Syntax:" >&2
    echo "    $0 <display>" >&2
    exit 1
fi

if [ ! -f "/etc/machine-id" ]; then
    echo "Machine ID file /etc/machine-id missing" >&2
    exit 1
fi

# The machine ID makes the cache directory unique per host, so a home
# directory shared between machines gets one cache per machine.
read -r MACHINE_ID < /etc/machine-id
if [ -z "${MACHINE_ID}" ]; then
    echo "No machine ID configured in /etc/machine-id" >&2
    exit 1
fi

if [ ! -f "${USERSFILE}" ]; then
    echo "Users file ${USERSFILE} missing" >&2
    exit 1
fi

DISPLAY="$1"

USER=$(grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g')
if [ -z "${USER}" ]; then
    echo "No user configured for display ${DISPLAY}" >&2
    exit 1
fi

USER_HOME="$(getent passwd "${USER}" | cut -d : -f 6)"
if [ -z "${USER_HOME}" ]; then
    echo "Could not find home directory of ${USER}" >&2
    exit 1
fi

MESA_GLSL_CACHE_DIR="${USER_HOME}/.cache/${MACHINE_ID}"
export MESA_GLSL_CACHE_DIR

exec "/usr/sbin/vncsession" "${USER}" "${DISPLAY}"
-----8<-----

Don't forget to mkdir -p

(In reply to Ray Strode [halfline] from comment #11)
> Don't forget to mkdir -p

Does not work, either.

# ausearch --input-logs -m avc,user_avc -ts today
----
time->Thu Oct 7 19:24:01 2021
type=PROCTITLE msg=audit(1633645441.172:602): proctitle=6D6B646972002D70002F686F6D652F766E6375736572322F2E6361636865
type=SYSCALL msg=audit(1633645441.172:602): arch=c000003e syscall=83 success=no exit=-13 a0=7ffcd7b64f34 a1=1ff a2=0 a3=0 items=0 ppid=31635 pid=31646 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/usr/bin/mkdir" subj=system_u:system_r:vnc_session_t:s0 key=(null)
type=AVC msg=audit(1633645441.172:602): avc: denied { create } for pid=31646 comm="mkdir" name=".cache" scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

That's surprising. The session itself might do a similar mkdir as part of startup, so I'd expect it to work. I wonder if there's a transition to a different context after vncsession is exec'd. Maybe this should go somewhere else (like .vnc/xstartup or an xinit script).

Based on comment #9 (currently private), this was fixed in 8.5 beta; closing.
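The two ausearch dumps in this thread carry the whole diagnosis, but not in a readable form: the PROCTITLE records are hex-encoded argv, and the AVC records have to be read field by field to see that the first run was only logged (permissive=1, success=yes) while the second was actually refused (permissive=0, success=no exit=-13, i.e. EACCES). The helper below, added here as an example and not code from the bug report, from TigerVNC or from Mesa, decodes a PROCTITLE hex string and condenses an AVC record into one triage line. It is plain POSIX sh with sed/cut/tr, so it runs where xxd or perl may be absent; the sample records are copied from the audit output quoted in the thread.

```sh
#!/bin/sh
# Triage helper for the ausearch output quoted in this bug.
# Added example; not part of the bug report, TigerVNC or Mesa.

# Decode an audit PROCTITLE hex string. The kernel stores argv with NUL
# separators, so each 00 byte becomes a space. Pure POSIX sh (no xxd/perl):
# take two hex digits at a time, turn them into an octal printf escape.
decode_proctitle() {
    hex=$1
    out=''
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}                # drop them
        if [ "$byte" = 00 ]; then
            out="$out "
        else
            out="$out$(printf "\\$(printf '%o' "0x$byte")")"
        fi
    done
    printf '%s\n' "$out"
}

# Extract KEY=value from an audit record, with surrounding quotes stripped.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# One-line summary of an AVC record: which permission was denied, by which
# source domain, on which target type/class, and whether SELinux actually
# blocked it (permissive=0) or only logged it (permissive=1).
summarize_avc() {
    rec=$1
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//')
    sdom=$(audit_field "$rec" scontext | cut -d: -f3)
    ttype=$(audit_field "$rec" tcontext | cut -d: -f3)
    tclass=$(audit_field "$rec" tclass)
    comm=$(audit_field "$rec" comm)
    if [ "$(audit_field "$rec" permissive)" = 1 ]; then
        mode="logged only (permissive)"
    else
        mode="blocked (enforcing)"
    fi
    printf '%s: %s denied %s on %s %s, %s\n' "$comm" "$sdom" "$perm" "$tclass" "$ttype" "$mode"
}

# Sample records, copied from the ausearch output quoted in the bug.
PROCTITLE_MKDIR=6D6B646972002D70002F7661722F63616368652F6D6573615F73686164657200766E637573657232
PROCTITLE_CHOWN=63686F776E002D5200766E6375736572323A766E637573657232002F7661722F63616368652F6D6573615F7368616465722F766E637573657232
PROCTITLE_HOME=6D6B646972002D70002F686F6D652F766E6375736572322F2E6361636865
AVC_MKDIR_PERMISSIVE='type=AVC msg=audit(1633628448.003:416): avc: denied { create } for pid=14483 comm="mkdir" name="mesa_shader" scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1'
AVC_CHOWN_PERMISSIVE='type=AVC msg=audit(1633628448.007:417): avc: denied { getattr } for pid=14484 comm="chown" name="/" dev="dm-0" ino=128 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1'
AVC_MKDIR_ENFORCING='type=AVC msg=audit(1633645441.172:602): avc: denied { create } for pid=31646 comm="mkdir" name=".cache" scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# Show what each denied command line actually was, then summarise the denials.
for hex in "$PROCTITLE_MKDIR" "$PROCTITLE_CHOWN" "$PROCTITLE_HOME"; do
    decode_proctitle "$hex"
done
for rec in "$AVC_MKDIR_PERMISSIVE" "$AVC_CHOWN_PERMISSIVE" "$AVC_MKDIR_ENFORCING"; do
    summarize_avc "$rec"
done
```

Reading the summaries side by side makes the thread's conclusion visible: every denial has vnc_session_t as the source domain, so the mkdir/chown run from vncsession-start (before `exec vncsession`) is confined by the system service's policy, whereas the same mkdir done by the user's own session (xstartup or an xinit script, as suggested above) would run in the user's domain, which is allowed to create directories under user_home_dir_t.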