Bug 2080735 - fedora-review: No longer works with non-root user accessed via sudo
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mock
Version: 37
Assignee: Pavel Raiskup
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-05-01 12:14 UTC by Ben Beasley
Modified: 2022-11-10 22:17 UTC (History)
Fixed In Version: mock-3.3-1.fc36 mock-3.3-1.el9 mock-3.3-1.fc35 mock-3.3-1.fc37
Last Closed: 2022-10-27 12:19:37 UTC
Type: Bug

Description Ben Beasley 2022-05-01 12:14:43 UTC
Description of problem:

I run fedora-review in a dedicated user account for a little extra isolation:

> $ id reviewer
> uid=1001(reviewer) gid=1001(reviewer) groups=1001(reviewer),135(mock)
> $ getent passwd reviewer
> reviewer:x:1001:1001::/home/reviewer:/sbin/nologin

I usually access it like this:

> $ sudo -u reviewer -s screen

Inside the screen session:

> $ id
> uid=1001(reviewer) gid=1001(reviewer) groups=1001(reviewer),135(mock) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Historically, this has worked great. Since fedora-review 0.8.0 and mock 3, I am unable to straightforwardly run fedora-review in this environment. More details and a workaround follow.

Version-Release number of selected component (if applicable): fedora-review-0.8.0-1.fc35, mock-3.0-1.fc35


How reproducible:


Steps to Reproduce:
1. Use sudo to change to a non-root user.
2. fedora-review -b 2027121

Actual results:

> INFO: Processing bugzilla bug: 2027121
> INFO: Getting .spec and .srpm Urls from : 2027121
> INFO:   --> SRPM url: https://music.fedorapeople.org/20220228/casc-1.0.5-1.fc35.src.rpm
> INFO:   --> Spec url: https://music.fedorapeople.org/20220228/casc.spec
> INFO: Using review directory: /home/reviewer/2027121-casc
> INFO: Downloading .spec and .srpm files
> INFO: Downloading (Source0): https://github.com/ctlee/casc/archive/v1.0.5/casc-1.0.5.tar.gz
> INFO: Running checks and generating report
> INFO: Results and/or logs in: /home/reviewer/2027121-casc/results
> ERROR: Exception down the road... (logs in /home/reviewer/.cache/fedora-review.log)

From /home/reviewer/.cache/fedora-review.log:

> Traceback (most recent call last):
>   File "/usr/lib/python3.10/site-packages/FedoraReview/review_helper.py", line 236, in run
>     self._do_run(outfile)
>   File "/usr/lib/python3.10/site-packages/FedoraReview/review_helper.py", line 226, in _do_run
>     self._do_report(outfile)
>   File "/usr/lib/python3.10/site-packages/FedoraReview/review_helper.py", line 99, in _do_report
>     self._run_checks(self.bug.spec_file, self.bug.srpm_file, outfile)
>   File "/usr/lib/python3.10/site-packages/FedoraReview/review_helper.py", line 117, in _run_checks
>     self.checks.run_checks(output=output, writedown=not Settings.no_report)
>   File "/usr/lib/python3.10/site-packages/FedoraReview/checks.py", line 382, in run_checks
>     run_check(name)
>   File "/usr/lib/python3.10/site-packages/FedoraReview/checks.py", line 357, in run_check
>     check.run()
>   File "/usr/lib/python3.10/site-packages/FedoraReview/plugins/generic_build.py", line 203, in run
>     Mock.build(self.srpm.filename)
>   File "/usr/lib/python3.10/site-packages/FedoraReview/mock.py", line 449, in build
>     self.builddir_cleanup()
>   File "/usr/lib/python3.10/site-packages/FedoraReview/mock.py", line 576, in builddir_cleanup
>     paths = glob(os.path.join(self.get_builddir("BUILD"), "*"))
>   File "/usr/lib/python3.10/site-packages/FedoraReview/mock.py", line 352, in get_builddir
>     p = self._get_dir(os.path.join("root", self._topdir[1:]))
>   File "/usr/lib/python3.10/site-packages/FedoraReview/mock.py", line 193, in _get_dir
>     self._get_root()
>   File "/usr/lib/python3.10/site-packages/FedoraReview/mock.py", line 176, in _get_root
>     config_opts = mockbuild.config.simple_load_config(config)
>   File "/usr/lib/python3.10/site-packages/mockbuild/trace_decorator.py", line 93, in trace
>     result = func(*args, **kw)
>   File "/usr/lib/python3.10/site-packages/mockbuild/config.py", line 790, in simple_load_config
>     uidManager = setup_uid_manager()
>   File "/usr/lib/python3.10/site-packages/mockbuild/trace_decorator.py", line 93, in trace
>     result = func(*args, **kw)
>   File "/usr/lib/python3.10/site-packages/mockbuild/uid.py", line 27, in setup_uid_manager
>     os.setgroups((mockgid,))
> PermissionError: [Errno 1] Operation not permitted

Expected results:

Successful fedora-review invocation.

Additional info:

In the setup_uid_manager() function in mockbuild.uid, there is an assumption that if the SUDO_UID environment variable is set (as it is in this environment), then os.setgroups() should be called to set the supplementary groups to include (only) the mock group. If the user is not root, this won’t be possible.

Based on that, this may be a mock issue instead. I filed it on fedora-review because mock builds like

> mock -r fedora-rawhide-x86_64 --rebuild 2027121-casc/srpm/casc-1.0.5-1.fc35.src.rpm

still work just fine in the same environment.

As a workaround, I can

> $ unset SUDO_UID

and fedora-review works just fine.
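
The failure mode described in the report above, as an added example that is not part of the original report and is not mock's code: it compares a policy that treats `SUDO_UID` as proof of root with one that also checks the effective UID. The `kernel_setgroups` stand-in, the invoking UID 1000 and the `privilege_checking` policy are assumptions made for illustration.

```python
MOCK_GID = 135  # gid of the mock group shown in the report's `id` output

def kernel_setgroups(euid, groups):
    """Stand-in for os.setgroups(): succeeds only for a privileged caller.
    Simplification: real kernels check CAP_SETGID, modelled here as euid 0."""
    if euid != 0:
        raise PermissionError(1, "Operation not permitted")
    return tuple(groups)

def env_trusting(environ, euid):
    """Pattern the report describes: SUDO_UID set => call setgroups()."""
    if "SUDO_UID" in environ:
        return kernel_setgroups(euid, (MOCK_GID,))
    return None  # supplementary groups left untouched

def privilege_checking(environ, euid):
    """Assumed hardening: SUDO_UID only matters when we really are root."""
    if euid == 0 and "SUDO_UID" in environ:
        return kernel_setgroups(euid, (MOCK_GID,))
    return None

# Constructed sessions: (environment, effective uid). SUDO_UID is inherited
# from whoever ran sudo, so it says nothing about the target user's privilege.
SESSIONS = {
    "sudo -u reviewer": ({"SUDO_UID": "1000"}, 1001),
    "sudo as root": ({"SUDO_UID": "1000"}, 0),
    "plain login": ({}, 1001),
}

def outcome(policy, environ, euid):
    """Return the groups set, None if untouched, or the error text."""
    try:
        return policy(environ, euid)
    except PermissionError as exc:
        return str(exc)

def compare():
    """Map each session to (env_trusting result, privilege_checking result)."""
    return {name: (outcome(env_trusting, env, uid),
                   outcome(privilege_checking, env, uid))
            for name, (env, uid) in SESSIONS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:18} env-trusting={before!r} privilege-checking={after!r}")
```

Only the `sudo -u reviewer` session differs between the two policies, which matches the report: the environment variable is present but the process has no privilege to change its groups.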

Comment 1 Neal Gompa 2022-05-01 12:35:50 UTC
Since this is actually a bug in Mock code, I'm switching to that package.

Comment 2 Ben Cotton 2022-08-09 13:15:18 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle.
Changing version to 37.

Comment 3 Pavel Raiskup 2022-09-27 17:41:45 UTC
Fix is going to be proposed here:
https://github.com/rpm-software-management/mock/pull/975

Comment 4 Fedora Update System 2022-10-14 07:31:01 UTC
FEDORA-2022-9f6d199630 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f6d199630

Comment 5 Fedora Update System 2022-10-14 07:31:08 UTC
FEDORA-2022-c4316e5c3f has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c4316e5c3f

Comment 6 Fedora Update System 2022-10-14 07:31:09 UTC
FEDORA-2022-3b6ee0825e has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3b6ee0825e

Comment 7 Fedora Update System 2022-10-14 07:31:11 UTC
FEDORA-EPEL-2022-73bd121c67 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-73bd121c67

Comment 8 Fedora Update System 2022-10-14 10:31:11 UTC
FEDORA-2022-3b6ee0825e has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-3b6ee0825e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3b6ee0825e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-10-14 13:34:45 UTC
FEDORA-EPEL-2022-73bd121c67 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-73bd121c67

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-10-14 14:38:15 UTC
FEDORA-2022-9f6d199630 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9f6d199630`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f6d199630

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-10-14 14:38:23 UTC
FEDORA-2022-c4316e5c3f has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-c4316e5c3f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-c4316e5c3f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Adam Williamson 2022-10-16 07:07:49 UTC
The fix for this seems to have had the effect of disallowing running mock as root, which is a problem, because openqa relies on doing that, so two openqa tests now fail on every Rawhide update. The error is "Can't parse mock configuration under root". Can this be reverted, or do I now have to make the openQA tests - which run in a disposable VM in which the 'security' of the root account is entirely irrelevant - run mock commands as a user? This is somewhat awkward because I then have to make the test set permissions to allow the user account to write to serial consoles, otherwise openQA's mechanism for checking that commands have completed does not work.

Comment 13 Pavel Raiskup 2022-10-17 07:45:05 UTC
Thank you for the note, Adam. We'll twist that error into a warning only. Seems like many users are running Mock as root.

Comment 14 Fedora Update System 2022-10-18 12:40:54 UTC
FEDORA-2022-3b6ee0825e has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-3b6ee0825e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3b6ee0825e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2022-10-18 13:50:09 UTC
FEDORA-EPEL-2022-73bd121c67 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-73bd121c67

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2022-10-18 14:34:32 UTC
FEDORA-2022-9f6d199630 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9f6d199630`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f6d199630

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2022-10-18 14:37:15 UTC
FEDORA-2022-c4316e5c3f has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-c4316e5c3f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-c4316e5c3f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2022-10-27 12:19:37 UTC
FEDORA-2022-9f6d199630 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2022-10-27 12:40:08 UTC
FEDORA-EPEL-2022-73bd121c67 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Fedora Update System 2022-10-27 12:44:09 UTC
FEDORA-2022-c4316e5c3f has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2022-11-10 22:17:14 UTC
FEDORA-2022-3b6ee0825e has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
