Facter / FACT-1832

Facter Fails on Solaris 11.3 Patch 29.0.4.0 Native Zone.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: FACT 3.11.3
    • Component/s: None
    • Environment:

      Publisher: solaris
      Version: 0.5.11
      Build Release: 5.11
      Branch: 0.175.3.29.0.4.0
      Puppet: 4.10.4

    • Template:
    • Team:
      Platform OS
    • Sprint:
      Platform OS Kanban
    • Method Found:
      Needs Assessment
    • CS Priority:
      Normal
    • CS Frequency:
      1 - 1-5% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      3 - $$$$
    • CS Impact:
      Facter won't work in zones.

      Our understanding is that the zones have security settings which limit what system calls can be made in the zone; facter is not expecting to have certain calls, kstat in this case, be rejected and to get passed a terminate signal. This could probably be solved on the zone side by giving access to kstat.

      If they are running a newer facter with the blacklist functionality it may be possible to track down this call and stop it from running.

      Perhaps this is instead an improvement request for facter to not blow up when one call is rejected. This may become more important as docker adds similar security functionality as zones already have.
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Facter no longer tries to read kstat entries that it does not need to process. This avoids potential permissions issues when run in a zone or as non-root on Solaris.
    • QA Risk Assessment:
      Needs Assessment

      Description

      When running facter in a zone, the following error occurs:

      2018-03-07 12:22:40.806413 DEBUG puppetlabs.facter - resolving virtualization facts.
      2018-03-07 12:22:40.806612 DEBUG puppetlabs.facter - resolving ldom facts.
      2018-03-07 12:22:40.806754 DEBUG puppetlabs.facter - resolving processor facts.
      2018-03-07 12:22:40.807161 DEBUG leatherman.execution:92 - executing command: /sbin/uname -p
      2018-03-07 12:22:40.809843 DEBUG | - sparc
      2018-03-07 12:22:40.810153 DEBUG leatherman.execution:556 - process exited with status code 0.
      terminate called after throwing an instance of 'facter::util::solaris::kstat_exception'
      what(): kstat_read failed: Permission denied (13)

      facter runs correctly on the global zone.

      3530/1: 0.184177 ioctl(7, KSTAT_IOC_READ, "pic3") = 1410238
      3530/1: 0.184229 ioctl(7, KSTAT_IOC_READ, "counters") Err#13 EACCES
      3530/1: 0.185395 fstat64(2, 0xFFBFDF58) = 0
      3530/1: 0.185468 write(2, " t e r m i n a t e c a".., 48) = 48
      3530/1: 0.185546 write(2, " f a c t e r : : u t i l".., 38) = 38
      3530/1: 0.185622 write(2, " '\n", 2) = 2
      3530/1: 0.185795 write(2, " w h a t ( ) : ", 11) = 11
      3530/1: 0.185870 write(2, " k s t a t _ r e a d f".., 41) = 41
      3530/1: 0.185955 write(2, "\n", 1) = 1
      3530/1: 0.186056 sigaction(SIGABRT, 0x00000000, 0xFFBFE250) = 0
      3530/1: 0.186107 sigaction(SIGABRT, 0xFFBFE100, 0xFFBFE1A0) = 0
      3530/1: 0.186140 lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000, 0x00000000, 0x00000000) = 0xFFBFFEFF [0xFFFFFFFF]
      3530/1: 0.186176 lwp_kill(1, SIGABRT) = 0
      3530/1: 0.186205 Received signal #6, SIGABRT [default]
      3530/1: siginfo: SIGABRT pid=3530 tid=1 uid=0 SI_LWP

      The same ioctl permission denied happens on machines that work correctly; it's just that a new process is forked that calls /usr/bin/kstat.
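
      The two behaviours this ticket asks for (read only the kstat entries that are needed, and do not abort when one read is rejected with EACCES), as an added example that is not Facter's code. `Entry`, `read_entry`, `collect` and the sample chain are hypothetical stand-ins for a kstat chain so the pattern runs outside Solaris; only the entry names "pic3" and "counters" come from the trace above.

```cpp
#include <cerrno>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

struct Entry {                 // hypothetical stand-in for one kstat entry
    std::string module, name;
    long value;
    bool denied;               // true: the zone's policy rejects reads of this entry
};

// Stand-in for a kstat read: 0 on success, -1 with errno set when rejected.
int read_entry(const Entry& e, long& out) {
    if (e.denied) { errno = EACCES; return -1; }
    out = e.value;
    return 0;
}

struct Result {
    std::map<std::string, long> values;  // entries read successfully
    std::vector<std::string> skipped;    // wanted entries the zone refused
    int reads = 0;                       // read attempts actually made
};

// Read only the wanted module; a refused read is recorded instead of thrown.
Result collect(const std::vector<Entry>& chain, const std::string& wanted) {
    Result r;
    for (const Entry& e : chain) {
        if (e.module != wanted) continue;          // filter before reading
        ++r.reads;
        long v = 0;
        if (read_entry(e, v) == 0) { r.values[e.name] = v; continue; }
        if (errno != EACCES) throw std::runtime_error("read failed: " + e.name);
        r.skipped.push_back(e.name);               // degrade: the fact is just absent
    }
    return r;
}

// Constructed chain; module names and values are made up for the example.
std::vector<Entry> sample_chain() {
    return {{"cpu_info", "cpu_info0", 4, false}, {"cpu_info", "cpu_info1", 0, true},
            {"other", "pic3", 1410238, false}, {"other", "counters", 0, true}};
}

int main() {
    std::cout << collect(sample_chain(), "cpu_info").skipped.size() << " skipped\n";
}
```

      With the filter in place the restricted "counters" entry is never read when collecting the wanted module, and a restricted entry inside the wanted module ends up in `skipped` rather than terminating the process.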


              People

              • Assignee:
                casey.williams Casey Williams
                Reporter:
                neil.binney Neil Binney