add a check for an /etc/swupd/picky_repair.d/*.whitelist (or similar) for whitelisting #1587

Open
inmanturbo opened this issue Jun 14, 2020 · 2 comments

inmanturbo commented Jun 14, 2020

Cheers everyone. I have a little idea here. I might have more to add here later. I just wanted to bounce this off you first. So I'm simply opening this issue so that we have a place to discuss it.

System hackers and rogue devs will constantly be pushing at the bounds of swupd and the stateless design. Of course you want to use it, but you also want to be able to harness it.

Currently, whitelisting a file or directory for swupd can be done by creating a config under /etc/swupd/
and adding it to the picky_whitelist here:

[repair]
# Any path completely matching the POSIX extended regular expression is ignored
# by --picky, matched directories get skipped (string value)
# Example: /var|/etc/machine-id
# Default: /usr/lib/modules|/usr/lib/kernel|/usr/local|/usr/src
#picky_whitelist=[RE]

And/or in the same file under [diagnose].
As is touched on here.

The Problem

  • Having the whitelist represented by a single POSIX string can be cumbersome and difficult to manage
  • Automatically updating the whitelist requires all sorts of sed magic

The Proposal

  • Include /etc/swupd/picky_diagnose.d/*.whitelist
  • Include /etc/swupd/picky_repair.d/*.whitelist
  • Ensure swupd will follow symlinks

Users and admins can then easily automatically update their diagnose and repair whitelists with commands, scripts or policies by adding a symlink or file to their respective directories.
i.e:

sudo mkdir -p /etc/swupd/{whitelists-available/,picky_repair.d/}
echo "/usr/lib/python" | sudo tee -a /etc/swupd/whitelists-available/python.whitelist
sudo ln -s /etc/swupd/whitelists-available/python.whitelist /etc/swupd/picky_repair.d/

Possibly more on this later. Thanks for taking a look at it and may all your coding be stress and bug free!

@inmanturbo inmanturbo changed the title add a check for an /etc/swupd/picky_repair.d/*.whitelist (or smiliar) for whitelisting add a check for an /etc/swupd/picky_repair.d/*.whitelist (or similar) for whitelisting Jun 17, 2020
marioroy commented Nov 25, 2021

Clear Linux is nice for the most part. The one thing that I dislike is swupd repair restoring GL libraries on a system with the NVIDIA driver. I haven't tried this but added the config. My question is: will filenames in the regex be ignored by repair?

[repair]
picky_whitelist=/usr/lib/modules|/usr/lib/kernel|/usr/local|/usr/src|/usr/lib/libGL.so.1|/usr/lib32/libEGL.so|/usr/lib32/libEGL.so.1|/usr/lib32/libEGL.so.1.0.0|/usr/lib32/libGLESv1_CM.so|/usr/lib32/libGLESv1_CM.so.1|/usr/lib32/libGLESv1_CM.so.1.1.0|/usr/lib32/libGLESv2.so|/usr/lib32/libGLESv2.so.2|/usr/lib32/libGLESv2.so.2.0.0|/usr/lib32/libGL.so|/usr/lib32/libGL.so.1|/usr/lib32/libGL.so.1.2.0|/usr/lib64/libEGL.so|/usr/lib64/libEGL.so.1|/usr/lib64/libEGL.so.1.0.0|/usr/lib64/libGLESv1_CM.so|/usr/lib64/libGLESv1_CM.so.1|/usr/lib64/libGLESv1_CM.so.1.1.0|/usr/lib64/libGLESv2.so|/usr/lib64/libGLESv2.so.2|/usr/lib64/libGLESv2.so.2.0.0|/usr/lib64/libGL.so|/usr/lib64/libGL.so.1|/usr/lib64/libGL.so.1.2.0|/usr/bin/nvidia-modprobe

It would be awesome for swupd repair to not break the NVIDIA driver installation. Above, I added /usr/lib/libGL.so.1 (lib dir) because the NVIDIA driver install makes a symbolic link to /opt/nvidia/lib64/libGL.so.1 and I am not sure if repair will remove it. The other GL files under /usr/lib/{lib32,lib64} are removed during the NVIDIA driver installation and reside under /opt/nvidia/{lib32,lib64}.

My wish is for swupd repair, when repairing devpkg-mesa, to not restore the GL files on systems running the NVIDIA driver.

# lsmod | grep '^nvidia'
nvidia_drm             53248  6
nvidia_modeset       1183744  7 nvidia_drm
nvidia              19738624  307 nvidia_modeset
nvidiafb               53248  0

Thank you.

Edit: See this post. The NVIDIA driver provides a nice speedup.

Edit: List of files to not restore during swupd repair.

# from /usr/lib, symbolic link added during NVIDIA driver installation
/usr/lib/libGL.so.1 -> /opt/nvidia/lib64/libGL.so.1

# from /usr/lib32
libEGL.so        libGLESv1_CM.so        libGLESv2.so        libGL.so
libEGL.so.1      libGLESv1_CM.so.1      libGLESv2.so.2      libGL.so.1
libEGL.so.1.0.0  libGLESv1_CM.so.1.1.0  libGLESv2.so.2.0.0  libGL.so.1.2.0

# from /usr/lib64
libEGL.so        libGLESv1_CM.so        libGLESv2.so        libGL.so
libEGL.so.1      libGLESv1_CM.so.1      libGLESv2.so.2      libGL.so.1
libEGL.so.1.0.0  libGLESv1_CM.so.1.1.0  libGLESv2.so.2.0.0  libGL.so.1.2.0

Edit: Also do not remove /usr/bin/nvidia-modprobe. It is a critical file and where NVIDIA looks for it (i.e. running clinfo as a non-root user).

@Gui2Barbieri

+1 to this issue; it would be nice to have NVIDIA's drivers coexist in Clear Linux OS.
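
Added example, not part of the thread or of swupd: a shell helper for the drop-in layout proposed in the first post, which merges `*.whitelist` files into the single `picky_whitelist` value that the config file takes today. Assumptions: the function names, a file format of one absolute path per line with `#` comments, and the rule that files writable by group or others are skipped because every entry exempts a path from repair. Entries are escaped because an unescaped `.` in an ERE, as in the long `picky_whitelist` line above, matches any character.

```shell
#!/bin/sh
# Added example: drop-in layout from the proposal; function names are hypothetical.

# Escape ERE metacharacters so "libGL.so.1" matches only that literal name.
ere_escape() {
    printf '%s\n' "$1" | sed 's/[][\.|$(){}?+*^]/\\&/g'
}

# Print one ERE joining every absolute path listed in DIR/*.whitelist.
# Assumed file format: one path per line, blank lines and '#' comments ignored.
build_whitelist() {
    dir=$1
    out=
    for f in "$dir"/*.whitelist; do
        # -f follows symlinks, so links into whitelists-available/ work
        # and dangling links are skipped.
        [ -f "$f" ] || continue
        # An entry exempts a path from repair: ignore files (after following
        # the link) that group or others can write to.
        if [ -n "$(find -L "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "skipping $f: writable by group or others" >&2
            continue
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                '' | '#'*) continue ;;
                /*) ;;
                *) echo "skipping non-absolute entry in $f: $line" >&2
                   continue ;;
            esac
            out="${out:+$out|}$(ere_escape "$line")"
        done < "$f"
    done
    printf '%s\n' "$out"
}

# Succeeds if PATHNAME matches the whole ERE, the rule stated in the
# picky_whitelist comment. grep -E -x is a POSIX ERE full-line match.
is_whitelisted() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Usage: echo "picky_whitelist=$(build_whitelist /etc/swupd/picky_repair.d)"
```

`is_whitelisted` only models the whole-string match; how swupd skips the contents of a matched directory is not modelled here.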
