[Open-scap] RPM based remediation hangs on SUSE.

S, Gautam gautams at hpe.com
Thu Mar 31 06:32:39 UTC 2016 

Hello folks,

I am looking at a rather obscure issue related to the way the RPM library behaves on SUSE. While trying to run remediation for a rule related to RPMs, the process hangs until it finally times out.

# oscap xccdf eval --profile test --remediate sles11-xccdf.xml
Title   Uninstall bind Package
Rule    package_bind_removed
Ident   CCE-27030-6
Result  fail


--- Starting Remediation ---

Title   Uninstall bind Package
Rule    package_bind_removed
Ident   CCE-27030-6

<<Hangs for a while here>>

Result  error

I have collected openscap verbose logs and RPM logs and it looks like there is a deadlock.

>From RPM verbose mode logs while the fix is running the "rpm -e" operation:

D: opening  db environment /var/lib/rpm/Packages create:cdb:mpool:private
D: opening  db index       /var/lib/rpm/Packages create mode=0x42
warning: waiting for exclusive lock on /var/lib/rpm/Packages
error: cannot get exclusive lock on /var/lib/rpm/Packages
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm/Packages
error: cannot open Packages index using db3 - Operation not permitted (1)

Using strace, we can see that it attempts to acquire this WR lock multiple times until it finally times out and returns failure:

fcntl(3, F_SETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = -1 EAGAIN (Resource temporarily unavailable)

RPM does not get exclusive mode lock because Openscap seems to be acquiring the lock in read mode:

# lsof /var/lib/rpm/Packages [Command run while the hang is seen]
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
probe_rpm 16875 root    3rR  REG    8,2 53420032 352263 /var/lib/rpm/Packages
rpm       16891 root    3u   REG    8,2 53420032 352263 /var/lib/rpm/Packages

# ps -a [Command run while the hang is seen]
  PID TTY          TIME CMD
16859 pts/0    00:00:00 oscap
16865 pts/0    00:00:00 probe_system_in
16870 pts/0    00:00:00 probe_family
16875 pts/0    00:00:00 probe_rpminfo
16885 pts/0    00:00:00 probe_system_in
16890 pts/0    00:00:00 bash
16891 pts/0    00:00:00 rpm
16934 pts/2    00:00:00 ps
#

The RPM library call made in function src/OVAL/probes/unix/linux/rpminfo.c:probe_init, rpmtsCreate() and the subsequent rpmtsInitIterator() result in a read lock being taken on the file /var/lib/rpm/Packages.
This read lock seems to be released when rpmtsFree() call is made from probe_fini.

The particular probe_rpminfo in question is not related to the OVAL check of the rule but related to the CPE platform check.

>From the additional traces I added to openscap:
D: probe_rpminfo: ("seap.msg" ":id" 0 (("rpminfo_object" ":id" "oval:org.open-scap.cpe.sles-release:obj:1" ":oval_version" "5.10.1" ) (("name" ":operation" 5 ":var_check" 1 ) "sles-release" ) ) ) [probe_rpminfo(7045):Thream Name(7f901b36c700):seap-packet.c:904:SEAP_packet_recv]
...
I: probe_rpminfo: gautam : probe_init: Init 1 rpmts [probe_rpminfo(7050):Thream Name(7f45fcd527c0):rpminfo.c:325:probe_init]
<<Fix runs between the rpmts create and free .i.e lock acquire and release>>
I: probe_rpminfo: gautam : probe_fini: Free 1 rpmts [probe_rpminfo(7045):Thream Name(7f90215a37c0):rpminfo.c:343:probe_fini]

Probe_fini is called in this thread only upon receiving SIGTERM.

Why does this work on RHEL?
On RHEL, the implementation of the RPM command does not seem to be trying to acquire an exclusive mode lock, it also locks in read mode only:

D: opening  db environment /var/lib/rpm cdb:mpool:joinenv
D: opening  db index       /var/lib/rpm/Packages create mode=0x42
D: sanity checking 1 elements                                     >> No message about lock acquisition here!
D: running pre-transaction scripts

# lsof /var/lib/rpm/Packages
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
probe_rpm 33539 root    3rR  REG    8,3 75472896 1048584 /var/lib/rpm/Packages
rpm       33555 root    3uR  REG    8,3 75472896 1048584 /var/lib/rpm/Packages

Is there some design document that explains how openscap spawns the CPE platform check? I am trying to understand if the probe can relinquish the lock by freeing the RPMTs structure before executing the remediation script.

Thank you.

Regards,
Gautam.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20160331/d0fe9246/attachment.htm>

More information about the Open-scap-list mailing list