FS#66134 - [earlyoom] Earlyoom commits suicide on OOM when hidepid is enabled.
Attached to Project:
Community Packages
Opened by Steven (Stebalien) - Sunday, 05 April 2020, 18:10 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Monday, 06 April 2020, 10:42 GMT
Details
Description:
Earlyoom is now run with a dynamic user instead of root. This means that, when the proc group is used to restrict access to /proc (using hidepid), earlyoom can't list processes running as other users and always kills itself (the only process it can see).

The solution is to add the following to the [Service] section of the earlyoom systemd service:

SupplementaryGroups=proc

Note: "proc" is a built-in group shipped in the filesystem package.

Additional info:
* version: 1.5-1
* config and/or log files etc.
* first reported upstream https://github.com/rfjakob/earlyoom/issues/184

Steps to reproduce:
1. Enable hidepid as described in https://wiki.archlinux.org/index.php/Security#hidepid.
2. OOM.
3. Observe that earlyoom kills itself.
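The interaction described in the report, as an added example that is not part of the bug report or of the earlyoom project: a script that reads a mount table and a systemd unit, decides whether an earlyoom running as a DynamicUser could still see other users' processes under hidepid, and prints the drop-in that grants the proc group. The mount lines and unit text below are constructed samples, not captured from a real system; the group name "proc", the hidepid option and SupplementaryGroups= come from the report, while the drop-in file name and the shape of the sample unit are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report or the earlyoom project).
# Checks: is /proc mounted with hidepid, which gid is exempt, and does the
# earlyoom unit put the service into that group via SupplementaryGroups=.
set -u

# hidepid= value of the /proc mount in a mounts table (default: the live one).
# Prints "0" when /proc carries no hidepid option. Kernels 5.8+ report the
# names "off", "invisible" and "ptraceable" instead of 0/1/2.
proc_hidepid() {
    local mounts_file=${1:-/proc/self/mounts} opts value
    opts=$(awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' "$mounts_file")
    value=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^hidepid=//p')
    printf '%s\n' "${value:-0}"
}

# gid= of the /proc mount, i.e. the group exempt from hidepid, as the kernel
# reports it (numeric; map it with `getent group`). Empty when not set.
proc_gid() {
    local mounts_file=${1:-/proc/self/mounts} opts
    opts=$(awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' "$mounts_file")
    printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^gid=//p'
}

# Succeeds when the hidepid value hides other users' processes.
hidepid_restricts() {
    case "$1" in
        0|off) return 1 ;;
        *)     return 0 ;;
    esac
}

# Succeeds when the unit text (a unit file or `systemctl cat` output) lists
# "proc" on a SupplementaryGroups= line inside a [Service] section.
unit_has_proc_group() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && /^SupplementaryGroups=/ {
            sub(/^SupplementaryGroups=/, "")
            n = split($0, g, /[ \t]+/)
            for (i = 1; i <= n; i++) if (g[i] == "proc") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Verdict for one mounts table and one unit:
#   hidepid-off         nothing is hidden, no group needed
#   hidepid-without-gid hidepid set but no gid= exemption, a group cannot help
#   needs-proc-group    earlyoom sees only itself and would kill itself
#   ok                  the unit already grants the proc group
earlyoom_verdict() {
    local mounts_file=$1 unit_file=$2
    if ! hidepid_restricts "$(proc_hidepid "$mounts_file")"; then
        echo hidepid-off
    elif [ -z "$(proc_gid "$mounts_file")" ]; then
        echo hidepid-without-gid
    elif unit_has_proc_group "$unit_file"; then
        echo ok
    else
        echo needs-proc-group
    fi
}

# The fix from the report as a drop-in, leaving the packaged unit untouched.
# The drop-in file name is an assumption.
DROPIN_PATH=/etc/systemd/system/earlyoom.service.d/proc-group.conf
dropin_text() {
    printf '[Service]\nSupplementaryGroups=proc\n'
}

# Constructed sample data (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/mounts.hidepid" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible,gid=26 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
cat >"$SAMPLE_DIR/mounts.nogid" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
EOF
cat >"$SAMPLE_DIR/mounts.plain" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
cat >"$SAMPLE_DIR/earlyoom.dynamic" <<'EOF'
[Unit]
Description=Early OOM Daemon (constructed sample)

[Service]
ExecStart=/usr/bin/earlyoom
DynamicUser=yes
EOF
# Same unit with the drop-in appended, as systemd would merge it.
{ cat "$SAMPLE_DIR/earlyoom.dynamic"; dropin_text; } >"$SAMPLE_DIR/earlyoom.fixed"

for unit in dynamic fixed; do
    printf '%-8s hidepid=%s gid=%s -> %s\n' "$unit" \
        "$(proc_hidepid "$SAMPLE_DIR/mounts.hidepid")" \
        "$(proc_gid "$SAMPLE_DIR/mounts.hidepid")" \
        "$(earlyoom_verdict "$SAMPLE_DIR/mounts.hidepid" "$SAMPLE_DIR/earlyoom.$unit")"
done
printf 'drop-in for %s:\n%s' "$DROPIN_PATH" "$(dropin_text)"
```

On a live system, pass no arguments to proc_hidepid and proc_gid to read /proc/self/mounts, and feed earlyoom_verdict the output of `systemctl cat earlyoom.service`, which already includes any drop-ins; `systemctl edit earlyoom.service` is the usual way to install the drop-in without editing the packaged unit.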
Closed by Massimiliano Torromeo (mtorromeo)
Monday, 06 April 2020, 10:42 GMT
Reason for closing: Fixed
Additional comments about closing: earlyoom-1.5-2
Comment by Massimiliano Torromeo (mtorromeo) - Monday, 06 April 2020, 10:27 GMT
While using hidepid and mounting /proc with the proc group is something that is only configured by the user, who should know how to handle these situations and should add all the exceptions accordingly where it makes sense, I'm willing to allow this change on the basis that the proc group's purpose is to allow process introspection to its users and earlyoom's inherent behavior requires such introspection capabilities.