From 86d990e797bbcda6508079ba207b4eff6d094b62 Mon Sep 17 00:00:00 2001
From: Adam Marcus
Date: Sun, 19 Jan 2025 23:14:42 -0500
Subject: [PATCH] Investigate and fix CI create DB error (#511)
* println debug
* lint
* More lines
* Debug and try a hypothesis
* Fix error parsing
* Fix nsjail error, surface non-AybErrors more effectively
* lint
* Remove prints
* Remove unnecessary checkout
---
 src/error.rs | 3 ++-
 src/hosted_db/sqlite.rs | 20 +++++++++++++++-----
 tests/set_up_e2e_env.sh | 5 +++++
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/error.rs b/src/error.rs
index 96fe25c..8a30d46 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -21,11 +21,12 @@ pub enum AybError {
 CantSetOwnerPermissions { message: String },
 DurationParseError { message: String },
 NoWriteAccessError { message: String },
+ QueryError { message: String },
+ RecordNotFound { id: String, record_type: String },
 S3ExecutionError { message: String },
 S3ConnectionError { message: String },
 SnapshotError { message: String },
 SnapshotDoesNotExistError,
- RecordNotFound { id: String, record_type: String },
 Other { message: String },
 }
diff --git a/src/hosted_db/sqlite.rs b/src/hosted_db/sqlite.rs
index 4163321..60e4758 100644
--- a/src/hosted_db/sqlite.rs
+++ b/src/hosted_db/sqlite.rs
@@ -89,12 +89,22 @@ pub async fn potentially_isolated_sqlite_query( if let Some(isolation) = isolation { let result = run_in_sandbox(Path::new(&isolation.nsjail_path), path, query, query_mode).await?; - if !result.stderr.is_empty() { - let error: AybError = serde_json::from_str(&result.stderr)?; - return Err(error); + let error: Result = serde_json::from_str(&result.stderr); + // If the error could be deserialized into an AybError, + // return that. Otherwise, create a more generic AybError + // to at least surface an issue. + return match error { + Ok(error) => Err(error), + Err(_error) => Err(AybError::QueryError { + message: format!( + "Error message from sandboxed query runner: {}", + result.stderr + ), + }), + }; } else if result.status != 0 { - return Err(AybError::Other { + return Err(AybError::QueryError { message: format!( "Error status from sandboxed query runner: {}", result.status @@ -104,7 +114,7 @@ pub async fn potentially_isolated_sqlite_query( let query_result: QueryResult = serde_json::from_str(&result.stdout)?; return Ok(query_result); } else { - return Err(AybError::Other { + return Err(AybError::QueryError { message: "No results from sandboxed query runner".to_string(), }); } diff --git a/tests/set_up_e2e_env.sh b/tests/set_up_e2e_env.sh index bfd5be8..f54d5ed 100755 --- a/tests/set_up_e2e_env.sh +++ b/tests/set_up_e2e_env.sh @@ -18,3 +18,8 @@ DOCKER_FLAGS="-v ${SCRIPT_PATH}:/etc/localstack/init/ready.d/init-aws.sh" locals # On Ubuntu, assumes these requirements: sudo apt-get install -y libprotobuf-dev protobuf-compiler libnl-route-3-dev scripts/build_nsjail.sh mv nsjail tests/ + +# Starting with Ubuntu 24.x, nsjail won't run with default permissions +# (https://github.com/google/nsjail/issues/236). +sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0 +sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
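Review bot: The fallback arm in potentially_isolated_sqlite_query copies the sandboxed runner's entire stderr into the `QueryError` message, and nothing in the hunk bounds its length or keeps it on the server side. That stream is written inside the nsjail sandbox that runs the caller's query, so it can carry nsjail diagnostics (host paths, namespace or mount details) or arbitrarily large output; if AybError messages are returned to API clients, which the hunk does not show, this discloses host details to whoever submitted the query. I would log the raw stderr together with the discarded `_error` on the server and return only a bounded excerpt, for example `result.stderr.chars().take(MAX_SANDBOX_STDERR_CHARS).collect::<String>()` with a constant you define. The `Ok(error)` arm also lets output produced inside the sandbox select any AybError variant, so it is worth confirming that no caller treats a variant such as `RecordNotFound` as trusted. The function body starts and ends outside the hunk.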
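Review bot: The two added `sysctl -w` lines in tests/set_up_e2e_env.sh switch off AppArmor's unprivileged user-namespace restriction for the whole machine, not just for the nsjail binary, and the comment above them does not say so. That is reasonable on a disposable CI runner, but the script may also be run on a developer workstation, where it quietly weakens a host hardening default until the next reboot. I would extend the comment, e.g. `# NOTE: host-wide and lasts until reboot; intended for disposable CI runners only.`, and guard the two lines so they run only where the sysctl keys exist and the caller has opted in. A narrower alternative, if it works for nsjail here, is an AppArmor profile for tests/nsjail that grants `userns`, which leaves the restriction on for every other program.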