fix(agent): filter out GOTRACEBACK=none (#16924)

With the switch to Go 1.24.1, our dogfood workspaces started setting
`GOTRACEBACK=none` in the environment, resulting in missing stacktraces
for users.

This is caused by the capability changes we make when
`USE_CAP_NET_ADMIN=true`.

https://github.com/coder/coder/blob/564b387262e5b768c503e5317242d9ab576395d6/provisionersdk/scripts/bootstrap_linux.sh#L60-L76

This most likely triggers a change in securitybits which sets
`_AT_SECURE` for the process.

https://github.com/golang/go/blob/a1ddbdd3ef8b739aab53f20d6ed0a61c3474cf12/src/runtime/os_linux.go#L297-L327

Which in turn triggers secure mode:

https://github.com/golang/go/blob/a1ddbdd3ef8b739aab53f20d6ed0a61c3474cf12/src/runtime/security_unix.go

This should not affect workspaces as template authors can still set the
environment on the agent resource.

See https://pkg.go.dev/runtime#hdr-Security
Mathias Fredriksson
2025-03-17 11:10:14 +02:00
committed by GitHub
parent f01ee963b2
commit df92df4565
3 changed files with 24 additions and 2 deletions
+4 -1
@@ -17,6 +17,8 @@ import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
"golang.org/x/xerrors" "golang.org/x/xerrors"
"kernel.org/pub/linux/libs/security/libcap/cap" "kernel.org/pub/linux/libs/security/libcap/cap"
"github.com/coder/coder/v2/agent/usershell"
) )
// CLI runs the agent-exec command. It should only be called by the cli package. // CLI runs the agent-exec command. It should only be called by the cli package.
@@ -114,7 +116,8 @@ func CLI() error {
// Remove environment variables specific to the agentexec command. This is // Remove environment variables specific to the agentexec command. This is
// especially important for environments that are attempting to develop Coder in Coder. // especially important for environments that are attempting to develop Coder in Coder.
env := os.Environ() ei := usershell.SystemEnvInfo{}
env := ei.Environ()
env = slices.DeleteFunc(env, func(e string) bool { env = slices.DeleteFunc(env, func(e string) bool {
return strings.HasPrefix(e, EnvProcPrioMgmt) || return strings.HasPrefix(e, EnvProcPrioMgmt) ||
strings.HasPrefix(e, EnvProcOOMScore) || strings.HasPrefix(e, EnvProcOOMScore) ||
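Review bot: The comment above `env := ei.Environ()` still describes only the removal of agentexec-specific variables, but the environment passed on from here now also has `GOTRACEBACK=none` stripped inside `SystemEnvInfo.Environ`, which a reader of CLI() cannot see. Since this is the path that runs after the capability changes the commit message refers to, the call site should say so, for example `// ei.Environ() also drops GOTRACEBACK=none, which the Go runtime sets in secure mode.` CLI's body starts and ends outside the hunk.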
+11 -1
@@ -50,7 +50,17 @@ func (SystemEnvInfo) User() (*user.User, error) {
} }
func (SystemEnvInfo) Environ() []string { func (SystemEnvInfo) Environ() []string {
return os.Environ() var env []string
for _, e := range os.Environ() {
// Ignore GOTRACEBACK=none, as it disables stack traces, it can
// be set on the agent due to changes in capabilities.
// https://pkg.go.dev/runtime#hdr-Security.
if e == "GOTRACEBACK=none" {
continue
}
env = append(env, e)
}
return env
} }
func (SystemEnvInfo) HomeDir() (string, error) { func (SystemEnvInfo) HomeDir() (string, error) {
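Review bot: `Environ` now silently differs from `os.Environ()`, and the only explanation sits inside the loop, so the exported method should carry a doc comment stating the contract, e.g. `// Environ returns os.Environ() with any GOTRACEBACK=none entry removed.` The exact-match check in `if e == "GOTRACEBACK=none"` cannot tell a value the runtime injected in secure mode from one an operator set on purpose in the agent's own environment, and both are dropped; the comment should say that this is intended. It would also help to state that the filter only changes what callers of `Environ` pass on to child processes. The agent process itself presumably still runs in secure mode, so this should not be read as undoing it.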
+9
@@ -43,4 +43,13 @@ func TestGet(t *testing.T) {
require.NotEmpty(t, shell) require.NotEmpty(t, shell)
}) })
}) })
t.Run("Remove GOTRACEBACK=none", func(t *testing.T) {
t.Setenv("GOTRACEBACK", "none")
ei := usershell.SystemEnvInfo{}
env := ei.Environ()
for _, e := range env {
require.NotEqual(t, "GOTRACEBACK=none", e)
}
})
} }
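Review bot: The new subtest would still pass if `Environ()` returned an empty slice, because the loop only asserts that `GOTRACEBACK=none` is absent. Set a second variable and assert it survives, e.g. `t.Setenv("USERSHELL_TEST_KEEP", "1")` followed by `require.Contains(t, env, "USERSHELL_TEST_KEEP=1")` (the variable name is a constructed sample). A further case with another value such as `GOTRACEBACK=all` would pin that only `none` is filtered. TestGet starts outside the hunk.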