Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libraries: Update librpm to version 4.16.1.2 #6850

Merged
merged 1 commit into from
Jan 31, 2021
Merged

libraries: Update librpm to version 4.16.1.2 #6850

merged 1 commit into from
Jan 31, 2021

Conversation

theopolis
Copy link
Member

@theopolis theopolis commented Dec 23, 2020
edited

This updates our librpm to a more recent version. This new version includes support for a RO BDB, where the implementation is included in rpm. This needs more testing but it may support parsing older databases without us needing to package a version of berkeley-db. This PR does not use the dbd_ro backend, but we can make this simple code change in a follow up PR.

The revert patch: 0001-Revert-Always-open-and-initialize-the-entire-databas.patch is required to support older RPM databases (see my comment below).

@theopolis theopolis added Linux libraries For things referring to osquery third party libraries do not merge Do not merge PR as it's pending on some discussion or external factor. Reviewer should have context. labels Dec 23, 2020
@theopolis
Copy link
Member Author

theopolis commented Dec 27, 2020
edited

Updating the version of rpm does not work out of the box:

./osqueryd -S -A rpm_packages --verbose
[...]
I1227 16:41:14.760280 10746 glog_logger.cpp:49] RPM notice: Failed to read auxiliary vector, /proc not mounted?
I1227 16:41:14.761495 10746 glog_logger.cpp:49] RPM notice: /var/lib/rpm/Filetriggername: pread: Bad file descriptor
I1227 16:41:14.761505 10746 glog_logger.cpp:49] RPM notice: could not open /var/lib/rpm/Filetriggername: Bad file descriptor
I1227 16:41:14.761512 10746 glog_logger.cpp:49] RPM notice: cannot open Filetriggername index using bdb_ro - Operation not permitted (1)
I1227 16:41:14.761534 10746 glog_logger.cpp:49] RPM notice: cannot open Packages database in

@theopolis
Copy link
Member Author

theopolis commented Dec 27, 2020
edited

I believe this is the commit that breaks our support for read-only reading of various older DBs: rpm-software-management/rpm@8cd161b

For example on a clean centos6 install, the file /var/lib/rpm/Filetriggername does not exist. In rpm versions prior to this commit the only database files expected/parsed were Name and Packages.

@theopolis theopolis force-pushed the rpm_4.16.1.2 branch 2 times, most recently from 2e65e3c to 00eba61 Compare December 28, 2020 20:34
@theopolis theopolis removed the do not merge Do not merge PR as it's pending on some discussion or external factor. Reviewer should have context. label Dec 28, 2020
@theopolis
Copy link
Member Author

theopolis commented Dec 28, 2020
edited

In follow up PRs we can (1) swap the db3 with bdb_ro backend and remove thirdparty-berkeley-db linkage, and (2) enable support for more modern RPM database types: NDB, SQLite.

@theopolis
Copy link
Member Author

I believe this is the commit that breaks our support for read-only reading of various older DBs: rpm-software-management/rpm@8cd161b

For example on a clean centos6 install, the file /var/lib/rpm/Filetriggername does not exist. In rpm versions prior to this commit the only database files expected/parsed were Name and Packages.

Heads up @pmatilai, I am sure we are not using the rpm code as intended, but I wanted to make you aware of our use-case. Here ./osquery/tables/system/linux/rpm_packages.cpp#L128 is where we use the rpm APIs.

Our goal is to inspect installed packages and package files across a wide install base (various OS distributions including old versions). Perhaps we should change our code to open the RPM DBs differently?

@gkleiman gkleiman mentioned this pull request Jan 11, 2021
Closed
@theopolis
Copy link
Member Author

I rebased this on top of master, which contains a new unit test to assure RPM packages continues to work.

@theopolis theopolis merged commit 7affec2 into osquery:master Jan 31, 2021
directionless pushed a commit to directionless/osquery that referenced this pull request Feb 3, 2021
@theopolis @directionless
libraries: Update librpm to version 4.16.1.2 (osquery#6850)
065f84f
@directionless directionless mentioned this pull request Feb 5, 2021
Closed
@osquery osquery deleted a comment from amr8457 Feb 9, 2021
@Smjert Smjert mentioned this pull request Mar 25, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@muffins muffins muffins approved these changes

Assignees
No one assigned
Labels
libraries For things referring to osquery third party libraries Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@theopolis @muffins