Subject: Re: PRoot Isar summary
To: Alexander Smirnov, Jan Kiszka, isar-users@googlegroups.com
From: Benedikt Niedermayr
Date: Sat, 11 Nov 2017 18:22:29 +0100

On 10.11.2017 at 20:42, Alexander Smirnov wrote:
> Hi,
>
> On 11/10/2017 09:59 PM, Jan Kiszka wrote:
>> On 2017-11-09 10:57, Alexander Smirnov wrote:
>>> Hello everybody,
>>>
>>> I've tried to completely switch Isar to PRoot, so here are the problems
>>> I've faced with:
>>>
>>> 1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
>>> root. The command 'chown' doesn't have any effect.
>>>
>>> 2. Some system commands are failed in PRoot: passwd, chpasswd. I see
>>> message: System error, no other clues (but for Wheezy these commands
>>> work).
>>>
>>> 3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
>>> resulting image.
>>>
>>> So, summary:
>>> ============
>>>
>>> 1. PRoot could be an intermediate option for:
>>>   + Buildchroot creation.
>>>   + Packages building.
>>>   - Drawback: works slowly.
>>
>> Aren't issues 1 and 2 from above affecting these use cases as well?
>>
>
> For now I don't have any facts about problems with buildchroot, but my
> test includes only 'hello' and 'example-raw' applications.
>
>  - Regarding UID/GID, what I've seen for now, these manipulations are
> done in postinst scripts.
>  - Passwd/chpasswd commands are also used in postinst scripts (for
> example initrd package), there is no need to have passwords in
> buildchroot because we are working under root.
>
> So, roughly speaking, buildchroot is only needed to compile and pack
> the binary package, what doesn't require multi-UID/GID and passwords
> support.
>
> But for sure, it needs to build much more real packages to have more
> precise statistics. :-(
>
> So I've created dedicated branch 'asmirnov/proot' for possible
> experiments in future.
>
>>>
>>> 2. For image generation the other tool should be considered.
>>>
>>
>> What is plan B now? Plan C remains falling back to VM builds, I suppose.
>
> So there are 2 options remain for evaluation:
>  - fakeroot
>  - pseudo
>
> I'd like to evaluate these tools for the features, that are uncovered
> now:
>
>  - rootfs with UID/GID support: in general PRoot is able to generate
> multistrap rootfs with just *unpacked* Debian packages, all the
> problems occur when I try to run 'dpkg-configure -a' inside this rootfs.
>
>  - ext2fs image generation (AFAIK this already is supported by Yocto,
> but unfortunately I don't know too much, I need to take a look first).
>
> From this evaluation I'd like to get two points:
>
> 1. Could we somehow implement quick PoC to drop 'sudo' for Isar. This
> PoC could be based on several tools in parallel.
>
> 2. If the item above is possible - then choose one dedicated tool and
> try to adapt it for our needs.
>
> Alex
>

Ok bad news, but I faced the same problems when trying to use one of
these tools. Each tool has its own drawbacks and benefits, but no tool
combines multiple drawbacks to fit our needs.

I don't want to bother you, but why can't we try to focus on running
builds with docker support? Create a wrapper around "bitbake" which
first performs a docker container setup and then runs the bitbake build.
Using such a wrapper can make the docker thing almost transparent.

I know there are some problems getting a docker container secure, but
maybe a focus on trying to get a docker based isar build secure is
easier to reach than our current approaches?

It is possible to drop some capabilities for docker in order to make it
more secure (e.g. don't allow to create dev files).
A mount command is also not required, since new versions of mkfs have
the "-d" option included (specify a directory, which is copied into the
filesystem image). So no sys_admin capabilities would be needed.

It is also possible to customize other things within the container to
make it more secure:
- Add only required commands to sudoers file.
- Modify permissions to files/directories.
- Think about which commands within isar really need root privileges,
  and drop those.

I think, if somebody seriously wants to exploit the container, he will
also reach that with a non-root based build.

The attachment contains a (very basic and rudimentary) approach of
running docker based isar builds.

Benedikt

[Attachment: isar]
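
An added example, not part of the thread and not the attached script: a small Python check of the capability argument made in the message, which composes the `docker run` options for a build wrapper and reports whether MKNOD or SYS_ADMIN would still be held. The function names and the `/work/...` paths are hypothetical, and the flag handling is a simplified model of how Docker combines `--cap-add` and `--cap-drop`.

```python
# Added example: nothing here talks to Docker; it only builds and inspects option lists.

# Capabilities Docker grants to a container by default.
DOCKER_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})
# Policy taken from the message: no device nodes (MKNOD), no mount (SYS_ADMIN).
UNWANTED = frozenset({"MKNOD", "SYS_ADMIN"})


def _norm(cap):
    """Accept 'mknod', 'MKNOD' and 'CAP_MKNOD' alike."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def docker_options(bspdir, cap_drop=("MKNOD",)):
    """Options for 'docker run', i.e. everything before the image name."""
    opts = ["--rm"] + ["--cap-drop=" + _norm(c) for c in cap_drop]
    return opts + ["-v", "{0}:{0}:rw".format(bspdir), "-w", bspdir]


def _parse(opts):
    """Collect --privileged, --cap-add and --cap-drop from an option list."""
    privileged, add, drop = False, set(), set()
    tokens = iter(opts)
    for tok in tokens:
        name, sep, value = tok.partition("=")
        if name == "--privileged":
            privileged = value.lower() != "false"
        elif name in ("--cap-add", "--cap-drop"):
            if not sep:                       # '--cap-add X' form
                value = next(tokens, "")
            (add if name == "--cap-add" else drop).add(_norm(value))
    return privileged, add, drop


def unwanted_caps(opts):
    """Return the UNWANTED capabilities a container started with opts would hold."""
    privileged, add, drop = _parse(opts)
    if privileged:                            # privileged mode grants everything
        return set(UNWANTED)
    if "ALL" in add:                          # all capabilities except the drops
        return set(UNWANTED - drop)
    if "ALL" in drop:                         # only the explicit adds remain
        granted = add
    else:                                     # defaults minus drops, then adds
        granted = (DOCKER_DEFAULT_CAPS - drop) | add
    return set(granted & UNWANTED)


def mkfs_argv(rootfs_dir, image, size):
    """Fill an ext4 image from a directory with mkfs '-d', so no mount is needed."""
    return ["mkfs.ext4", "-d", rootfs_dir, image, size]
```

An empty result from `unwanted_caps()` means the option list matches the policy; a wrapper can refuse to start the build otherwise.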