add detection for custom libraries registered by ld.so.conf

[PeterMocary]

The in-place upgrade doesn't support custom libraries linked using the ld.so configuration. The new actor introduced in this PR detects if the configuration was tempered with and creates high severity report in such case. In order to detect customization in the ld.so configuration, it needs to check the main /etc/ld.so.conf and the /etc/ld.so.conf.d/.

Firstly the /etc/ld.so.conf where one can include other configuration files (by default /etc/ld.so.conf.d/*.conf is included for packages to copy their configuration in) and specify other directories for third parry libraries as well. The actor expects only includes in this file since the default configuration seems to be using the /etc/ld.so.conf.d directory to extend the configuration rather then adding libraries into the main config (based on the default configuration on rhel7 and rhel8).

Secondly, the included configs need configs need to be evaluated. The actor flags a config file as custom whenever it doesn't belong to a package or when the package is not Red Hat signed. This way only configuration that is supported by Red Hat will not be detected as custom.

Manually tested on internal Vagrant box rhel7 and rhel8. I left some of the debug logs in there for easy testing, please just mark those that shouldn't stay in your review and I'll remove them.

Jira ref.: OAMG-4460
BZ ref.: BZ-1927700 / RHEL-11958

[github-actions]

Thank you for contributing to the Leapp project!

Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable.
If you want to request a review or rebuild a package in copr, you can use following commands as a comment:

• review please @oamg/developers to notify leapp developers of the review request
• /packit copr-build to submit a public copr build using packit

Packit will automatically schedule regression tests for this PR's build and latest upstream leapp build. If you need a different version of leapp from PR#42, use /packit test oamg/leapp#42

To launch regression testing public members of oamg organization can leave the following comment:

• /rerun to schedule basic regression tests using this pr build and latest upstream leapp build as artifacts
• /rerun 42 to schedule basic regression tests using this pr build and leapp*PR42* as artifacts
• /rerun-sst to schedule sst tests using this pr build and latest upstream leapp build as artifacts
• /rerun-sst 42 to schedule sst tests using this pr build and leapp*PR42* as artifacts

Please open ticket in case you experience technical problem with the CI. (RH internal only)

Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra.

[PeterMocary]

The actor now creates High severity report only. The inhibitor was removed as discussed in the BZ thread.

[dkubek]

LGTM! Did not find any major flaw in the code. Manually tested on a VM for both RHEL7/8. In testing I tried combinations of empty files, comments and custom paths for both /etc/ld.so.conf and custom drop-ins in /etc/ld.so.conf.d and the report is created as advertised.

[matejmatuska]

Apart from the comments the code works as expected on RHEL8

[pirat89]

@PeterMocary fix please unit-tests and rebase (with the squash of commits)

[PeterMocary]

The failing tests weren't caused by this PR, I made them green by disabling some not really important warnings (logging-not-lazy, logging-format-interpolation) and fixing the deprecated-method warning for current_logger.warn() method. Due to the fact that I decided to disable some warnings I will not squash it yet and wait for your feedback @pirat89.

[pirat89]

@PeterMocary seems good to me. switch the last commit for the linters to be the first one and keep it separated.

EDIT: by that, I commented just the changes made regarding the linter & spellchecker

[pirat89]

this should be tested with an installed and enabled RH SCL to see the behaviour. I am not sure in that one particular case whether such configs are tracked by installed RH RPMs.

Also The summary should be extended. Current summary does not include information why we report this to customer. what are the reasons? what could happen? etc. The title is speaking about third party libraries but in the summary I cannot see anything like that.

Also be aware of speaking about unsupported configuration files. We should rather say that these files seems to not be managed by RH products and as such they are not treated during the upgrade. The responsibility for them is on users and potentially they could impact the in-place upgrade negatively.

[pirat89]

see my previous comments. we can sync later to discuss more details.

[PeterMocary]

I addressed the comments and rebased.

• added simple detection of LD_LIBRARY_PATH as discussed offline.
• RHSCL won't be solved in this PR (bit more information in the ticket OAMG-4460)
• New report looks something like this:

----------------------------------------
Risk Factor: high
Title: Detected customized configuration for dynamic linker.
Summary: Custom configurations to the dynamic linker could potentially impact the upgrade in a negative way. The custom configuration includes modifications to /etc/ld.so.conf, custom or modified drop in config files in the /etc/ld.so.conf.d directory and additional entries in the LD_LIBRARY_PATH variable. These modifications configure the dynamic linker to use different libraries that might not be provided by Red Hat products. The following custom configurations were detected by leapp:
- The /etc/ld.so.conf file has unexpected contents:
    - aaa
- The following drop in config files were marked as custom:
    - /etc/ld.so.conf.d/custom_config.conf
    - /etc/ld.so.conf.d/dyninst-x86_64.conf
- The variable "LD_LIBRARY_PATH" contains unexpected dynamic linker configuration.
Remediation: [hint] Remove or revert the custom ld.so configuration and apply the changes using the ldconfig command.
Key: cc9bd972af70b7a27f66a37b11a00dcfcb73b1bc
----------------------------------------

Feel free to suggest changes if you think that this is not informative enough or if the formating is bad. Also the remediation hint might need some improvements.

[pirat89]

I am sorry I get to the proper review so late. I completely overlooked earlier that the actor in checksphase is interacting with the system, this needs to be split into two actors. The report looks good, just with minor change(s).

[pirat89]

@PeterMocary btw, deadline has been shifted to Thu - see my msg on slack with more details.

[PeterMocary]

I rebased the branch and addressed the comments. The original actor was split into two actors:

• scan_dynamic_linker_configuration - contains most of the logic and creates new model named DynamicLinkerConfiguration
• check_dynamic_linker_configuration - checks if the configuration is custom based on the message produced by above actor and prints a report

I also added LD_PRELOAD variable to the mix, since it allows user to set some libraries as well

The new full report looks like this:

----------------------------------------
Risk Factor: high
Title: Detected customized configuration for dynamic linker.
Summary: Custom configurations to the dynamic linker could potentially impact the upgrade in a negative way. The custom configuration includes modifications to /etc/ld.so.conf, custom or modified drop in config files in the /etc/ld.so.conf.d directory and additional entries in the LD_LIBRARY_PATH or LD_PRELOAD variables. These modifications configure the dynamic linker to use different libraries that might not be provided by Red Hat products or might not be present during the whole upgrade process. The following custom configurations were detected by leapp:
- The /etc/ld.so.conf file has unexpected contents:
    - custom line 123
    - custom other line
- The following drop in config files were marked as custom:
    - /etc/ld.so.conf.d/mariadb-x86_64.conf
    - /etc/ld.so.conf.d/custom.conf
- The following variables contain unexpected dynamic linker configuration:
    - LD_LIBRARY_PATH
    - LD_PRELOAD
Remediation: [hint] Remove or revert the custom dynamic linker configurations and apply the changes using the ldconfig command. In case of possible active software collections we suggest disabling them persistently.
Key: cc9bd972af70b7a27f66a37b11a00dcfcb73b1bc
----------------------------------------

I tested it only once to generate this report on RHEL7.

[PeterMocary]

@pirat89 @matejmatuska @dkubek When you have time please review, so I can fix possible problems before the deadline :)

[pirat89]

@PeterMocary by a quick look, i found problematic just names of config classes in models, but rest of the code seems good to me. I will get to it tomorrow (wed) to finish it. thanks for the fast changes!

[PeterMocary]

Tests are failing on unrelated error now. Apparently, pylint decided that target_user_space_creator is too large. [C0302 too-many-lines] Too many lines in module (1047/1000) File: repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py, line 1, in

[pirat89]

I did rebase (with squash) and updated the commit msg to be more descriptive. Tests should be passing now. waiting for the results

[dkubek]

Had time to only look through code and apart from minor sugestions lgtm.

all issues adressed

[pirat89]

lgtm and tests passed.

[pirat89]

Tested manually, it seems everything is ok.

• with installed and active SCL + custom config added

----------------------------------------
Risk Factor: high
Title: Detected customized configuration for dynamic linker.
Summary: Custom configurations to the dynamic linker could potentially impact the upgrade in a negative way. The custom configuration includes modifications to /etc/ld.so.conf, custom or modified drop in config files in the /etc/ld.so.conf.d directory and additional entries in the LD_LIBRARY_PATH or LD_PRELOAD variables. These modifications configure the dynamic linker to use different libraries that might not be provided by Red Hat products or might not be present during the whole upgrade process. The following custom configurations were detected by leapp:
- The following drop in config files were marked as custom:
    - /etc/ld.so.conf.d/myconf.conf
- The following variables contain unexpected dynamic linker configuration:
    - LD_LIBRARY_PATH
Remediation: [hint] Remove or revert the custom dynamic linker configurations and apply the changes using the ldconfig command. In case of possible active software collections we suggest disabling them persistently.
Key: cc9bd972af70b7a27f66a37b11a00dcfcb73b1bc
----------------------------------------

• same as above but mariadb ld conf has been modified

---

Risk Factor: high
Title: Detected customized configuration for dynamic linker.
Summary: Custom configurations to the dynamic linker could potentially impact the upgrade in a negative way. The custom configuration includes modifications to /etc/ld.so.conf, custom or modified drop in config files in the /etc/ld.so.conf.d directory and additional entries in the LD_LIBRARY_PATH or LD_PRELOAD variables. These modifications configure the dynamic linker to use different libraries that might not be provided by Red Hat products or might not be present during the whole upgrade process. The following custom configurations were detected by leapp:

• The following drop in config files were marked as custom:
  • /etc/ld.so.conf.d/mariadb-x86_64.conf
  • /etc/ld.so.conf.d/myconf.conf
• The following variables contain unexpected dynamic linker configuration:
  • LD_LIBRARY_PATH
    Remediation: [hint] Remove or revert the custom dynamic linker configurations and apply the changes using the ldconfig command. In case of possible active software collections we suggest disabling them persistently.
    Key: cc9bd972af70b7a27f66a37b11a00dcfcb73b1bc

---