Document how to use in github actions #2

Open
mariocj89 opened this issue May 8, 2023 · 2 comments
Labels
documentation Improvements or additions to documentation

Comments

@mariocj89
Contributor

Users might get the following error in CI:

```
💀 Engine error: No such process 💀

The specified process cannot be traced. This could be because the tracer
has insufficient privileges (the required capability is CAP_SYS_PTRACE).
Unprivileged processes cannot trace processes that they cannot send signals
to or those running set-user-ID/set-group-ID programs, for security reasons.
Alternatively, the process may already be being traced.

If your uid matches the uid of the target process you want to analyze, you
can do one of the following to get 'ptrace' scope permissions:

* If you are running inside a Docker container, you need to make sure you
  start the container using the '--cap-add=SYS_PTRACE' or '--privileged'
  command line arguments. Notice that this may not be enough if you are not
  running as 'root' inside the Docker container as you may need to disable
  hardening (see next points).

* Try running again with elevated permissions by running 'sudo -E !!'.

* You can disable kernel hardening for the current session temporarily (until
  a reboot happens) by running 'echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope'.
```

Rather than waiting for them to get the error to notice it, document that when running in GitHub Actions they should have a step that runs `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope`.

We can add this in a section of the README file.

@mariocj89 mariocj89 added the documentation Improvements or additions to documentation label May 8, 2023
@JoanFM

JoanFM commented May 16, 2023

I also get this error on my local machine, without GitHub Actions.


```
The specified process cannot be traced. This could be because the tracer
has insufficient privileges (the required capability is CAP_SYS_PTRACE).
Unprivileged processes cannot trace processes that they cannot send signals
to or those running set-user-ID/set-group-ID programs, for security reasons.
Alternatively, the process may already be being traced.

If your uid matches the uid of the target process you want to analyze, you
can do one of the following to get 'ptrace' scope permissions:

* If you are running inside a Docker container, you need to make sure you
  start the container using the '--cap-add=SYS_PTRACE' or '--privileged'
  command line arguments. Notice that this may not be enough if you are not
  running as 'root' inside the Docker container as you may need to disable
  hardening (see next points).

* Try running again with elevated permissions by running 'sudo -E !!'.

* You can disable kernel hardening for the current session temporarily (until
  a reboot happens) by running 'echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope'.
```

@mariocj89
Contributor Author

mariocj89 commented May 17, 2023

You do indeed need to do the step recommended in the error message:

  • You can disable kernel hardening for the current session temporarily (until
    a reboot happens) by running 'echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope'.

See `- name: Disable ptrace security restrictions` for an example.
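
The sysctl that this step changes has four possible values, and not all of them call for (or allow) the relaxation. As an added example, not part of the thread or of pytest-pystack, the script below reports the live value and what it implies; the function names are hypothetical and the value meanings follow the kernel's Yama documentation.

```shell
#!/bin/sh
# Added example (not from pytest-pystack): inspect Yama's ptrace_scope before
# deciding whether a job needs the relaxation step discussed in this issue.

SCOPE_FILE=/proc/sys/kernel/yama/ptrace_scope

# Map a ptrace_scope value to what the kernel enforces (Yama LSM semantics).
scope_meaning() {
    case "$1" in
        0) echo "classic: same-uid processes may attach to each other" ;;
        1) echo "restricted: only a parent (or a declared ptracer) may attach" ;;
        2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
        3) echo "no-attach: ptrace attach disabled until reboot" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Decide what an unprivileged tracer attaching by PID has to do.
scope_action() {
    case "$1" in
        0) echo "none" ;;
        1|2) echo "relax" ;;   # the page's step: echo 0 | sudo tee $SCOPE_FILE
        3) echo "blocked" ;;   # value 3 cannot be lowered at runtime
        *) echo "unknown"; return 1 ;;
    esac
}

# Read the live value; print "absent" when Yama is not enabled on this kernel.
current_scope() {
    if [ -r "$SCOPE_FILE" ]; then cat "$SCOPE_FILE"; else echo "absent"; fi
}

# Report only; the write itself is left to an explicit workflow step.
report() {
    value=$(current_scope)
    if [ "$value" = "absent" ]; then
        echo "Yama ptrace_scope not present; no relaxation needed"
        return 0
    fi
    echo "ptrace_scope=$value ($(scope_meaning "$value"))"
    echo "action: $(scope_action "$value")"
}

report
```

The write to `ptrace_scope` applies to the whole host, not just the test process: on an ephemeral CI runner it disappears with the VM, while on a workstation the previous value can be written back once the run finishes.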

Czaki added a commit to napari/napari that referenced this issue Oct 20, 2023
# Description

We added `pytest-pystack` in #6310 but did not fully check the example, so it
ends with:

```
  The specified process cannot be traced. This could be because the tracer
  has insufficient privileges (the required capability is CAP_SYS_PTRACE).
  Unprivileged processes cannot trace processes that they cannot send signals
  to or those running set-user-ID/set-group-ID programs, for security reasons.
  Alternatively, the process may already be being traced.
  
  If your uid matches the uid of the target process you want to analyze, you
  can do one of the following to get 'ptrace' scope permissions:
  
  * If you are running inside a Docker container, you need to make sure you
    start the container using the '--cap-add=SYS_PTRACE' or '--privileged'
    command line arguments. Notice that this may not be enough if you are not
    running as 'root' inside the Docker container as you may need to disable
    hardening (see next points).
  
  * Try running again with elevated permissions by running 'sudo -E !!'.
  
  * You can disable kernel hardening for the current session temporarily (until
    a reboot happens) by running 'echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope'.
```


https://github.com/napari/napari/actions/runs/6477123186/job/17587080688?pr=6331#step:11:149

So I added a missed line to the workflow. 

bloomberg/pytest-pystack#2

Co-authored-by: Lorenzo Gaifas <[email protected]>