-
Notifications
You must be signed in to change notification settings - Fork 169
/
Copy pathisolate-check-environment
executable file
·318 lines (291 loc) · 8.94 KB
/
isolate-check-environment
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
#!/bin/bash
#
# Identifies potential sources issues when using isolate.
#
# (c) 2017 Bernard Blackham <bernard@blackham.com.au>
# (c) 2022-2024 Martin Mares <mj@ucw.cz>
# (c) 2024 Stephan Gomer <me@sadfun.org>
#
usage() {
cat <<EOT >&2
Usage: $0 [-q|--quiet] [-e|--execute]
Use this script to identify sources of run-time variability and other issues on
Linux machines which may affect isolate. If --execute is not specified, the
recommended actions are written to stdout as an executable shell script,
otherwise, using --execute will attempt to make changes to make the system
behave more deterministically. The changes performed by --execute persist only
until a reboot. To persist across reboots, the standard output from this script
should be added to /etc/rc.local or some other script that is run on each boot.
Alternately, you could add the following line to /etc/rc.local to automatically
apply these changes on boot, but use this with caution as not all issues can
be resolved in this way.
isolate-check-environment --quiet --execute
The exit status of this script will be 0 if all checks pass, or 1 if some
checks have failed.
Note that there are more strategies to reduce run-time variability further.
See the man page of isolate for details under REPRODUCIBILITY.
EOT
exit 2
}
# Parse options.
args=$(getopt -o "ehq" --long "execute,help,quiet" -- "$@") || usage
eval set -- "$args"
quiet=
execute=
while : ; do
case "$1" in
-q|--quiet) quiet=1 ; shift ;;
-e|--execute) execute=1 ; shift ;;
-h|--help) usage ;;
--) shift ; break ;;
*) usage ;;
esac
done
[ -n "$*" ] && usage
# Some helper boilerplate machinery.
exit_status=0
if [ -n "$TERM" -a "$TERM" != dumb ] ; then
red=$(tput setaf 1)
green=$(tput setaf 2)
yellow=$(tput setaf 3)
normal=$(tput sgr0)
else
red=
green=
yellow=
normal=
fi
# Return true (0) if we are being quiet.
quiet() {
[ -n "$quiet" ]
}
# Print all arguments to stderr as warning.
warn() {
quiet || echo "${yellow}WARNING:${normal}" "$*" >&2
}
# Print first argument to stderr as warning, and second argument to stdout as
# the recommended remedial action, or execute if --execute is given.
action() {
quiet || warn "$1"
if [ -n "$execute" ] ; then
quiet || echo "+ $2"
sh -c "$2"
else
quiet || echo $2
fi
}
print_start_check() {
quiet && return
print_check_status=1
echo -n "Checking for $@ ... " >&2
}
print_fail() {
exit_status=1
quiet && return
[ -n "$print_check_status" ] && echo "${red}FAIL${normal}" >&2
print_check_status=
}
print_dubious() {
exit_status=1
quiet && return
[ -n "$print_check_status" ] && echo "${yellow}CAUTION${normal}" >&2
print_check_status=
}
print_skipped() {
quiet && return
[ -n "$print_check_status" ] && echo "SKIPPED (not detected)" >&2
print_check_status=
}
print_finish() {
quiet && return
[ -n "$print_check_status" ] && echo "${green}PASS${normal}" >&2
print_check_status=
}
# Check that cgroups are enabled.
cgroup_check() {
local cgroup=$1
print_start_check "cgroup support for $cgroup"
if ! test -f "$cg_root/$cgroup" ; then
print_dubious
warn "the $cgroup is not present. isolate --cg cannot be used."
fi
print_finish
}
# Check that cgroups are enabled.
if ! cg_root=$(isolate --print-cg-root 2>/dev/null) ; then
warn "cgroup root not found. isolate --cg cannot be used."
exit_status=1
else
quiet || echo "Using cgroup root: $cg_root"
cgroup_check cpuset.cpus
cgroup_check cpuset.mems
cgroup_check cpu.stat
cgroup_check cgroup.procs
cgroup_check memory.events
cgroup_check memory.max
fi
# Check that swap is either disabled or accounted for.
swap_check() {
print_start_check "swap"
# If swap is disabled, there is nothing to worry about.
local swaps
swaps=$(swapon --noheadings)
if [ -n "$swaps" ] ; then
# Swap is enabled. We had better have the memory.swap support in the memory cgroup.
if ! test -f "$cg_root/memory.swap.current" ; then
print_fail
action \
"swap is enabled, but swap accounting is not. isolate will not be able to enforce memory limits." \
"swapoff -a"
else
print_dubious
warn "swap is enabled, and although accounted for, may still give run-time variability under memory pressure."
fi
fi
print_finish
}
swap_check
# Check that CPU frequency scaling is disabled.
cpufreq_check() {
print_start_check "CPU frequency scaling"
local anycpus policy
anycpus=
# Ensure cpufreq governor is set to performance on all CPUs
for cpufreq_file in $(find /sys/devices/system/cpu/cpufreq/ -name scaling_governor) ; do
policy=$(cat $cpufreq_file)
if [ "$policy" != "performance" ] ; then
print_fail
action \
"cpufreq governor set to '$policy', but 'performance' would be better" \
"echo performance > $cpufreq_file"
fi
anycpus=1
done
[ -z "$anycpus" ] && print_skipped
print_finish
}
cpufreq_check
# Check that Intel frequency boost is disabled
intel_boost_check() {
print_start_check "Intel frequency boost"
local val
if val=$(cat /sys/devices/system/cpu/intel_pstate/no_turbo 2>/dev/null) ; then
if [ "$val" -ne 1 ] ; then
print_fail
action \
"frequency boosting is enabled." \
"echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo"
fi
else
print_skipped
fi
print_finish
}
intel_boost_check
# Check that general frequency boost is disabled
general_boost_check() {
print_start_check "general frequency boost"
local val
if val=$(cat /sys/devices/system/cpu/cpufreq/boost 2>/dev/null) ; then
if [ "$val" -ne 0 ] ; then
print_fail
action \
"frequency boosting is enabled." \
"echo 0 > /sys/devices/system/cpu/cpufreq/boost"
fi
else
print_skipped
fi
print_finish
}
general_boost_check
# Check that address space layout randomisation is disabled.
aslr_check() {
print_start_check "kernel address space randomisation"
local val
if val=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null) ; then
if [ "$val" -ne 0 ] ; then
print_fail
action \
"address space randomisation is enabled." \
"echo 0 > /proc/sys/kernel/randomize_va_space"
fi
else
print_skipped
fi
print_finish
}
aslr_check
# Check that transparent huge-pages are disabled, as this leads to
# non-determinism depending on whether the kernel can allocate 2 MiB pages or
# not.
thp_check() {
print_start_check "transparent hugepage support"
local val
if val=$(cat /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null) ; then
case $val in
*'[never]'*) ;;
*) print_fail
action \
"transparent hugepages are enabled." \
"echo never > /sys/kernel/mm/transparent_hugepage/enabled" ;;
esac
fi
if val=$(cat /sys/kernel/mm/transparent_hugepage/defrag 2>/dev/null) ; then
case $val in
*'[never]'*) ;;
*) print_fail
action \
"transparent hugepage defrag is enabled." \
"echo never > /sys/kernel/mm/transparent_hugepage/defrag" ;;
esac
fi
if val=$(cat /sys/kernel/mm/transparent_hugepage/khugepaged/defrag 2>/dev/null) ; then
if [ "$val" -ne 0 ] ; then
print_fail
action \
"khugepaged defrag is enabled." \
"echo 0 > /sys/kernel/mm/transparent_hugepage/khugepaged/defrag"
fi
fi
print_finish
}
thp_check
# Piping of core dumps to programs can make program crashes significantly
# slower. Unfortunetely, dumps to pipes are not affected by RLIMIT_CORE,
# so we cannot easily disable them inside the sandbox.
core_check() {
print_start_check "core file pattern"
local val
if val="$(cat /proc/sys/kernel/core_pattern)" ; then
if [ "${val:0:1}" = '|' ] ; then
print_fail
action \
"core files are piped to a program." \
"echo core >/proc/sys/kernel/core_pattern"
fi
else
print_skipped
fi
print_finish
}
core_check
# Without protected_hardlinks, the user running Isolate could trick it into
# changing ownership of unrelated files.
hardlink_check() {
print_start_check "hard link protection"
local val
if val="$(cat /proc/sys/fs/protected_hardlinks)" ; then
if [ $val = 0 ] ; then
print_fail
action \
"hardlink protection is disabled." \
"echo 1 >/proc/sys/fs/protected_hardlinks"
fi
else
print_skipped
fi
print_finish
}
hardlink_check
exit $exit_status