fix(agent): filter out GOTRACEBACK=none
#16924
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
With the switch to Go 1.24.1, our dogfood workspaces started setting `GOTRACEBACK=none` in the environment, resulting in missing stacktraces for users. This is due to the capability changes we do when `USE_CAP_NET_ADMIN=true`. https://github.com/coder/coder/blob/564b387262e5b768c503e5317242d9ab576395d6/provisionersdk/scripts/bootstrap_linux.sh#L60-L76 This most likely triggers a change in securitybits which sets `_AT_SECURE` for the process. https://github.com/golang/go/blob/a1ddbdd3ef8b739aab53f20d6ed0a61c3474cf12/src/runtime/os_linux.go#L297-L327 Which in turn triggers secure mode: https://github.com/golang/go/blob/a1ddbdd3ef8b739aab53f20d6ed0a61c3474cf12/src/runtime/security_unix.go A better fix may be to read `/proc/self/environ` to figure out if this was set by the runtime or manually, but I'm not sure we should care about that. A template author can still set the environment on the agent resource. See https://pkg.go.dev/runtime#hdr-Security
sreya
approved these changes
Mar 14, 2025
sreya
reviewed
Mar 14, 2025
| // Ignore GOTRACEBACK=none, as it disables stack traces, it can | ||
| // be set on the agent due to changes in capabilities. | ||
| // https://pkg.go.dev/runtime#hdr-Security. | ||
| if e == "GOTRACEBACK=none" { |
There was a problem hiding this comment.
Is there any way for us to override this for ourselves that doesn't also override it for any user of coder? Seems like we're choosing for any user of coder that GOTRACEBACK shouldn't be set.
There was a problem hiding this comment.
On Linux, we could theoretically read /proc/self/environ to figure out if it was set externally or by the Go runtime. I'm not sure it's worth the lift though.
If someone sets this env in, say, a docker container resource. Yes, it will be filtered out for child-processes (which arguably may be the right thing to do anyway). But if someone sets it on the agent resource (which is the recommended way anyway), they absolutely still can.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
With the switch to Go 1.24.1, our dogfood workspaces started setting
GOTRACEBACK=nonein the environment, resulting in missing stacktracesfor users.
This is due to the capability changes we do when
USE_CAP_NET_ADMIN=true.coder/provisionersdk/scripts/bootstrap_linux.sh
Lines 60 to 76 in 564b387
This most likely triggers a change in securitybits which sets
_AT_SECUREfor the process.https://github.com/golang/go/blob/a1ddbdd3ef8b739aab53f20d6ed0a61c3474cf12/src/runtime/os_linux.go#L297-L327
Which in turn triggers secure mode:
https://github.com/golang/go/blob/a1ddbdd3ef8b739aab53f20d6ed0a61c3474cf12/src/runtime/security_unix.go
A better fix may be to read
/proc/self/environto figure out if thiswas set by the runtime or manually, but I'm not sure we should care
about that. A template author can still set the environment on the agent
resource.
See https://pkg.go.dev/runtime#hdr-Security