On Mon, Aug 26, 2024 at 10:57:12AM +0200, Stefano Brivio wrote:On Mon, 26 Aug 2024 18:47:27 +1000 David Gibson <david(a)gibson.dropbear.id.au> wrote:Right. I mean, it's kind of necessarily the former, since the distro makes the decision. And that category will include things in the latter as well.On Mon, Aug 26, 2024 at 10:37:23AM +0200, Stefano Brivio wrote:If you actually use the front-end binary, sure. The issue is the interpretation of "intended" in the FHS description: /usr/libexec includes internal binaries that are not intended to be executed directly by users or shell scripts. ...not intended on a specific distribution? Or due to their nature?On Mon, 26 Aug 2024 18:20:35 +1000 David Gibson <david(a)gibson.dropbear.id.au> wrote:But.. they wouldn't have been in the PATH on the host either, so whatever front end binary is using them must have found them by some other means.On Mon, Aug 26, 2024 at 09:55:47AM +0200, Stefano Brivio wrote: > On Mon, 26 Aug 2024 16:39:01 +1000 > David Gibson <david(a)gibson.dropbear.id.au> wrote: > > > The statement in the comment about /usr/libexec being only for running on > > other hosts simply isn't true, neither in practice nor according to the > > FHS spec[0]. > > I don't remember where I took that meaning of /usr/libexec from, I > guess it's from some outdated packaging guidelines (Fedora? Kata > Containers?). Sure, it makes sense to fix that. > > > Furthermore this logic didn't even handle it correctly, since > > it would only handle binaries _directly_ in /usr/libexec, not those in > > (explicitly FHS permitted) subdirectories under /usr/libexec. > > So, this change breaks the two cases I needed to cover with this, which > are /usr/libexec/kata-agent in general, and /usr/libexec/qemu-kvm on > RHEL 9. Huh.. why?Because they're not in PATH on the guest, so we can't execute them.Fair point, it's not like the mbuto minimal environment needs to be strictly FHS-ishly correct. -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibsonRight, same for kata-agent.As an alternative, we can unconditionally add /usr/libexec to it using $FIXUP. I added the lines moving stuff to /usr/bin before I implemented the $FIXUP mechanism, and I needed to run kata-agent as init. But now that $FIXUP is available, that's probably less invasive.Ah... I guess for qemu-kvm we're intentionally taking what's a support binary on the host and using it as a primary binary on the guest.> What does it fix? I don't have a concrete case, but it would break anything where we're including this support binary, but the "front end" binary looks for it explicitly in /usr/libexec. Which I'd kind of expect to be most support binary cases, since by design /usr/libexec won't generally be in the PATH.I see. Well, given the limited time I can spend on maintaining mbuto, I'd really prefer to just fix concrete issues, but this looks obvious enough -- as long as we have another way to keep qemu-kvm usable in the guest.That's different from the sshd-session case, where it's a support binary in both environments. I'd favour leaving the path of the binary itself alone and explicitly adding a link from /usr/bin for the qemu-kvm case.We could add a link from /usr/bin for all the paths we find in /usr/libexec, then, to keep it more general. But is it really worth the effort compared to just adding /usr/libexec to $PATH on the guest?