Segfault on arm64

[blaggacao]

On arm64/aarch64, precisely on a Rpi3 B, just after sending a message to the team from the cli, the ca server segfaults with:

Started CA bot...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x68a60]

goroutine 38 [running]:
github.com/keybase/go-keybase-chat-bot/kbchat.(*API).Listen.func1(0x4000124280)
	/go/pkg/mod/github.com/keybase/[email protected]/kbchat/kbchat.go:626 +0x2f8
created by github.com/keybase/go-keybase-chat-bot/kbchat.(*API).Listen.func2
	/go/pkg/mod/github.com/keybase/[email protected]/kbchat/kbchat.go:679 +0x28c

Message:
keybase chat send team.ssh.stage "This message kills the auth bot"

Used image: registry.gitlab.com/jitesoft/dockerfiles/keybase-sshca/alpine:latest

It is not consistent, after 5 test 4 in 5 messages killed the bot.

[blaggacao]

@Johannestegner have you observed similar behaviour? It happened with your arm64 builds from the gitlab registry...

[Johannestegner]

Hi there!
I have not tested the bot (nor image) on rpi3, but as soon as I have had breakfast and taken the kids to school I'll test it on my aarch64 server to see if I get the same result.

Is the rpi3 an aarch64 CPU and not a 32b arm version?

[Johannestegner]

Alright, I have checked my docker file and such and it seems like it have been failing in the build pipeline for quite a while. That is, it's probably a bit outdated.
@blaggacao Have you tested with the latest version provided by Keybase?

[blaggacao]

@Johannestegner
I'm using Raspberry Pi 3 Model B V1.2 (writing on the circuit board) which according to here has a Quad Core 1.2GHz Broadcom BCM2837 64bit CPU which according to here is a quad-core ARM Cortex A53 (ARMv8) which according to here has AArch32 for full backward compatibility with Armv7 and AArch64 for 64-bit support and new architectural features.

I'm running on Rancher OS which distributes a 64bit version for Rpi.

Furthermore, I gloriously failed at cross-compiling, even with docker's buildx (it doesn't compile on the RPI itself due to resource constraints, I assume - curiously it seems to hang during a git clone command issued by go get.). That's when I discovered your images and gained trust in them. So no, I couldn't check with the latest keybase's versions, but I'm happy to help fixing/automating your build pipeline for having a reliable source of those docker images under such constraints.

ping to @ddworken to raise awareness that while building things oneself is a great educational strategy and thus benefits secure practices, in the event of trying to build a cheap RPi appliance with excellent glassbreak properties (just pull the plug), officially supported and published images based on @Johannestegner s work would be just about perfect.

[Johannestegner]

I'm very happy to hear that you like my images (i really love writing docker images and optimize them as much as possible, hehe), but my work would really be nothing without the software ;)
It's a great echo-system! :D

I pushed new images based on the latest version of keybase-sshca about 2 hours ago, if the docker images is the way you wish to go, feel free to try the latest version and let me know if the issue persists. My latest image (before current) was badly outdated.

[blaggacao]

Yeah thanks! I just inferred you also run a weekly scheduled pipeline, I'll pull the new latest and check again and then report back. Thanks!

[ddworken]

Thanks for the tag @blaggacao! Having an official Keybase docker file is definitely something we're interested in/planning on doing long term, but getting everything set up such that it can be done securely (reproducible builds and using docker content trust) takes a bit of extra work. :)

And if the latest build from @Johannestegner doesn't work out, I can take a look and see whether I can reproduce and figure anything out.

[blaggacao]

@ddworken Yes please! have a look at this finding, 🙏 #91 (and the linked issues)