Due to yet another security problem in the Linux kernel discovered tonight (currently only known as “ssh-keysign-pwn” with no assigned CVE number yet – Update: now CVE-2026-46333), we have had to deploy a mitigation across all our clusters. As a result, the ‘ptrace’ system call is currently restricted, and that breaks a few things – mostly debugging tools like “gdb”, but also others that might be a bit unexpected.
In particular, we know of the following things that are currently broken:
- gdb
- apptainer pull
These will remain broken until a proper patch for the aforementioned security-problem becomes available. In other words: not before next week.
Update 2026-05-18 16:00: By now a fixed kernel is available for all AlmaLinux versions, which we already started to deploy across those cluster (Alex, Fritz, Helma, Woody) this morning. This however will take some time, and means all frontends and computenodes need to reboot to apply the fix. The mitigation restricting ptrace will automatically be removed whereever the new kernel is running.
There is no update for our Ubuntu based clusters (TinyFat, TinyGPU, Testcluster) yet, so there is no ETA on when the mitigation restricting ptrace can be removed on those clusters yet.
Update 2026-05-18 16:00: A fixed kernel has been deployed on the Fritz cluster, and the mitigation has been removed where that kernel is running. ‘ptrace’ should work normally again on all Fritz frontends, and for all jobs that newly start on Fritz.
Update 2026-05-19 09:00: ‘ptrace’ should now work normally again on all Woody frontends, and for jobs that newly start on Woody.
Update 2026-05-19 12:30: ‘ptrace’ should now work normally again on all Helma frontends, and for jobs that newly start on both Helma-CPU and Helma-GPU.
Update 2026-05-19 16:00: ‘ptrace’ should now work normally again on all Alex frontends, and for jobs that newly start on Alex.
Update 2026-05-19 16:00: general summary as of now: Alex, Fritz, Helma, Woody back to normal. Restrictions remain on: Testcluster, TinyFat, TinyGPU, csnhr (no ETA).