GNU bug report logs - #37967
guix environment -CN: Operation not permitted mounting host's /var/run/nscd


Package: guix;

Reported by: Ivan Vilata i Balaguer <ivan <at> selidor.net>

Date: Mon, 28 Oct 2019 17:29:02 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Mon, 28 Oct 2019 17:29:02 GMT)

Acknowledgement sent to Ivan Vilata i Balaguer <ivan <at> selidor.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 28 Oct 2019 17:29:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ivan Vilata i Balaguer <ivan <at> selidor.net>
To: bug-guix <at> gnu.org
Subject: guix environment -CN: Operation not permitted mounting host's
 /var/run/nscd
Date: Mon, 28 Oct 2019 13:27:41 -0400
Hi!  While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
`guix environment -CN` (either as a normal user or as root) I get an error
like this:

    guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted

nscd is installed and working in my host machine.

This command used to work a while ago.  Actually, I pulled the Guix commit
right before `5ccec771` ("file-systems: Add /var/run/nscd to
'%network-file-mappings'.") and the command seems to work again (even if I do
not replace the running daemon).

Maybe the later commit introduced some kind of regression?

Thanks and cheers!

-- 
Ivan Vilata i Balaguer -- https://elvil.net/




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Tue, 29 Oct 2019 22:18:02 GMT)

Message #8 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Ivan Vilata i Balaguer <ivan <at> selidor.net>
Cc: 37967 <at> debbugs.gnu.org
Subject: Re: bug#37967: guix environment -CN: Operation not permitted mounting
 host's /var/run/nscd
Date: Tue, 29 Oct 2019 23:16:49 +0100
Bon dia Ivan,

Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:

> Hi!  While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
> `guix environment -CN` (either as a normal user or as root) I get an error
> like this:
>
>     guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
>
> nscd is installed and working in my host machine.

What does ‘uname -rs’ return?

What about ‘ls -ld /var/run/nscd’?

> This command used to work a while ago.  Actually, I pulled the Guix commit
> right before `5ccec771` ("file-systems: Add /var/run/nscd to
> '%network-file-mappings'.") and the command seems to work again (even if I do
> not replace the running daemon).
>
> Maybe the later commit introduced some kind of regression?

It definitely has to do with this commit, but I wonder why you’d get
EPERM when bind-mounting /var/run/nscd to a different place!

Gràcies,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Tue, 29 Oct 2019 22:49:01 GMT)

Message #11 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ivan Vilata i Balaguer <ivan <at> selidor.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 37967 <at> debbugs.gnu.org, Ivan Vilata i Balaguer <ivan <at> selidor.net>
Subject: Re: bug#37967: guix environment -CN: Operation not permitted
 mounting host's /var/run/nscd
Date: Tue, 29 Oct 2019 18:47:14 -0400
Salut Ludovic !

Ludovic Courtès (2019-10-29 23:16:49 +0100) wrote:

> Bon dia Ivan,
> 
> Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:
> 
> > Hi!  While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
> > `guix environment -CN` (either as a normal user or as root) I get an error
> > like this:
> >
> >     guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
> >
> > nscd is installed and working in my host machine.
> 
> What does ‘uname -rs’ return?

    $ uname -rs
    Linux 5.2.0-3-amd64

> What about ‘ls -ld /var/run/nscd’?

    $ ls -ld /var/run/nscd
    drwxr-xr-x 2 root root 60 Oct 29 15:58 /var/run/nscd

> > This command used to work a while ago.  Actually, I pulled the Guix commit
> > right before `5ccec771` ("file-systems: Add /var/run/nscd to
> > '%network-file-mappings'.") and the command seems to work again (even if I do
> > not replace the running daemon).
> >
> > Maybe the later commit introduced some kind of regression?
> 
> It definitely has to do with this commit, but I wonder why you’d get
> EPERM when bind-mounting /var/run/nscd to a different place!
> 
> Gràcies,
> Ludo’.

Yeah, I'm also scratching my head since switching to the previous commit
immediately has it working again, so it's probably not a system config
issue. `O_o`

Cheers!

-- 
Ivan Vilata i Balaguer -- https://elvil.net/




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Fri, 01 Nov 2019 14:27:01 GMT)

Message #14 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Ivan Vilata i Balaguer <ivan <at> selidor.net>
Cc: 37967 <at> debbugs.gnu.org
Subject: Re: bug#37967: guix environment -CN: Operation not permitted mounting
 host's /var/run/nscd
Date: Fri, 01 Nov 2019 15:26:27 +0100
Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:

> Salut Ludovic !

Hola!  :-)

> Ludovic Courtès (2019-10-29 23:16:49 +0100) wrote:
>
>> Bon dia Ivan,
>> 
>> Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:
>> 
>> > Hi!  While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
>> > `guix environment -CN` (either as a normal user or as root) I get an error
>> > like this:
>> >
>> >     guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
>> >
>> > nscd is installed and working in my host machine.
>> 
>> What does ‘uname -rs’ return?
>
>     $ uname -rs
>     Linux 5.2.0-3-amd64
>
>> What about ‘ls -ld /var/run/nscd’?
>
>     $ ls -ld /var/run/nscd
>     drwxr-xr-x 2 root root 60 Oct 29 15:58 /var/run/nscd

Hmm, what does this command return:

  mkdir /tmp/tt
  unshare -mUr mount --bind /var/run/nscd /tmp/tt

?

What about a read-only bind mount like this:

  unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt

?

What if you try bind-mounting a directory owned by your user?

  mkdir /tmp/mine
  unshare -mUr mount --bind /tmp/mine /tmp/tt

?

Thanks in advance,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Fri, 01 Nov 2019 15:11:01 GMT)

Message #17 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ivan Vilata i Balaguer <ivan <at> selidor.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 37967 <at> debbugs.gnu.org, Ivan Vilata i Balaguer <ivan <at> selidor.net>
Subject: Re: bug#37967: guix environment -CN: Operation not permitted
 mounting host's /var/run/nscd
Date: Fri, 1 Nov 2019 11:10:02 -0400
Ludovic Courtès (2019-11-01 15:26:27 +0100) wrote:

> Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:
> 
> > Ludovic Courtès (2019-10-29 23:16:49 +0100) wrote:
> >> 
> >> Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:
> >> 
> >> > Hi!  While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
> >> > `guix environment -CN` (either as a normal user or as root) I get an error
> >> > like this:
> >> >
> >> >     guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
> >> >
> >> > nscd is installed and working in my host machine.
> >> 
> >> What does ‘uname -rs’ return?
> >
> >     $ uname -rs
> >     Linux 5.2.0-3-amd64
> >
> >> What about ‘ls -ld /var/run/nscd’?
> >
> >     $ ls -ld /var/run/nscd
> >     drwxr-xr-x 2 root root 60 Oct 29 15:58 /var/run/nscd
> 
> Hmm, what does this command return:
> 
>   mkdir /tmp/tt
>   unshare -mUr mount --bind /var/run/nscd /tmp/tt
> 
> ?

    $ mkdir /tmp/tt
    $ unshare -mUr mount --bind /var/run/nscd /tmp/tt && echo ok
    ok

> What about a read-only bind mount like this:
> 
>   unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
> 
> ?

This one looks more interesting:

    $ unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt && echo ok
    mount: /tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
    $ echo $?
    32

> What if you try bind-mounting a directory owned by your user?
> 
>   mkdir /tmp/mine
>   unshare -mUr mount --bind /tmp/mine /tmp/tt
> 
> ?

    $ mkdir /tmp/mine
    $ unshare -mUr mount --bind /tmp/mine /tmp/tt && echo ok
    ok

> Thanks in advance,
> Ludo’.

Thanks to you!  Saluton,

-- 
Ivan Vilata i Balaguer -- https://elvil.net/




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Mon, 04 Nov 2019 03:25:01 GMT)

Message #20 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ivan Vilata i Balaguer <ivan <at> selidor.net>
To: Ivan Vilata i Balaguer <ivan <at> selidor.net>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 37967 <at> debbugs.gnu.org
Subject: Re: bug#37967: guix environment -CN: Operation not permitted
 mounting host's /var/run/nscd
Date: Sun, 3 Nov 2019 22:23:24 -0500
Ivan Vilata i Balaguer (2019-11-01 11:10:02 -0400) wrote:

> Ludovic Courtès (2019-11-01 15:26:27 +0100) wrote:
> 
> > […] What about a read-only bind mount like this:
> > 
> >   unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
> > 
> > ?
> 
> This one looks more interesting:
> 
>     $ unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt && echo ok
>     mount: /tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
>     $ echo $?
>     32

BTW, I ran that under strace and it looks like the read-only remount fails
after mounting `/var/run/nscd` in the new namespace has succeeded:

    $ strace -f unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
    […]
    access("/run/mount", R_OK|W_OK)         = -1 EACCES (Permission denied)
    mount("/run/nscd", "/tmp/tt", 0x14c25b0, MS_RDONLY|MS_BIND, NULL) = 0
    mount("none", "/tmp/tt", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
    write(2, "mount: ", 7mount: )                  = 7
    write(2, "/tmp/tt: filesystem was mounted,"..., 89/tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.) = 89
    write(2, "\n", 1
    […]

Cheers!

-- 
Ivan Vilata i Balaguer -- https://elvil.net/
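The three unshare tests Ludo asked for in message #14 and the strace above together pin the failure to the second mount(2) call. Two facts explain it. First, the kernel ignores MS_RDONLY on a plain MS_BIND, so mount(8) has to follow the bind with a separate MS_REMOUNT|MS_BIND|MS_RDONLY call; that is the remount in the trace, and the "Unknown error 5005" is libmount's MNT_ERR_APPLYFLAGS code being printed as if it were an errno. Second, inside an unprivileged user namespace the nosuid, nodev and noexec bits of mounts inherited from the host, here the tmpfs on /run shown later in the thread, are locked, so a remount that names only MS_RDONLY would clear them and is refused with EPERM. The C program below is an added example, not code from the bug report or from Guix: it reproduces the EPERM with the same two calls, then performs the read-only remount with the source mount's locked bits repeated, which the kernel accepts. It assumes a host with unprivileged user namespaces enabled, a writable /tmp, and a source directory on a nosuid,nodev,noexec mount such as /run/nscd; the file name, function names and fallback macros are its own.

```c
/* Added example (not from the bug report or Guix): read-only bind mount of a
 * host directory inside an unprivileged user namespace.
 * Build: cc -o robind robind.c    Run as a normal user: ./robind /run/nscd */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks in case the GNU feature macro is not in effect for these headers;
 * the values are those of <linux/sched.h> and <bits/statvfs.h>. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef ST_NODEV
#define ST_NODEV  4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif

/* Map the statvfs(3) f_flag bits of the source mount to the mount(2) flags
 * that the kernel locks on mounts inherited by an unprivileged user
 * namespace.  A MS_REMOUNT|MS_BIND that would clear any of them fails with
 * EPERM, which is what the strace in the report shows. */
unsigned long locked_mount_flags(unsigned long st_flag)
{
    unsigned long ms = 0;
    if (st_flag & ST_RDONLY) ms |= MS_RDONLY;
    if (st_flag & ST_NOSUID) ms |= MS_NOSUID;
    if (st_flag & ST_NODEV)  ms |= MS_NODEV;
    if (st_flag & ST_NOEXEC) ms |= MS_NOEXEC;
    return ms;
}

/* Flags for a read-only remount of a bind mount whose source has st_flag. */
unsigned long ro_remount_flags(unsigned long st_flag)
{
    return MS_REMOUNT | MS_BIND | MS_RDONLY | locked_mount_flags(st_flag);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Enter a new user and mount namespace with the caller mapped to uid/gid 0,
 * the equivalent of `unshare -mUr`.  Returns 0 on success, -1 with errno set. */
int enter_userns(void)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();

    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS) < 0)
        return -1;
    if (write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", uid);
    if (write_file("/proc/self/uid_map", map) < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", gid);
    if (write_file("/proc/self/gid_map", map) < 0)
        return -1;
    /* Keep the bind mount from propagating back into the host namespace. */
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
}

int main(int argc, char **argv)
{
    const char *src = argc > 1 ? argv[1] : "/run/nscd";
    char tgt[] = "/tmp/robind.XXXXXX";
    struct statvfs sv;

    if (statvfs(src, &sv) < 0) { perror("statvfs"); return 1; }
    if (enter_userns() < 0) { perror("enter_userns"); return 1; }
    if (!mkdtemp(tgt)) { perror("mkdtemp"); return 1; }
    /* MS_RDONLY is ignored on a plain bind, hence the separate remount. */
    if (mount(src, tgt, NULL, MS_BIND, NULL) < 0) { perror("bind"); return 1; }

    /* What mount(8) did in the trace: MS_RDONLY alone.  On a source with
     * locked nosuid/nodev/noexec bits this is refused with EPERM. */
    if (mount(NULL, tgt, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) == 0)
        puts("plain read-only remount: ok (source has no locked flags)");
    else
        printf("plain read-only remount: %s\n", strerror(errno));

    /* Repeat the locked bits alongside MS_RDONLY and the remount goes through. */
    if (mount(NULL, tgt, NULL, ro_remount_flags(sv.f_flag), NULL) < 0) {
        perror("read-only remount with locked flags");
        return 1;
    }
    printf("%s is bind-mounted read-only at %s\n", src, tgt);
    return 0;
}
```

Against /run/nscd on a host like the reporter's, the first remount should report "Operation not permitted" and the second should succeed; against a directory on a mount without those bits, as in Ludo's /tmp/mine test, both succeed. The point for a container runtime is that a host directory can still be mapped read-only in an unprivileged namespace, provided the remount repeats the flags the host mount already carries, instead of falling back to a writable mapping.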




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Mon, 04 Nov 2019 17:08:01 GMT)

Message #23 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Ivan Vilata i Balaguer <ivan <at> selidor.net>
Cc: 37967 <at> debbugs.gnu.org
Subject: Re: bug#37967: guix environment -CN: Operation not permitted mounting
 host's /var/run/nscd
Date: Mon, 04 Nov 2019 18:07:05 +0100
Saluton!

Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:

> Ivan Vilata i Balaguer (2019-11-01 11:10:02 -0400) wrote:
>
>> Ludovic Courtès (2019-11-01 15:26:27 +0100) wrote:
>> 
>> > […] What about a read-only bind mount like this:
>> > 
>> >   unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
>> > 
>> > ?
>> 
>> This one looks more interesting:
>> 
>>     $ unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt && echo ok
>>     mount: /tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
>>     $ echo $?
>>     32
>
> BTW, I ran that under strace and it looks like the read-only remount fails
> after mounting `/var/run/nscd` in the new namespace has succeeded:
>
>     $ strace -f unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
>     […]
>     access("/run/mount", R_OK|W_OK)         = -1 EACCES (Permission denied)
>     mount("/run/nscd", "/tmp/tt", 0x14c25b0, MS_RDONLY|MS_BIND, NULL) = 0
>     mount("none", "/tmp/tt", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
>     write(2, "mount: ", 7mount: )                  = 7
>     write(2, "/tmp/tt: filesystem was mounted,"..., 89/tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.) = 89
>     write(2, "\n", 1
>     […]

Weird, why does it remount it?

What does:

  mount | grep /run

return?  I just tried on a Debian 10 image with Linux 4.19.0 and /run
is a tmpfs, which may be the reason why read-only bind-mounts fail (or
at least there’s a bug in that area.)

Anyway, below is a patch for you to test.  Let me know how it goes.  :-)

Thanks,
Ludo’.

diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 6cf6ccc53e..6cdb2b749d 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -507,7 +507,8 @@ a bind mount."
                  ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
                  ;; symlink to a file in a tmpfs which, for an unknown reason,
                  ;; cannot be bind mounted read-only within the container.
-                 (writable? (string=? file "/etc/resolv.conf"))))
+                 (writable? (or (string=? file "/etc/resolv.conf")
+                                (string=? file "/var/run/nscd")))))
               (cons "/var/run/nscd" %network-configuration-files)))
 
 (define (file-system-type-predicate type)
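Review bot: the XXX comment above the changed lines still names only /etc/resolv.conf and calls the cause unknown, yet this hunk extends the special case to /var/run/nscd and the thread already shows why it fails: `mount | grep /run` reports the tmpfs on /run as nosuid,nodev,noexec, and the strace shows the read-only step as a bare MS_RDONLY|MS_REMOUNT|MS_BIND that would drop those bits, which the kernel refuses with EPERM for mounts inherited by an unprivileged user namespace. Please update the comment to cover both paths and that cause. Worth stating in the commit message as well is the trade-off this hunk makes: `writable?` true fixes the symptom by giving the container a read-write bind mount of the host's nscd directory rather than the read-only mapping the other %network-file-mappings entries get, whereas a remount that repeats MS_NOSUID|MS_NODEV|MS_NOEXEC together with MS_RDONLY would keep the mapping read-only.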

Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Mon, 04 Nov 2019 21:25:01 GMT)

Message #26 received at 37967 <at> debbugs.gnu.org (full text, mbox):

From: Ivan Vilata i Balaguer <ivan <at> selidor.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 37967 <at> debbugs.gnu.org, Ivan Vilata i Balaguer <ivan <at> selidor.net>
Subject: Re: bug#37967: guix environment -CN: Operation not permitted
 mounting host's /var/run/nscd
Date: Mon, 4 Nov 2019 16:23:12 -0500
Ludovic Courtès (2019-11-04 18:07:05 +0100) wrote:

> Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:
> 
> > BTW, I ran that under strace and it looks like the read-only remount fails
> > after mounting `/var/run/nscd` in the new namespace has succeeded:
> >
> >     $ strace -f unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
> >     […]
> >     access("/run/mount", R_OK|W_OK)         = -1 EACCES (Permission denied)
> >     mount("/run/nscd", "/tmp/tt", 0x14c25b0, MS_RDONLY|MS_BIND, NULL) = 0
> >     mount("none", "/tmp/tt", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
> >     write(2, "mount: ", 7mount: )                  = 7
> >     write(2, "/tmp/tt: filesystem was mounted,"..., 89/tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.) = 89
> >     write(2, "\n", 1
> >     […]
> 
> Weird, why does it remount it?
> 
> What does:
> 
>   mount | grep /run

    $ mount | grep /run
    tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=1641444k,mode=755)
    […]

> return?  I just tried on a Debian 10 image with Linux 4.19.0 and /run
> is a tmpfs, which may be the reason why read-only bind-mounts fail (or
> at least there’s a bug in that area.)
> 
> Anyway, below is a patch for you to test.  Let me know how it goes.  :-)
> 
> Thanks,
> Ludo’.

I applied your patch on top of bf7b08c4, pulled Guix and did successfully
start `guix environment -CN`, with network support and all.

Cool! `:)`


> diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
> index 6cf6ccc53e..6cdb2b749d 100644
> --- a/gnu/system/file-systems.scm
> +++ b/gnu/system/file-systems.scm
> @@ -507,7 +507,8 @@ a bind mount."
>                   ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
>                   ;; symlink to a file in a tmpfs which, for an unknown reason,
>                   ;; cannot be bind mounted read-only within the container.
> -                 (writable? (string=? file "/etc/resolv.conf"))))
> +                 (writable? (or (string=? file "/etc/resolv.conf")
> +                                (string=? file "/var/run/nscd")))))
>                (cons "/var/run/nscd" %network-configuration-files)))
>  
>  (define (file-system-type-predicate type)

-- 
Ivan Vilata i Balaguer -- https://elvil.net/




Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Mon, 04 Nov 2019 22:38:02 GMT)

Notification sent to Ivan Vilata i Balaguer <ivan <at> selidor.net>:
bug acknowledged by developer. (Mon, 04 Nov 2019 22:38:02 GMT)

Message #31 received at 37967-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Ivan Vilata i Balaguer <ivan <at> selidor.net>
Cc: 37967-done <at> debbugs.gnu.org
Subject: Re: bug#37967: guix environment -CN: Operation not permitted mounting
 host's /var/run/nscd
Date: Mon, 04 Nov 2019 23:37:07 +0100
Hi,

Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:

> I applied your patch on top of bf7b08c4, pulled Guix and did successfully
> start `guix environment -CN`, with network support and all.

Awesome, pushed as 625bdf09d344302ec2d5da7f35fe35ca1d128a93.

Gràcies!  :-)

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#37967; Package guix. (Fri, 08 Nov 2019 19:08:01 GMT)

Message #34 received at 37967-done <at> debbugs.gnu.org (full text, mbox):

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 37967-done <at> debbugs.gnu.org, Ivan Vilata i Balaguer <ivan <at> selidor.net>
Subject: Re: bug#37967: guix environment -CN: Operation not permitted
 mounting host's /var/run/nscd
Date: Fri, 8 Nov 2019 20:07:23 +0100
On Mon, 04 Nov 2019 23:37:07 +0100
Ludovic Courtès <ludo <at> gnu.org> wrote:

> Hi,
> 
> Ivan Vilata i Balaguer <ivan <at> selidor.net> skribis:
> 
> > I applied your patch on top of bf7b08c4, pulled Guix and did
> > successfully start `guix environment -CN`, with network support and
> > all.  
> 
> Awesome, pushed as 625bdf09d344302ec2d5da7f35fe35ca1d128a93.

Hi,

I had the same issue and was too lazy to report. I can confirm that the
commit fixed it.

Thanks for reporting and fixing.

Björn

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 07 Dec 2019 12:24:05 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.