GNU bug report logs - #45069
BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces


Package: guix;

Reported by: yasu <yasu <at> yasuaki.com>

Date: Sun, 6 Dec 2020 12:42:02 UTC

Severity: normal

Merged with 45066

Done: Marius Bakke <marius <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 12:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to yasu <yasu <at> yasuaki.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 06 Dec 2020 12:42:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: yasu <yasu <at> yasuaki.com>
To: bug-guix <at> gnu.org, pgarlick <at> tourbillion-technology.com, Pjotr Prins
 <pjotr.public12 <at> thebird.nl>, zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>
Subject: BUG: Re: guix environment: error: cannot create container:
 unprivileged user cannot create user namespaces
Date: Sun, 06 Dec 2020 21:41:00 +0900
Hi,

I really don't know much about Linux but it looks like the problem I
reported has something to do with Debian?

https://unix.stackexchange.com/questions/303213/how-to-enable-user-namespaces-in-the-kernel-for-unprivileged-unshare

Now, I don't use Debian at all (I use Guix System) and do you think
this is a Bug in Guix (in that this Debian specific word should never
even be mentioned in Guix?)

To summarize this bug again:

The Bug:
The container command no longer works after the commit
8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e:
	guix environment -C


Additional Information:
	Instead of working as it did until the commit, the command now
dies with the following error message:
		guix environment: error: cannot create container: unprivileged user cannot create user namespaces
		guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

	The message "please set /proc/sys/kernel/unprivileged_userns_clone to "1""
	seems irrelevant to Guix System users as it may only relate to
Debian users.
	I don't know why this Debian specific message is here in the
first place...

Disclaimer :-):
	I am assuming this is indeed Debian specific (I tried to
install LinuxLibre (the Guix default) but failed - my AMD graphics card
won't allow me to even boot, unless I use regular Linux.)

	I scanned for the phrase in LinuxLibre source code but there
was no mention of it:
~/Downloads$ tar -xf linux-libre-5.9.12-gnu.tar.xz
~/Downloads$ cd linux-5.9.12/
~/Downloads/linux-5.9.12$ rg -i unprivileged_userns_clone


	Just FYI: the problem phrase is indeed found in the Debian
Kernel Patch:
~/co/debian$ rg -i unprivileged_userns_clone

	linux/debian/patches/debian/add-sysctl-to-disallow-
unprivileged-CLONE_NEWUSER-by-default.patch
	25:+extern int unprivileged_userns_clone;
	27:+#define unprivileged_userns_clone 0
	36:+    if ((clone_flags & CLONE_NEWUSER) &&
!unprivileged_userns_clone)
	47:+    if ((unshare_flags & CLONE_NEWUSER) &&
!unprivileged_userns_clone) {
	65:+extern int unprivileged_userns_clone;
	77:+            .procname       = "unprivileged_userns_clone",
	78:+            .data           = &unprivileged_userns_clone,
	96:+int unprivileged_userns_clone;





Cheers,
Yasu




commit 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33eAuthor: Paul Garlick <
pgarlick <at> tourbillion-technology.com>Date:   Thu Dec 3 16:00:18 2020
+0000
    linux-container: Correct test for unprivileged user namespace
support.
    Fixes <https://bugs.gnu.org/31977>;.    Reported by Paul Garlick
<pgarlick <at> tourbillion-technology.com>.
    * gnu/build/linux-container.scm (unprivileged-user-namespace-
supported?):    Return #f when the 'userns-file' does not exist.
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-
container.scmindex 4a8bed5a9a..3870b50907 100644--- a/gnu/build/linux-
container.scm+++ b/gnu/build/linux-container.scm@@ -44,7 +44,7
@@   (let ((userns-file
"/proc/sys/kernel/unprivileged_userns_clone"))     (if (file-exists?
userns-file)         (eqv? #\1 (call-with-input-file userns-file read-
char))-        #t)))+        #f)))
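Review bot: the fallback changed from `#t` to `#f` treats a missing /proc/sys/kernel/unprivileged_userns_clone as "user namespaces unsupported", but that sysctl only exists on kernels carrying the Debian/Ubuntu patch; on mainline and linux-libre kernels the file is absent while unprivileged user namespaces work, so after this hunk `guix environment -C` fails closed on Guix System and tells the user to set a sysctl that does not exist. Rather than picking `#t` or `#f` for the missing-file case, have the check attempt to create the user namespace and report an error only when that attempt fails, and reserve the "please set ... to 1" hint for the case where the file exists and reads 0.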

On Sat, 2020-12-05 at 09:20 +0900, yasu wrote:
> Hi Pj,
> Thank you for your reply (and your wonderful Hacking Guide
> https://gitlab.com/pjotrp/guix-notes/blob/master/HACKING.org)!
> I tried the command and it didn't work...
> I use Guix System (not  a foreign distribution) as described at the
> bottom 
> -Yasu
> 
> On Fri, 2020-12-04 at 19:55 +0100, Pjotr Prins wrote:
> > On Fri, Dec 04, 2020 at 05:32:08PM +0100, zimoun wrote:
> > > Have you tried to do the recommendation?
> > > 
> > >      please set /proc/sys/kernel/unprivileged_userns_clone to "1"
> > 
> > As root:
> > 
> > echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> > 
> > Yes, it is common on Debian and such.
> > 
> > Pj.
> 
> root <at> guix ~# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> root <at> guix ~# guix system describe
> Generation 5631	Dec 05 2020 09:09:16	(current)
>   file name: /var/guix/profiles/system-5631-link
>   canonical file name: /gnu/store/qqzk4kvrhxjcia3hcq3xqrcdi36azzz9-system
>   label: GNU with Linux 5.9.12
>   bootloader: grub-efi
>   root device: label: "my-root"
>   kernel: /gnu/store/9a93vpq4aa1c3adiaaa3blwc18r9r7zz-linux-5.9.12/bzImage
>   channels:
>     guix:
>       repository URL: https://git.savannah.gnu.org/git/guix.git
>       branch: master
>       commit: 86d635b85035086d21c319f31f628761df5c82e5
>     nonguix:
>       repository URL: https://gitlab.com/nonguix/nonguix
>       branch: master
>       commit: b08ea529d4d36468b20ef4aff6dc87b3de0eff70
>     guix-chromium:
>       repository URL: https://gitlab.com/mbakke/guix-chromium.git
>       branch: master
>       commit: 2de450b92e5f2624d4f964407686934e22239f7b
>   configuration file: /gnu/store/hlma107m2004g6qq00ihm190am5mh9z0-configuration.scm

Merged 45066 45069. Request was from Tobias Geerinckx-Rice <me <at> tobias.gr> to control <at> debbugs.gnu.org. (Sun, 06 Dec 2020 15:50:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 16:17:02 GMT) Full text and rfc822 format available.

Message #10 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: yasu <yasu <at> yasuaki.com>
Cc: 45069 <at> debbugs.gnu.org, bug-guix <at> gnu.org, zimon.toutoune <at> gmail.com,
 pgarlick <at> tourbillion-technology.com, Guix Devel <guix-devel <at> gnu.org>,
 pjotr.public12 <at> thebird.nl
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Sun, 06 Dec 2020 17:16:41 +0100
yasu wrote:
> Now, I don't use Debian at all (I use Guix System) and do you 
> think
> this is a Bug in Guix (in that this Debian specific word should 
> never
> even be mentioned in Guix?)

It's not Debian-specific.  It is a bug in Guix.

It should try to create a namespace and properly report an error 
iff that fails, not prematurely abort after farting about in 
/proc.

A separate unprivileged-user-namespace-supported? is broken by 
design.  Reverting commit 8bc5ca5 works around this but it wasn't 
to blame.

Kind regards,

T G-R

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 16:17:03 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 17:00:02 GMT) Full text and rfc822 format available.

Message #16 received at submit <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: yasu <yasu <at> yasuaki.com>, bug-guix <at> gnu.org,
 pgarlick <at> tourbillion-technology.com, Pjotr Prins
 <pjotr.public12 <at> thebird.nl>
Cc: Guix Devel <guix-devel <at> gnu.org>
Subject: Re: BUG: Re: guix environment: error: cannot create container:
 unprivileged user cannot create user namespaces
Date: Sun, 06 Dec 2020 17:56:56 +0100
Hi,

Please try the recommendation. Have you tried it?

  please set /proc/sys/kernel/unprivileged_userns_clone to "1"

As root, you just do:

  echo 1 > /proc/sys/kernel/unprivileged_userns_clone

then “guix environment -C” should work as expected.  To do the trick
automatically with Shepherd, I do not know, but I am sure that the
systemd equivalent 

  echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
  sysctl --system

seems doable with Guix System.


On my system, and I need explanations if it does not work similarly on
yours, I simply do:

--8<---------------cut here---------------start------------->8---
$ guix environment -C --ad-hoc hello -- hello 
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

$ su -
Password:
# echo 1 > /proc/sys/kernel/unprivileged_userns_clone 
# logout

$ guix environment -C --ad-hoc hello -- hello 
Hello, world!
--8<---------------cut here---------------end--------------->8---

Hope that helps,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 20:52:01 GMT) Full text and rfc822 format available.

Message #19 received at submit <at> debbugs.gnu.org (full text, mbox):

From: yasu <yasu <at> yasuaki.com>
To: zimoun <zimon.toutoune <at> gmail.com>, bug-guix <at> gnu.org, 
 pgarlick <at> tourbillion-technology.com, Pjotr Prins <pjotr.public12 <at> thebird.nl>
Cc: Guix Devel <guix-devel <at> gnu.org>
Subject: Re: BUG: Re: guix environment: error: cannot create container:
 unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 05:51:05 +0900
Hi Zimoun,

I tried as you suggested but it didn't work...


root <at> guix ~# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
-bash: /etc/sysctl.d/local.conf: No such file or directory
root <at> guix ~# sysctl --system
root <at> guix ~# logout
~$ guix environment -C
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"


Now, if this posting were to be believed, I think this term

   kernel.unprivileged_userns_clone

   is specific to Debian Linux, and does not exist outside of that circle.

   It disables a bit of "hardening" that Debian patches into their
   distribution kernel. If you're not running such a kernel, it will fail
   and not do anything, as such a setting doesn't even exist in the
   mainline Linux kernel.

I wonder how this term came into Guix in the first place?

-Yasu


On Sun, 2020-12-06 at 17:56 +0100, zimoun wrote:
> Hi,
> 
> Please try the recommendation. Have you tried it?
> 
>   please set /proc/sys/kernel/unprivileged_userns_clone to "1"
> 
> As root, you just do:
> 
>   echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> 
> then “guix environment -C” should work as expected.  To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent 
> 
>   echo "kernel.unprivileged_userns_clone = 1" >
> /etc/sysctl.d/local.conf
>   sysctl --system
> 
> seems doable with Guix System.
> 
> 
> On my system, and I need explanations if it does not work similarly
> on
> yours, I simply do:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello 
> guix environment: error: cannot create container: unprivileged user
> cannot create user namespaces
> guix environment: error: please set
> /proc/sys/kernel/unprivileged_userns_clone to "1"
> 
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone 
> # logout
> 
> $ guix environment -C --ad-hoc hello -- hello 
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
> 
> Hope that helps,
> simon





Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 20:56:01 GMT) Full text and rfc822 format available.

Message #22 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Jesse Dowell <jesse.dowell <at> gmail.com>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: yasu <at> yasuaki.com, Guix Devel <guix-devel <at> gnu.org>,
 pjotr.public12 <at> thebird.nl, 45069 <at> debbugs.gnu.org,
 pgarlick <at> tourbillion-technology.com
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Sun, 6 Dec 2020 15:54:52 -0500
Hi All,

I believe the recommended suggestion is Debian-specific, is it not?

My kernel supports user namespaces and doesn't expose that file at that
location.

The only way I can work around the issue is to downgrade guix to the commit
on the master branch right before 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e

guix pull --commit=0d5d1bdf911659f60601058e8e1678187b7ba664 --allow-downgrades

Best,
Jesse

On Sun, Dec 6, 2020 at 12:03 PM zimoun <zimon.toutoune <at> gmail.com> wrote:

> Hi,
>
> Please try the recommendation. Have you tried it?
>
>   please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> As root, you just do:
>
>   echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> then “guix environment -C” should work as expected.  To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
>
>   echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
>   sysctl --system
>
> seems doable with Guix System.
>
>
> On my system, and I need explanations if it does not work similarly on
> yours, I simply do:
>
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello
> guix environment: error: cannot create container: unprivileged user cannot
> create user namespaces
> guix environment: error: please set
> /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> # logout
>
> $ guix environment -C --ad-hoc hello -- hello
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
>
> Hope that helps,
> simon
>
>
>
>

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Sun, 06 Dec 2020 22:52:01 GMT) Full text and rfc822 format available.

Message #25 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Yasuaki Kudo <yasu <at> yasuaki.com>
To: 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: closed (Re: bug#45066: guix environment --container is
 borken)
Date: Mon, 7 Dec 2020 07:51:39 +0900
I confirm this is fixed.  Thank GNU and Guix!! 😄😄

> On Dec 7, 2020, at 06:03, help-debbugs <at> gnu.org wrote:
> 
> Your bug report
> 
> #45066: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
> 
> which was filed against the guix package, has been closed.
> 
> The explanation is attached below, along with your original report.
> If you require more details, please reply to 45069 <at> debbugs.gnu.org.
> 
> -- 
> 45066: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45066
> GNU Bug Tracking System
> Contact help-debbugs <at> gnu.org with problems




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 11:59:02 GMT) Full text and rfc822 format available.

Message #28 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Pierre Neidhardt <mail <at> ambrevar.xyz>
To: Jesse Dowell <jesse.dowell <at> gmail.com>, zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org,
 pgarlick <at> tourbillion-technology.com
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 12:57:58 +0100
Hi!

I can reproduce the issue since I 'reconfigure'd my Guix System.
I'm on cebfb29abb151ede95696181d2446c63504593d7.

Guix' bug?

-- 
Pierre Neidhardt
https://ambrevar.xyz/

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 12:30:02 GMT) Full text and rfc822 format available.

Message #31 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Paul Garlick <pgarlick <at> tourbillion-technology.com>
To: Pierre Neidhardt <mail <at> ambrevar.xyz>, Jesse Dowell
 <jesse.dowell <at> gmail.com>,  zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 12:29:42 +0000
Hi Pierre,

Can you try, as root on Guix System:

$ echo 1 > /proc/sys/kernel/unprivileged_userns_clone

If you could report success or failure that would be helpful; the
unprivileged-user-namespace-supported? test in
gnu/build/linux-container.scm should be the same irrespective of the
underlying distribution (Debian, CentOS, Guix System ...).

Best regards,

Paul.

On Mon, 2020-12-07 at 12:57 +0100, Pierre Neidhardt wrote:
> Hi!
> 
> I can reproduce the issue since I 'reconfigure'd my Guix System.
> I'm on cebfb29abb151ede95696181d2446c63504593d7.
> 
> Guix' bug?
> 
> 





Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 12:42:02 GMT) Full text and rfc822 format available.

Message #34 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Yasuaki Kudo <yasu <at> yasuaki.com>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org,
 Pierre Neidhardt <mail <at> ambrevar.xyz>, Jesse Dowell <jesse.dowell <at> gmail.com>,
 zimoun <zimon.toutoune <at> gmail.com>
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 7 Dec 2020 21:41:32 +0900
Just FYI (sorry to interject), my original email was stripped of html elements?  Anyway, I was referring to this link https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do#comment442083_209533  -Yasu

> On Dec 7, 2020, at 21:31, Paul Garlick <pgarlick <at> tourbillion-technology.com> wrote:
> 
> Hi Pierre,
> 
> Can you try, as root on Guix System:
> 
> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> 
> If you could report success or failure that would be helpful; the
> unprivileged-user-namespace-supported? test in
> gnu/build/linux-container.scm should be the same irrespective of the
> underlying distribution (Debian, CentOS, Guix System ...).
> 
> Best regards,
> 
> Paul.
> 
>> On Mon, 2020-12-07 at 12:57 +0100, Pierre Neidhardt wrote:
>> Hi!
>> 
>> I can reproduce the issue since I 'reconfigure'd my Guix System.
>> I'm on cebfb29abb151ede95696181d2446c63504593d7.
>> 
>> Guix' bug?
>> 
>> 
> 
> 

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 13:33:01 GMT) Full text and rfc822 format available.

Message #37 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Pierre Neidhardt <mail <at> ambrevar.xyz>, Jesse Dowell <jesse.dowell <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org,
 pgarlick <at> tourbillion-technology.com
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 14:26:21 +0100
Hi Pierre,

On Mon, 07 Dec 2020 at 12:57, Pierre Neidhardt <mail <at> ambrevar.xyz> wrote:

> Guix' bug?

You get something as:

  $ guix environment -C guix
  guix environment: error: cannot create container: unprivileged user cannot create user namespaces
  guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

right?   Have you tried to do the recommendation?

      please set /proc/sys/kernel/unprivileged_userns_clone to "1"

in other words, as root:

  # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
  $ guix environment -C --ad-hoc hello -- hello

and report.


Thanks,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 17:14:02 GMT) Full text and rfc822 format available.

Message #40 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Pierre Neidhardt <mail <at> ambrevar.xyz>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>, Jesse Dowell
 <jesse.dowell <at> gmail.com>, zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 18:13:48 +0100
Hi Paul,

> Can you try, as root on Guix System:
>
> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone

# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
-bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

-- 
Pierre Neidhardt
https://ambrevar.xyz/

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 17:46:01 GMT) Full text and rfc822 format available.

Message #43 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>, Marius Bakke
 <marius <at> gnu.org>
Cc: Guix Devel <guix-devel <at> gnu.org>, Pierre Neidhardt <mail <at> ambrevar.xyz>,
 45069 <at> debbugs.gnu.org, Paul Garlick <pgarlick <at> tourbillion-technology.com>,
 Jesse Dowell <jesse.dowell <at> gmail.com>
Subject: bug#45069: Guix System: unprivileged user cannot create user
 namespaces?
Date: Mon, 07 Dec 2020 18:35:28 +0100
Hi,

On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail <at> ambrevar.xyz> wrote:

>> Can you try, as root on Guix System:
>>
>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

In gnu/build/linux-container.scm, it reads:

--8<---------------cut here---------------start------------->8---
(define (unprivileged-user-namespace-supported?)
  "Return #t if user namespaces can be created by unprivileged users."
  (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
    (if (file-exists? userns-file)
        (eqv? #\1 (call-with-input-file userns-file read-char))
        #t)))
--8<---------------cut here---------------end--------------->8---

Does it mean that the Linux kernel on Guix System does not support
namespaces by unprivileged users?

Turning #t to #f should work on Guix System and it appears to me a
severe bug if not.  What do I miss?  Please could someone fill my gap? :-)


All the best,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 17:57:02 GMT) Full text and rfc822 format available.

Message #46 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: zimoun <zimon.toutoune <at> gmail.com>, Ludovic Courtès
 <ludo <at> gnu.org>, Marius Bakke <marius <at> gnu.org>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org,
 Paul Garlick <pgarlick <at> tourbillion-technology.com>,
 Jesse Dowell <jesse.dowell <at> gmail.com>
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user
 namespaces?
Date: Mon, 07 Dec 2020 09:55:31 -0800
On 2020-12-07, zimoun wrote:
> On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail <at> ambrevar.xyz> wrote:
>
>>> Can you try, as root on Guix System:
>>>
>>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
>
> In gnu/build/linux-container.scm, it reads:
>
> --8<---------------cut here---------------start------------->8---
> (define (unprivileged-user-namespace-supported?)
>   "Return #t if user namespaces can be created by unprivileged users."
>   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
>     (if (file-exists? userns-file)
>         (eqv? #\1 (call-with-input-file userns-file read-char))
>         #t)))
> --8<---------------cut here---------------end--------------->8---
>
> Does it mean that the Linux kernel on Guix System does not support
> namespaces by unprivileged users?

> Turning #t to #f should work on Guix System and it appears to me a
> severe bug if not.  What do I miss?  Please could someone fill my gap? :-)

The /proc/sys/kernel/unprivileged_userns_clone file is specific to
Debian and Ubuntu packaged linux kernel; it is a patchset not applied
upstream, as far as I am aware. I'm not sure if other distros support
disabling and enabling this feature using this mechanism.

  https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

live well,
  vagrant
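The probe Tobias asks for, and the reason Vagrant gives for the missing file, as an added example written for this page rather than code from Guix's gnu/build/linux-container.scm: the C program below contrasts the sysctl-file heuristic with asking the kernel directly via unshare(CLONE_NEWUSER) in a throwaway child, and prints a diagnosis that stays accurate on both Debian-patched and mainline/linux-libre kernels. The function and enum names and the sample file paths are assumptions.

```c
#define _GNU_SOURCE            /* for unshare(2) in <sched.h> */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the GNU feature macro was not seen before <sched.h>. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from the Linux UAPI headers */
#endif
int unshare(int flags);

/* What the Debian/Ubuntu-only sysctl file tells us, if anything. */
enum userns_sysctl_state {
    USERNS_SYSCTL_ABSENT = 0,   /* file missing: mainline and linux-libre kernels */
    USERNS_SYSCTL_DISABLED,     /* file reads "0": distro hardening switched it off */
    USERNS_SYSCTL_ENABLED       /* file reads "1" */
};

/* Same heuristic as the Scheme check quoted in this thread: look at the first
   character of the sysctl file.  The path is a parameter so constructed
   sample files can stand in for the real /proc entry. */
enum userns_sysctl_state read_userns_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return USERNS_SYSCTL_ABSENT;
    int c = fgetc(f);
    fclose(f);
    return c == '1' ? USERNS_SYSCTL_ENABLED : USERNS_SYSCTL_DISABLED;
}

/* The check Tobias asks for: actually try to create a user namespace, in a
   throwaway child so the caller's own process is untouched.  Returns 1 when
   an unprivileged user namespace could be created, 0 otherwise; *err receives
   the errno from unshare(2) on failure and 0 on success. */
int probe_unprivileged_userns(int *err)
{
    pid_t pid = fork();
    if (pid < 0) {
        *err = errno;
        return 0;
    }
    if (pid == 0) {
        /* Child: only CLONE_NEWUSER, and hand errno back via the exit code. */
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        *err = errno;
        return 0;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        *err = 0;
        return 1;
    }
    *err = WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
    return 0;
}

/* Turn the two observations into a message that is accurate on every kernel:
   the sysctl hint is only given when the file exists and says 0, and an
   absent file is never treated as "unsupported". */
const char *diagnose_userns(enum userns_sysctl_state s, int probe_ok, int probe_err)
{
    if (probe_ok)
        return "unprivileged user namespaces work";
    if (s == USERNS_SYSCTL_DISABLED)
        return "disabled by kernel.unprivileged_userns_clone=0; set it to 1 as root";
    if (probe_err == EPERM)
        return "kernel refused CLONE_NEWUSER (EPERM): user namespaces disabled or restricted";
    if (probe_err == EINVAL)
        return "kernel built without CONFIG_USER_NS (EINVAL)";
    return "CLONE_NEWUSER failed for another reason; check errno";
}

/* Helper for exercising read_userns_sysctl() on constructed sample files. */
int write_sample_sysctl(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(content, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    int err = 0;
    enum userns_sysctl_state s =
        read_userns_sysctl("/proc/sys/kernel/unprivileged_userns_clone");
    int ok = probe_unprivileged_userns(&err);
    printf("sysctl state %d, probe %s: %s\n", (int) s,
           ok ? "succeeded" : "failed", diagnose_userns(s, ok, err));
    return ok ? 0 : 1;
}
```

On a Guix System box from this thread the sysctl state prints 0 (absent) while the probe succeeds, which is exactly the combination the changed Scheme check mis-reports.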

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 19:51:01 GMT) Full text and rfc822 format available.

Message #49 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Paul Garlick <pgarlick <at> tourbillion-technology.com>
To: Pierre Neidhardt <mail <at> ambrevar.xyz>, Jesse Dowell
 <jesse.dowell <at> gmail.com>,  zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 19:50:49 +0000
Hi Pierre,

> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or
> directory

Thanks, that gives us a clue.  So all or part of the path
'/proc/sys/kernel' is missing?

Best regards,

Paul.






Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 20:07:01 GMT) Full text and rfc822 format available.

Message #52 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Vagrant Cascadian <vagrant <at> debian.org>, Ludovic Courtès
 <ludo <at> gnu.org>, Marius Bakke <marius <at> gnu.org>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org,
 Paul Garlick <pgarlick <at> tourbillion-technology.com>,
 Jesse Dowell <jesse.dowell <at> gmail.com>
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user
 namespaces?
Date: Mon, 07 Dec 2020 21:03:58 +0100
Hi Vagrant,

Sorry if I am naive, I am trying to understand and it appears that
pieces are missing in my bag. :-)


On Mon, 07 Dec 2020 at 09:55, Vagrant Cascadian <vagrant <at> debian.org> wrote:

> The /proc/sys/kernel/unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.

Thanks.  I still do not understand the message from Guix System:

--8<---------------cut here---------------start------------->8---
~/co/guix (master)$ guix environment -C guix
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
--8<---------------cut here---------------end--------------->8---

(see
<https://yhetil.org/guix/e5c86d238ca5174b745b8ea6cb0cb6ad6b20aa5e.camel <at> yasuaki.com>)

Why does this appear if «set /proc/sys/kernel/unprivileged_userns_clone to "1"» 
does not make sense on Guix System?


Then Tobias answered: (see <https://yhetil.org/guix/87k0tux63a.fsf <at> nckx>)

        yasu wrote:
        > Now, I don't use Debian at all (I use Guix System) and do you 
        > think
        > this is a Bug in Guix (in that this Debian specific word should 
        > never
        > even be mentioned in Guix?)

        It's not Debian-specific.  It is a bug in Guix.

        It should try to create a namespace and properly report an error 
        iff that fails, not prematurely abort after farting about in 
        /proc.

        A separate unprivileged-user-namespace-supported? is broken by 
        design.  Reverting commit 8bc5ca5 works around this but it wasn't 
        to blame.

so I miss why a similar patch as

>   https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

is not applied to Guix System?  Is there a technical or other reason
behind it?  Or is it simply because no one has taken the time to fix the
problem?



All the best,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 20:36:02 GMT) Full text and rfc822 format available.

Message #55 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Pierre Neidhardt <mail <at> ambrevar.xyz>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>, Jesse Dowell
 <jesse.dowell <at> gmail.com>, zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 21:35:36 +0100
Hi again,

Paul Garlick <pgarlick <at> tourbillion-technology.com> writes:

> Thanks, that gives us a clue.  So all or part of the path
> '/proc/sys/kernel' is missing?

Nope, my /proc/sys/kernel has 121 direct files and directories :/

-- 
Pierre Neidhardt
https://ambrevar.xyz/

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 07 Dec 2020 21:12:02 GMT) Full text and rfc822 format available.

Message #58 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Pierre Neidhardt <mail <at> ambrevar.xyz>, Paul Garlick
 <pgarlick <at> tourbillion-technology.com>, Jesse Dowell
 <jesse.dowell <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 22:09:58 +0100
Hi,

On Mon, 07 Dec 2020 at 21:35, Pierre Neidhardt <mail <at> ambrevar.xyz> wrote:

>> Thanks, that gives us a clue.  So all or part of the path
>> '/proc/sys/kernel' is missing?
>
> Nope, my /proc/sys/kernel has 121 direct files and directories :/

Well, it is expected.  And now all is clear.  Explanations starting
there:

   <http://logs.guix.gnu.org/guix/2020-12-07.log#211011>

Quickly said, the initial code was assuming Debian-like kernel patches,
as Vagrant reported, and these are not in the linux-libre source code,
hence the wrong Guix error message.

One bug is still there. :-)


All the best,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Tue, 08 Dec 2020 03:21:02 GMT) Full text and rfc822 format available.

Message #61 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Bengt Richter <bokr <at> bokr.com>
To: Vagrant Cascadian <vagrant <at> debian.org>
Cc: 45069 <at> debbugs.gnu.org, zimoun <zimon.toutoune <at> gmail.com>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Jesse Dowell <jesse.dowell <at> gmail.com>,
 Paul Garlick <pgarlick <at> tourbillion-technology.com>,
 Marius Bakke <marius <at> gnu.org>, Guix Devel <guix-devel <at> gnu.org>
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user
 namespaces?
Date: Tue, 8 Dec 2020 04:20:05 +0100
Hi Vagrant,

On +2020-12-07 09:55:31 -0800, Vagrant Cascadian wrote:
> On 2020-12-07, zimoun wrote:
> > On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail <at> ambrevar.xyz> wrote:
> >
> >>> Can you try, as root on Guix System:
> >>>
> >>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >>
> >> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> >
> > In gnu/build/linux-container.scm, it reads:
> >
> > --8<---------------cut here---------------start------------->8---
> > (define (unprivileged-user-namespace-supported?)
> >   "Return #t if user namespaces can be created by unprivileged users."
> >   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> >     (if (file-exists? userns-file)
> >         (eqv? #\1 (call-with-input-file userns-file read-char))
> >         #t)))
> > --8<---------------cut here---------------end--------------->8---
> >
> > Does it mean that the Linux kernel on Guix System does not support
> > namespaces by unprivileged users?
> 
> > Turning #t to #f should work on Guix System and it appears to me a
> > severe bug if not.  What do I miss?  Please could someone fill my gap? :-)
> 
> The /proc/sys/kernel/unprivileged_userns_clone file is specific to the
> Debian and Ubuntu packaged Linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.
> 
>   https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
> 
> live well,
    and as virtuously as you are able ... so that spies can't help but admire and reflect :)
>   vagrant

Another data point FYI:

On my pureos system, which is based on debian upstream:
    uname -a
    =-> Linux LionPure 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
and
    ls -l /proc/sys/kernel/unprivileged_userns_clone
        -rw-r--r-- 1 root root 0 Dec  8 03:03 /proc/sys/kernel/unprivileged_userns_clone

and (noticing that the items appear to be short and ASCII lines, hence thereupon head :)

--8<---------------cut here---------------start------------->8---
od -a -t x1 /proc/sys/kernel/unprivileged_userns_clone 
0000000   0  nl
         30  0a
0000002
head /proc/sys/kernel/unprivileged_userns_clone 
0
--8<---------------cut here---------------end--------------->8---

Not sure this tells you anything useful, but there is also:
--8<---------------cut here---------------start------------->8---
head /proc/sys/user/*
==> /proc/sys/user/max_cgroup_namespaces <==
128163

==> /proc/sys/user/max_inotify_instances <==
128

==> /proc/sys/user/max_inotify_watches <==
65536

==> /proc/sys/user/max_ipc_namespaces <==
128163

==> /proc/sys/user/max_mnt_namespaces <==
128163

==> /proc/sys/user/max_net_namespaces <==
128163

==> /proc/sys/user/max_pid_namespaces <==
128163

==> /proc/sys/user/max_user_namespaces <==
128163

==> /proc/sys/user/max_uts_namespaces <==
128163
--8<---------------cut here---------------end--------------->8---

HTH some way :)
-- 
Regards,
Bengt Richter
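The Guix check quoted above returns #t whenever the Debian-only sysctl is missing, which is exactly the situation on linux-libre, so the later container failure arrives with a misleading message. Below is an added example (not Guix code; the function names are mine) of a check that treats a missing sysctl as "unknown", also consults the /proc/sys/user/max_user_namespaces file that appears in Bengt's listing, and finally asks the kernel directly by attempting the unshare in a throwaway child:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from linux/sched.h */
#endif
enum userns_hint { USERNS_DISABLED, USERNS_ENABLED, USERNS_UNKNOWN };

/* clone_ctl: Debian-only /proc/sys/kernel/unprivileged_userns_clone (NULL when
   absent, as on linux-libre); max_ns: /proc/sys/user/max_user_namespaces. */
enum userns_hint userns_hint_from_sysctl(const char *clone_ctl, const char *max_ns)
{
    if (clone_ctl != NULL && clone_ctl[0] == '0') return USERNS_DISABLED;
    if (max_ns != NULL && strtol(max_ns, NULL, 10) == 0)
        return USERNS_DISABLED;            /* a limit of 0 switches the feature off */
    if (clone_ctl != NULL && clone_ctl[0] == '1') return USERNS_ENABLED;
    return USERNS_UNKNOWN;                 /* absent sysctl is not a "yes": probe */
}

/* First line of a sysctl file into buf; NULL if the file does not exist. */
static char *read_sysctl(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return NULL;
    if (fgets(buf, (int)len, f) == NULL) buf[0] = '\0';
    fclose(f);
    return buf;
}

/* Try unshare(CLONE_NEWUSER) in a throwaway child: 1 = allowed, 0 = refused. */
int userns_probe(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* A sysctl that says "disabled" is a clear reason; anything else gets probed. */
int userns_supported(void)
{
    char a[32], b[32];
    enum userns_hint h = userns_hint_from_sysctl(
        read_sysctl("/proc/sys/kernel/unprivileged_userns_clone", a, sizeof a),
        read_sysctl("/proc/sys/user/max_user_namespaces", b, sizeof b));
    return h == USERNS_DISABLED ? 0 : userns_probe();
}
```

The probe is the authoritative answer because a kernel built without CONFIG_USER_NS, or one with a hardening policy, refuses the unshare regardless of what the sysctls say.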




Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Mon, 04 Jan 2021 09:13:02 GMT) Full text and rfc822 format available.

Message #64 received at 45069 <at> debbugs.gnu.org (full text, mbox):

From: Pierre Neidhardt <mail <at> ambrevar.xyz>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>, Jesse Dowell
 <jesse.dowell <at> gmail.com>, zimoun <zimon.toutoune <at> gmail.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, 45069 <at> debbugs.gnu.org
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create
 container: unprivileged user cannot create user namespaces
Date: Mon, 04 Jan 2021 10:11:57 +0100
This issue seems to be gone for me with kernel 5.10.x.
I guess it was a kernel bug then.

-- 
Pierre Neidhardt
https://ambrevar.xyz/

Information forwarded to bug-guix <at> gnu.org:
bug#45069; Package guix. (Wed, 06 Jan 2021 11:09:01 GMT) Full text and rfc822 format available.

Message #67 received at submit <at> debbugs.gnu.org (full text, mbox):

From: raingloom <raingloom <at> riseup.net>
To: yasu <yasu <at> yasuaki.com>
Cc: Guix Devel <guix-devel <at> gnu.org>, Pjotr Prins <pjotr.public12 <at> thebird.nl>,
 bug-guix <at> gnu.org, pgarlick <at> tourbillion-technology.com,
 zimoun <zimon.toutoune <at> gmail.com>
Subject: Re: BUG: Re: guix environment: error: cannot create container:
 unprivileged user cannot create user namespaces
Date: Wed, 6 Jan 2021 11:49:56 +0100
On Mon, 07 Dec 2020 05:51:05 +0900
yasu <yasu <at> yasuaki.com> wrote:

> Hi Zimoun,
> 
> I tried as you suggested but it didn't work...
> 
> 
>    root <at> guix ~# echo "kernel.unprivileged_userns_clone = 1" >
>    /etc/sysctl.d/local.conf
>    -bash: /etc/sysctl.d/local.conf: No such file or directory

This could mean you have to create the sysctl.d directory.
Try running this:
```
# mkdir -p /etc/sysctl.d/
# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
```




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 03 Feb 2021 12:24:08 GMT) Full text and rfc822 format available.
