GNU bug report logs - #75560
[PATCH] linux-container: Ignore EPERM when attempting to mount /sys.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 14 Jan 2025 17:05:03 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org: bug#75560; Package guix-patches. (Tue, 14 Jan 2025 17:05:03 GMT)

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 14 Jan 2025 17:05:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH] linux-container: Ignore EPERM when attempting to mount /sys.
Date: Tue, 14 Jan 2025 18:03:47 +0100
Fixes <https://issues.guix.gnu.org/61690>.

Until now, this would work:

  guix shell --no-cwd -CWP  -- guix shell -C coreutils -- ls -R /home

… but this would not:

  $ guix shell --no-cwd -CWPN  -- guix shell -C coreutils -- ls -R /home
  guix shell: error: mount: mount "none" on "/tmp/guix-directory.Wnc2OI/sys": Operation not permitted

This is annoying and hardly understandable.  Since we already disable
/sys mounts when sharing the global network namespace is asked (as in
‘guix shell -CN’), for the very same reason, we can just as well disable
/sys mounts anytime it fails with EPERM.

* gnu/build/linux-container.scm (mount-file-systems): Silently ignore
EPERM when attempting to mount /sys.

Change-Id: If85b1d703ab58a98ea9873f4f8fed71a06b7aa63
---
 gnu/build/linux-container.scm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index dee6885400..5c303da8c8 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -109,8 +109,14 @@ (define* (mount-file-systems root mounts #:key mount-/sys? mount-/proc?)
   ;; A sysfs mount requires the user to have the CAP_SYS_ADMIN capability in
   ;; the current network namespace.
   (when mount-/sys?
-    (mount* "none" (scope "/sys") "sysfs"
-            (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
+    (catch 'system-error
+      (lambda ()
+        (mount* "none" (scope "/sys") "sysfs"
+                (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
+      (lambda args
+        ;; EPERM means that CAP_SYS_ADMIN is missing.  Ignore.
+        (unless (= EPERM (system-error-errno args))
+          (apply throw args)))))
 
   (mount* "none" (scope "/dev") "tmpfs"
           (logior MS_NOEXEC MS_STRICTATIME)
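Review bot: the handler comment `;; EPERM means that CAP_SYS_ADMIN is missing.  Ignore.` understates what the caller loses on that path: after the `(unless (= EPERM (system-error-errno args)) ...)` check swallows EPERM, the container proceeds with an empty directory at `(scope "/sys")` and neither the user nor the rest of `mount-file-systems` learns that `mount-/sys?` was not honoured, which is the same "hardly understandable" situation the commit message describes, just moved from a hard error to a silent absence. Consider emitting a warning on the skip path (or recording the skipped mount in the procedure's result) so an operator can tell why sysfs is missing, and extend the comment to say that this is the same condition the header comment above already names (the capability is required in the *current network namespace*, i.e. the `-N` case). Also, if `system-error-errno` ever yields `#f` for an unexpected `'system-error` payload, `(= EPERM #f)` raises a wrong-type-arg error that masks the original mount failure; comparing with `eqv?` keeps the `(apply throw args)` re-raise reachable in that case.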

base-commit: d804997897d2a531e0e3186e64df798a7e2e0d1a
-- 
2.47.1
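The pattern the patch applies to sysfs, generalized into a reusable helper that also tells the caller (and the log) when a mount was skipped rather than proceeding silently. This is an added example, not code from the Guix tree or from the patch author; it assumes `mount`, the `MS_*` flags and `system-error-errno` from `(guix build syscalls)`, and `mount-sysfs-if-permitted` is a hypothetical wrapper standing in for the `/sys` mount in `mount-file-systems`.

```scheme
(use-modules (guix build syscalls))   ; assumed: mount, MS_* flags, system-error-errno

;; Run MOUNT-THUNK (a thunk performing one mount call).  Return #t on
;; success, #f when the call failed with one of TOLERATED-ERRNOS, and
;; re-raise any other 'system-error unchanged.  ON-SKIP receives the
;; errno so the caller can record *why* the mount is absent instead of
;; running on without it unnoticed.
(define* (try-mount mount-thunk
                    #:key (tolerated-errnos (list EPERM))
                          (on-skip (const #t)))
  (catch 'system-error
    mount-thunk
    (lambda args
      (let ((errno (system-error-errno args)))
        ;; eqv? rather than = so an unexpected #f errno does not raise a
        ;; wrong-type error and mask the original mount failure.
        (if (memv errno tolerated-errnos)
            (begin (on-skip errno) #f)
            (apply throw args))))))

;; Hypothetical wrapper mirroring the sysfs mount in the patch: mount a
;; read-only, noexec/nosuid/nodev sysfs at ROOT/sys.  Returns #t if /sys
;; is available inside the container, #f if it had to be skipped because
;; CAP_SYS_ADMIN is not held in the current network namespace (EPERM).
(define (mount-sysfs-if-permitted root)
  (define target (string-append root "/sys"))
  (try-mount
   (lambda ()
     (mount "none" target "sysfs"
            (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
   #:on-skip
   (lambda (errno)
     ;; Surface the skip so an operator can explain an empty /sys later.
     (format (current-error-port)
             "warning: skipping sysfs mount at ~a: ~a~%"
             target (strerror errno)))))

;; Example call (ROOT must already be the unpacked container root):
;; (unless (mount-sysfs-if-permitted "/tmp/guix-directory.XXXXXX")
;;   (format (current-error-port) "note: container runs without /sys~%"))
```

The return value is the part worth keeping: a caller that only wanted to know whether `/sys` is usable can branch on it, and anything other than EPERM (a missing target directory, an already-mounted path) still propagates as before.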
bug closed, send any further explanations to 75560 <at> debbugs.gnu.org and Ludovic Courtès <ludo <at> gnu.org> Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 27 Jan 2025 16:30:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 25 Feb 2025 12:24:12 GMT)