* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
@ 2019-10-28 17:27 Ivan Vilata i Balaguer
2019-10-29 22:16 ` Ludovic Courtès
0 siblings, 1 reply; 10+ messages in thread
From: Ivan Vilata i Balaguer @ 2019-10-28 17:27 UTC (permalink / raw)
To: 37967
Hi! While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
`guix environment -CN` (either as a normal user or as root) I get an error
like this:
guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
nscd is installed and working on my host machine.
This command used to work a while ago. Actually, I pulled the Guix commit
right before `5ccec771` ("file-systems: Add /var/run/nscd to
'%network-file-mappings'.") and the command seems to work again (even if I do
not replace the running daemon).
Maybe the later commit introduced some kind of regression?
Thanks and cheers!
--
Ivan Vilata i Balaguer -- https://elvil.net/
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-10-28 17:27 bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd Ivan Vilata i Balaguer
@ 2019-10-29 22:16 ` Ludovic Courtès
2019-10-29 22:47 ` Ivan Vilata i Balaguer
0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2019-10-29 22:16 UTC (permalink / raw)
To: Ivan Vilata i Balaguer; +Cc: 37967
Bon dia Ivan,
Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
> Hi! While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
> `guix environment -CN` (either as a normal user or as root) I get an error
> like this:
>
> guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
>
> nscd is installed and working in my host machine.
What does ‘uname -rs’ return?
What about ‘ls -ld /var/run/nscd’?
> This command used to work a while ago. Actually, I pulled the Guix commit
> right before `5ccec771` ("file-systems: Add /var/run/nscd to
> '%network-file-mappings'.") and the command seems to work again (even if I do
> not replace the running daemon).
>
> Maybe the later commit introduced some kind of regression?
It definitely has to do with this commit, but I wonder why you’d get
EPERM when bind-mounting /var/run/nscd to a different place!
Gracies,
Ludo’.
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-10-29 22:16 ` Ludovic Courtès
@ 2019-10-29 22:47 ` Ivan Vilata i Balaguer
2019-11-01 14:26 ` Ludovic Courtès
0 siblings, 1 reply; 10+ messages in thread
From: Ivan Vilata i Balaguer @ 2019-10-29 22:47 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 37967, Ivan Vilata i Balaguer
Salut Ludovic !
Ludovic Courtès (2019-10-29 23:16:49 +0100) wrote:
> Bon dia Ivan,
>
> Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
>
> > Hi! While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
> > `guix environment -CN` (either as a normal user or as root) I get an error
> > like this:
> >
> > guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
> >
> > nscd is installed and working in my host machine.
>
> What does ‘uname -rs’ return?
$ uname -rs
Linux 5.2.0-3-amd64
> What about ‘ls -ld /var/run/nscd’?
$ ls -ld /var/run/nscd
drwxr-xr-x 2 root root 60 Oct 29 15:58 /var/run/nscd
> > This command used to work a while ago. Actually, I pulled the Guix commit
> > right before `5ccec771` ("file-systems: Add /var/run/nscd to
> > '%network-file-mappings'.") and the command seems to work again (even if I do
> > not replace the running daemon).
> >
> > Maybe the later commit introduced some kind of regression?
>
> It definitely has to do with this commit, but I wonder why you’d get
> EPERM when bind-mounting /var/run/nscd to a different place!
>
> Gracies,
> Ludo’.
Yeah, I'm also scratching my head since switching to the previous commit
immediately has it working again, so it's probably not a system config
issue. `O_o`
Cheers!
--
Ivan Vilata i Balaguer -- https://elvil.net/
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-10-29 22:47 ` Ivan Vilata i Balaguer
@ 2019-11-01 14:26 ` Ludovic Courtès
2019-11-01 15:10 ` Ivan Vilata i Balaguer
0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2019-11-01 14:26 UTC (permalink / raw)
To: Ivan Vilata i Balaguer; +Cc: 37967
Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
> Salut Ludovic !
Hola! :-)
> Ludovic Courtès (2019-10-29 23:16:49 +0100) wrote:
>
>> Bon dia Ivan,
>>
>> Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
>>
>> > Hi! While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
>> > `guix environment -CN` (either as a normal user or as root) I get an error
>> > like this:
>> >
>> > guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
>> >
>> > nscd is installed and working in my host machine.
>>
>> What does ‘uname -rs’ return?
>
> $ uname -rs
> Linux 5.2.0-3-amd64
>
>> What about ‘ls -ld /var/run/nscd’?
>
> $ ls -ld /var/run/nscd
> drwxr-xr-x 2 root root 60 Oct 29 15:58 /var/run/nscd
Hmm, what does this command return:
mkdir /tmp/tt
unshare -mUr mount --bind /var/run/nscd /tmp/tt
?
What about a read-only bind mount like this:
unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
?
What if you try bind-mounting a directory owned by your user?
mkdir /tmp/mine
unshare -mUr mount --bind /tmp/mine /tmp/tt
?
Thanks in advance,
Ludo’.
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-11-01 14:26 ` Ludovic Courtès
@ 2019-11-01 15:10 ` Ivan Vilata i Balaguer
2019-11-04 3:23 ` Ivan Vilata i Balaguer
0 siblings, 1 reply; 10+ messages in thread
From: Ivan Vilata i Balaguer @ 2019-11-01 15:10 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 37967, Ivan Vilata i Balaguer
Ludovic Courtès (2019-11-01 15:26:27 +0100) wrote:
> Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
>
> > Ludovic Courtès (2019-10-29 23:16:49 +0100) wrote:
> >>
> >> Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
> >>
> >> > Hi! While using Guix commit `c9fc03a3` on Debian unstable, whenever I run
> >> > `guix environment -CN` (either as a normal user or as root) I get an error
> >> > like this:
> >> >
> >> > guix environment: error: mount: mount "/var/run/nscd" on "/tmp/guix-directory.6kBgXe//var/run/nscd": Operation not permitted
> >> >
> >> > nscd is installed and working in my host machine.
> >>
> >> What does ‘uname -rs’ return?
> >
> > $ uname -rs
> > Linux 5.2.0-3-amd64
> >
> >> What about ‘ls -ld /var/run/nscd’?
> >
> > $ ls -ld /var/run/nscd
> > drwxr-xr-x 2 root root 60 Oct 29 15:58 /var/run/nscd
>
> Hmm, what does this command return:
>
> mkdir /tmp/tt
> unshare -mUr mount --bind /var/run/nscd /tmp/tt
>
> ?
$ mkdir /tmp/tt
$ unshare -mUr mount --bind /var/run/nscd /tmp/tt && echo ok
ok
> What about a read-only bind mount like this:
>
> unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
>
> ?
This one looks more interesting:
$ unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt && echo ok
mount: /tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
$ echo $?
32
> What if you try bind-mounting a directory owned by your user?
>
> mkdir /tmp/mine
> unshare -mUr mount --bind /tmp/mine /tmp/tt
>
> ?
$ mkdir /tmp/mine
$ unshare -mUr mount --bind /tmp/mine /tmp/tt && echo ok
ok
> Thanks in advance,
> Ludo’.
Thanks to you! Saluton,
--
Ivan Vilata i Balaguer -- https://elvil.net/
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-11-01 15:10 ` Ivan Vilata i Balaguer
@ 2019-11-04 3:23 ` Ivan Vilata i Balaguer
2019-11-04 17:07 ` Ludovic Courtès
0 siblings, 1 reply; 10+ messages in thread
From: Ivan Vilata i Balaguer @ 2019-11-04 3:23 UTC (permalink / raw)
To: Ivan Vilata i Balaguer; +Cc: 37967
Ivan Vilata i Balaguer (2019-11-01 11:10:02 -0400) wrote:
> Ludovic Courtès (2019-11-01 15:26:27 +0100) wrote:
>
> > […] What about a read-only bind mount like this:
> >
> > unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
> >
> > ?
>
> This one looks more interesting:
>
> $ unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt && echo ok
> mount: /tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
> $ echo $?
> 32
BTW, I ran that under strace and it looks like the read-only remount fails
after mounting `/var/run/nscd` in the new namespace has succeeded:
$ strace -f unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
[…]
access("/run/mount", R_OK|W_OK) = -1 EACCES (Permission denied)
mount("/run/nscd", "/tmp/tt", 0x14c25b0, MS_RDONLY|MS_BIND, NULL) = 0
mount("none", "/tmp/tt", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
write(2, "mount: ", 7mount: ) = 7
write(2, "/tmp/tt: filesystem was mounted,"..., 89/tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.) = 89
write(2, "\n", 1
[…]
Cheers!
--
Ivan Vilata i Balaguer -- https://elvil.net/
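Added example, not code from the thread or from Guix: the strace above shows the bind mount itself succeeding and only the read-only remount being refused. In an unprivileged user namespace the kernel locks the nosuid/nodev/noexec flags of mounts inherited from the host (the /run tmpfs here carries all three), and a remount that omits them, as a plain `-o ro` remount does, is an attempt to clear a locked flag, hence the EPERM; the C program below remounts read-only while carrying the source's flags along. It assumes Linux with glibc and is meant to be run under `unshare -mUr` as in the thread; the function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>

/* ST_NODEV and ST_NOEXEC are GNU extensions; fall back to the Linux values. */
#ifndef ST_NODEV
#define ST_NODEV 4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif

/* Build the flags for the read-only remount.  Mounts inherited into an
 * unprivileged user namespace have nosuid/nodev/noexec locked, so the
 * remount must repeat whatever the source currently has or it gets EPERM. */
static unsigned long ro_remount_flags(unsigned long st_flag)
{
    unsigned long flags = MS_REMOUNT | MS_BIND | MS_RDONLY;
    if (st_flag & ST_NOSUID) flags |= MS_NOSUID;
    if (st_flag & ST_NODEV)  flags |= MS_NODEV;
    if (st_flag & ST_NOEXEC) flags |= MS_NOEXEC;
    return flags;
}

/* Bind SOURCE read-only at TARGET.  Returns 0 on success, -errno on failure. */
static int bind_mount_readonly(const char *source, const char *target)
{
    struct statvfs st;
    if (statvfs(source, &st) != 0)        /* read the source's current flags */
        return -errno;
    /* Step 1: the bind itself.  MS_RDONLY is ignored on this call, which is
     * why mount(8) issues the second, remounting call seen in the strace. */
    if (mount(source, target, NULL, MS_BIND, NULL) != 0)
        return -errno;
    /* Step 2: make it read-only without dropping any locked flag. */
    if (mount(NULL, target, NULL, ro_remount_flags(st.f_flag), NULL) != 0) {
        int err = errno;
        umount2(target, MNT_DETACH);      /* do not leave a writable bind behind */
        return -err;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: unshare -mUr %s SOURCE TARGET\n", argv[0]);
        return 2;
    }
    int rc = bind_mount_readonly(argv[1], argv[2]);
    if (rc != 0)
        fprintf(stderr, "%s -> %s: %s\n", argv[1], argv[2], strerror(-rc));
    return rc != 0;
}
```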
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-11-04 3:23 ` Ivan Vilata i Balaguer
@ 2019-11-04 17:07 ` Ludovic Courtès
2019-11-04 21:23 ` Ivan Vilata i Balaguer
0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2019-11-04 17:07 UTC (permalink / raw)
To: Ivan Vilata i Balaguer; +Cc: 37967
Saluton!
Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
> Ivan Vilata i Balaguer (2019-11-01 11:10:02 -0400) wrote:
>
>> Ludovic Courtès (2019-11-01 15:26:27 +0100) wrote:
>>
>> > […] What about a read-only bind mount like this:
>> >
>> > unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
>> >
>> > ?
>>
>> This one looks more interesting:
>>
>> $ unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt && echo ok
>> mount: /tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
>> $ echo $?
>> 32
>
> BTW, I ran that under strace and it looks like the read-only remount fails
> after mounting `/var/run/nscd` in the new namespace has succeeded:
>
> $ strace -f unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
> […]
> access("/run/mount", R_OK|W_OK) = -1 EACCES (Permission denied)
> mount("/run/nscd", "/tmp/tt", 0x14c25b0, MS_RDONLY|MS_BIND, NULL) = 0
> mount("none", "/tmp/tt", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
> write(2, "mount: ", 7mount: ) = 7
> write(2, "/tmp/tt: filesystem was mounted,"..., 89/tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.) = 89
> write(2, "\n", 1
> […]
Weird, why does it remount it?
What does:
mount | grep /run
return? I just tried on a Debian 10 image with Linux 4.19.0 and /run
is a tmpfs, which may be the reason why read-only bind-mounts fail (or
at least there’s a bug in that area.)
Anyway, below is a patch for you to test. Let me know how it goes. :-)
Thanks,
Ludo’.
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 6cf6ccc53e..6cdb2b749d 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -507,7 +507,8 @@ a bind mount."
;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
;; symlink to a file in a tmpfs which, for an unknown reason,
;; cannot be bind mounted read-only within the container.
- (writable? (string=? file "/etc/resolv.conf"))))
+ (writable? (or (string=? file "/etc/resolv.conf")
+ (string=? file "/var/run/nscd")))))
(cons "/var/run/nscd" %network-configuration-files)))
(define (file-system-type-predicate type)
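Review bot: the XXX comment at the top of the hunk still explains only /etc/resolv.conf, while the new `(string=? file "/var/run/nscd")` branch maps a second host path read-write for a reason the code never states; extend the comment to say that /var/run/nscd lives on the tmpfs /run and hits the same read-only remount failure in the container, otherwise the next reader has no way to tell why this directory is exempt and may treat the branch as dead code. Since `writable?` is exactly the property this change flips for a host directory the container now sees, the comment should also make clear that the mapping is a workaround for the mount failure and not a requirement of nscd itself.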
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-11-04 17:07 ` Ludovic Courtès
@ 2019-11-04 21:23 ` Ivan Vilata i Balaguer
2019-11-04 22:37 ` Ludovic Courtès
0 siblings, 1 reply; 10+ messages in thread
From: Ivan Vilata i Balaguer @ 2019-11-04 21:23 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 37967, Ivan Vilata i Balaguer
Ludovic Courtès (2019-11-04 18:07:05 +0100) wrote:
> Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
>
> > BTW, I ran that under strace and it looks like the read-only remount fails
> > after mounting `/var/run/nscd` in the new namespace has succeeded:
> >
> > $ strace -f unshare -mUr mount --bind -o ro /var/run/nscd /tmp/tt
> > […]
> > access("/run/mount", R_OK|W_OK) = -1 EACCES (Permission denied)
> > mount("/run/nscd", "/tmp/tt", 0x14c25b0, MS_RDONLY|MS_BIND, NULL) = 0
> > mount("none", "/tmp/tt", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
> > write(2, "mount: ", 7mount: ) = 7
> > write(2, "/tmp/tt: filesystem was mounted,"..., 89/tmp/tt: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.) = 89
> > write(2, "\n", 1
> > […]
>
> Weird, why does it remount it?
>
> What does:
>
> mount | grep /run
$ mount | grep /run
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=1641444k,mode=755)
[…]
> return? I just tried on a Debian 10 image with Linux 4.19.0 and /run
> is a tmpfs, which may be the reason why read-only bind-mounts fail (or
> at least there’s a bug in that area.)
>
> Anyway, below is a patch for you to test. Let me know how it goes. :-)
>
> Thanks,
> Ludo’.
I applied your patch on top of bf7b08c4, pulled Guix and did successfully
start `guix environment -CN`, with network support and all.
Cool! `:)`
> diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
> index 6cf6ccc53e..6cdb2b749d 100644
> --- a/gnu/system/file-systems.scm
> +++ b/gnu/system/file-systems.scm
> @@ -507,7 +507,8 @@ a bind mount."
> ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
> ;; symlink to a file in a tmpfs which, for an unknown reason,
> ;; cannot be bind mounted read-only within the container.
> - (writable? (string=? file "/etc/resolv.conf"))))
> + (writable? (or (string=? file "/etc/resolv.conf")
> + (string=? file "/var/run/nscd")))))
> (cons "/var/run/nscd" %network-configuration-files)))
>
> (define (file-system-type-predicate type)
--
Ivan Vilata i Balaguer -- https://elvil.net/
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-11-04 21:23 ` Ivan Vilata i Balaguer
@ 2019-11-04 22:37 ` Ludovic Courtès
2019-11-08 19:07 ` Björn Höfling
0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2019-11-04 22:37 UTC (permalink / raw)
To: Ivan Vilata i Balaguer; +Cc: 37967-done
Hi,
Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
> I applied your patch on top of bf7b08c4, pulled Guix and did successfully
> start `guix environment -CN`, with network support and all.
Awesome, pushed as 625bdf09d344302ec2d5da7f35fe35ca1d128a93.
Gràcies! :-)
Ludo’.
* bug#37967: guix environment -CN: Operation not permitted mounting host's /var/run/nscd
2019-11-04 22:37 ` Ludovic Courtès
@ 2019-11-08 19:07 ` Björn Höfling
0 siblings, 0 replies; 10+ messages in thread
From: Björn Höfling @ 2019-11-08 19:07 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Ivan Vilata i Balaguer, 37967-done
On Mon, 04 Nov 2019 23:37:07 +0100
Ludovic Courtès <ludo@gnu.org> wrote:
> Hi,
>
> Ivan Vilata i Balaguer <ivan@selidor.net> skribis:
>
> > I applied your patch on top of bf7b08c4, pulled Guix and did
> > successfully start `guix environment -CN`, with network support and
> > all.
>
> Awesome, pushed as 625bdf09d344302ec2d5da7f35fe35ca1d128a93.
Hi,
I had the same issue and was too lazy to report. I can confirm that the
commit fixed it.
Thanks for reporting and fixing.
Björn
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git