Problem installing Guix on OpenVZ host that uses zfs

Problem installing Guix on OpenVZ host that uses zfs

[Stefan Reichör]

Hi all,

I tried today to install Guix v12.0 on an OpenVZ hoster:
https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation

But I failed with the following problem:

~/bin% ./guix package -i hello
The following package will be installed:
   hello        2.10    /gnu/store/rvs42awwwby7pq3j0znglmz3vyznvbh1-hello-2.10

The following derivations will be built:
   /gnu/store/3rjlwl02c69c71jdcjcp96r41byqbv54-profile.drv
   /gnu/store/va7p6kn3c5836aw0risjxc0m6s3cj5jx-ca-certificate-bundle.drv
   /gnu/store/qbx513w8j5ikrjjnn2pv7qq91zmpylw8-fonts-dir.drv
   /gnu/store/9b7gxm83y7x4ps2mimp6jpfzx7hjypvd-info-dir.drv
guix package: error: build failed: while setting up the build environment: unable to make filesystem `/' private: Permission denied

~/bin% mount
satazpool/data/subvol-618-disk-1 on / type zfs (rw,noatime,xattr,posixacl)


Is there a work around for this problem?

Thanks,
  Stefan.

Re: Problem installing Guix on OpenVZ host that uses zfs

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1241 bytes --]

On Tue, Apr 11, 2017 at 10:07:30PM +0200, Stefan Reichör wrote:
> Hi all,
> 
> I tried today to install Guix v12.0 on an OpenVZ hoster:
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation
> 
> But I failed with the following problem:
> 
> ~/bin% ./guix package -i hello
> The following package will be installed:
>    hello        2.10    /gnu/store/rvs42awwwby7pq3j0znglmz3vyznvbh1-hello-2.10
> 
> The following derivations will be built:
>    /gnu/store/3rjlwl02c69c71jdcjcp96r41byqbv54-profile.drv
>    /gnu/store/va7p6kn3c5836aw0risjxc0m6s3cj5jx-ca-certificate-bundle.drv
>    /gnu/store/qbx513w8j5ikrjjnn2pv7qq91zmpylw8-fonts-dir.drv
>    /gnu/store/9b7gxm83y7x4ps2mimp6jpfzx7hjypvd-info-dir.drv
> guix package: error: build failed: while setting up the build environment: unable to make filesystem `/' private: Permission denied

This comes from DerivationGoal() in 'nix/libstore/build.cc'.

I'm not sure what it's trying to do with `/' and I'm also not familiar
with that rather long function, so can you try attaching to the daemon
with strace [0] and letting us know exactly where it fails?

[0] Something like:
$ strace -f -p $(pgrep guix-daemon | head -n1)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Problem installing Guix on OpenVZ host that uses zfs

[Stefan Reichör]

Hi Leo,

> On Tue, Apr 11, 2017 at 10:07:30PM +0200, Stefan Reichör wrote:
>> Hi all,
>> 
>> I tried today to install Guix v12.0 on an OpenVZ hoster:
>> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation
>> 
>> But I failed with the following problem:
>> 
>> ~/bin% ./guix package -i hello
>> The following package will be installed:
>>    hello        2.10    /gnu/store/rvs42awwwby7pq3j0znglmz3vyznvbh1-hello-2.10
>> 
>> The following derivations will be built:
>>    /gnu/store/3rjlwl02c69c71jdcjcp96r41byqbv54-profile.drv
>>    /gnu/store/va7p6kn3c5836aw0risjxc0m6s3cj5jx-ca-certificate-bundle.drv
>>    /gnu/store/qbx513w8j5ikrjjnn2pv7qq91zmpylw8-fonts-dir.drv
>>    /gnu/store/9b7gxm83y7x4ps2mimp6jpfzx7hjypvd-info-dir.drv
>> guix package: error: build failed: while setting up the build environment: unable to make filesystem `/' private: Permission denied
>
> This comes from DerivationGoal() in 'nix/libstore/build.cc'.
>
> I'm not sure what it's trying to do with `/' and I'm also not familiar
> with that rather long function, so can you try attaching to the daemon
> with strace [0] and letting us know exactly where it fails?
>
> [0] Something like:
> $ strace -f -p $(pgrep guix-daemon | head -n1)

Cool trick :-)

Here is the part that triggers the problem as I assume (I can send the
full log as well when it is needed):

[pid 31032] open("/proc/self/mountinfo", O_RDONLY) = 17
[pid 31032] read(17, "2860 2854 0:102 / / rw,noatime m"..., 4096) = 4076
[pid 31032] read(17, "", 4096)          = 0
[pid 31032] close(17)                   = 0
[pid 31032] mount(NULL, "/", NULL, MS_PRIVATE, NULL) = -1 EACCES (Permission denied)
[pid 31032] futex(0x7f827449c190, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid 31032] write(2, "while setting up the build envir"..., 97) = 97
[pid 31032] exit_group(1)               = ?
[pid 31028] close(16)                   = 0

The entry for "/" in /proc/self/mountinfo is:
3966 3548 0:102 / / rw,noatime master:129 - zfs satazpool/data/subvol-618-disk-1 rw,xattr,posixacl


Stefan.

Re: Problem installing Guix on OpenVZ host that uses zfs

[Ludovic Courtès]

Hello!

Stefan Reichör <stefan@xsteve.at> skribis:

> Here is the part that triggers the problem as I assume (I can send the
> full log as well when it is needed):
>
> [pid 31032] open("/proc/self/mountinfo", O_RDONLY) = 17
> [pid 31032] read(17, "2860 2854 0:102 / / rw,noatime m"..., 4096) = 4076
> [pid 31032] read(17, "", 4096)          = 0
> [pid 31032] close(17)                   = 0
> [pid 31032] mount(NULL, "/", NULL, MS_PRIVATE, NULL) = -1 EACCES (Permission denied)
> [pid 31032] futex(0x7f827449c190, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> [pid 31032] write(2, "while setting up the build envir"..., 97) = 97
> [pid 31032] exit_group(1)               = ?
> [pid 31028] close(16)                   = 0
>
> The entry for "/" in /proc/self/mountinfo is:
> 3966 3548 0:102 / / rw,noatime master:129 - zfs satazpool/data/subvol-618-disk-1 rw,xattr,posixacl

The corresponding code in nix/libstore/build.cc is this:

--8<---------------cut here---------------start------------->8---
            /* Make all filesystems private.  This is necessary
               because subtrees may have been mounted as "shared"
               (MS_SHARED).  (Systemd does this, for instance.)  Even
               though we have a private mount namespace, mounting
               filesystems on top of a shared subtree still propagates
               outside of the namespace.  Making a subtree private is
               local to the namespace, though, so setting MS_PRIVATE
               does not affect the outside world. */
            Strings mounts = tokenizeString<Strings>(readFile("/proc/self/mountinfo", true), "\n");
            foreach (Strings::iterator, i, mounts) {
                vector<string> fields = tokenizeString<vector<string> >(*i, " ");
                string fs = decodeOctalEscaped(fields.at(4));
                if (mount(0, fs.c_str(), 0, MS_PRIVATE, 0) == -1)
                    throw SysError(format("unable to make filesystem `%1%' private") % fs);
            }
--8<---------------cut here---------------end--------------->8---

So “fs.c_str()” evaluates to “/”, as expected.

Now maybe zfs-on-linux doesn’t implement MS_PRIVATE or has specific
constraints (is it on FUSE?).  Perhaps you should check with the
zfs-on-linux people what they think of it.

Thanks,
Ludo’.