From: Alex Vong
Subject: Re: Environment containers
Date: Thu, 29 Oct 2015 00:20:38 +0800
References: <87y4epsnjs.fsf@T420.taylan> <87r3kgwpb8.fsf@gnu.org> <87mvv3832q.fsf@gnu.org> <87fv0v6l6v.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: "Thompson, David"
Cc: guix-devel, 21410@debbugs.gnu.org

On 29/10/2015, Thompson, David wrote:
> On Wed, Oct 28, 2015 at 11:56 AM, Ludovic Courtès wrote:
>> "Thompson, David" skribis:
>>
>>> On Wed, Oct 28, 2015 at 11:14 AM, Alex Vong wrote:
>>>> On 28/10/2015, Ludovic Courtès wrote:
>>>>> Alex Vong skribis:
>>>>>
>>>>>> On 27/10/2015, Ludovic Courtès wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>> Do you still experience the test failures mentioned in that report?
>>>>>>> If not, could you email 21410@debbugs.gnu.org, specifying which commit
>>>>>>> works for you?
>>>>>>>
>>>>>> Yes, there are 4 tests still failing with the latest master branch
>>>>>> without unprivileged container.
>>>>>
>>>>> Which tests? Does tests/container.scm pass?
>>>>>
>>>> It doesn't pass if I run as unprivileged user. It passes if I run as
>>>> root. I will be mailing the test logs on another mail.
>>>
>>> This is because Debian doesn't let unprivileged users create user
>>> namespaces without explicitly overriding some configuration.
>>
>> How could we determine whether this restriction is in place? That would
>> allow us to skip the test on these systems.
>
> I think it is /proc/sys/kernel/unprivileged_userns_clone, but I don't
> know what the contents are exactly. 0 when off, 1 when on? Can
> someone on Debian confirm?
>
Yes, I think that's the case.
Before I run `$ sysctl -w kernel.unprivileged_userns_clone=1',
`$ cat /proc/sys/kernel/unprivileged_userns_clone' returns 0.
After I run `$ sysctl -w kernel.unprivileged_userns_clone=1',
`$ cat /proc/sys/kernel/unprivileged_userns_clone' returns 1.

> If we can get the test suite passing, I'd like to extract these user
> namespace presence tests to a procedure that 'guix environment' can
> use to give the user an informative error message in these cases.
>
> - Dave
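
The check discussed in this thread, sketched as a shell function; this is an added example, not code from the message or from Guix. The function name `userns_status`, its two optional arguments (a proc root and a uid, there so it can be exercised against a constructed directory) and the status words are assumptions, as is treating a missing knob file as "no restriction".

```shell
# Added example (hypothetical helper, not part of Guix).
# Prints one of: unsupported | available | restricted | unknown
#   $1  proc root to inspect (default /proc; overridable for testing)
#   $2  uid to evaluate for  (default: current uid)
userns_status() {
    proc_root="${1:-/proc}"
    uid="${2:-$(id -u)}"
    knob="$proc_root/sys/kernel/unprivileged_userns_clone"

    # Without this entry the running kernel has no user-namespace support.
    if [ ! -e "$proc_root/self/ns/user" ] && [ ! -L "$proc_root/self/ns/user" ]; then
        echo unsupported
        return 0
    fi

    # The thread reports that tests/container.scm passes when run as root,
    # so the knob only matters for unprivileged users.
    if [ "$uid" -eq 0 ]; then
        echo available
        return 0
    fi

    # Assumption: kernels without the Debian restriction do not expose
    # this file, so its absence is treated as "not restricted".
    if [ ! -r "$knob" ]; then
        echo available
        return 0
    fi

    # Values confirmed in the thread: 0 = off, 1 = on.
    case "$(tr -d '[:space:]' < "$knob")" in
        0) echo restricted ;;
        1) echo available ;;
        *) echo unknown ;;
    esac
}

# Report the state of the running system.
echo "unprivileged user namespaces: $(userns_status)"
```

A test harness could skip the container tests on `restricted` or `unsupported`, and a front end could turn `restricted` into a message naming the sysctl to change.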