From: Drew C
Subject: Re: [PATCH] environment: container: Do not remount network files as read-only.
Date: Sat, 26 Mar 2016 11:54:24 -0700
In-Reply-To: <87r3exyt97.fsf@gnu.org>
References: <87wpozldb5.fsf@gnu.org> <87r3exyt97.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

On Sat, Mar 26, 2016 at 11:43 AM, Ludovic Courtès wrote:
> "Thompson, David" skribis:
>
> > On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès wrote:
> >> "Thompson, David" skribis:
> >>
> >>> I noticed that 'guix environment --container --network' didn't work on
> >>> an Ubuntu machine I was on, and the culprit was remounting things like
> >>> /etc/resolv.conf read-only after the initial bind mount.
> >>
> >> [...]
> >>
> >>>                        (file-system-mapping
> >>>                         (source file)
> >>>                         (target file)
> >>> -                       (writable? #f))))
> >>> +                       ;; An unpriviliged user might not
> >>> +                       ;; be able to remount
> >>> +                       ;; /etc/resolv.conf as read-only,
> >>> +                       ;; so we say that it is writable
> >>> +                       ;; here, even though in practice
> >>> +                       ;; it is not.
> >>> +                       (writable? #t))))
> >>>                      %network-configuration-files)
> >>
> >> Not sure I understand: why would bind-mounting /etc/resolv.conf
> >> read-only fail?
> >
> > I haven't figured out the exact reason yet, but here's a strace
> > snippet as proof:
> >
> > [pid 11334] mount("/etc/resolv.conf",
> > "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
> > MS_RDONLY|MS_BIND, NULL) = 0
> > [pid 11334] mount("/etc/resolv.conf",
> > "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
> > MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
> > permitted)
> >
> > Another Ubuntu user was able to reproduce this as well.
>
> Looking at the resolvconf man page that Drew mentioned, it seems that
> /etc/resolv.conf is a symlink when resolvconf is in used, right?

Correct:

$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Oct  2 08:36 /etc/resolv.conf -> ../run/resolvconf/resolv.conf

> If yes, does this make a difference:
>
>
> It may be that the result after this is that you get /etc/resolv.conf in
> the container, but it’s a dangling symlink.  But isn’t it the case
> already with the patch you propose?
>
> Thanks for finding all these curiosities.  :-)
>
> Ludo’.
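Review bot: the `+ (writable? #t)` change drops the read-only request for every entry of `%network-configuration-files` on every host, while the strace David posted shows the problem is narrower: the first `MS_RDONLY|MS_BIND` call succeeds and only the follow-up `MS_RDONLY|MS_REMOUNT|MS_BIND` call fails with EPERM, so far only on Ubuntu hosts where /etc/resolv.conf is a resolvconf symlink. Keeping `(writable? #f)` and treating EPERM from that second remount as non-fatal (with a warning) would preserve the read-only mapping wherever the kernel grants it instead of giving it up everywhere. The added comment "we say that it is writable here, even though in practice it is not" also overstates what the mapping now guarantees: once the remount is no longer issued, nothing makes the file read-only in the container. Finally, "unpriviliged" in the comment should read "unprivileged".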
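The two points the thread turns on, as an added Python example that is not part of the thread or of Guix: first, reading an strace log to find bind mounts whose follow-up read-only remount failed (mount(2) ignores MS_RDONLY on a plain MS_BIND call; only the second MS_REMOUNT|MS_BIND call makes the mount read-only, which is why two calls appear in David's trace, and why a failed second call leaves the file writable); second, computing where a symlink such as the one in Drew's `ls -l` output would point from inside a container root and whether any mapping provides that target, the "dangling symlink" Ludovic asks about. The strace lines are constructed copies of the two quoted above, the NETWORK_FILES list is a constructed sample standing in for Guix's own `%network-configuration-files`, and every function name is hypothetical.

```python
"""Added example (not from the guix-devel thread or from Guix itself):
check the two behaviours the thread discusses, on constructed data."""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed strace lines, modelled on the two calls quoted in the thread.
STRACE_SNIPPET = """\
[pid 11334] mount("/etc/resolv.conf", "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000, MS_RDONLY|MS_BIND, NULL) = 0
[pid 11334] mount("/etc/resolv.conf", "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
"""

# Constructed sample of host files a container might map; the real list is
# Guix's %network-configuration-files and may differ from this one.
NETWORK_FILES = ["/etc/resolv.conf", "/etc/hosts", "/etc/nsswitch.conf", "/etc/services"]

MOUNT_RE = re.compile(
    r'mount\("(?P<src>[^"]*)",\s*"(?P<dst>[^"]*)",\s*[^,]*,\s*'
    r'(?P<flags>[A-Z_|]+),\s*[^)]*\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?'
)


@dataclass(frozen=True)
class MountCall:
    src: str
    dst: str
    flags: frozenset
    ret: int
    err: Optional[str]


def parse_mount_calls(trace: str) -> List[MountCall]:
    """Extract mount(2) calls from strace output; other lines are skipped."""
    calls = []
    for line in trace.splitlines():
        m = MOUNT_RE.search(line)
        if m:
            calls.append(MountCall(m["src"], m["dst"],
                                   frozenset(m["flags"].split("|")),
                                   int(m["ret"]), m["err"]))
    return calls


def failed_readonly_remounts(calls: Iterable[MountCall]) -> Dict[str, str]:
    """Map each target whose read-only remount failed to the errno name.

    mount(2) ignores MS_RDONLY on a plain MS_BIND, so the mount is only
    read-only once the MS_REMOUNT|MS_BIND call succeeds; a target is reported
    when an earlier plain bind on it succeeded and that remount then failed."""
    bound = set()
    failures: Dict[str, str] = {}
    for c in calls:
        is_remount = "MS_REMOUNT" in c.flags
        if "MS_BIND" in c.flags and not is_remount and c.ret == 0:
            bound.add(c.dst)
        elif is_remount and "MS_RDONLY" in c.flags and c.dst in bound and c.ret != 0:
            failures[c.dst] = c.err or "unknown"
    return failures


def link_target_in_container(link_path: str, link_target: str) -> str:
    """Path a symlink at LINK_PATH would designate inside the container root.

    The kernel resolves a relative target against the link's own directory,
    so '../run/resolvconf/resolv.conf' under /etc names
    /run/resolvconf/resolv.conf inside the container."""
    if link_target.startswith("/"):
        return posixpath.normpath(link_target)
    return posixpath.normpath(posixpath.join(posixpath.dirname(link_path), link_target))


def dangling_in_container(link_path: str, link_target: str,
                          mapped: Iterable[str]) -> bool:
    """True when no mapping provides the path the symlink points at."""
    return link_target_in_container(link_path, link_target) not in set(mapped)


if __name__ == "__main__":
    for dst, err in failed_readonly_remounts(parse_mount_calls(STRACE_SNIPPET)).items():
        print(f"left writable (read-only remount failed with {err}): {dst}")
    target = "../run/resolvconf/resolv.conf"  # from the `ls -l` output in the thread
    print("dangling inside container:",
          dangling_in_container("/etc/resolv.conf", target, NETWORK_FILES))
```

Run against the constructed trace it reports the container's /etc/resolv.conf as left writable with EPERM, and it reports the resolvconf symlink as dangling because nothing maps /run/resolvconf/resolv.conf into the container; adding that path to the mapping list is what would make the second check pass.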