Subject: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
From: yasu
To: bug-guix@gnu.org, pgarlick@tourbillion-technology.com, Pjotr Prins, zimoun
Cc: Guix Devel
Date: Sun, 06 Dec 2020 21:41:00 +0900
In-Reply-To: <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com>
References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com>

Hi,

I really don't know much about Linux but it looks like the problem I reported has something to do with Debian?
https://unix.stackexchange.com/questions/303213/how-to-enable-user-namespaces-in-the-kernel-for-unprivileged-unshare

Now, I don't use Debian at all (I use Guix System), and do you think this is a bug in Guix (in that this Debian-specific word should never even be mentioned in Guix)?

To summarize this bug again:

The Bug:
The container command no longer works after the commit 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e.
guix environment -C

Additional Information:
Instead of working as it did until the commit, the command now dies with the following error message:
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

The message "please set /proc/sys/kernel/unprivileged_userns_clone to "1"" seems irrelevant to Guix System users as it may only relate to Debian users.
I don't know why this Debian-specific message is here in the first place...

Disclaimer :-):
I am assuming this is indeed Debian specific (I tried to install LinuxLibre (the Guix default) but failed - my AMD graphics card won't allow me to even boot, unless I use regular Linux.
)

I scanned for the phrase in LinuxLibre source code but there was no mention of it:
~/Downloads$ tar -xf linux-libre-5.9.12-gnu.tar.xz
~/Downloads$ cd linux-5.9.12/
~/Downloads/linux-5.9.12$ rg -i unprivileged_userns_clone

Just FYI: the problem phrase is indeed found in the Debian Kernel Patch:
~/co/debian$ rg -i unprivileged_userns_clone
linux/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
25:+extern int unprivileged_userns_clone;
27:+#define unprivileged_userns_clone 0
36:+    if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
47:+    if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
65:+extern int unprivileged_userns_clone;
77:+        .procname       = "unprivileged_userns_clone",
78:+        .data           = &unprivileged_userns_clone,
96:+int unprivileged_userns_clone;

Cheers,
Yasu

commit 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e
Author: Paul Garlick <pgarlick@tourbillion-technology.com>
Date:   Thu Dec 3 16:00:18 2020 +0000

    linux-container: Correct test for unprivileged user namespace support.

    Fixes ;.
    Reported by Paul Garlick <pgarlick@tourbillion-technology.com>.

    * gnu/build/linux-container.scm (unprivileged-user-namespace-supported?):
    Return #f when the 'userns-file' does not exist.
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux- container.scmindex 4a8bed5a9a..3870b50907 100644--- a/gnu/build/linux- container.scm+++ b/gnu/build/linux-container.scm@@ -44,7 +44,7 @@ (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists? userns-file) (eqv? #\1 (call-with-input-file userns-file read- char))- #t)))+ #f)))

On Sat, 2020-12-05 at 09:20 +0900, yasu wrote:
> Hi Pj,
>
> Thank you for your reply (and your wonderful Hacking Guide
> https://gitlab.com/pjotrp/guix-notes/blob/master/HACKING.org)!
>
> I tried the command and it didn't work...
>
> I use Guix System (not a foreign distribution) as described at the
> bottom
>
> -Yasu
>
> On Fri, 2020-12-04 at 19:55 +0100, Pjotr Prins wrote:
> > On Fri, Dec 04, 2020 at 05:32:08PM +0100, zimoun wrote:
> > > Have you tried to do the recommendation?
> > >
> > >     please set /proc/sys/kernel/unprivileged_userns_clone to "1"
> >
> > As root:
> >
> >     echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >
> > Yes, it is common on Debian and such.
> >
> > Pj.
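Review bot: changing the missing-file branch of unprivileged-user-namespace-supported? from #t to #f conflates "the sysctl /proc/sys/kernel/unprivileged_userns_clone does not exist" with "unprivileged user namespaces are disabled", and those are different kernels: that sysctl is added only by Debian's add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch, while Linux-libre and mainline kernels (where the reporter's rg finds no such symbol, and where the root shell shows "No such file or directory") allow unprivileged user namespaces by default, so the predicate now reports #f on every non-Debian kernel and `guix environment -C` refuses to start. Suggest keeping the absent-file case as "not restricted by the Debian knob" and deciding actual support with a positive probe (for example attempting unshare with CLONE_NEWUSER in a child process), and only printing the 'please set /proc/sys/kernel/unprivileged_userns_clone to "1"' hint when the file exists and reads 0.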
> >
> root@guix ~# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> root@guix ~# guix system describe
> Generation 5631	Dec 05 2020 09:09:16	(current)
>   file name: /var/guix/profiles/system-5631-link
>   canonical file name: /gnu/store/qqzk4kvrhxjcia3hcq3xqrcdi36azzz9-system
>   label: GNU with Linux 5.9.12
>   bootloader: grub-efi
>   root device: label: "my-root"
>   kernel: /gnu/store/9a93vpq4aa1c3adiaaa3blwc18r9r7zz-linux-5.9.12/bzImage
>   channels:
>     guix:
>       repository URL: https://git.savannah.gnu.org/git/guix.git
>       branch: master
>       commit: 86d635b85035086d21c319f31f628761df5c82e5
>     nonguix:
>       repository URL: https://gitlab.com/nonguix/nonguix
>       branch: master
>       commit: b08ea529d4d36468b20ef4aff6dc87b3de0eff70
>     guix-chromium:
>       repository URL: https://gitlab.com/mbakke/guix-chromium.git
>       branch: master
>       commit: 2de450b92e5f2624d4f964407686934e22239f7b
>   configuration file: /gnu/store/hlma107m2004g6qq00ihm190am5mh9z0-configuration.scm
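The detection logic this thread is about, as an added example that is not Guix's own code: it reads the Debian sysctl the way the Scheme predicate does, but treats an absent file as "no Debian restriction" rather than as "unsupported", and then settles the question with a real probe (unshare with CLONE_NEWUSER in a forked child). The sysctl path parameter is an assumption so the reader can point it at a constructed flag file as well as the real /proc path.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* flag value from <linux/sched.h> */
#endif

/* Read a Debian-style /proc/sys/kernel/unprivileged_userns_clone file.
   Returns 1 or 0 for a readable flag, and -1 when the file is absent
   (Linux-libre and mainline kernels lack the Debian patch that adds it)
   or holds something else. The path is a parameter so it can be tested. */
static int read_userns_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int c = fgetc(f);
    fclose(f);
    return c == '1' ? 1 : c == '0' ? 0 : -1;
}

/* Positive probe: try unshare(CLONE_NEWUSER) in a forked child so the
   caller's own namespaces are untouched. 1 = the kernel let this
   unprivileged process create a user namespace, 0 = it did not. */
static int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Decision: an explicit "0" in the Debian sysctl means disabled; "1" or
   an absent file defers to the probe instead of being read as "#f",
   which is what made `guix environment -C` fail on Guix System. */
int userns_supported_at(const char *sysctl_path)
{
    if (read_userns_sysctl(sysctl_path) == 0)
        return 0;
    return probe_userns();
}
```

Calling userns_supported_at("/proc/sys/kernel/unprivileged_userns_clone") reproduces the decision for the real path on any kernel, Debian-patched or not.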