all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
@ 2024-05-27 14:55 Ludovic Courtès
  2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Ludovic Courtès @ 2024-05-27 14:55 UTC (permalink / raw)
  To: 71226

On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

--8<---------------cut here---------------start------------->8---
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15)                        = 0
294642 getuid()                         = 1000
294642 getgid()                         = 1000
294653 close(16)                        = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15,  <unfinished ...>
294642 <... openat resumed>)            = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "deny", 4)              = 4
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 write(16, "ready", 5)            = 5
294653 <... read resumed>"r", 1)        = 1
294642 write(16, "\n", 1)               = 1
294653 read(15, "e", 1)                 = 1
294642 read(16,  <unfinished ...>
294653 read(15, "a", 1)                 = 1
294653 read(15, "d", 1)                 = 1
294653 read(15, "y", 1)                 = 1
294653 read(15, "\n", 1)                = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1)                = 1
294642 <... read resumed>"(", 1)        = 1
294653 write(15, "system-error", 12 <unfinished ...>
--8<---------------cut here---------------end--------------->8---

(It used to work on Ubuntu 22.)

Ludo’.




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#71226: Upstream ubuntu issue
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
@ 2024-05-30 13:55 ` W. J. van der Laan
  2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
  2024-12-19 16:26 ` Marek Felšöci
  2 siblings, 0 replies; 5+ messages in thread
From: W. J. van der Laan @ 2024-05-30 13:55 UTC (permalink / raw)
  To: 71226@debbugs.gnu.org

Upstream ubuntu issue (includes possible workaround): https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
  2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
@ 2024-07-04 13:05 ` Ricardo Wurmus
  2024-10-15 12:07   ` Ludovic Courtès
  2024-12-19 16:26 ` Marek Felšöci
  2 siblings, 1 reply; 5+ messages in thread
From: Ricardo Wurmus @ 2024-07-04 13:05 UTC (permalink / raw)
  To: 71226; +Cc: ludo

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
@ 2024-10-15 12:07   ` Ludovic Courtès
  0 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2024-10-15 12:07 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: 71226

Hi Ricardo and all,

Ricardo Wurmus <rekado@elephly.net> skribis:

> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on Apparmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
  2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
  2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
@ 2024-12-19 16:26 ` Marek Felšöci
  2 siblings, 0 replies; 5+ messages in thread
From: Marek Felšöci @ 2024-12-19 16:26 UTC (permalink / raw)
  To: 71226

Hello to all,

I confirm the issue on my Ubuntu 24.04 installation with Guix coming from apt 
repositories.

I followed the steps from the Ricardo's reply, but the problem persists with the 
same error:

```
guix shell: chyba: mount: mount "none" on "/tmp/guix-directory.DFemEr": Prístup 
odmietnutý
```

Note that in the above message 'Prístup odmietnutý' means 'Access denied'.

Have there been any new developments regarding this issue?

PS: My current Guix generation is based on the commit c3290ce of the official 
Guix channel.

Thank you very much!

Best regards,
Marek





^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-12-22 19:21 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
2024-10-15 12:07   ` Ludovic Courtès
2024-12-19 16:26 ` Marek Felšöci

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.