* least-authority-wrapper - clone: permission not permitted
@ 2024-12-13 10:06 Marc Coquand
  2024-12-28 17:57 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Marc Coquand @ 2024-12-13 10:06 UTC (permalink / raw)
  To: help-guix


Heya,

I'm trying to /wrap/ my head around least-authority-wrapper.

Specifically, I have a guile script that sends an email with msmtp and
fetches secrets using cat. This is a script that is run by the laminar
service when a build job is complete. Since it doesn't need to access
all secrets I make available through sops-guix, I wanted to try to
containerize it and lock it down from accessing files outside of the
ones it needs. 

This is the program that I have:

(least-authority-wrapper
  (program-file "after" notify-mail-gexp)
  #:name "after"
  #:user "laminar"
  #:group "laminar"
  #:namespaces
  '(mnt) ;; This is the namespace causing issues
  #:mappings (list
              (file-system-mapping
               (source (file-append nss-certs "/etc/ssl/certs"))
               (target source)
               (writable? #t))
              (file-system-mapping
               (source "/var/lib/laminar")
               (target source)
               (writable? #t))
              (file-system-mapping
               (source "/run/secrets/after")
               (target source)
               (writable? #t)))
  #:preserved-environment-variables
  '("USER" "TERM" "JOB" "RESULT" "RUN" "SSL_CERT_FILE" "SSL_CERT_DIR" "GIT_SSL_CAINFO"))

After some debugging, I found that it was the namespace 'mnt that was
causing issues; the script works when I remove it.

The error I'm getting is

Backtrace:
           5 (primitive-load "/var/lib/laminar/cfg/after")
In ice-9/eval.scm:
   191:35  4 (_ #f)
In gnu/build/linux-container.scm:
    300:8  3 (call-with-temporary-directory #<procedure 7f7e58d71a50?>)
   397:16  2 (_ "/tmp/guix-directory.nIT1Mt")
    239:7  1 (run-container "/tmp/guix-directory.nIT1Mt" (#<<fil?> ?) ?)
In guix/build/syscalls.scm:
  1143:12  0 (_ 131089)

guix/build/syscalls.scm:1143:12: In procedure clone: 131089: Operation not permitted

When I try to invoke the script.

Any clue why I'm getting the operation not permitted error? 

-- 
Marc



* Re: least-authority-wrapper - clone: permission not permitted
  2024-12-13 10:06 least-authority-wrapper - clone: permission not permitted Marc Coquand
@ 2024-12-28 17:57 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2024-12-28 17:57 UTC (permalink / raw)
  To: Marc Coquand; +Cc: help-guix

Hi Marc,

Marc Coquand <marc@coquand.email> skribis:

> After some debugging, I found that it was the namespace 'mnt that was
> causing issues; the script works when I remove it.
>
> The error I'm getting is
>
> Backtrace:
>            5 (primitive-load "/var/lib/laminar/cfg/after")
> In ice-9/eval.scm:
>    191:35  4 (_ #f)
> In gnu/build/linux-container.scm:
>     300:8  3 (call-with-temporary-directory #<procedure 7f7e58d71a50?>)
>    397:16  2 (_ "/tmp/guix-directory.nIT1Mt")
>     239:7  1 (run-container "/tmp/guix-directory.nIT1Mt" (#<<fil?> ?) ?)
> In guix/build/syscalls.scm:
>   1143:12  0 (_ 131089)
>
> guix/build/syscalls.scm:1143:12: In procedure clone: 131089: Operation not permitted
>
> When I try to invoke the script.
>
> Any clue why I'm getting the operation not permitted error? 

Are unprivileged user namespaces enabled on this system?

If they are, could it be that you’re trying to run this from a namespace
that lacks this capability?  (I always forget why exactly you cannot
always create processes in separate namespaces, but there are
restrictions that show up typically when nesting things.)

HTH,
Ludo’.


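A small diagnostic script, added here and not part of the thread, that decodes the flag word Guix's clone wrapper printed above ("clone: 131089") into its CLONE_* bits and checks the same question the reply raises (can this user create namespaces here?). It assumes the CLONE_* values from the kernel's sched.h and SIGCHLD = 17 (x86 and arm signal numbering); the probe helper only reports, it changes nothing on the system.

```shell
#!/bin/sh
# Decode a clone(2) flag word as reported by guix/build/syscalls.scm.
# Bit values are the kernel's CLONE_* constants; the low byte carries the
# exit signal that Guix ORs in (17 = SIGCHLD on x86 and arm).
decode_clone_flags() {
    flags=$1
    names=""
    for pair in CLONE_NEWNS:131072 CLONE_NEWCGROUP:33554432 \
                CLONE_NEWUTS:67108864 CLONE_NEWIPC:134217728 \
                CLONE_NEWUSER:268435456 CLONE_NEWPID:536870912 \
                CLONE_NEWNET:1073741824; do
        name=${pair%%:*}; bit=${pair##*:}
        if [ $(( flags & bit )) -ne 0 ]; then names="$names $name"; fi
    done
    sig=$(( flags & 255 ))
    if [ "$sig" -ne 0 ]; then names="$names SIG($sig)"; fi
    echo "${names# }"
}

# Creating any namespace other than a user namespace needs CAP_SYS_ADMIN in
# the caller's current user namespace. Requesting CLONE_NEWUSER in the same
# clone() call gives the new user namespace that capability, which is why
# '(mnt) alone fails for an unprivileged user while '(mnt user) can succeed.
needs_cap_sys_admin() {
    flags=$1
    ns_mask=$(( 131072 | 33554432 | 67108864 | 134217728 | 536870912 | 1073741824 ))
    [ $(( flags & ns_mask )) -ne 0 ] && [ $(( flags & 268435456 )) -eq 0 ]
}

# Report whether unprivileged user namespaces are available here. Files that
# do not exist on this kernel are skipped; the unshare probe runs only `true`.
userns_probe() {
    f=/proc/sys/user/max_user_namespaces
    [ -r "$f" ] && echo "user.max_user_namespaces = $(cat "$f")"
    f=/proc/sys/kernel/unprivileged_userns_clone
    [ -r "$f" ] && echo "kernel.unprivileged_userns_clone = $(cat "$f")"
    if command -v unshare >/dev/null 2>&1; then
        if unshare -Urm true 2>/dev/null; then echo "unshare -Urm: ok"
        else echo "unshare -Urm: failed (user namespaces restricted here)"; fi
    fi
    return 0
}

flags=${1:-131089}   # default: the value from the backtrace in the thread
echo "clone flags $flags = $(decode_clone_flags "$flags")"
if needs_cap_sys_admin "$flags"; then
    echo "needs CAP_SYS_ADMIN: namespace requested without CLONE_NEWUSER"
fi
userns_probe
```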
