From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH] environment: container: Do not remount network files as read-only.
Date: Sat, 26 Mar 2016 19:43:48 +0100
Message-ID: <87r3exyt97.fsf@gnu.org>
References: <87wpozldb5.fsf@gnu.org>
In-Reply-To: (David Thompson's message of "Sat, 26 Mar 2016 10:06:58 -0400")
To: "Thompson, David"
Cc: guix-devel

"Thompson, David" wrote:

> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès wrote:
>> "Thompson, David" wrote:
>>
>>> I noticed that 'guix environment --container --network' didn't work on
>>> an Ubuntu machine I was on, and the culprit was remounting things like
>>> /etc/resolv.conf read-only after the initial bind mount.
>>
>> [...]
>>
>>>            (file-system-mapping
>>>             (source file)
>>>             (target file)
>>> -           (writable? #f))))
>>> +           ;; An unpriviliged user might not
>>> +           ;; be able to remount
>>> +           ;; /etc/resolv.conf as read-only,
>>> +           ;; so we say that it is writable
>>> +           ;; here, even though in practice
>>> +           ;; it is not.
>>> +           (writable? #t))))
>>>          %network-configuration-files)
>>
>> Not sure I understand: why would bind-mounting /etc/resolv.conf
>> read-only fail?
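Review bot: the `+` lines switch every entry of `%network-configuration-files` to `(writable? #t)`, not only `/etc/resolv.conf`, so the container's view of those host files is no longer mounted read-only and, as the comment itself concedes, relies on host file permissions alone; consider keeping `(writable? #f)` and instead tolerating a failed read-only remount, so the mount stays read-only wherever the remount does succeed. The comment also misspells "unprivileged".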
>
> I haven't figured out the exact reason yet, but here's a strace
> snippet as proof:
>
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
> MS_RDONLY|MS_BIND, NULL) = 0
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
> permitted)
>
> Another Ubuntu user was able to reproduce this as well.

Looking at the resolvconf man page that Drew mentioned, it seems that
/etc/resolv.conf is a symlink when resolvconf is in use, right?

If yes, does this make a difference:

diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index 58ccf59..a329eeb 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -378,7 +378,7 @@ corresponds to the symbols listed in FLAGS."
 
 (define (regular-file? file-name)
   "Return #t if FILE-NAME is a regular file."
-  (eq? (stat:type (stat file-name)) 'regular))
+  (memq (stat:type (stat file-name)) '(regular symlink)))
 
 (define* (mount-file-system spec #:key (root "/root"))
   "Mount the file system described by SPEC under ROOT.  SPEC must have the

It may be that the result after this is that you get /etc/resolv.conf
in the container, but it’s a dangling symlink.  But isn’t it the case
already with the patch you propose?

Thanks for finding all these curiosities.  :-)

Ludo’.
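Review bot: in the `+` line, `stat` follows symlinks, so `(stat:type (stat file-name))` reports the target's type and never returns `'symlink`; for the dangling-symlink case the message itself raises, `stat` signals a system error rather than returning a type, so the added `symlink` entry has no effect. If the intent is to accept symlinks, use `lstat`, e.g. `(memq (stat:type (lstat file-name)) '(regular symlink))`, and rename the predicate or update its docstring, which still says "regular file" while the function now accepts symlinks.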