From: Marius Bakke
Subject: Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
Date: Sun, 12 Jan 2020 00:27:32 +0100
Message-ID: <87sgkly3ob.fsf@devup.no>
To: Giovanni Biscuolo, help-guix@gnu.org

Giovanni Biscuolo writes:

> if I run the last ungoogled-chromium Guix version in my terminal session
> [1] on a Debian 10 server, I get SIGABRT:
>
> --8<---------------cut here---------------start------------->8---
> [14913:14913:0110/113833.689067:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
> #0 0x561fb4b09f09 base::debug::CollectStackTrace()
>
> Received signal 6
> #0 0x561fb4b09f09 base::debug::CollectStackTrace()
>   r8: 0000000000000000  r9: 00007ffc91ca6500 r10: 0000000000000008 r11: 0000000000000246
>  r12: 00007ffc91ca7750 r13: 0000000000000170 r14: 00007ffc91ca7910 r15: 00007ffc91ca6780
>   di: 0000000000000002  si: 00007ffc91ca6500  bp: 00007ffc91ca6740  bx: 0000000000000006
>   dx: 0000000000000000  ax: 0000000000000000  cx: 00007fee29c227fa  sp: 00007ffc91ca6578
>   ip: 00007fee29c227fa efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
>  trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
> [end of stack trace]
> Calling _exit(1). Core file will not be generated.
> --8<---------------cut here---------------end--------------->8---
>
> If I run ungoogled-chromium with --no-sandbox it works, but I'd like not
> to browse with the sandbox off (I'm going to study how to run my
> browsers in a guix container, but it's not the solution AFAIU)
>
> The same updated version of ungoogled-chromium from Guix on a Debian 10
> laptop does not have this problem, so it's specific to the LTSP
> environment I guess
>
> The chromium binary from Debian 10 on the same LTSP environment does not
> have the same problem, it works
>
> Any suggestion on where to look for problems here, please?

The (ungoogled-) Chromium sandbox relies on user namespaces support in
the kernel. I guess `guix environment -C` does not work either?

Debian disables user namespaces by default, try this command to enable
it:

  sudo sysctl -w kernel.unprivileged_userns_clone=1
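
Added example, not part of the original message: a POSIX shell check for the two sysctls that can block the unprivileged user namespaces the reply refers to. The function name, return codes, the `--check` argument and the optional root-directory argument are assumptions of this example; `kernel.unprivileged_userns_clone` is the Debian knob from the message and `user.max_user_namespaces` is the upstream kernel limit.

```shell
#!/bin/sh
# Added example: report whether sysctl settings allow unprivileged user
# namespaces, which the Chromium namespace sandbox needs.
# Return codes (chosen for this example):
#   0 = allowed by sysctl
#   1 = blocked by kernel.unprivileged_userns_clone=0 (Debian-specific knob)
#   2 = blocked by user.max_user_namespaces=0 (upstream limit)
#   3 = neither sysctl file exists (kernel likely built without user namespaces)

userns_status() {
    # Optional argument: root of a sysctl tree, so the check can be run
    # against a constructed directory instead of the live /proc/sys.
    root="${1:-/proc/sys}"
    clone="$root/kernel/unprivileged_userns_clone"
    max="$root/user/max_user_namespaces"

    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "blocked: kernel.unprivileged_userns_clone=0"
        return 1
    fi
    if [ -r "$max" ]; then
        if [ "$(cat "$max")" = "0" ]; then
            echo "blocked: user.max_user_namespaces=0"
            return 2
        fi
        echo "allowed by sysctl"
        return 0
    fi
    echo "unknown: no user namespace sysctls under $root"
    return 3
}

# Live confirmation: try to create a user namespace as the current user.
# Uses unshare(1) from util-linux; fails if the kernel refuses the request.
userns_probe() {
    unshare --user true 2>/dev/null
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then
    userns_status && userns_probe && echo "user namespace created"
fi
```

`sysctl -w` changes only the running kernel; a `kernel.unprivileged_userns_clone=1` line in a file under `/etc/sysctl.d/` keeps the setting across reboots.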