From: Ludovic Courtès
To: 61690@debbugs.gnu.org
Cc: Konrad Hinsen
Subject: bug#61690: Failure to mount /sys in nested ‘guix shell’ container
Date: Tue, 21 Feb 2023 23:45:20 +0100
Message-ID: <87v8jud4e7.fsf@inria.fr>

Hi!

As reported by Konrad¹, nested ‘guix shell -C’ fails:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guix \
    --expose=/var/guix/daemon-socket/socket \
    --expose=/gnu/store \
    -- guix shell -C coreutils -- ls /
guix shell: error: mount: mount "none" on "/tmp/guix-directory.xO3FIx/sys": Operation not permitted
--8<---------------cut here---------------end--------------->8---

Strace shows this:

--8<---------------cut here---------------start------------->8---
17541 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 7
[…]
17551 mount("none", "/tmp/guix-directory.d6rKy1", "tmpfs", 0, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/proc", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/sys", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
--8<---------------cut here---------------end--------------->8---

It does work if the nested ‘guix shell’ uses ‘-CN’ instead of ‘-C’,
thanks to this bit in (gnu build linux-container)

      (mount-file-systems root mounts
                          #:mount-/proc? (memq 'pid namespaces)
                          #:mount-/sys? (memq 'net namespaces)) ;<---

The reason for this bug seems to be given here:

  https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026

It’s not clear whether there’s anything we can do, other than
recommending ‘-CN’ as well in the nested container.

Thoughts?

Ludo’.

¹ https://lists.gnu.org/archive/html/guix-devel/2023-02/msg00027.html
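
A triage helper for strace output like the excerpt in the message above, added here as an example; it is not part of the original report or of Guix. The names `triage` and `userns_mount_denials` are hypothetical, and the sample is constructed from the strace lines in the report with the EEXIST `mkdir` calls left out.

```python
import re

# Constructed sample: lines taken from the strace excerpt in the report.
SAMPLE = '''
17541 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 7
17551 mount("none", "/tmp/guix-directory.d6rKy1", "tmpfs", 0, NULL) = 0
17551 mkdir("/tmp/guix-directory.d6rKy1/proc", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
17551 mkdir("/tmp/guix-directory.d6rKy1/sys", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
'''

CLONE_RE = re.compile(r'^(\d+) clone\(.*flags=([A-Z_|]+)\) = (-?\d+)')
MOUNT_RE = re.compile(
    r'^(\d+) mount\("([^"]*)", "([^"]*)", "([^"]*)", ([^,]+), .*\) = (-?\d+)(?: (\w+))?')


def triage(trace):
    """Return (set of CLONE_NEW* flags seen, list of failed mount() calls)."""
    namespaces, failures = set(), []
    for line in trace.splitlines():
        m = CLONE_RE.match(line)
        if m:
            # Keep only the namespace flags; SIGCHLD and friends are dropped.
            namespaces |= {f for f in m.group(2).split('|')
                           if f.startswith('CLONE_NEW')}
            continue
        m = MOUNT_RE.match(line)
        if m and int(m.group(6)) < 0:
            failures.append({'pid': int(m.group(1)), 'target': m.group(3),
                             'fstype': m.group(4),
                             'flags': m.group(5).split('|'),
                             'errno': m.group(7)})
    return namespaces, failures


def userns_mount_denials(trace):
    """Failed proc/sysfs mounts with EPERM in a trace that unshares a user
    namespace: the signature shown in this report."""
    namespaces, failures = triage(trace)
    if 'CLONE_NEWUSER' not in namespaces:
        return []
    return [f for f in failures
            if f['errno'] == 'EPERM' and f['fstype'] in ('proc', 'sysfs')]


if __name__ == '__main__':
    for f in userns_mount_denials(SAMPLE):
        print(f"pid {f['pid']}: {f['fstype']} on {f['target']} -> {f['errno']}")
```
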