* [PATCH] environment: container: Do not remount network files as read-only.
@ 2016-03-17 18:32 Thompson, David
  2016-03-18 20:51 ` Ludovic Courtès
  0 siblings, 1 reply; 11+ messages in thread
From: Thompson, David @ 2016-03-17 18:32 UTC (permalink / raw)
  To: guix-devel


I noticed that 'guix environment --container --network' didn't work on
an Ubuntu machine I was on, and the culprit was remounting things like
/etc/resolv.conf read-only after the initial bind mount.

What do y'all think?

Thanks,

- Dave

[-- Attachment #2: 0001-environment-container-Do-not-remount-network-files-a.patch --]
[-- Type: text/x-patch, Size: 1629 bytes --]

From 9820a937ef5ab6793f2495a1ce50ff14abb6ec7c Mon Sep 17 00:00:00 2001
From: David Thompson <dthompson@vistahigherlearning.com>
Date: Thu, 17 Mar 2016 14:01:19 -0400
Subject: [PATCH] environment: container: Do not remount network files as
 read-only.

* gnu/scripts/environment.scm (launch-environment/container): Make
  network mappings writable.
---
 guix/scripts/environment.scm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index b122b4c..896804b 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -391,7 +391,13 @@ host file systems to mount inside the container."
                                             (file-system-mapping
                                              (source file)
                                              (target file)
-                                             (writable? #f))))
+                                             ;; An unpriviliged user might not
+                                             ;; be able to remount
+                                             ;; /etc/resolv.conf as read-only,
+                                             ;; so we say that it is writable
+                                             ;; here, even though in practice
+                                             ;; it is not.
+                                             (writable? #t))))
                                      %network-configuration-files)
                          '())
                      ;; Mappings for the union closure of all inputs.
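Review bot: with `(writable? #t)`, the new comment's claim that the file "in practice" is not writable rests entirely on host file permissions for the source of the bind mount, not on the mount itself: any file in %network-configuration-files that the invoking user can write on the host is now writable from inside the container as well, and the comment should say so. Rather than giving up the read-only remount on every host, consider keeping it as the first attempt and falling back to a writable mapping only when the remount fails with EPERM, so hosts where it works keep the protection. Two smaller points: "unpriviliged" in the new comment should be "unprivileged", and the ChangeLog entry names gnu/scripts/environment.scm while the hunk is against guix/scripts/environment.scm.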
-- 
2.6.3



* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-17 18:32 [PATCH] environment: container: Do not remount network files as read-only Thompson, David
@ 2016-03-18 20:51 ` Ludovic Courtès
  2016-03-26 14:06   ` Thompson, David
  0 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2016-03-18 20:51 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

"Thompson, David" <dthompson2@worcester.edu> skribis:

> I noticed that 'guix environment --container --network' didn't work on
> an Ubuntu machine I was on, and the culprit was remounting things like
> /etc/resolv.conf read-only after the initial bind mount.

[...]

>                                              (file-system-mapping
>                                               (source file)
>                                               (target file)
> -                                             (writable? #f))))
> +                                             ;; An unpriviliged user might not
> +                                             ;; be able to remount
> +                                             ;; /etc/resolv.conf as read-only,
> +                                             ;; so we say that it is writable
> +                                             ;; here, even though in practice
> +                                             ;; it is not.
> +                                             (writable? #t))))
>                                       %network-configuration-files)

Not sure I understand: why would bind-mounting /etc/resolv.conf
read-only fail?

Thanks,
Ludo’.


* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-18 20:51 ` Ludovic Courtès
@ 2016-03-26 14:06   ` Thompson, David
  2016-03-26 16:29     ` Drew C
  2016-03-26 18:43     ` Ludovic Courtès
  0 siblings, 2 replies; 11+ messages in thread
From: Thompson, David @ 2016-03-26 14:06 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> "Thompson, David" <dthompson2@worcester.edu> skribis:
>
>> I noticed that 'guix environment --container --network' didn't work on
>> an Ubuntu machine I was on, and the culprit was remounting things like
>> /etc/resolv.conf read-only after the initial bind mount.
>
> [...]
>
>>                                              (file-system-mapping
>>                                               (source file)
>>                                               (target file)
>> -                                             (writable? #f))))
>> +                                             ;; An unpriviliged user might not
>> +                                             ;; be able to remount
>> +                                             ;; /etc/resolv.conf as read-only,
>> +                                             ;; so we say that it is writable
>> +                                             ;; here, even though in practice
>> +                                             ;; it is not.
>> +                                             (writable? #t))))
>>                                       %network-configuration-files)
>
> Not sure I understand: why would bind-mounting /etc/resolv.conf
> read-only fail?

I haven't figured out the exact reason yet, but here's a strace
snippet as proof:

[pid 11334] mount("/etc/resolv.conf",
"/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
MS_RDONLY|MS_BIND, NULL) = 0
[pid 11334] mount("/etc/resolv.conf",
"/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
permitted)

Another Ubuntu user was able to reproduce this as well.  I find it
kind of silly to mount these files read-only because an unprivileged
user couldn't write to them anyway.  WDYT?

- Dave


* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 14:06   ` Thompson, David
@ 2016-03-26 16:29     ` Drew C
  2016-03-26 16:49       ` Thompson, David
  2016-03-26 18:43     ` Ludovic Courtès
  1 sibling, 1 reply; 11+ messages in thread
From: Drew C @ 2016-03-26 16:29 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel


On Sat, Mar 26, 2016 at 7:06 AM, Thompson, David <dthompson2@worcester.edu>
wrote:

> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> > "Thompson, David" <dthompson2@worcester.edu> skribis:
> >
> >> I noticed that 'guix environment --container --network' didn't work on
> >> an Ubuntu machine I was on, and the culprit was remounting things like
> >> /etc/resolv.conf read-only after the initial bind mount.
>


One thing that I have run across is the following :

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

It re-writes that file every time a new network connection is made.

$ man resolvconf
[...]
DESCRIPTION
       The resolvconf package comprises a simple database for run-time
       nameserver information and a simple framework for notifying applications
       of changes in that information.  Resolvconf thus sets itself up as the
       intermediary between programs that supply nameserver information and
       applications that use that information.
[...]

I am not at all sure if this is the cause of the issue, but I have run into
it many times before with WiFi and me trying to edit it to 8.8.8.8, so I
figure this is a decent time to bring it up.

Cheers,

Drew Crampsie



> >
> > [...]
> >
> >>                                              (file-system-mapping
> >>                                               (source file)
> >>                                               (target file)
> >> -                                             (writable? #f))))
> >> +                                             ;; An unpriviliged user
> might not
> >> +                                             ;; be able to remount
> >> +                                             ;; /etc/resolv.conf as
> read-only,
> >> +                                             ;; so we say that it is
> writable
> >> +                                             ;; here, even though in
> practice
> >> +                                             ;; it is not.
> >> +                                             (writable? #t))))
> >>                                       %network-configuration-files)
> >
> > Not sure I understand: why would bind-mounting /etc/resolv.conf
> > read-only fail?
>
> I haven't figured out the exact reason yet, but here's a strace
> snippet as proof:
>
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
> MS_RDONLY|MS_BIND, NULL) = 0
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
> permitted)
>
> Another Ubuntu user was able to reproduce this as well.  I find it
> kind of silly to mount these files read-only because an unprivileged
> user couldn't write to them anyway.  WDYT?
>
> - Dave
>
>



* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 16:29     ` Drew C
@ 2016-03-26 16:49       ` Thompson, David
  2016-03-26 16:59         ` Drew C
  0 siblings, 1 reply; 11+ messages in thread
From: Thompson, David @ 2016-03-26 16:49 UTC (permalink / raw)
  To: Drew C; +Cc: guix-devel

On Sat, Mar 26, 2016 at 12:29 PM, Drew C <me@drewc.ca> wrote:
>
> On Sat, Mar 26, 2016 at 7:06 AM, Thompson, David <dthompson2@worcester.edu>
> wrote:
>>
>> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
>> > "Thompson, David" <dthompson2@worcester.edu> skribis:
>> >
>> >> I noticed that 'guix environment --container --network' didn't work on
>> >> an Ubuntu machine I was on, and the culprit was remounting things like
>> >> /etc/resolv.conf read-only after the initial bind mount.
>
>
>
> One thing that I have run across is the following :
>
> $ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 127.0.1.1
>
> It re-writes that file every time a new network connection is made.
>
> $ man resolvconf
> [...]
> DESCRIPTION
>        The resolvconf package comprises a simple database for run-time
>        nameserver information and a simple framework for notifying applications
>        of changes in that information.  Resolvconf thus sets itself up as the
>        intermediary between programs that supply nameserver information and
>        applications that use that information.
> [...]
>
> I am not at all sure if this is the cause of the issue, but I have run into
> it many times before with WiFi and me trying to edit it to 8.8.8.8, so I
> figure this is a decent time to bring it up.

Interesting!  Is this on Ubuntu as well?

- Dave


* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 16:49       ` Thompson, David
@ 2016-03-26 16:59         ` Drew C
  0 siblings, 0 replies; 11+ messages in thread
From: Drew C @ 2016-03-26 16:59 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel


It is Linux Mint 17.3, which is based on Ubuntu Trusty. So, yes, as far as
I know, it should be the same on a modern Ubuntu distro.

http://manpages.ubuntu.com/manpages/lucid/man8/resolvconf.8.html

-- drewc

On Sat, Mar 26, 2016 at 9:49 AM, Thompson, David <dthompson2@worcester.edu>
wrote:

> On Sat, Mar 26, 2016 at 12:29 PM, Drew C <me@drewc.ca> wrote:
> >
> > On Sat, Mar 26, 2016 at 7:06 AM, Thompson, David <dthompson2@worcester.edu>
> > wrote:
> >>
> >> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> >> > "Thompson, David" <dthompson2@worcester.edu> skribis:
> >> >
> >> >> I noticed that 'guix environment --container --network' didn't work on
> >> >> an Ubuntu machine I was on, and the culprit was remounting things like
> >> >> /etc/resolv.conf read-only after the initial bind mount.
> >
> >
> >
> > One thing that I have run across is the following :
> >
> > $ cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 127.0.1.1
> >
> > It re-writes that file every time a new network connection is made.
> >
> > $ man resolvconf
> > [...]
> > DESCRIPTION
> >        The resolvconf package comprises a simple database for run-time
> >        nameserver information and a simple framework for notifying applications
> >        of changes in that information.  Resolvconf thus sets itself up as the
> >        intermediary between programs that supply nameserver information and
> >        applications that use that information.
> > [...]
> >
> > I am not at all sure if this is the cause of the issue, but I have run into
> > it many times before with WiFi and me trying to edit it to 8.8.8.8, so I
> > figure this is a decent time to bring it up.
>
> Interesting!  Is this on Ubuntu as well?
>
> - Dave
>



* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 14:06   ` Thompson, David
  2016-03-26 16:29     ` Drew C
@ 2016-03-26 18:43     ` Ludovic Courtès
  2016-03-26 18:54       ` Drew C
  2016-03-26 19:23       ` Thompson, David
  1 sibling, 2 replies; 11+ messages in thread
From: Ludovic Courtès @ 2016-03-26 18:43 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel


"Thompson, David" <dthompson2@worcester.edu> skribis:

> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
>> "Thompson, David" <dthompson2@worcester.edu> skribis:
>>
>>> I noticed that 'guix environment --container --network' didn't work on
>>> an Ubuntu machine I was on, and the culprit was remounting things like
>>> /etc/resolv.conf read-only after the initial bind mount.
>>
>> [...]
>>
>>>                                              (file-system-mapping
>>>                                               (source file)
>>>                                               (target file)
>>> -                                             (writable? #f))))
>>> +                                             ;; An unpriviliged user might not
>>> +                                             ;; be able to remount
>>> +                                             ;; /etc/resolv.conf as read-only,
>>> +                                             ;; so we say that it is writable
>>> +                                             ;; here, even though in practice
>>> +                                             ;; it is not.
>>> +                                             (writable? #t))))
>>>                                       %network-configuration-files)
>>
>> Not sure I understand: why would bind-mounting /etc/resolv.conf
>> read-only fail?
>
> I haven't figured out the exact reason yet, but here's a strace
> snippet as proof:
>
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
> MS_RDONLY|MS_BIND, NULL) = 0
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
> permitted)
>
> Another Ubuntu user was able to reproduce this as well.

Looking at the resolvconf man page that Drew mentioned, it seems that
/etc/resolv.conf is a symlink when resolvconf is in use, right?

If yes, does this make a difference:



diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index 58ccf59..a329eeb 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -378,7 +378,7 @@ corresponds to the symbols listed in FLAGS."
 
 (define (regular-file? file-name)
   "Return #t if FILE-NAME is a regular file."
-  (eq? (stat:type (stat file-name)) 'regular))
+  (memq (stat:type (stat file-name)) '(regular symlink)))
 
 (define* (mount-file-system spec #:key (root "/root"))
   "Mount the file system described by SPEC under ROOT.  SPEC must have the
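Review bot: `stat` follows symlinks, so `(stat:type (stat file-name))` returns the type of the link's target and never 'symlink; adding 'symlink to the memq list in regular-file? therefore changes nothing unless the call becomes `lstat`. If it does become `lstat`, the name regular-file? no longer matches a predicate that also accepts symlinks, including dangling ones (which the message itself anticipates), so either give the predicate a new name or update the docstring "Return #t if FILE-NAME is a regular file." to say what it now accepts.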



It may be that the result after this is that you get /etc/resolv.conf in
the container, but it’s a dangling symlink.  But isn’t it the case
already with the patch you propose?

Thanks for finding all these curiosities.  :-)

Ludo’.


* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 18:43     ` Ludovic Courtès
@ 2016-03-26 18:54       ` Drew C
  2016-03-26 19:23       ` Thompson, David
  1 sibling, 0 replies; 11+ messages in thread
From: Drew C @ 2016-03-26 18:54 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


On Sat, Mar 26, 2016 at 11:43 AM, Ludovic Courtès <ludo@gnu.org> wrote:

> "Thompson, David" <dthompson2@worcester.edu> skribis:
>
> > On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> >> "Thompson, David" <dthompson2@worcester.edu> skribis:
> >>
> >>> I noticed that 'guix environment --container --network' didn't work on
> >>> an Ubuntu machine I was on, and the culprit was remounting things like
> >>> /etc/resolv.conf read-only after the initial bind mount.
> >>
> >> [...]
> >>
> >>>                                              (file-system-mapping
> >>>                                               (source file)
> >>>                                               (target file)
> >>> -                                             (writable? #f))))
> >>> +                                             ;; An unpriviliged user
> might not
> >>> +                                             ;; be able to remount
> >>> +                                             ;; /etc/resolv.conf as
> read-only,
> >>> +                                             ;; so we say that it is
> writable
> >>> +                                             ;; here, even though in
> practice
> >>> +                                             ;; it is not.
> >>> +                                             (writable? #t))))
> >>>                                       %network-configuration-files)
> >>
> >> Not sure I understand: why would bind-mounting /etc/resolv.conf
> >> read-only fail?
> >
> > I haven't figured out the exact reason yet, but here's a strace
> > snippet as proof:
> >
> > [pid 11334] mount("/etc/resolv.conf",
> > "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
> > MS_RDONLY|MS_BIND, NULL) = 0
> > [pid 11334] mount("/etc/resolv.conf",
> > "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
> > MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
> > permitted)
> >
> > Another Ubuntu user was able to reproduce this as well.
>
> Looking at the resolvconf man page that Drew mentioned, it seems that
> /etc/resolv.conf is a symlink when resolvconf is in use, right?
>

Correct :

$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Oct  2 08:36 /etc/resolv.conf -> ../run/resolvconf/resolv.conf



>
> If yes, does this make a difference:
>
>
>
> It may be that the result after this is that you get /etc/resolv.conf in
> the container, but it’s a dangling symlink.  But isn’t it the case
> already with the patch you propose?
>
> Thanks for finding all these curiosities.  :-)
>
> Ludo’.
>
>



* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 18:43     ` Ludovic Courtès
  2016-03-26 18:54       ` Drew C
@ 2016-03-26 19:23       ` Thompson, David
  2016-03-27 17:43         ` Ludovic Courtès
  1 sibling, 1 reply; 11+ messages in thread
From: Thompson, David @ 2016-03-26 19:23 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Sat, Mar 26, 2016 at 2:43 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> "Thompson, David" <dthompson2@worcester.edu> skribis:
>
>> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
>>> "Thompson, David" <dthompson2@worcester.edu> skribis:
>>>
>>>> I noticed that 'guix environment --container --network' didn't work on
>>>> an Ubuntu machine I was on, and the culprit was remounting things like
>>>> /etc/resolv.conf read-only after the initial bind mount.
>>>
>>> [...]
>>>
>>>>                                              (file-system-mapping
>>>>                                               (source file)
>>>>                                               (target file)
>>>> -                                             (writable? #f))))
>>>> +                                             ;; An unpriviliged user might not
>>>> +                                             ;; be able to remount
>>>> +                                             ;; /etc/resolv.conf as read-only,
>>>> +                                             ;; so we say that it is writable
>>>> +                                             ;; here, even though in practice
>>>> +                                             ;; it is not.
>>>> +                                             (writable? #t))))
>>>>                                       %network-configuration-files)
>>>
>>> Not sure I understand: why would bind-mounting /etc/resolv.conf
>>> read-only fail?
>>
>> I haven't figured out the exact reason yet, but here's a strace
>> snippet as proof:
>>
>> [pid 11334] mount("/etc/resolv.conf",
>> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
>> MS_RDONLY|MS_BIND, NULL) = 0
>> [pid 11334] mount("/etc/resolv.conf",
>> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
>> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
>> permitted)
>>
>> Another Ubuntu user was able to reproduce this as well.
>
> Looking at the resolvconf man page that Drew mentioned, it seems that
> /etc/resolv.conf is a symlink when resolvconf is in use, right?
>
> If yes, does this make a difference:

/etc/resolv.conf is a symlink, but the patch doesn't work.

> It may be that the result after this is that you get /etc/resolv.conf in
> the container, but it’s a dangling symlink.  But isn’t it the case
> already with the patch you propose?

No, /etc/resolv.conf appears as a regular file inside the container,
even though it's a symlink outside.  The mount namespace does the
right thing and I can read the contents of it from within the
container.  No dangling symlink! :D

I tried using --expose with a symlink as an attempt to replicate the
problem with another file, but things went fine!  I'm confused.
What's the correct patch here now? :)

- Dave


* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-26 19:23       ` Thompson, David
@ 2016-03-27 17:43         ` Ludovic Courtès
  2016-03-28  0:32           ` Thompson, David
  0 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2016-03-27 17:43 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

"Thompson, David" <dthompson2@worcester.edu> skribis:

> On Sat, Mar 26, 2016 at 2:43 PM, Ludovic Courtès <ludo@gnu.org> wrote:
>> "Thompson, David" <dthompson2@worcester.edu> skribis:
>>
>>> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
>>>> "Thompson, David" <dthompson2@worcester.edu> skribis:
>>>>
>>>>> I noticed that 'guix environment --container --network' didn't work on
>>>>> an Ubuntu machine I was on, and the culprit was remounting things like
>>>>> /etc/resolv.conf read-only after the initial bind mount.
>>>>
>>>> [...]
>>>>
>>>>>                                              (file-system-mapping
>>>>>                                               (source file)
>>>>>                                               (target file)
>>>>> -                                             (writable? #f))))
>>>>> +                                             ;; An unpriviliged user might not
>>>>> +                                             ;; be able to remount
>>>>> +                                             ;; /etc/resolv.conf as read-only,
>>>>> +                                             ;; so we say that it is writable
>>>>> +                                             ;; here, even though in practice
>>>>> +                                             ;; it is not.
>>>>> +                                             (writable? #t))))
>>>>>                                       %network-configuration-files)
>>>>
>>>> Not sure I understand: why would bind-mounting /etc/resolv.conf
>>>> read-only fail?
>>>
>>> I haven't figured out the exact reason yet, but here's a strace
>>> snippet as proof:
>>>
>>> [pid 11334] mount("/etc/resolv.conf",
>>> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
>>> MS_RDONLY|MS_BIND, NULL) = 0
>>> [pid 11334] mount("/etc/resolv.conf",
>>> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
>>> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
>>> permitted)
>>>
>>> Another Ubuntu user was able to reproduce this as well.
>>
>> Looking at the resolvconf man page that Drew mentioned, it seems that
>> /etc/resolv.conf is a symlink when resolvconf is in use, right?
>>
>> If yes, does this make a difference:
>
> /etc/resolv.conf is a symlink, but the patch doesn't work.
>
>> It may be that the result after this is that you get /etc/resolv.conf in
>> the container, but it’s a dangling symlink.  But isn’t it the case
>> already with the patch you propose?
>
> No, /etc/resolv.conf appears as a regular file inside the container,
> even though it's a symlink outside.  The mount namespace does the
> right thing and I can read the contents of it from within the
> container.  No dangling symlink! :D
>
> I tried using --expose with a symlink as an attempt to replicate the
> problem with another file, but things went fine!  I'm confused.
> What's the correct patch here now? :)

I cannot reproduce the problem with this minimum test case (the two
‘mount’ calls succeed):

--8<---------------cut here---------------start------------->8---
(use-modules (guix build syscalls)
             (gnu build linux-container))

(chdir "/tmp")
(false-if-exception (delete-file "foo"))
(false-if-exception (umount "bar"))
(false-if-exception (delete-file "bar"))

(symlink "/etc/resolv.conf" "foo")
(close-port (open-output-file "bar"))
(mount "/tmp/foo" "/tmp/bar" "none" (logior MS_BIND MS_RDONLY))
(mount "/tmp/foo" "/tmp/bar" "none" (logior MS_BIND MS_RDONLY MS_REMOUNT))
--8<---------------cut here---------------end--------------->8---

Maybe we should try to throw in ‘call-with-container’ somewhere in there
to be closer to the actual problem, dunno.

It’s a bit frustrating that we don’t understand the situation.  If you
wish, I think it’s fine to commit this patch, but please make sure to
mention that the problem occurs when /etc/resolv.conf is a symlink, and
add a link to this discussion.

(FWIW I’m planning to have the release ready on Monday night.)

Thanks!

Ludo’.


* Re: [PATCH] environment: container: Do not remount network files as read-only.
  2016-03-27 17:43         ` Ludovic Courtès
@ 2016-03-28  0:32           ` Thompson, David
  0 siblings, 0 replies; 11+ messages in thread
From: Thompson, David @ 2016-03-28  0:32 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Sun, Mar 27, 2016 at 1:43 PM, Ludovic Courtès <ludo@gnu.org> wrote:

> I cannot reproduce the problem with this minimum test case (the two
> ‘mount’ calls succeed):
>
> --8<---------------cut here---------------start------------->8---
> (use-modules (guix build syscalls)
>              (gnu build linux-container))
>
> (chdir "/tmp")
> (false-if-exception (delete-file "foo"))
> (false-if-exception (umount "bar"))
> (false-if-exception (delete-file "bar"))
>
> (symlink "/etc/resolv.conf" "foo")
> (close-port (open-output-file "bar"))
> (mount "/tmp/foo" "/tmp/bar" "none" (logior MS_BIND MS_RDONLY))
> (mount "/tmp/foo" "/tmp/bar" "none" (logior MS_BIND MS_RDONLY MS_REMOUNT))
> --8<---------------cut here---------------end--------------->8---
>
> Maybe we should try to throw in ‘call-with-container’ somewhere in there
> to be closer to the actual problem, dunno.
>
> It’s a bit frustrating that we don’t understand the situation.  If you
> wish, I think it’s fine to commit this patch, but please make sure to
> mention that the problem occurs when /etc/resolv.conf is a symlink, and
> add a link to this discussion.

I found the culprit!  This problem occurs with *any* file remounted
read-only from a tmpfs.  In Ubuntu, /etc/resolv.conf is a symlink to
/run/resolvconf/resolv.conf, and /run is a tmpfs.  I did this to
confirm the issue with another file on GuixSD:

echo foobar > /run/user/foo
guix environment --container --expose=/run/user/foo --ad-hoc coreutils

Where /run/user is a tmpfs.  It should fail with an exit status of 1.
I don't know why tmpfs is an issue, nor do I know how to work around it.
I've been searching around for answers but haven't found any leads
yet.  Any thoughts?

> (FWIW I’m planning to have the release ready on Monday night.)

Maybe we'll have to punt on this for the release, but I really hope it
can be fixed in time!  This is the last thing I need to make networked
containers "just work" on Ubuntu-based distros.

- Dave

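The strace earlier in the thread and the tmpfs reproducer in the last message leave the cause open: the MS_BIND mount succeeds, the MS_REMOUNT|MS_BIND|MS_RDONLY step returns EPERM, and only for files that live on tmpfs. The C program below is an added example written for this page; it is not Guix code, and the thread itself never settled the question. It rests on my reading of mount_namespaces(7), stated here as an assumption: in a mount namespace owned by an unprivileged user namespace, the nosuid, nodev, noexec, read-only and atime settings of a mount are locked, and a MS_REMOUNT that does not repeat them is refused with EPERM. Ubuntu mounts its /run tmpfs with nosuid,nodev, so a remount that passes MS_RDONLY alone, as in the strace, would try to clear those flags. The program looks up the per-mount options of the mount a file lives on in /proc/self/mountinfo (format as documented in proc(5)), then repeats Dave's two mount(2) calls in a fresh user+mount namespace, first with MS_RDONLY alone and then with the looked-up flags added, and prints the outcome of each. The names mountinfo_flags_for, bind_readonly and option_word_to_flag are mine, and SAMPLE_MOUNTINFO is a constructed mountinfo excerpt used to exercise the parser, not a capture from any real host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Option word from field 6 of /proc/self/mountinfo -> mount(2) flag; "rw" and unknown words -> 0. */
static unsigned long option_word_to_flag(const char *word)
{
    static const struct { const char *name; unsigned long flag; } table[] = {
        { "ro", MS_RDONLY }, { "nosuid", MS_NOSUID }, { "nodev", MS_NODEV },
        { "noexec", MS_NOEXEC }, { "noatime", MS_NOATIME },
        { "nodiratime", MS_NODIRATIME }, { "relatime", MS_RELATIME },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(word, table[i].name) == 0)
            return table[i].flag;
    return 0;
}

/* Flags of the mount PATH lives on, according to MOUNTINFO text: the longest mount
   point that is a prefix of PATH wins, later lines win ties (the kernel lists the
   topmost mount last).  A mount showing neither "relatime" nor "noatime" is
   strict-atime, so MS_STRICTATIME is added to say so explicitly on a later remount.
   Returns 0 when no line matches. */
unsigned long mountinfo_flags_for(const char *mountinfo, const char *path)
{
    unsigned long best = 0;
    size_t best_len = 0;
    char *copy = strdup(mountinfo), *line_save = NULL;
    if (copy == NULL)
        return 0;
    for (char *line = strtok_r(copy, "\n", &line_save); line != NULL;
         line = strtok_r(NULL, "\n", &line_save)) {
        char *field[6], *save = NULL;   /* id parent maj:min root mountpoint options ... */
        int n = 0;
        for (char *t = strtok_r(line, " ", &save); t != NULL && n < 6; t = strtok_r(NULL, " ", &save))
            field[n++] = t;
        if (n < 6)
            continue;
        size_t len = strlen(field[4]);
        int under = strcmp(field[4], "/") == 0 ||
                    (strncmp(path, field[4], len) == 0 && (path[len] == '\0' || path[len] == '/'));
        if (!under || len < best_len)
            continue;
        unsigned long flags = 0;
        for (char *w = strtok_r(field[5], ",", &save); w != NULL; w = strtok_r(NULL, ",", &save))
            flags |= option_word_to_flag(w);
        if (!(flags & (MS_RELATIME | MS_NOATIME)))
            flags |= MS_STRICTATIME;
        best = flags;
        best_len = len;
    }
    free(copy);
    return best;
}

/* Constructed sample (not from a real host): an Ubuntu-style layout where /run is tmpfs. */
const char *SAMPLE_MOUNTINFO =
    "26 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro\n"
    "24 26 0:22 / /run rw,nosuid,nodev,relatime shared:5 - tmpfs tmpfs rw,mode=755\n"
    "31 24 0:28 / /run/user/1000 rw,nosuid,nodev shared:16 - tmpfs tmpfs rw,mode=700\n";

/* The two calls from the strace: bind-mount SRC on DST, then remount the bind mount
   read-only with KEEP OR-ed in.  Returns 0 or the errno of the call that failed. */
int bind_readonly(const char *src, const char *dst, unsigned long keep)
{
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0)
        return errno;
    if (mount(src, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | keep, NULL) < 0)
        return errno;
    return 0;
}

int main(int argc, char **argv)
{
    const char *src = argc > 1 ? argv[1] : "/etc/resolv.conf";
    char real[PATH_MAX], dst[] = "/tmp/bindro-XXXXXX", info[1 << 16], map[64];
    uid_t uid = getuid();
    FILE *fp = fopen("/proc/self/mountinfo", "r");
    int fd;

    if (fp == NULL || realpath(src, real) == NULL)  /* realpath follows the resolvconf symlink */
        return perror("mountinfo/realpath"), 1;
    info[fread(info, 1, sizeof info - 1, fp)] = '\0';   /* assumes mountinfo < 64 KiB */
    fclose(fp);
    unsigned long keep = mountinfo_flags_for(info, real);
    if ((fd = mkstemp(dst)) < 0)                        /* a file bind mount needs a file target */
        return perror("mkstemp"), 1;
    close(fd);
    /* Same footing as guix environment --container: an unprivileged user namespace
       owning a fresh mount namespace, with our uid mapped so unlink() still works. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0)
        return perror("unshare"), 1;
    snprintf(map, sizeof map, "%u %u 1", (unsigned) uid, (unsigned) uid);
    if ((fp = fopen("/proc/self/uid_map", "w")) != NULL)
        fputs(map, fp), fclose(fp);
    int plain = bind_readonly(real, dst, 0);
    umount2(dst, MNT_DETACH);
    int kept = bind_readonly(real, dst, keep);
    umount2(dst, MNT_DETACH);
    unlink(dst);
    printf("%s: mount flags 0x%lx; remount ro with MS_RDONLY alone: %s; repeating the flags: %s\n",
           real, keep, plain ? strerror(plain) : "ok", kept ? strerror(kept) : "ok");
    return 0;
}
```

Build with gcc and run it as an ordinary user on a host that permits unprivileged user namespaces, either with no argument (it resolves /etc/resolv.conf through the resolvconf symlink, which is why the realpath step matters) or against a file created as in Dave's test, for example a file under /run/user/$UID. If the first attempt reports "Operation not permitted" and the second reports ok, the locked-flag reading holds on that host, and the corresponding change on the Guix side would be to look up the source mount's flags the same way and pass them along with MS_RDONLY rather than dropping the read-only remount altogether.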
