From: "Thompson, David"
Subject: Re: [PATCH] environment: container: Do not remount network files as read-only.
Date: Sat, 26 Mar 2016 15:23:06 -0400
To: Ludovic Courtès
Cc: guix-devel
In-Reply-To: <87r3exyt97.fsf@gnu.org>
References: <87wpozldb5.fsf@gnu.org> <87r3exyt97.fsf@gnu.org>

On Sat, Mar 26, 2016 at 2:43 PM, Ludovic Courtès wrote:
> "Thompson, David" skribis:
>
>> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès wrote:
>>> "Thompson, David" skribis:
>>>
>>>> I noticed that 'guix environment --container --network' didn't work on
>>>> an Ubuntu machine I was on, and the culprit was remounting things like
>>>> /etc/resolv.conf read-only after the initial bind mount.
>>>
>>> [...]
>>>
>>>> (file-system-mapping
>>>> (source file)
>>>> (target file)
>>>> - (writable? #f))))
>>>> + ;; An unpriviliged user might not
>>>> + ;; be able to remount
>>>> + ;; /etc/resolv.conf as read-only,
>>>> + ;; so we say that it is writable
>>>> + ;; here, even though in practice
>>>> + ;; it is not.
>>>> + (writable? #t))))
>>>> %network-configuration-files)
>>>
>>> Not sure I understand: why would bind-mounting /etc/resolv.conf
>>> read-only fail?
>>
>> I haven't figured out the exact reason yet, but here's a strace
>> snippet as proof:
>>
>> [pid 11334] mount("/etc/resolv.conf",
>> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
>> MS_RDONLY|MS_BIND, NULL) = 0
>> [pid 11334] mount("/etc/resolv.conf",
>> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
>> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
>> permitted)
>>
>> Another Ubuntu user was able to reproduce this as well.
>
> Looking at the resolvconf man page that Drew mentioned, it seems that
> /etc/resolv.conf is a symlink when resolvconf is in use, right?
>
> If yes, does this make a difference:

/etc/resolv.conf is a symlink, but the patch doesn't work.

> It may be that the result after this is that you get /etc/resolv.conf in
> the container, but it's a dangling symlink. But isn't it the case
> already with the patch you propose?

No, /etc/resolv.conf appears as a regular file inside the container,
even though it's a symlink outside. The mount namespace does the right
thing and I can read the contents of it from within the container. No
dangling symlink! :D

I tried using --expose with a symlink as an attempt to replicate the
problem with another file, but things went fine! I'm confused.

What's the correct patch here now? :)

- Dave
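Review bot: flipping `(writable? #f)` to `(writable? #t)` for every entry of %network-configuration-files widens the container's access to the host's /etc/resolv.conf and friends rather than fixing the failing remount, and the added comment ("even though in practice it is not") is not accurate as written: the mapping really is read-write, and the only thing standing between the container and the host file is ordinary file permission. The strace quoted above shows that the initial `MS_RDONLY|MS_BIND` mount succeeds and only the second `MS_RDONLY|MS_REMOUNT|MS_BIND` call returns EPERM, so a narrower change would keep `(writable? #f)` and make the read-only remount step tolerate (and report) EPERM, or find out why the remount is refused, instead of declaring the files writable. Also fix the spelling in the comment: "unpriviliged" should be "unprivileged", and the comment is wrapped at an oddly narrow width compared with the surrounding code.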
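The thread leaves open why the second mount call in the strace fails. One cause of exactly this pattern (bind succeeds, read-only remount returns EPERM) in an unprivileged mount namespace is the kernel's rule that a remount may not drop the "locked" flags (nosuid, nodev, noexec and the atime flags) inherited from the source's mount; the thread does not establish that this is the cause on the Ubuntu machine, so treat it as an assumption. The program below is an added example, not Guix code: it reads the flags of the mount that holds the source file from /proc/self/mountinfo and carries them into the read-only remount so that the remount is acceptable to the kernel. The mountinfo excerpt embedded in it is constructed for the stand-alone demo, and the paths and function names are my own.

```c
/* Added example (not Guix code): bind-mount a file read-only inside a
 * container the way the thread's strace shows (MS_BIND first, then
 * MS_REMOUNT|MS_BIND|MS_RDONLY), but carry over the "locked" flags of the
 * underlying mount.  Assumption (kernel behaviour the thread does not
 * confirm): in a user namespace a remount that would clear nosuid/nodev/
 * noexec or an atime flag inherited from the original mount is refused
 * with EPERM. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Flags a less privileged mount namespace is not allowed to clear. */
#define LOCKED_FLAGS (MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME | \
                      MS_NODIRATIME | MS_RELATIME | MS_STRICTATIME)

/* Constructed /proc/self/mountinfo excerpt (not from the thread), modelled
 * on a resolvconf host where /etc/resolv.conf points into /run. */
const char *SAMPLE_MOUNTINFO =
    "23 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "45 23 0:38 / /run rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw\n"
    "61 23 8:2 / /home rw,nosuid,relatime - ext4 /dev/sda2 rw\n";

/* Map one comma-separated mountinfo option string ("rw,nosuid,relatime")
 * to MS_* bits.  Options without an MS_ flag here ("rw") are ignored. */
unsigned long parse_mount_options(const char *opts)
{
    static const struct { const char *name; unsigned long flag; } table[] = {
        {"ro", MS_RDONLY}, {"nosuid", MS_NOSUID}, {"nodev", MS_NODEV},
        {"noexec", MS_NOEXEC}, {"noatime", MS_NOATIME},
        {"nodiratime", MS_NODIRATIME}, {"relatime", MS_RELATIME},
        {"strictatime", MS_STRICTATIME},
    };
    unsigned long flags = 0;
    char buf[256];
    strncpy(buf, opts, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0)
                flags |= table[i].flag;
    return flags;
}

/* Flags of the mount containing `path`, given mountinfo text.  Columns are
 * "id parent major:minor root mountpoint options ..."; the longest mount
 * point that is a path prefix of `path` wins. */
unsigned long mount_flags_for_path(const char *mountinfo, const char *path)
{
    unsigned long best_flags = 0;
    size_t best_len = 0;
    const char *line = mountinfo;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char mp[256], opts[256];
        /* %*s skips a column; %s stops at the newline, so one line only. */
        if (sscanf(line, "%*s %*s %*s %*s %255s %255s", mp, opts) == 2) {
            size_t mplen = strlen(mp);
            int is_prefix = strncmp(path, mp, mplen) == 0 &&
                (mplen == 1 || path[mplen] == '\0' || path[mplen] == '/');
            if (is_prefix && mplen >= best_len) {
                best_len = mplen;
                best_flags = parse_mount_options(opts);
            }
        }
        line = end ? end + 1 : line + len;
    }
    return best_flags;
}

/* Flags for the second mount() call: read-only, plus every locked flag the
 * bind mount inherited, so nothing locked is being cleared. */
unsigned long readonly_remount_flags(unsigned long existing)
{
    return MS_REMOUNT | MS_BIND | MS_RDONLY | (existing & LOCKED_FLAGS);
}

/* Bind `source` onto `target` read-only.  Returns 0 or -errno. */
int bind_readonly(const char *source, const char *target, const char *mountinfo)
{
    if (mount(source, target, NULL, MS_BIND, NULL) < 0)
        return -errno;
    unsigned long flags = readonly_remount_flags(mount_flags_for_path(mountinfo, source));
    if (mount(source, target, NULL, flags, NULL) < 0)
        return -errno;
    return 0;
}

/* Stand-alone use: needs mount rights in the current mount namespace, e.g.
 * after `unshare -Urm`.  The target file must already exist. */
int main(int argc, char **argv)
{
    static char info[65536];
    if (argc != 3) { fprintf(stderr, "usage: %s SOURCE TARGET\n", argv[0]); return 2; }
    FILE *f = fopen("/proc/self/mountinfo", "r");
    size_t n = f ? fread(info, 1, sizeof info - 1, f) : 0;
    if (f) fclose(f);
    info[n] = '\0';
    int rc = bind_readonly(argv[1], argv[2], info);
    if (rc < 0) { fprintf(stderr, "mount: %s\n", strerror(-rc)); return 1; }
    printf("%s is now bind-mounted read-only on %s\n", argv[1], argv[2]);
    return 0;
}
```

Reading the locked flags from the mount the source lives on, rather than hard-coding them, matters because resolvconf hosts keep the real file on a tmpfs under /run that is typically nosuid,nodev,noexec, while the same file on a plain root filesystem carries only relatime; a single fixed flag set would be wrong for one of the two. If the remount still returns EPERM with the flags preserved, the cause is something else and the error is worth surfacing rather than silently marking the mapping writable.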