From: Drew C
Subject: Re: [PATCH] environment: container: Do not remount network files as read-only.
Date: Sat, 26 Mar 2016 09:29:50 -0700
References: <87wpozldb5.fsf@gnu.org>
To: "Thompson, David"
Cc: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

On Sat, Mar 26, 2016 at 7:06 AM, Thompson, David <dthompson2@worcester.edu> wrote:
On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> "Thompson, David" <dthompson2@worcester.edu> skribis:
>
>> I noticed that 'guix environment --container --network' didn't work on
>> an Ubuntu machine I was on, and the culprit was remounting things like
>> /etc/resolv.conf read-only after the initial bind mount.


One thing that I have run across is the following:

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

It re-writes that file every time a new network connection is made.

$ man resolvconf
[...]
DESCRIPTION
       The resolvconf package comprises a simple database for  run-time  name‐
       server information and a simple framework for notifying applications of
       changes in that information.  Resolvconf thus sets  itself  up  as  the
       intermediary  between  programs  that supply nameserver information and
       applications that use that information.
[...]

I am not at all sure if this is the cause of the issue, but I have run into it many times before with WiFi and me trying to edit it to 8.8.8.8, so I figure this is a decent time to bring it up.

Cheers,

Drew Crampsie

>
> [...]
>
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 (file-system-mapping
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0(source file)
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0(target file)
>> -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0(writable? #f))))
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0;; An unpriviliged user might not
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0;; be able to remount
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0;; /etc/resolv.conf as read-only,
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0;; so we say that it is writable
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0;; here, even though in practice
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0;; it is not.
>> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0(writable? #t))))
>>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0%n= etwork-configuration-files)
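Review bot: The new comment misspells "unprivileged" ("unpriviliged"), and its claim that the mapping is writable "even though in practice it is not" is misleading given the strace further down: the first bind mount succeeds and only the MS_REMOUNT|MS_RDONLY step returns EPERM, so with `(writable? #t)` the file is writable at the mount level and the only thing stopping writes is the host file's own permissions. The comment should say that plainly and record the observed failure (EPERM on the read-only remount) so a later reader does not take this for a read-only mapping; an alternative worth considering is to keep attempting the remount and tolerate only that specific failure, rather than dropping the read-only step for every platform.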
>
> Not sure I understand: why would bind-mounting /etc/resolv.conf
> read-only fail?

I haven't figured out the exact reason yet, but here's a strace
snippet as proof:

[pid 11334] mount("/etc/resolv.conf",
"/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
MS_RDONLY|MS_BIND, NULL) = 0
[pid 11334] mount("/etc/resolv.conf",
"/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
permitted)

Another Ubuntu user was able to reproduce this as well.  I find it
kind of silly to mount these files read-only because an unprivileged
user couldn't write to them anyway.  WDYT?

- Dave


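As an added example (not Guix's code and not from this thread), here are the two mount(2) calls from Dave's strace written out in C, run inside fresh user and mount namespaces the way an unprivileged container setup would, with a statvfs(3) check that confirms the remount actually left the target read-only instead of assuming it did. The function names and the namespace setup are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the mount holding PATH is read-only, 0 if writable, -1 on error. */
int mount_is_readonly(const char *path)
{
    struct statvfs st;
    return statvfs(path, &st) != 0 ? -1 : (st.f_flag & ST_RDONLY) ? 1 : 0;
}

/* The two mount(2) calls from the strace: a bind, then a read-only remount.
   Returns 0 once TARGET is verified read-only, otherwise the errno of the
   step that failed (EPERM from the second call is the case in the thread). */
int bind_readonly(const char *source, const char *target)
{
    /* A plain bind ignores MS_RDONLY, so after this call TARGET is writable. */
    if (mount(source, target, NULL, MS_BIND | MS_RDONLY, NULL) != 0)
        return errno;
    /* Only the remount applies MS_RDONLY; this is the call that got EPERM. */
    if (mount(source, target, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) != 0)
        return errno;
    /* Check the flag really took effect instead of trusting the return value. */
    return mount_is_readonly(target) == 1 ? 0 : EIO;
}

/* Run bind_readonly in a child that first enters new user and mount
   namespaces.  Returns the child's result, or the errno from unshare(2)
   when user namespaces are unavailable.  SOURCE and TARGET must exist. */
int try_in_new_namespaces(const char *source, const char *target)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
            _exit(errno);
        _exit(bind_readonly(source, target));
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}
```

Calling `try_in_new_namespaces("/etc/resolv.conf", some_empty_file)` returns 0 only when the remount succeeded and the target is verified read-only; any non-zero result means the file is still writable at the mount level and the caller should treat that as a failed hardening step rather than continue silently.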