bwrap breaks under nix-user-chroot since v1.1.0 #57

Open
bjornfor opened this issue Sep 30, 2021 · 4 comments
Comments

@bjornfor

In nix-user-chroot-1.0.3 one can use bwrap inside nix-user-chroot[1], but this stopped working in v1.1.0 (and later). I git bisected it to 6288562 being the bad commit.

[1] I wrote a ctest wrapper using bwrap --tmpfs .. to be able to control where ctest writes its state.

@bjornfor
Author

Good revision:

$ strace -f -e clone ./nix-user-chroot.bisect-930d889 .nix /nix/store/a5d5gvc408pbskvlmxnpbgy1q09llkfk-bubblewrap-0.4.1/bin/bwrap --dev-bind / / whoami
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f4f1f3b8c10) = 42273
strace: Process 42273 attached
[pid 42273] clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 42276
strace: Process 42276 attached
[pid 42276] +++ exited with 0 +++
[pid 42273] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=42273, si_uid=2229, si_status=0, si_utime=0, si_stime=1} ---
+++ exited with 0 +++

Bad revision:

$ strace -f -e clone ./nix-user-chroot.bisect-6288562 .nix /nix/store/a5d5gvc408pbskvlmxnpbgy1q09llkfk-bubblewrap-0.4.1/bin/bwrap --dev-bind / / whoami
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fa84d6d8c10) = 41939
strace: Process 41939 attached
[pid 41939] clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = -1 EPERM (Operation not permitted)
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.
[pid 41939] +++ exited with 1 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=41939, si_uid=2229, si_status=1, si_utime=0, si_stime=1} ---
+++ exited with 1 +++

@bjornfor
Author

bwrap itself supports nesting:

$ bwrap --dev-bind / / bwrap --dev-bind / / uname
Linux

@Mic92
Member

Mic92 commented Nov 8, 2021

You could probably also use bwrap to re-implement nix-user-chroot then.

@lestephane

@bjornfor I'm getting a similar looking error (same error message) when flatpak --install --user-ing an app, using the flatpak command I installed using nix-user-chroot. I can post the full error message if needed, but it looks pretty much like yours.

sysctl kernel.unprivileged_userns_clone is 1 for me

So it looks like creating a 'nested' userns within a nix-user-chroot userns is not possible.

Is this what the initial bug report was pointing out? Or am I hitting another problem?

I will try nix-portable, as recommended in the README, to see if I can get any further.
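As an added diagnostic (not code from the issue, from nix-user-chroot or from bubblewrap), the program below reproduces the nesting that the two straces and the flatpak report describe: an outer user+mount namespace standing in for the one the wrapper sets up, then a nested CLONE_NEWUSER|CLONE_NEWNS like bwrap's clone(), reporting the errno of the nested attempt. It toggles one precondition the kernel enforces for nested user namespaces, that the creator's uid and gid are mapped in the parent namespace, so the two runs let you tell "user namespaces are disabled outright" apart from "only the nested one is refused"; it assumes Linux with /proc mounted and does not determine which change in commit 6288562 caused the regression.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define SETUP_FAILED 200 /* child exit code distinct from every errno value */

/* Write one string to a /proc/self/* map file; returns 0 or errno. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int err = write(fd, text, strlen(text)) < 0 ? errno : 0;
    close(fd);
    return err;
}
/* Map the caller's uid/gid 1:1 in the user namespace it just entered;
 * setgroups must be denied before an unprivileged gid_map write. */
static int map_self(uid_t uid, gid_t gid) {
    char buf[64]; int err;
    snprintf(buf, sizeof buf, "%u %u 1", (unsigned)uid, (unsigned)uid);
    if ((err = write_file("/proc/self/uid_map", buf)) != 0) return err;
    if ((err = write_file("/proc/self/setgroups", "deny")) != 0) return err;
    snprintf(buf, sizeof buf, "%u %u 1", (unsigned)gid, (unsigned)gid);
    return write_file("/proc/self/gid_map", buf);
}
/* Forked child: enter an outer user+mount namespace (the wrapper's role), optionally
 * write the maps, then try the nested CLONE_NEWUSER|CLONE_NEWNS that bwrap's clone()
 * performs. Returns 0 on success, the nested errno (EPERM in the bad trace), or -1. */
int try_nested_userns(int write_maps) {
    uid_t uid = geteuid(); gid_t gid = getegid();
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(SETUP_FAILED);
        if (write_maps && map_self(uid, gid) != 0) _exit(SETUP_FAILED);
        _exit(unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == SETUP_FAILED ? -1 : WEXITSTATUS(status); /* -1: outer setup failed */
}
int main(void) {
    for (int maps = 1; maps >= 0; maps--) {
        int r = try_nested_userns(maps);
        printf("maps=%d: %s\n", maps, r == -1 ? "outer setup failed" : r ? strerror(r) : "nested userns ok");
    }
}
```

On a kernel that permits unprivileged user namespaces, the run with maps succeeds and the run without them fails with EPERM, the same errno the bad strace shows; if both runs report "outer setup failed", user namespaces are refused before nesting is even attempted.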

3 participants