On Sun, Sep 6, 2015 at 9:47 PM, Alex Vong <[email protected]> wrote:
> Hi Dave,
>
> I have searched the internet according to the information you provided,
> I find this bug report <https://github.com/lxc/lxc/issues/250> provides
> useful information.
> I have written an example program after going through the clone(2) man page.
> It demonstrates the problem and is inlined below.
>
> First, compile the program as `a.out'.
>
> Consider shell session 1:
>
> root# echo 0 > /proc/sys/kernel/unprivileged_userns_clone
> user$ ./a.out
> I am your parent
> Start cloning...
> Cannot clone!
>
> Consider shell session 2:
>
> root# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> user$ ./a.out
> I am your parent
> Start cloning...
> Cloned!
> I am your child
>
> Any idea what's happening?
> I don't know Linux much, for instance I don't know what containers and
> namespaces are in Linux.
It seems that the kernel you are using has disabled the use of unprivileged user namespaces by default. After doing that echo as root, you should be able to run the tests successfully. Could you apply the attached patch and let me know if 'make check TESTS=tests/syscalls.scm' and 'make check TESTS=tests/containers.scm' pass both when unprivileged user namespaces are disabled and when they are enabled? Thank you!

- Dave
From 45e501c051fe5e7f5116c44c44832af14b775527 Mon Sep 17 00:00:00 2001 From: David Thompson <[email protected]> Date: Mon, 7 Sep 2015 15:38:08 -0400 Subject: [PATCH] tests: Detect when user namespaces are disabled for unprivileged users. * guix/tests.scm (%user-namespaces?): New variable. * tests/containers.scm: Skip tests unless user can create user namespaces. * tests/syscalls.scm: Likewise for clone, setns, and pivot-root tests. --- guix/tests.scm | 13 ++++++++++++- tests/containers.scm | 3 ++- tests/syscalls.scm | 10 ++++++---- 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/guix/tests.scm b/guix/tests.scm index cd8eda2..4634323 100644 --- a/guix/tests.scm +++ b/guix/tests.scm @@ -41,7 +41,8 @@ with-derivation-narinfo with-derivation-substitute dummy-package - dummy-origin)) + dummy-origin + %user-namespaces?)) ;;; Commentary: ;;; @@ -259,6 +260,16 @@ default values, and with EXTRA-FIELDS set as specified." (method #f) (uri "http://www.example.com") (sha256 (base32 (make-string 52 #\x))))) +;; User namespaces are only available on more recent versions of Linux, and +;; some systems do not allow unprivileged users to create them. +(define %user-namespaces? + (and (file-exists? "/proc/self/ns/user") + (or (zero? (getuid)) ; root is OK + (let ((config-file "/proc/sys/kernel/unprivileged_userns_clone")) + (if (file-exists? config-file) + (string=? (call-with-input-file config-file read-string) "1") + #t))))) + ;; Local Variables: ;; eval: (put 'call-with-derivation-narinfo 'scheme-indent-function 1) ;; eval: (put 'call-with-derivation-substitute 'scheme-indent-function 2) diff --git a/tests/containers.scm b/tests/containers.scm index 4783f8e..25e908b 100644 --- a/tests/containers.scm +++ b/tests/containers.scm 
@@ -17,6 +17,7 @@ ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (test-containers) + #:use-module (guix tests) #:use-module (guix utils) #:use-module (guix build syscalls) #:use-module (gnu build linux-container) @@ -28,7 +29,7 @@ ;; Skip these tests unless user namespaces are available and the setgroups ;; file (introduced in Linux 3.19 to address a security issue) exists. -(unless (and (file-exists? "/proc/self/ns/user") +(unless (and %user-namespaces? (file-exists? "/proc/self/setgroups")) (exit 77)) diff --git a/tests/syscalls.scm b/tests/syscalls.scm index 86783b9..a58b41e 100644 --- a/tests/syscalls.scm +++ b/tests/syscalls.scm @@ -18,12 +18,14 @@ ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (test-syscalls) + #:use-module (guix tests) #:use-module (guix utils) #:use-module (guix build syscalls) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) #:use-module (srfi srfi-64) - #:use-module (ice-9 match)) + #:use-module (ice-9 match) + #:use-module (ice-9 rdelim)) ;; Test the (guix build syscalls) module, although there's not much that can ;; actually be tested without being root. @@ -80,7 +82,7 @@ (define (user-namespace pid) (string-append "/proc/" (number->string pid) "/ns/user")) -(unless (file-exists? (user-namespace (getpid))) +(unless %user-namespaces? (test-skip 1)) (test-assert "clone" (match (clone (logior CLONE_NEWUSER SIGCHLD)) @@ -93,7 +95,7 @@ ((_ . status) (= 42 (status:exit-val status)))))))) -(unless (file-exists? (user-namespace (getpid))) +(unless %user-namespaces? (test-skip 1)) (test-assert "setns" (match (clone (logior CLONE_NEWUSER SIGCHLD)) @@ -122,7 +124,7 @@ (waitpid fork-pid) result)))))))) -(unless (file-exists? (user-namespace (getpid))) +(unless %user-namespaces? (test-skip 1)) (test-assert "pivot-root" (match (pipe) -- 2.5.0
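Review bot: In the `%user-namespaces?` definition in guix/tests.scm, `(string=? (call-with-input-file config-file read-string) "1")` compares the entire file contents against "1", but the kernel reports sysctl values with a trailing newline, so the file reads as "1\n" and the comparison is false even when unprivileged user namespaces are enabled; the variable then comes out #f and the clone, setns, pivot-root and container tests are skipped on exactly the systems this patch is meant to cover. Reading only the first line, e.g. `(string=? (call-with-input-file config-file read-line) "1")`, or trimming with `string-trim-right` before comparing, fixes it. Note also that `read-string` and `read-line` come from `(ice-9 rdelim)`, which this hunk does not import into guix/tests.scm; unless that module already uses rdelim, the import belongs here.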
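Review bot: The `#:use-module (ice-9 rdelim)` added to tests/syscalls.scm is not used by any line in this patch's hunks for that file; the only new call that needs it is the `read-string` in guix/tests.scm. Either drop it from the test module or move it to guix/tests.scm, so the test file does not carry an unexplained dependency. The replacement of `(file-exists? (user-namespace (getpid)))` with `%user-namespaces?` before the "clone" and "setns" tests is the right guard, since both tests call `(clone (logior CLONE_NEWUSER SIGCHLD))`, which is precisely the operation the unprivileged_userns_clone sysctl governs.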
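As an added example (not part of Alex's report or Dave's patch), the same availability check the patch encodes, written as a POSIX shell function with the two proc paths and the uid passed in so it can be exercised against constructed files instead of the live kernel; it reads only the first line of the sysctl file, because the kernel reports the value as "1\n" and a whole-file comparison against "1" never matches.

```shell
#!/bin/sh
# Added example, not Guix code: mirror the logic of %user-namespaces?.
#   user_namespaces_available NS_USER_FILE SYSCTL_FILE UID
#   NS_USER_FILE  normally /proc/self/ns/user
#   SYSCTL_FILE   normally /proc/sys/kernel/unprivileged_userns_clone
#   UID           numeric uid of the caller
# Prints "yes" or "no" and returns 0 or 1 accordingly.
user_namespaces_available() {
    ns_user_file=$1
    sysctl_file=$2
    uid=$3

    # No user namespace support in this kernel at all.
    if [ ! -e "$ns_user_file" ]; then
        echo no; return 1
    fi
    # root may always create user namespaces.
    if [ "$uid" -eq 0 ]; then
        echo yes; return 0
    fi
    # Kernels without the Debian/Ubuntu sysctl allow unprivileged clones.
    if [ ! -e "$sysctl_file" ]; then
        echo yes; return 0
    fi
    # Read the first line only: the kernel reports "1\n", so comparing the
    # whole file contents against "1" would never match.
    read -r value < "$sysctl_file" || value=""
    if [ "$value" = "1" ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Constructed fixtures standing in for the proc files, mirroring the
# two shell sessions in the report (sysctl set to 0, then to 1).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
: > "$tmpdir/ns_user"
printf '0\n' > "$tmpdir/userns_off"
printf '1\n' > "$tmpdir/userns_on"

# Demonstrate an unprivileged uid against both sysctl states.
for state in userns_off userns_on; do
    printf '%s: ' "$state"
    user_namespaces_available "$tmpdir/ns_user" "$tmpdir/$state" 1000 || :
done
```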
