Note that in its final form this hasn't had any testing on an Ubuntu machine, so testing would be appreciated if anyone has an Ubuntu 24.x machine (not a container, need their kernel) with apparmor enabled.
Thanks, Ross > On 12 Sep 2024, at 17:57, Ross Burton via lists.openembedded.org > <[email protected]> wrote: > > If user namespaces are not available (typically because AppArmor is > blocking them), alert the user. > > We consider network isolation sufficiently important that this is a fatal > error, and the user will need to configure AppArmor to allow bitbake to > create a user namespace. > > [ YOCTO #15592 ] > > Signed-off-by: Ross Burton <[email protected]> > --- > meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > > diff --git a/meta/classes-global/sanity.bbclass > b/meta/classes-global/sanity.bbclass > index 1d242f0f0a0..72dab0fea2b 100644 > --- a/meta/classes-global/sanity.bbclass > +++ b/meta/classes-global/sanity.bbclass > @@ -475,6 +475,29 @@ def check_wsl(d): > bb.warn("You are running bitbake under WSLv2, this works properly > but you should optimize your VHDX file eventually to avoid running out of > storage space") > return None > > +def check_userns(): > + """ > + Check that user namespaces are functional, as they're used for network > isolation. > + """ > + > + # There is a known failure case with AppAmrmor where the unshare() call > + # succeeds (at which point the uid is nobody) but writing to the uid_map > + # fails (so the uid isn't reset back to the user's uid). We can detect > this. > + parentuid = os.getuid() > + pid = os.fork() > + if not pid: > + try: > + bb.utils.disable_network() > + except: > + pass > + os._exit(parentuid != os.getuid()) > + > + ret = os.waitpid(pid, 0)[1] > + if ret: > + bb.fatal("User namespaces are not usable by BitBake, possibly due to > AppArmor.\n" > + "See > https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions > for more information.") > + > + > # Require at least gcc version 8.0 > # > # This can be fixed on CentOS-7 with devtoolset-6+ 
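Review bot: the check in check_userns() only catches the partial AppArmor failure the comment describes (unshare() succeeds, writing uid_map fails), not the case the commit message promises to alert on, where user namespaces are unavailable outright. If unshare() itself fails, bb.utils.disable_network() returns without changing the uid, the bare `except: pass` hides any other error, and `os._exit(parentuid != os.getuid())` exits 0, so the sanity check passes although network isolation is not in effect. Consider also verifying that a namespace was actually entered, for example by comparing `os.stat("/proc/self/ns/net").st_ino` in the child before and after the disable_network() call, and narrowing the bare `except:` to `except Exception`. Minor points: `os._exit(int(...))` reads more clearly than passing a bool, `os.waitstatus_to_exitcode()` is clearer than testing the raw wait status, and the comment has a typo ("AppAmrmor").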
> @@ -641,6 +664,7 @@ def check_sanity_version_change(status, d): > status.addresult(check_git_version(d)) > status.addresult(check_perl_modules(d)) > status.addresult(check_wsl(d)) > + status.addresult(check_userns()) > > missing = "" > > -- > 2.34.1 > > > >
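Review bot: registering the check via `status.addresult(check_userns())` in check_sanity_version_change() means, by that function's name, it runs only when the sanity version or related state changes rather than on every build, so an AppArmor policy change after a successful first run would go unnoticed; if the intent is to catch that, check_sanity_everybuild() may be the better home. Also, unlike the neighbouring check_wsl(d), check_userns() takes no `d` argument, which is fine functionally but inconsistent with the other checks in this list.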
