Ross Burton via lists.openembedded.org <ross.burton=[email protected]> wrote (Thursday, 12/09/2024 at 17:57):

> If user namespaces are not available (typically because AppArmor is
> blocking them), alert the user.
>
> We consider network isolation sufficiently important that this is a fatal
> error, and the user will need to configure AppArmor to allow bitbake to
> create a user namespace.
>
> [ YOCTO #15592 ]
>
> Signed-off-by: Ross Burton <[email protected]>
> ---
>  meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>
> diff --git a/meta/classes-global/sanity.bbclass
> b/meta/classes-global/sanity.bbclass
> index 1d242f0f0a0..72dab0fea2b 100644
> --- a/meta/classes-global/sanity.bbclass
> +++ b/meta/classes-global/sanity.bbclass
> @@ -475,6 +475,29 @@ def check_wsl(d):
>              bb.warn("You are running bitbake under WSLv2, this works
> properly but you should optimize your VHDX file eventually to avoid running
> out of storage space")
>      return None
>
> +def check_userns():
> +    """
> +    Check that user namespaces are functional, as they're used for
> network isolation.
> +    """
> +
> +    # There is a known failure case with AppAmrmor where the unshare()
> call
> +    # succeeds (at which point the uid is nobody) but writing to the
> uid_map
> +    # fails (so the uid isn't reset back to the user's uid). We can
> detect this.
> +    parentuid = os.getuid()
> +    pid = os.fork()
> +    if not pid:
> +        try:
> +            bb.utils.disable_network()
> +        except:
> +            pass
> +        os._exit(parentuid != os.getuid())
> +
> +    ret = os.waitpid(pid, 0)[1]
> +    if ret:
> +        bb.fatal("User namespaces are not usable by BitBake, possibly due
> to AppArmor.\n"
> +                 "See
> https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions
> for more information.")
>

The error message could be better imo.
It will also happen inside a docker container that runs without the
NET_ADMIN capability, which is the default.
https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities

Jose


> +
> +
>  # Require at least gcc version 8.0
>  #
>  # This can be fixed on CentOS-7 with devtoolset-6+
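Review bot: the check only detects the partial failure its own comment describes (unshare() succeeds, the uid_map write fails), not the case the commit message promises to alert on, where user namespaces are unavailable altogether. If disable_network() cannot unshare at all, the child's uid is unchanged, `os._exit(parentuid != os.getuid())` exits 0, and no error is raised. Consider having the child exit with distinct codes for "unshare failed" and "uid not restored", and wording the bb.fatal message generically rather than naming AppArmor, since the exit status cannot tell AppArmor apart from a container runtime that blocks unshare. Minor: `except: pass` should be at least `except Exception:`, and the comment misspells AppArmor ("AppAmrmor").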
> @@ -641,6 +664,7 @@ def check_sanity_version_change(status, d):
>      status.addresult(check_git_version(d))
>      status.addresult(check_perl_modules(d))
>      status.addresult(check_wsl(d))
> +    status.addresult(check_userns())
>
>      missing = ""
>
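Review bot: check_userns() has no return value, so `status.addresult(check_userns())` always adds None. The neighbouring checks (check_git_version, check_perl_modules, check_wsl) return their message string on failure and None on success so that all sanity failures are collected and reported together; check_userns instead calls bb.fatal from inside the check, which aborts before the remaining results are gathered. Return the error string from check_userns like its siblings and let the sanity machinery make it fatal.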
> --
> 2.34.1

-- 
Best regards,

José Quaresma
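To illustrate the ambiguity Jose points out (the same exit status whether AppArmor, a container seccomp profile or a missing capability is the cause), here is an added, standalone probe that is not part of the patch or of BitBake. It forks a child that attempts unshare(CLONE_NEWUSER | CLONE_NEWNET) via ctypes and then writes the uid/gid maps, and reports a distinct outcome for "unshare refused", "unshare unsupported" and "unshare succeeded but the mapping was refused". The function names, exit codes and outcome strings are all assumptions made for this example.

```python
import ctypes
import errno
import os
import sys

# Flags from <sched.h> on Linux.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

# Child exit codes chosen for this example (hypothetical, not BitBake's).
OUTCOMES = {
    0: "ok",
    2: "unshare-denied",       # EPERM/EACCES: blocked by policy, seccomp or missing capability
    3: "unshare-unsupported",  # any other error: kernel or libc does not offer it
    4: "uid-map-denied",       # unshare() succeeded but uid_map/gid_map writes were refused
}


def _probe_in_child(uid, gid):
    """Runs in the forked child. Never returns; the exit code encodes the outcome."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)  # libc symbols of the running process
        if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
            err = ctypes.get_errno()
            os._exit(2 if err in (errno.EPERM, errno.EACCES) else 3)
        # Map our real uid/gid back into the new namespace, as BitBake does.
        with open("/proc/self/uid_map", "w") as f:
            f.write("%d %d 1\n" % (uid, uid))
        with open("/proc/self/setgroups", "w") as f:
            f.write("deny")
        with open("/proc/self/gid_map", "w") as f:
            f.write("%d %d 1\n" % (gid, gid))
    except OSError:
        # This is the AppArmor-style failure: the namespace exists, but writing
        # the maps is refused, so the process is left as "nobody".
        os._exit(4)
    except BaseException:
        os._exit(3)
    # Belt and braces: confirm the mapping actually restored our uid.
    os._exit(0 if os.getuid() == uid else 4)


def probe_userns():
    """Return one of the OUTCOMES strings for the current user and platform."""
    if sys.platform != "linux":
        return "unshare-unsupported"
    uid, gid = os.getuid(), os.getgid()
    pid = os.fork()
    if pid == 0:
        _probe_in_child(uid, gid)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return OUTCOMES.get(code, "unshare-unsupported")


def explain(outcome):
    """Human-readable message per outcome, naming the plausible causes rather than
    asserting a single one. Returns an empty string when nothing is wrong."""
    if outcome == "ok":
        return ""
    if outcome == "uid-map-denied":
        return ("A user namespace was created but the uid/gid mapping was refused. "
                "This is the behaviour of AppArmor's unprivileged user namespace "
                "restriction; the AppArmor profile for the build tool must allow it.")
    if outcome == "unshare-denied":
        return ("Creating a user namespace was refused outright. Typical causes are a "
                "container runtime that blocks unshare (e.g. a seccomp profile or a "
                "dropped capability) or a sysctl that disables unprivileged user "
                "namespaces.")
    return "User namespaces are not supported by this kernel or C library."


if __name__ == "__main__":
    result = probe_userns()
    print("user namespace probe:", result)
    if result != "ok":
        print(explain(result))
```

Because the probe lives in a forked child, a refused uid_map write cannot leave the caller stuck as "nobody", and the parent learns which of the three failure modes occurred instead of a single boolean.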