Richard Purdie <[email protected]> wrote (Thursday, 12/09/2024 at 21:37):
> On Thu, 2024-09-12 at 18:29 +0100, Jose Quaresma via > lists.openembedded.org wrote: > > > > > > Ross Burton via lists.openembedded.org > > <[email protected]> wrote (Thursday, > > 12/09/2024 at 17:57): > > > If user namespaces are not available (typically because AppArmor is > > > blocking them), alert the user. > > > > > > We consider network isolation sufficiently important that this is a > > > fatal > > > error, and the user will need to configure AppArmor to allow > > > bitbake to > > > create a user namespace. > > > > > > [ YOCTO #15592 ] > > > > > > Signed-off-by: Ross Burton <[email protected]> > > > --- > > > meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++ > > > 1 file changed, 24 insertions(+) > > > > > > diff --git a/meta/classes-global/sanity.bbclass b/meta/classes- > > > global/sanity.bbclass > > > index 1d242f0f0a0..72dab0fea2b 100644 > > > --- a/meta/classes-global/sanity.bbclass > > > +++ b/meta/classes-global/sanity.bbclass 
> > > @@ -475,6 +475,29 @@ def check_wsl(d): > > > bb.warn("You are running bitbake under WSLv2, this > > > works properly but you should optimize your VHDX file eventually to > > > avoid running out of storage space") > > > return None > > > > > > +def check_userns(): > > > + """ > > > + Check that user namespaces are functional, as they're used for > > > network isolation. > > > + """ > > > + > > > + # There is a known failure case with AppAmrmor where the > > > unshare() call > > > + # succeeds (at which point the uid is nobody) but writing to > > > the uid_map > > > + # fails (so the uid isn't reset back to the user's uid). We > > > can detect this. > > > + parentuid = os.getuid() > > > + pid = os.fork() > > > + if not pid: > > > + try: > > > + bb.utils.disable_network() > > > + except: > > > + pass > > > + os._exit(parentuid != os.getuid()) > > > + > > > + ret = os.waitpid(pid, 0)[1] > > > + if ret: > > > + bb.fatal("User namespaces are not usable by BitBake, > > > possibly due to AppArmor.\n" > > > + "See > > > > https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions > > > for more information.") > > > > > > > > > The error message could be better imo. > > It will also happen inside a docker container that runs without the > > NET_ADMIN capability, which is the default. > > > https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities > > Did you actually observe that? > No, I have not tested the patch. > > If the unshare() fails, the uids will still match and I don't think the > error message will trigger but I could be wrong. > What we want to detect is where the unshare() works but the uid mapping > then fails which is the annoying apparmor corner case. > Right, when I first read it I thought the error would be when it failed to create the network namespace and not for things related to the user namespace. 
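Review bot: the bare `try: bb.utils.disable_network() except: pass` in check_userns() means an unshare() that fails outright leaves the child's uid unchanged, so it exits 0 and the check passes silently; only the AppArmor case where unshare() succeeds but the uid_map write fails is reported, which is narrower than the commit message's "If user namespaces are not available ... alert the user". Either narrow the commit message and the bb.fatal text to the uid-mapping case, or catch the exception explicitly (a bare `except:` also swallows SystemExit and KeyboardInterrupt in the child) and report that failure as well. The comment typo "AppAmrmor" should read "AppArmor".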
So probably what I said doesn't make sense, however it is still impossible to create the network namespace under the conditions I mentioned. I understand now and will play a bit with the patch to check. Thanks for the clarification.

Jose

> Cheers,
>
> Richard

--
Best regards,
José Quaresma
View/Reply Online (#204476): https://lists.openembedded.org/g/openembedded-core/message/204476
