Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Hi All,

I believe the recommended suggestion is Debian specific, is it not? My kernel supports user namespaces and doesn't expose that file at that location.

The only way I can work around the issue is to downgrade guix to the commit on the master branch right before 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e:

guix pull --commit=0d5d1bdf911659f60601058e8e1678187b7ba664 --allow-downgrades

Best,
Jesse

On Sun, Dec 6, 2020 at 12:03 PM zimoun wrote:
> Hi,
>
> Please try the recommendation. Have you tried it?
>
> please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> As root, you just do:
>
> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> then “guix environment -C” should work as expected. To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
>
> echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
> sysctl --system
>
> seems doable with Guix System.
>
> On my system, and I need explanations if it does not work similarly on
> yours, I simply do:
>
> --8<---cut here---start->8---
> $ guix environment -C --ad-hoc hello -- hello
> guix environment: error: cannot create container: unprivileged user cannot
> create user namespaces
> guix environment: error: please set
> /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> # logout
>
> $ guix environment -C --ad-hoc hello -- hello
> Hello, world!
> --8<---cut here---end--->8---
>
> Hope that helps,
> simon
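The exchange above only covers the Debian-style unprivileged_userns_clone knob, which is exactly what Jesse's kernel lacks. As an added diagnostic that is not part of the thread, the POSIX sh script below checks that knob where it exists, falls back to the mainline max_user_namespaces limit, and finally asks the kernel directly with unshare(1); the optional procdir argument and the function names are my own additions for testability.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not from the original posts):
# report how unprivileged user namespaces are gated on this kernel.
# /proc/sys/kernel/unprivileged_userns_clone comes from a Debian/Ubuntu
# kernel patch and is absent on mainline kernels, which instead expose the
# /proc/sys/user/max_user_namespaces limit; a final unshare(1) probe shows
# what the kernel actually allows. The procdir argument exists for testing.

# userns_status [procdir]: 0 = sysctls allow, 1 = disabled, 2 = undetermined
userns_status() {
    proc=${1:-/proc}
    clone="$proc/sys/kernel/unprivileged_userns_clone"   # Debian-style knob
    maxns="$proc/sys/user/max_user_namespaces"           # mainline limit
    if [ -r "$clone" ] && [ "$(cat "$clone")" != 1 ]; then
        echo "disabled: $clone is not 1 (set it to 1 as root, as in the thread)"
        return 1
    fi
    if [ -r "$maxns" ] && [ "$(cat "$maxns")" -eq 0 ]; then
        echo "disabled: $maxns is 0 (raise it with sysctl as root)"
        return 1
    fi
    if [ ! -r "$clone" ] && [ ! -r "$maxns" ]; then
        echo "undetermined: no user-namespace sysctl under $proc (CONFIG_USER_NS off?)"
        return 2
    fi
    echo "enabled: sysctls permit unprivileged user namespaces"
    return 0
}

# userns_probe: ask the kernel directly by creating a user namespace as the
# current unprivileged user; this is what guix environment -C relies on.
userns_probe() {
    if unshare -U true 2>/dev/null; then
        echo "probe: unshare -U succeeded, containers should work"
        return 0
    fi
    echo "probe: unshare -U failed (or unshare missing), containers will not work"
    return 1
}

# Run both checks when invoked as: sh userns-check.sh --run
if [ "${1:-}" = --run ]; then
    userns_status
    userns_probe
fi
```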
Re: Adjustments to Docker related packages and service
On Mon, Sep 21, 2020 at 6:18 AM Efraim Flashner wrote: ... > > From ac3277477bda6741ff3a8af9530c2fd68e2bb062 Mon Sep 17 00:00:00 2001 > > From: Jesse Dowell > > Date: Sat, 19 Sep 2020 12:45:39 -0400 > > Subject: [PATCH 4/4] gnu: docker: use nftables via iptables-legacy > > > > I think you meant nftables via iptables > > > --- > > gnu/packages/docker.scm | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm > > index 825aa1ef0f..322f00026f 100644 > > --- a/gnu/packages/docker.scm > > +++ b/gnu/packages/docker.scm 
> > @@ -438,8 +438,8 @@ built-in registry server of Docker.") > >("pvdisplay" "lvm2" "sbin/pvdisplay") > >("blkid" "util-linux" "sbin/blkid") > >("unpigz" "pigz" "bin/unpigz") > > - ("iptables" "iptables" "sbin/iptables") > > - ("iptables-legacy" "iptables" "sbin/iptables") > > + ("iptables" "iptables" "sbin/iptables-nft") > > + ("iptables-legacy" "iptables" "sbin/iptables-legacy") > > I checked the iptables package. 'iptables' and 'iptables-legacy' are > both symlinks for 'xtables-legacy-multi'. There is another binary for > 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking > through the source there aren't actually any references to > iptables-legacy in the docker tarball (except in the Dockerfile). > > Guix has services for both iptables and nftables. I'd rather not break > existing workflows by switching iptables in docker to nftables. Also I > don't know if it is possible to easily support both in the same package. > > >("ip" "iproute2" "sbin/ip")) > > > > (substitute-Command* > > -- > > 2.28.0 > > > > I've pushed the first 3 patches and I'd love to have some other input > on the iptables/nftables bit in the 4th patch. > > -- > Efraim Flashner אפרים פלשנר > GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 > Confidentiality cannot be guaranteed on emails sent or received unencrypted Hi Efraim, Thanks for reviewing the patches! I figured the nftables change would require more thought and input. Here's my 2 cents... > > + ("iptables" "iptables" "sbin/iptables-nft") > > + ("iptables-legacy" "iptables" "sbin/iptables-legacy") ... > I checked the iptables package. 'iptables' and 'iptables-legacy' are > both symlinks for 'xtables-legacy-multi'. There is another binary for > 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking > through the source there aren't actually any references to > iptables-legacy in the docker tarball (except in the Dockerfile). 
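Review bot: the `+ ("iptables" "iptables" "sbin/iptables-nft")` line moves every user of the Guix docker package to the nft backend unconditionally, with no way to keep the legacy backend that the existing iptables service (Guix ships services for both iptables and nftables) may be managing on the same host; consider exposing the backend as a package variant or a docker service option rather than hardcoding it. Given the observation that the docker tarball references `iptables-legacy` only in its Dockerfile, the second `+` line, `("iptables-legacy" "iptables" "sbin/iptables-legacy")`, may be dead and is worth dropping if testing without it confirms that. The commit subject `use nftables via iptables-legacy` should read `iptables-nft`, which is the binary the hunk actually points Docker at.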
My memory is a little foggy here but I think the goal is to fool Docker into using nftables with the rename. It does work for me locally - all Docker attempts to create iptables rules get translated into the equivalent nftables rules. I'll try and test soon to see what happens without that change. It's possible the "iptables-legacy" line isn't needed at all but I suspect the iptables-nft line is.

In terms of whether defaulting Docker to nftables is appropriate... I don't know what's best for Guix but it does seem that many distros are updating their default firewall to use nftables (Debian, Fedora, etc). Anecdotally - the nftables compatibility layer works great for me :).

Best,
Jesse
Adjustments to Docker related packages and service
Hello Guix,

I've been maintaining a set of patches to Docker in Guix that fix/modify various aspects of the package and service in ways that are helpful to me. I'd like to get these changes upstream if possible but I don't know which of these changes might be qualified as a patch vs a bug fix. Also, it's possible that I'm unaware of side-effects that these changes might have on use-cases outside of my own scope of work.

The patches are attached. I think that each patch might stand independently on its own but I haven't tested them in that configuration.

A quick summary of each patch:

0001-gnu-docker-Synchronize-docker-dependencies-with-the-.patch
This patch synchronizes docker-libnetwork and go-sctp with the current version of docker. Without this patch, I've encountered some issues (I forget the specifics offhand - sorry). Also, I believe this is an appropriate change based on comments in the guix source code for the packages and build instructions I've seen elsewhere.

0002-gnu-docker-compile-docker-with-seccomp-enabled.patch
I utilize docker seccomp profiles and the current version of docker on guix does not support them. This seems safe enough to enable for everyone but perhaps there's something I'm overlooking?

0003-services-docker-shepherd-service-fix-enable-proxy-op.patch
This is a bug fix. I don't think the current code properly disables the userland-proxy when the option is set to false.

0004-gnu-docker-use-nftables-via-iptables-legacy.patch
I'm guessing this patch won't fly as-is but it's helpful for systems using nftables instead of iptables. I could try to adjust it to make it flexible if there's any interest.

That's everything. Any suggestions or comments would be much appreciated.

Best,
Jesse

From 53e80970f69f2e15be8d320a8e1995ffd0bd8cb0 Mon Sep 17 00:00:00 2001
From: Jesse Dowell Date: Sat, 19 Sep 2020 12:08:27 -0400 Subject: [PATCH 1/4] gnu: docker: Synchronize docker dependencies with the current version of docker. --- gnu/packages/docker.scm | 17 ++--- gnu/packages/networking.scm | 8 +--- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm index bc7e02ec46..69905e59bb 100644 --- a/gnu/packages/docker.scm +++ b/gnu/packages/docker.scm @@ -48,6 +48,8 @@ #:use-module (gnu packages version-control) #:use-module (gnu packages virtualization)) +;; Note - when changing Docker versions it is important to update the versions +;; of several associated packages (docker-libnetwork and go-sctp). (define %docker-version "19.03.12") (define-public python-docker @@ -246,9 +248,10 @@ network attachments.") (define docker-libnetwork ;; There are no recent release for libnetwork, so choose the last commit of ;; the branch that Docker uses, as can be seen in the Docker source file - ;; 'hack/dockerfile/install/proxy.installer'. - (let ((commit "4725f2163fb214a6312f3beae5991f838ec36326") -(version "18.09") + ;; 'hack/dockerfile/install/proxy.installer'. NOTE - It is important that + ;; this version is kept in sync with the version of Docker being used. + (let ((commit "026aabaa659832804b01754aaadd2c0f420c68b6") +(version "19.03") (revision "1")) (package (name "docker-libnetwork") @@ -256,12 +259,12 @@ network attachments.") (source (origin (method git-fetch) (uri (git-reference - (url "https://github.com/docker/libnetwork;) + (url "https://github.com/moby/libnetwork;) (commit commit))) (file-name (git-file-name name version)) (sha256 (base32 - "1zpnxki8qfzha6ljahpwd3vkzmjhsvkmf73w6crm4ilxxw5vnpfb")) + "0bli21vn5v7bssw3ydym4jfdjsldhb47fld88kng7d138wl70lkw")) ;; Delete bundled ("vendored") free software source code. (modules '((guix build utils))) (snippet '(begin 
@@ -269,8 +272,8 @@ network attachments.") #t (build-system go-build-system) (arguments - `(#:import-path "github.com/docker/libnetwork/")) - (home-page "https://github.com/docker/libnetwork/;) + `(#:import-path "github.com/moby/libnetwork/")) + (home-page "https://github.com/moby/libnetwork/;) (synopsis "Networking for containers") (description "Libnetwork provides a native Go implementation for connecting containers. The goal of @code{libnetwork} is to deliver a robust diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index 1c2e7cf979..964701af1a 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -1435,8 +1435,10 @@ handli
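Review bot: the two string literals `+ (url "https://github.com/moby/libnetwork;)` and `+ (home-page "https://github.com/moby/libnetwork/;)` end in a semicolon where the closing double quote should be; the removed `docker/libnetwork` lines show the same pattern, so this is most likely the archive's rendering rather than the patch file, but confirm the actual file has balanced quotes before pushing, since unbalanced strings would break the whole module. The `#:import-path` also changes from `github.com/docker/libnetwork/` to `github.com/moby/libnetwork/` while nothing in this hunk touches the docker package that consumes docker-libnetwork, so verify that build still resolves the new path. The gnu/packages/networking.scm hunk for go-sctp is cut off after `handli` in this copy and cannot be reviewed here.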