bug#61690: Failure to mount /sys in nested ‘guix shell’ container
From: Ludovic Courtès
Subject: bug#61690: Failure to mount /sys in nested ‘guix shell’ container
Date: Tue, 21 Feb 2023 23:45:20 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Hi!
As reported by Konrad¹, nested ‘guix shell -C’ fails:
--8<---------------cut here---------------start------------->8---
$ guix shell -CN guix \
--expose=/var/guix/daemon-socket/socket \
--expose=/gnu/store \
-- guix shell -C coreutils -- ls /
guix shell: error: mount: mount "none" on "/tmp/guix-directory.xO3FIx/sys": Operation not permitted
--8<---------------cut here---------------end--------------->8---
Strace shows this:
--8<---------------cut here---------------start------------->8---
17541 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 7
[…]
17551 mount("none", "/tmp/guix-directory.d6rKy1", "tmpfs", 0, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/proc", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/sys", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
--8<---------------cut here---------------end--------------->8---
It does work if the nested ‘guix shell’ uses ‘-CN’ instead of ‘-C’,
thanks to this bit in (gnu build linux-container)
  (mount-file-systems root mounts
                      #:mount-/proc? (memq 'pid namespaces)
                      #:mount-/sys?  (memq 'net namespaces)) ;<---
The reason for this bug seems to be given here:
https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026
It’s not clear whether there’s anything we can do, other than
recommending ‘-CN’ as well in the nested container.
Thoughts?
Ludo’.
¹ https://lists.gnu.org/archive/html/guix-devel/2023-02/msg00027.html
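An added reproducer, not part of Ludo's message or of Guix itself: this C program runs, in a throwaway child process, the same unshare-then-mount sequence the strace shows, once with only a user+mount namespace (the nested ‘-C’ case) and once adding a network namespace (‘-CN’). It assumes a Linux host where the caller may create user namespaces; /tmp/sysfs-probe.XXXXXX is a scratch mount point the program creates and removes itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
/* Try to mount sysfs inside a fresh user+mount namespace, plus any extra
 * namespaces requested (CLONE_NEWNET mimics the nested '-CN' case).
 * Returns 0 on success, the mount(2) errno on failure, or -1 when the
 * namespaces could not be created at all (user namespaces disabled, seccomp). */
int probe_sysfs_mount(int extra_ns_flags)
{
    char dir[] = "/tmp/sysfs-probe.XXXXXX";  /* constructed scratch mount point */
    if (mkdtemp(dir) == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return -1; }
    if (pid == 0) {
        /* Child: new user + mount namespace, as 'guix shell -C' does. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS | extra_ns_flags) != 0)
            _exit(255);
        /* Same flags as the mount() in the strace above.  Without a new net
         * namespace, the current one is owned by the *parent* user namespace,
         * and the kernel's sysfs code then refuses the mount with EPERM. */
        if (mount("none", dir, "sysfs",
                  MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0)
            _exit(errno);
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    rmdir(dir);  /* the mount existed only in the child's mount namespace */
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

static const char *describe(int r)
{
    return r == 0 ? "mounted" : r < 0 ? "namespaces unavailable" : strerror(r);
}

int main(void)
{
    printf("user+mount ns (-C):      %s\n", describe(probe_sysfs_mount(0)));
    printf("user+mount+net ns (-CN): %s\n", describe(probe_sysfs_mount(CLONE_NEWNET)));
    return 0;
}
```

The ‘-CN’ probe can still report EPERM on hosts where /sys is partially over-mounted (as many container runtimes do), because the kernel also requires an existing fully visible sysfs mount before letting a user namespace mount another one.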