From: bug#45069 <45069@debbugs.gnu.org>
To: bug#45069 <45069@debbugs.gnu.org>
Subject: Status: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Reply-To: bug#45069 <45069@debbugs.gnu.org>
Date: Fri, 20 Jun 2025 14:13:24 +0000

retitle 45069 BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
reassign 45069 guix
submitter 45069 yasu
severity 45069 normal
thanks


From: yasu
To: bug-guix@gnu.org, pgarlick@tourbillion-technology.com, Pjotr Prins, zimoun
Cc: Guix Devel
Subject: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Sun, 06 Dec 2020 21:41:00 +0900

Hi,

I really don't know much about Linux but it looks like the problem I reported has something to do with Debian?

https://unix.stackexchange.com/questions/303213/how-to-enable-user-namespaces-in-the-kernel-for-unprivileged-unshare

Now, I don't use Debian at all (I use Guix System) and do you think this is a Bug in Guix (in that this Debian specific word should never even be mentioned in Guix?)

To summarize this bug again:

The Bug:
The container command no longer works, after the commit 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e.

guix environment -C

Additional Information:
Instead of working as it did until the commit, the command now dies with the following error message:

guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

The message "please set /proc/sys/kernel/unprivileged_userns_clone to "1", seems irrelevant to Guix System users as it may only relate to Debian users.
I don't know why this Debian specific message is here in the first place...

Disclaimer :-):
I am assuming this is indeed Debian specific (I tried to install LinuxLinux (the Guix default) but failed - my AMD graphics card won't allow me to even boot, unless I use regular Linux.)

I scanned for the phrase in LinuxLibre source code but there was no mention of it:

~/Downloads$ tar -xf linux-libre-5.9.12-gnu.tar.xz
~/Downloads$ cd linux-5.9.12/
~/Downloads/linux-5.9.12$ rg -i unprivileged_userns_clone

Just FYI: the problem phrase is indeed found in the Debian Kernel Patch:

~/co/debian$ rg -i unprivileged_userns_clone
linux/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
25:+extern int unprivileged_userns_clone;
27:+#define unprivileged_userns_clone 0
36:+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
47:+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
65:+extern int unprivileged_userns_clone;
77:+ .procname = "unprivileged_userns_clone",
78:+ .data = &unprivileged_userns_clone,
96:+int unprivileged_userns_clone;

Cheers,
Yasu

commit 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e
Author: Paul Garlick <pgarlick@tourbillion-technology.com>
Date:   Thu Dec 3 16:00:18 2020 +0000

    linux-container: Correct test for unprivileged user namespace support.

    Fixes ;.
    Reported by Paul Garlick <pgarlick@tourbillion-technology.com>.

    * gnu/build/linux-container.scm (unprivileged-user-namespace-supported?):
    Return #f when the 'userns-file' does not exist.

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux- container.scmindex 4a8bed5a9a..3870b50907 100644--- a/gnu/build/linux- container.scm+++ b/gnu/build/linux-container.scm@@ -44,7 +44,7 @@ (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists? userns-file) (eqv? #\1 (call-with-input-file userns-file read- char))- #t)))+ #f)))

On Sat, 2020-12-05 at 09:20 +0900, yasu wrote:
> Hi Pj,
>
> Thank you for your reply (and your wonderful Hacking Guide
> https://gitlab.com/pjotrp/guix-notes/blob/master/HACKING.org)!
>
> I tried the command and it didn't work...
>
> I use Guix System (not a foreign distribution) as described at the
> bottom
>
> -Yasu
>
> On Fri, 2020-12-04 at 19:55 +0100, Pjotr Prins wrote:
> > On Fri, Dec 04, 2020 at 05:32:08PM +0100, zimoun wrote:
> > > Have you tried to do the recommendation?
> > >
> > >      please set /proc/sys/kernel/unprivileged_userns_clone to "1"
> >
> > As root:
> >
> > echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >
> > Yes, it is common on Debian and such.
> >
> > Pj.
>
> root@guix ~# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> root@guix ~# guix system describe
> Generation 5631  Dec 05 2020 09:09:16  (current)
>   file name: /var/guix/profiles/system-5631-link
>   canonical file name: /gnu/store/qqzk4kvrhxjcia3hcq3xqrcdi36azzz9-system
>   label: GNU with Linux 5.9.12
>   bootloader: grub-efi
>   root device: label: "my-root"
>   kernel: /gnu/store/9a93vpq4aa1c3adiaaa3blwc18r9r7zz-linux-5.9.12/bzImage
>   channels:
>     guix:
>       repository URL: https://git.savannah.gnu.org/git/guix.git
>       branch: master
>       commit: 86d635b85035086d21c319f31f628761df5c82e5
>     nonguix:
>       repository URL: https://gitlab.com/nonguix/nonguix
>       branch: master
>       commit: b08ea529d4d36468b20ef4aff6dc87b3de0eff70
>     guix-chromium:
>       repository URL: https://gitlab.com/mbakke/guix-chromium.git
>       branch: master
>       commit: 2de450b92e5f2624d4f964407686934e22239f7b
>   configuration file: /gnu/store/hlma107m2004g6qq00ihm190am5mh9z0-configuration.scm

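Review bot: in the gnu/build/linux-container.scm hunk (`@@ -44,7 +44,7 @@`), the else branch of `(if (file-exists? userns-file) ...)` now returns `#f`, so a kernel that simply does not provide /proc/sys/kernel/unprivileged_userns_clone is reported as unable to create user namespaces. The visible code only establishes that the file is absent, not that namespace creation would fail, and neither the old `#t` nor the new `#f` is justified by a comment. Suggest documenting which kernels expose this file and treating its absence as "unknown", leaving the decision to the actual attempt to create the namespace.
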

From: Tobias Geerinckx-Rice
To: control@debbugs.gnu.org
Date: Sun, 06 Dec 2020 16:49:48 +0100

merge 45066 45069


From: Tobias Geerinckx-Rice
To: yasu
Cc: 45069@debbugs.gnu.org, bug-guix@gnu.org, zimon.toutoune@gmail.com, pgarlick@tourbillion-technology.com, Guix Devel, pjotr.public12@thebird.nl
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Sun, 06 Dec 2020 17:16:41 +0100

yasu wrote:
> Now, I don't use Debian at all (I use Guix System) and do you think
> this is a Bug in Guix (in that this Debian specific word should never
> even be mentioned in Guix?)

It's not Debian-specific.  It is a bug in Guix.

It should try to create a namespace and properly report an error iff that fails, not prematurely abort after farting about in /proc.

A separate unprivileged-user-namespace-supported? is broken by design.  Reverting commit 8bc5ca5 works around this but it wasn't to blame.

Kind regards,

T G-R

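The approach described in Tobias Geerinckx-Rice's reply (attempt the namespace and report the real error), set beside the file probe from the quoted hunk. This is an added example in C, not Guix's own code (which is Guile Scheme); the function names sysctl_probe, try_create_userns and userns_hint are hypothetical, and the raw unshare system call is used so the example does not depend on glibc feature macros.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* same value as in <linux/sched.h> */
#endif

/* Path quoted in the thread; absent on kernels without the Debian patch. */
#define USERNS_SYSCTL "/proc/sys/kernel/unprivileged_userns_clone"

/* File-based probe shaped like the quoted hunk.  `if_missing` is the
   answer given when the file does not exist: 1 mirrors the code before
   the commit (#t), 0 mirrors the code after it (#f). */
int sysctl_probe(const char *path, int if_missing)
{
    if (access(path, F_OK) != 0)
        return if_missing;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    int c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Attempt the real operation in a throw-away child so the caller's own
   namespaces stay untouched.  Returns 0 on success, otherwise the errno
   reported by unshare(2), pipe(2) or fork(2); EIO if the child died
   before it could report. */
int try_create_userns(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0) {
        int e = errno;
        close(fds[0]);
        close(fds[1]);
        return e;
    }
    if (pid == 0) { /* child: single-threaded, safe to unshare */
        close(fds[0]);
        int err = 0;
        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0)
            err = errno;
        ssize_t n = write(fds[1], &err, sizeof err);
        _exit(n == (ssize_t)sizeof err ? 0 : 1);
    }

    close(fds[1]);
    int err = EIO;
    ssize_t n;
    do {
        n = read(fds[0], &err, sizeof err);
    } while (n < 0 && errno == EINTR);
    if (n != (ssize_t)sizeof err)
        err = EIO;
    close(fds[0]);
    while (waitpid(pid, NULL, 0) < 0 && errno == EINTR)
        ;
    return err;
}

/* Build the user-facing hint from the actual errno.  The sysctl is only
   mentioned when it exists on the running kernel. */
const char *userns_hint(int err, const char *sysctl_path)
{
    if (err == 0)
        return "user namespaces available";
    if (err == EPERM && access(sysctl_path, F_OK) == 0)
        return "permission denied; check the unprivileged_userns_clone sysctl";
    if (err == EPERM)
        return "permission denied (chroot or other policy)";
    if (err == EINVAL || err == ENOSYS)
        return "kernel lacks user namespace support";
    if (err == ENOSPC || err == EUSERS)
        return "user namespace limit reached (user.max_user_namespaces)";
    return strerror(err);
}

int main(void)
{
    printf("file probe, missing file => #t (before the commit): %d\n",
           sysctl_probe(USERNS_SYSCTL, 1));
    printf("file probe, missing file => #f (after the commit):  %d\n",
           sysctl_probe(USERNS_SYSCTL, 0));
    int err = try_create_userns();
    printf("actual attempt: %s\n", userns_hint(err, USERNS_SYSCTL));
    return err == 0 ? 0 : 1;
}
```

On a kernel without the sysctl file, the two file probes disagree with each other while the actual attempt gives the only answer that matters.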

From: zimoun
To: yasu, bug-guix@gnu.org, pgarlick@tourbillion-technology.com, Pjotr Prins
Cc: Guix Devel
Subject: Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Sun, 06 Dec 2020 17:56:56 +0100

Hi,

Please try the recommendation.  Have you tried it?

    please set /proc/sys/kernel/unprivileged_userns_clone to "1"

As root, you just do:

    echo 1 > /proc/sys/kernel/unprivileged_userns_clone

then “guix environment -C” should work as expected.  To do the trick automatically with Shepherd, I do not know, but I am sure that the systemd equivalent

    echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
    sysctl --system

seems doable with Guix System.

On my system, and I need explanations if it does not work similarly on yours, I simply do:

--8<---------------cut here---------------start------------->8---
$ guix environment -C --ad-hoc hello -- hello
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

$ su -
Password:
# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
# logout

$ guix environment -C --ad-hoc hello -- hello
Hello, world!
--8<---------------cut here---------------end--------------->8---

Hope that helps,
simon


From: yasu
To: zimoun, bug-guix@gnu.org, pgarlick@tourbillion-technology.com, Pjotr Prins
Cc: Guix Devel
Subject: Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 05:51:05 +0900

Hi Zimoun,

I tried as you suggested but it didn't work...

root@guix ~# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
-bash: /etc/sysctl.d/local.conf: No such file or directory
root@guix ~# sysctl --system
root@guix ~# logout
~$ guix environment -C
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

Now, if this posting were to be believed, I think this term kernel.unprivileged_userns_clone is specific to Debian Linux, and does not exist outside of that circle.

It disables a bit of "hardening" that Debian patches into their distribution kernel. If you're not running such a kernel, it will fail and not do anything, as such a setting doesn't even exist in the mainline Linux kernel.

I wonder how this term came in to Guix in the first place?

-Yasu

On Sun, 2020-12-06 at 17:56 +0100, zimoun wrote:
> Hi,
>
> Please try the recommendation.  Have you tried it?
>
>     please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> As root, you just do:
>
>     echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> then “guix environment -C” should work as expected.  To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
>
>     echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
>     sysctl --system
>
> seems doable with Guix System.
>
> On my system, and I need explanations if it does not work similarly on
> yours, I simply do:
>
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello
> guix environment: error: cannot create container: unprivileged user cannot create user namespaces
> guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> # logout
>
> $ guix environment -C --ad-hoc hello -- hello
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
>
> Hope that helps,
> simon

FWfb4i3w1KL2BaSutd9PmiVy+A0BJHuI0UQu8lY= X-Google-Smtp-Source: ABdhPJwYB2uD+Y79eEPkXlmQD4ie+dbBhilTKFVprop1VK95lArPQb3KdHQ0W0P7+u7S4t+zYPfle3cWYSzXEJGSxZU= X-Received: by 2002:a05:651c:2dc:: with SMTP id f28mr1496659ljo.13.1607288104216; Sun, 06 Dec 2020 12:55:04 -0800 (PST) MIME-Version: 1.0 References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com> In-Reply-To: <86eek2an53.fsf@gmail.com> From: Jesse Dowell Date: Sun, 6 Dec 2020 15:54:52 -0500 Message-ID: Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces To: zimoun Content-Type: multipart/alternative; boundary="00000000000080eac605b5d1eca8" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 45069 Cc: yasu@yasuaki.com, Guix Devel , pjotr.public12@thebird.nl, 45069@debbugs.gnu.org, pgarlick@tourbillion-technology.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --00000000000080eac605b5d1eca8 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi All, I believe the recommended suggestion is Debian specific is it not? My kernel supports user namespaces and doesn't expose that file at that location. The only way I can work around the issue is to downgrade guix to the commit on the master branch right before 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e guix pull --commit=3D0d5d1bdf911659f60601058e8e1678187b7ba664 --allow-downgrades Best, Jesse On Sun, Dec 6, 2020 at 12:03 PM zimoun wrote: > Hi, > > Please try the recommendation. Have you tried it? 
> > please set /proc/sys/kernel/unprivileged_userns_clone to "1" > > As root, you just do: > > echo 1 > /proc/sys/kernel/unprivileged_userns_clone > > then =E2=80=9Cguix environment -C=E2=80=9D should work as expected. To d= o the trick > automatically with Sheperd, I do not know, but I am sure that the > systemd equivalent > > echo "kernel.unprivileged_userns_clone =3D 1" > /etc/sysctl.d/local.con= f > sysctl --system > > seems doable with Guix System. > > > On my system, and I need explanations if it does not work similarly on > yours, I simply do: > > --8<---------------cut here---------------start------------->8--- > $ guix environment -C --ad-hoc hello -- hello > guix environment: error: cannot create container: unprivileged user canno= t > create user namespaces > guix environment: error: please set > /proc/sys/kernel/unprivileged_userns_clone to "1" > > $ su - > Password: > # echo 1 > /proc/sys/kernel/unprivileged_userns_clone > # logout > > $ guix environment -C --ad-hoc hello -- hello > Hello, world! > --8<---------------cut here---------------end--------------->8--- > > Hope that helps, > simon > > > > --00000000000080eac605b5d1eca8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
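As an added example (not code from Guix or from anyone in this thread), the shell function below classifies a sysctl tree along the lines the two messages above describe: the Debian file is consulted only when it exists, and the mainline `user.max_user_namespaces` limit, which the thread does not mention, is checked as well. The function names, the `ROOT` argument and the sample trees with the value 63304 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Guix code: report what a sysctl tree says about
# unprivileged user namespaces.

# Print a sysctl file's content with all whitespace removed.
read_knob() {
    tr -d '[:space:]' < "$1"
}

# userns_policy [ROOT]   (ROOT defaults to /proc/sys)
#   prints one line starting with "allowed:", "blocked:" or "unknown:"
#   returns 0 = allowed, 1 = blocked, 2 = cannot tell
userns_policy() {
    root=${1:-/proc/sys}
    distro_knob=$root/kernel/unprivileged_userns_clone  # Debian/Ubuntu patch
    limit_knob=$root/user/max_user_namespaces           # mainline limit
    limit=

    # A limit of 0 forbids creating user namespaces, whatever the
    # distribution knob says.
    if [ -r "$limit_knob" ]; then
        limit=$(read_knob "$limit_knob")
        case $limit in
            ''|*[!0-9]*)
                echo "unknown: cannot parse user.max_user_namespaces"
                return 2 ;;
        esac
        if [ "$limit" -eq 0 ]; then
            echo "blocked: user.max_user_namespaces=0"
            return 1
        fi
    fi

    # The Debian knob is authoritative only where it exists.
    if [ -e "$distro_knob" ]; then
        case $(read_knob "$distro_knob") in
            1) echo "allowed: kernel.unprivileged_userns_clone=1"; return 0 ;;
            0) echo "blocked: kernel.unprivileged_userns_clone=0"; return 1 ;;
            *) echo "unknown: cannot parse kernel.unprivileged_userns_clone"
               return 2 ;;
        esac
    fi

    # Knob absent: not an error, the kernel simply lacks the patch.
    if [ -n "$limit" ]; then
        echo "allowed: no distribution knob, user.max_user_namespaces=$limit"
        return 0
    fi
    echo "unknown: no user-namespace sysctl under $root"
    return 2
}

# make_tree DIR DISTRO_VALUE LIMIT_VALUE
# Build a constructed sysctl tree; "-" leaves the file out.
make_tree() {
    mkdir -p "$1/kernel" "$1/user"
    [ "$2" = "-" ] || printf '%s\n' "$2" > "$1/kernel/unprivileged_userns_clone"
    [ "$3" = "-" ] || printf '%s\n' "$3" > "$1/user/max_user_namespaces"
}

# Run the classifier over constructed trees that mirror the cases in the
# thread, then over the real /proc/sys of this host.
demo() {
    tmp=$(mktemp -d) || return 1
    make_tree "$tmp/debian-hardened" 0 63304   # Debian kernel, knob at 0
    make_tree "$tmp/debian-relaxed"  1 63304   # after "echo 1 > ..."
    make_tree "$tmp/no-knob"         - 63304   # file absent, as reported
    make_tree "$tmp/limit-zero"      1 0       # mainline limit set to 0
    for name in debian-hardened debian-relaxed no-knob limit-zero; do
        printf '%-16s %s\n' "$name" "$(userns_policy "$tmp/$name")"
    done
    rm -rf "$tmp"
}

demo
printf '%-16s %s\n' "this-host" "$(userns_policy)"
```

A result of `allowed` only means that no sysctl forbids the call; a seccomp filter or an LSM policy can still refuse it.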

I confirm this is fixed. Thank GNU and Guix!! 😄😄

> On Dec 7, 2020, at 06:03, help-debbugs@gnu.org wrote:
>
> Your bug report
>
> #45066: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
>
> which was filed against the guix package, has been closed.
>
> The explanation is attached below, along with your original report.
> If you require more details, please reply to 45069@debbugs.gnu.org.
>
> --
> 45066: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45066
> GNU Bug Tracking System
> Contact help-debbugs@gnu.org with problems

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 06:58:08 2020
From: Pierre Neidhardt
To: Jesse Dowell, zimoun
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 12:57:58 +0100

Hi!

I can reproduce the issue since I 'reconfigure'd my Guix System.
I'm on cebfb29abb151ede95696181d2446c63504593d7.

Guix' bug?

-- 
Pierre Neidhardt
https://ambrevar.xyz/

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 07:29:48 2020
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
From: Paul Garlick
To: Pierre Neidhardt, Jesse Dowell, zimoun
Date: Mon, 07 Dec 2020 12:29:42 +0000

Hi Pierre,

Can you try, as root on Guix System:

$ echo 1 > /proc/sys/kernel/unprivileged_userns_clone

If you could report success or failure that would be helpful; the
unprivileged-user-namespace-supported? test in
gnu/build/linux-container.scm should be the same irrespective of the
underlying distribution (Debian, CentOS, Guix System ...).

Best regards,

Paul.

On Mon, 2020-12-07 at 12:57 +0100, Pierre Neidhardt wrote:
> Hi!
>
> I can reproduce the issue since I 'reconfigure'd my Guix System.
> I'm on cebfb29abb151ede95696181d2446c63504593d7.
>
> Guix' bug?

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 07:41:43 2020
From: Yasuaki Kudo
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 7 Dec 2020 21:41:32 +0900
To: Paul Garlick

Just FYI (sorry to interject), my original email was stripped of html
elements? anyway, I was referring to this link

https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do#comment442083_209533

-Yasu

> On Dec 7, 2020, at 21:31, Paul Garlick wrote:
>
> Hi Pierre,
>
> Can you try, as root on Guix System:
>
> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> If you could report success or failure that would be helpful; the
> unprivileged-user-namespace-supported? test in
> gnu/build/linux-container.scm should be the same irrespective of the
> underlying distribution (Debian, CentOS, Guix System ...).
>
> Best regards,
>
> Paul.
>
>> On Mon, 2020-12-07 at 12:57 +0100, Pierre Neidhardt wrote:
>> Hi!
>>
>> I can reproduce the issue since I 'reconfigure'd my Guix System.
>> I'm on cebfb29abb151ede95696181d2446c63504593d7.
>>
>> Guix' bug?

= --Apple-Mail-C51CEC77-DB62-4B83-A703-8AF303F29ED9-- From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 08:32:04 2020 Received: (at 45069) by debbugs.gnu.org; 7 Dec 2020 13:32:04 +0000 Received: from localhost ([127.0.0.1]:52890 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmGcW-0000VW-BG for submit@debbugs.gnu.org; Mon, 07 Dec 2020 08:32:04 -0500 Received: from mail-wm1-f52.google.com ([209.85.128.52]:53225) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmGcT-0000UR-0q for 45069@debbugs.gnu.org; Mon, 07 Dec 2020 08:32:03 -0500 Received: by mail-wm1-f52.google.com with SMTP id a6so11477094wmc.2 for <45069@debbugs.gnu.org>; Mon, 07 Dec 2020 05:32:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:in-reply-to:references:date:message-id :mime-version; bh=WpIo4C2zZ5JMxg2h7ojvqIPfCuKEZ2gBmAl1rvHF+ys=; b=S8/djVhvLxMAB0sojrKCQgOpM33HnN+BZCEWBDArzJCnG25Ypp8x8iJOE5KzwZttLA /MqCcbO+eifBQf7veKp3v/3SgEcc5uj0DugLSkJ9TRhdmtg07hsl4UrNIHEnvznHtNGM DJETu9nQbTiiS3eigcfbeKL85LkcRfmBDgPMjFxuPgGe0gVrznWVe+YlUxhOhgzoWS1D YfDN1f9opgxBdbgb6jIiRncrXzFprQoTqIRXVMhkorQWcTtPay9y9+CPflJjDm4t+uYD 7jq1cTz46LJMpU8cenoBBbExqtrtv/aQ+xPX8XsT6dYmat+wPVWmuwodUB6AmxH3wYhl Zjfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=WpIo4C2zZ5JMxg2h7ojvqIPfCuKEZ2gBmAl1rvHF+ys=; b=NNPWoFQfyK3d6j4xNdacJbprI0jyxFmtFk/m/513WxIuwDAEXT8v353p3hLDsh2MZa odIwsF1ATkWj5GTzYduZCOPKfOPYw3H8TOGXob6VHhL+R8qogS+fstIXCyAdeaXyfCii 88ns9oR6+Kn6+ATKkL7y3cOo1KlYgtsfQwHaIA6wUfz/Arv+N3GcLBjwH/2YbGs9OXVR bu7MQX2DgT7c/9HM5nTu7ftunn+aH6O22j7k7xLBGKR+N/hX3gmH5GUko9Wao9rmmjeM LtMPOTmlaLnyq9ynYKeZjq5bOsAUDR/DxhwSEuYXR13+0EKZaMqsBSU92/FDATilfbla FsUg== X-Gm-Message-State: AOAM530xYxF20adPq+0rUDP0XkMjPqhr/BGH79bQawmvx6uG31px3qE4 LtSE6i1yGvX9wLdyTu8d4ng= X-Google-Smtp-Source: 
ABdhPJwEhFdnM6scVzPIzo09FF0eNn2XXAga9QfWhk8rGnPiIHmZ6P4UZote1XcBwcHYuowXKcOTlA== X-Received: by 2002:a1c:8016:: with SMTP id b22mr9285696wmd.135.1607347914958; Mon, 07 Dec 2020 05:31:54 -0800 (PST) Received: from lili ([2a01:e0a:59b:9120:65d2:2476:f637:db1e]) by smtp.gmail.com with ESMTPSA id j7sm14355564wmb.40.2020.12.07.05.31.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 07 Dec 2020 05:31:54 -0800 (PST) From: zimoun To: Pierre Neidhardt , Jesse Dowell Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces In-Reply-To: <87wnxtx1yx.fsf@ambrevar.xyz> References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com> <87wnxtx1yx.fsf@ambrevar.xyz> Date: Mon, 07 Dec 2020 14:26:21 +0100 Message-ID: <86o8j57nnm.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hi Pierre, On Mon, 07 Dec 2020 at 12:57, Pierre Neidhardt wrote: > Guix' bug? 
Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (zimon.toutoune[at]gmail.com) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.52 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.3 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: ambrevar.xyz (xyz)] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.52 listed in wl.mailspike.net] X-Debbugs-Envelope-To: 45069 Cc: Guix Devel , 45069@debbugs.gnu.org, pgarlick@tourbillion-technology.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) Hi Pierre, On Mon, 07 Dec 2020 at 12:57, Pierre Neidhardt wrote: > Guix' bug? You get something as: $ guix environment -C guix guix environment: error: cannot create container: unprivileged user cannot create user namespaces guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1" right? Have you tried to do the recommendation? please set /proc/sys/kernel/unprivileged_userns_clone to "1" in other words, as root: # echo 1 > /proc/sys/kernel/unprivileged_userns_clone $ guix environment -C --ad-hoc hello -- hello and report. 
Thanks, simon From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 12:14:00 2020 Received: (at 45069) by debbugs.gnu.org; 7 Dec 2020 17:14:00 +0000 Received: from localhost ([127.0.0.1]:55360 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmK5H-0002dN-Sv for submit@debbugs.gnu.org; Mon, 07 Dec 2020 12:14:00 -0500 Received: from relay2-d.mail.gandi.net ([217.70.183.194]:65415) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmK5F-0002d9-Ba for 45069@debbugs.gnu.org; Mon, 07 Dec 2020 12:13:58 -0500 X-Originating-IP: 90.92.160.122 Received: from bababa (lfbn-idf2-1-1094-122.w90-92.abo.wanadoo.fr [90.92.160.122]) (Authenticated sender: mail@ambrevar.xyz) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 069F04000A; Mon, 7 Dec 2020 17:13:49 +0000 (UTC) From: Pierre Neidhardt To: Paul Garlick , Jesse Dowell , zimoun Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces In-Reply-To: <1f56aef4d7b707826f34413672408e33385bbc6a.camel@tourbillion-technology.com> References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com> <87wnxtx1yx.fsf@ambrevar.xyz> <1f56aef4d7b707826f34413672408e33385bbc6a.camel@tourbillion-technology.com> Date: Mon, 07 Dec 2020 18:13:48 +0100 Message-ID: <87tusxwncj.fsf@ambrevar.xyz> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Spam-Score: 1.8 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. 
Content preview: Hi Paul, > Can you try, as root on Guix System: > > $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone # echo 1 > /proc/sys/kernel/unprivileged_userns_clone -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory Content analysis details: (1.8 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [217.70.183.194 listed in wl.mailspike.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.3 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: ambrevar.xyz (xyz)] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [217.70.183.194 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD X-Debbugs-Envelope-To: 45069 Cc: Guix Devel , 45069@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.8 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. 
Content preview: Hi Paul, > Can you try, as root on Guix System: > > $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone # echo 1 > /proc/sys/kernel/unprivileged_userns_clone -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory Content analysis details: (1.8 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [217.70.183.194 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [217.70.183.194 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.3 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: ambrevar.xyz (xyz)] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager 1.0 BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi Paul, > Can you try, as root on Guix System: > > $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone # echo 1 > /proc/sys/kernel/unprivileged_userns_clone =2Dbash: /proc/sys/kernel/unprivileged_userns_clone: No such file or direct= ory =2D-=20 Pierre Neidhardt https://ambrevar.xyz/ --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQFGBAEBCAAwFiEEUPM+LlsMPZAEJKvom9z0l6S7zH8FAl/OYswSHG1haWxAYW1i cmV2YXIueHl6AAoJEJvc9Jeku8x/CQ0IAJ/y6XI7PhhTlD8wVirpVMybv6HqFJnh CPLgMYiJxjt02o1+MIrFG1UZeu1eP56mmGkGNqXZui/zHCOZfc9GecblzNFSbBjy yR4jFp4ML4p+taFlaHkN8Do3qWMFGhKV1gClpvCuSe7s/uliqmxpmiNIen+mUGJf eTn7wZoJwlJ1MNt+6QW+oE5yaEwHzCnPer/Q/qvGvIkzMWZAM7zlvilRhdr6B7IF wb2O0K5TLzUGgBpgQvNyep0uQfGILPCbPV5uRdM0z8Ai2UvZnKdVyfyLv54HrtNY 8B9PM/T/PSZZBrVb97lbHiBrSaAnt7AK+IC61RRWipq06ywsww9aDKA= =Vxad -----END PGP SIGNATURE----- --=-=-=-- From 
debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 12:45:03 2020 Received: (at 45069) by debbugs.gnu.org; 7 Dec 2020 17:45:03 +0000 Received: from localhost ([127.0.0.1]:55444 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmKZL-0007ii-6K for submit@debbugs.gnu.org; Mon, 07 Dec 2020 12:45:03 -0500 Received: from mail-wm1-f48.google.com ([209.85.128.48]:54622) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmKZI-0007gQ-QU for 45069@debbugs.gnu.org; Mon, 07 Dec 2020 12:45:02 -0500 Received: by mail-wm1-f48.google.com with SMTP id d3so17643wmb.4 for <45069@debbugs.gnu.org>; Mon, 07 Dec 2020 09:45:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:in-reply-to:references:date:message-id :mime-version; bh=f/d3u1WuRFo9SYKW56sfQQM+adn3buv/hpTUikDYTO0=; b=r195UT+/NoJGy7Zku7NaabWGnj+6oaD/XtlcJjOpW+UQyjG8Vsx5pnwh1K1XYWYno6 OPMB0UeoHBLNVsGPLqjbsVoN45hg5NzWaa+IYcf09Um/Tuy33hHmCKB+XEIyh+Ek05YU Wp6ne6czPh2qN6/4pxrAwQNtl/og9EJDg7y/cBpeQ/nxwlCcZ9KxfKOk+3elqPElbF1k /3NuF8OyYdCfdkb1I3v09s96s7g11CkSMjwdjNfJQVmO+qHZnJoLV/CaliyMvAERkIA9 8CqrPyN6CNUCTyu2L2eA+qaSaAydt52pFrSfTQcMzrN/vGwdagwN5HHfN0Y6WQoVcxdd p2Kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=f/d3u1WuRFo9SYKW56sfQQM+adn3buv/hpTUikDYTO0=; b=W0NDa9iZr1TAsTO6l9E5hZNhl8lW0HPNMtVSwrcqMg8tHaAy4/D39jL0nhrg//W8GJ U9D9xi8BALgxLDPvVEa56Bw/4AKY0vnPpoawiRu967yQQ/thR+HNhpW9Pb9hUAatgiGn +MvtFUHWUaBPowYM0C9Gt1Mid5YWe4UqHN9sy3kUSNWCJt4pZsvkBOmq74xMZbkLVVOW tZv9xxEHWAovTPqXG2RF38SVNl+xeta5iagzBTafIFlev28hvDmT6rb9nkDH0Z5Hl202 fm9rzynk6v8TEl27opMVtz1fM/L60I1GFOuqY3mANY77oQKFILqvvIp953uQcNf07Elq h8QA== X-Gm-Message-State: AOAM531QIagq67QUywMVMwWwTXXSvk+5koUdAlwq0oec5MIaq21ZAwtK bpG13xYz0vjLq7TNR71ULxg= X-Google-Smtp-Source: 
ABdhPJzWvvI2ej7CDYry5pDGHOaEJOamNgfzEXOmLBttxBm22iXwf6cRxeQHqsrS0VF+BCON8DRN+A== X-Received: by 2002:a1c:f20e:: with SMTP id s14mr19400646wmc.126.1607363094825; Mon, 07 Dec 2020 09:44:54 -0800 (PST) Received: from lili ([2a01:e0a:59b:9120:65d2:2476:f637:db1e]) by smtp.gmail.com with ESMTPSA id z11sm16230238wmc.39.2020.12.07.09.44.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 07 Dec 2020 09:44:54 -0800 (PST) From: zimoun To: Ludovic =?utf-8?Q?Court=C3=A8s?= , Marius Bakke Subject: bug#45069: Guix System: unprivileged user cannot create user namespaces? In-Reply-To: <87tusxwncj.fsf@ambrevar.xyz> References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com> <87wnxtx1yx.fsf@ambrevar.xyz> <1f56aef4d7b707826f34413672408e33385bbc6a.camel@tourbillion-technology.com> <87tusxwncj.fsf@ambrevar.xyz> Date: Mon, 07 Dec 2020 18:35:28 +0100 Message-ID: <86ft4h5xjz.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hi, On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt wrote: >> Can you try, as root on Guix System: >> >> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone > > # echo 1 > /proc/sys/kernel/unprivileged_userns_clone > -bash: /proc/sys/kernel/unprivileged_use [...] 
Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (zimon.toutoune[at]gmail.com) 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.3 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: ambrevar.xyz (xyz)] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.48 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.48 listed in wl.mailspike.net] X-Debbugs-Envelope-To: 45069 Cc: Guix Devel , Pierre Neidhardt , 45069@debbugs.gnu.org, Paul Garlick , Jesse Dowell X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) Hi, On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt wrote: >> Can you try, as root on Guix System: >> >> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone > > # echo 1 > /proc/sys/kernel/unprivileged_userns_clone > -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory In gnu/build/linux-container.scm, it reads: --8<---------------cut here---------------start------------->8--- (define (unprivileged-user-namespace-supported?) "Return #t if user namespaces can be created by unprivileged users." (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists? userns-file) (eqv? #\1 (call-with-input-file userns-file read-char)) #t))) --8<---------------cut here---------------end--------------->8--- Does it mean that the Linux kernel on Guix System does not support namespaces by unprivileged users? Turning #t to #f should work on Guix System and it appears to me a severe bug if not. What do I miss? 
Please could someone fill my gap? :-) All the best, simon From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 07 12:56:01 2020 Received: (at 45069) by debbugs.gnu.org; 7 Dec 2020 17:56:01 +0000 Received: from localhost ([127.0.0.1]:55458 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmKjx-0001cZ-3N for submit@debbugs.gnu.org; Mon, 07 Dec 2020 12:56:01 -0500 Received: from cascadia.aikidev.net ([173.255.214.101]:47502) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kmKjv-0001cM-IY for 45069@debbugs.gnu.org; Mon, 07 Dec 2020 12:55:59 -0500 Received: from localhost (unknown [IPv6:2600:3c01:e000:21:21:21:0:100b]) (Authenticated sender: vagrant@cascadia.debian.net) by cascadia.aikidev.net (Postfix) with ESMTPSA id 5B0A11AA41; Mon, 7 Dec 2020 09:55:53 -0800 (PST) From: Vagrant Cascadian To: zimoun , Ludovic =?utf-8?Q?Court=C3=A8s?= , Marius Bakke Subject: Re: bug#45069: Guix System: unprivileged user cannot create user namespaces? In-Reply-To: <86ft4h5xjz.fsf@gmail.com> References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com> <87wnxtx1yx.fsf@ambrevar.xyz> <1f56aef4d7b707826f34413672408e33385bbc6a.camel@tourbillion-technology.com> <87tusxwncj.fsf@ambrevar.xyz> <86ft4h5xjz.fsf@gmail.com> Date: Mon, 07 Dec 2020 09:55:31 -0800 Message-ID: <87eek1sdpo.fsf@yucca> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. 

On 2020-12-07, zimoun wrote:
> On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt wrote:
>
>>> Can you try, as root on Guix System:
>>>
>>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
>
> In gnu/build/linux-container.scm, it reads:
>
> --8<---------------cut here---------------start------------->8---
> (define (unprivileged-user-namespace-supported?)
>   "Return #t if user namespaces can be created by unprivileged users."
>   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
>     (if (file-exists? userns-file)
>         (eqv? #\1 (call-with-input-file userns-file read-char))
>         #t)))
> --8<---------------cut here---------------end--------------->8---
>
> Does it mean that the Linux kernel on Guix System does not support
> namespaces by unprivileged users?

> Turning #t to #f should work on Guix System and it appears to me a
> severe bug if not. What do I miss? Please could someone fill my gap? :-)

The /proc/sys/kernel_unprivileged_userns_clone file is specific to
Debian and Ubuntu packaged linux kernel; it is a patchset not applied
upstream, as far as I am aware. I'm not sure if other distros support
disabling and enabling this feature using this mechanism.

https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

live well,
  vagrant

From: Paul Garlick
To: Pierre Neidhardt, Jesse Dowell, zimoun
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 19:50:49 +0000

Hi Pierre,

> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or
> directory

Thanks, that gives us a clue. So all or part of the path
'/proc/sys/kernel' is missing?

Best regards,

Paul.

From: zimoun
To: Vagrant Cascadian, Ludovic Courtès, Marius Bakke
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?
Date: Mon, 07 Dec 2020 21:03:58 +0100

Hi Vagrant,

Sorry if I am naive, I am trying to understand and it appears that
pieces are missing in my bag. :-)

On Mon, 07 Dec 2020 at 09:55, Vagrant Cascadian wrote:

> The /proc/sys/kernel_unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.

Thanks. I still do not understand the message from Guix System:

--8<---------------cut here---------------start------------->8---
~/co/guix (master)$ guix environment -C guix
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
--8<---------------cut here---------------end--------------->8---

(see )

Why does this appear if «set /proc/sys/kernel/unprivileged_userns_clone to "1"»
does not make sense on Guix System?
Then Tobias answered:

(see )

    yasu wrote:
    > Now, I don't use Debian at all (I use Guix System) and do you think
    > this is a Bug in Guix (in that this Debian specific word should never
    > even be mentioned in Guix?)

    It's not Debian-specific. It is a bug in Guix.

    It should try to create a namespace and properly report an error
    iff that fails, not prematurely abort after farting about in
    /proc.

    A separate unprivileged-user-namespace-supported? is broken by
    design. Reverting commit 8bc5ca5 works around this but it wasn't
    to blame.

so I miss why does a similar patch as,

> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

is not applied to Guix System? Is it because a technical or else reason
behind? Or is it simply because no one takes the time to fix the
problem?

All the best,
simon

From: Pierre Neidhardt
To: Paul Garlick, Jesse Dowell, zimoun
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 21:35:36 +0100

Hi again,

Paul Garlick writes:

> Thanks, that gives us a clue. So all or part of the path
> '/proc/sys/kernel' is missing?

Nope, my /proc/sys/kernel has 121 direct files and directories :/

--
Pierre Neidhardt
https://ambrevar.xyz/

From: zimoun
To: Pierre Neidhardt, Paul Garlick, Jesse Dowell
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 22:09:58 +0100

Hi,

On Mon, 07 Dec 2020 at 21:35, Pierre Neidhardt wrote:

>> Thanks, that gives us a clue. So all or part of the path
>> '/proc/sys/kernel' is missing?
>
> Nope, my /proc/sys/kernel has 121 direct files and directories :/

Well, it is expected. And now all is clear. Explanations starting
there:

Quickly said, the initial code was assuming Debian-like kernel patches
as Vagrant reported and this is not in the linux-libre source code with
a wrong Guix error message. One bug is still there. :-)

All the best,
simon

From: Bengt Richter
To: Vagrant Cascadian
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?
Date: Tue, 8 Dec 2020 04:20:05 +0100

Hi Vagrant,

On +2020-12-07 09:55:31 -0800, Vagrant Cascadian wrote:
> On 2020-12-07, zimoun wrote:
> > On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt wrote:
> >
> >>> Can you try, as root on Guix System:
> >>>
> >>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >>
> >> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> >
> > In gnu/build/linux-container.scm, it reads:
> >
> > --8<---------------cut here---------------start------------->8---
> > (define (unprivileged-user-namespace-supported?)
> >   "Return #t if user namespaces can be created by unprivileged users."
> >   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> >     (if (file-exists? userns-file)
> >         (eqv? #\1 (call-with-input-file userns-file read-char))
> >         #t)))
> > --8<---------------cut here---------------end--------------->8---
> >
> > Does it mean that the Linux kernel on Guix System does not support
> > namespaces by unprivileged users?
>
> > Turning #t to #f should work on Guix System and it appears to me a
> > severe bug if not. What do I miss? Please could someone fill my gap? :-)
>
> The /proc/sys/kernel_unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.
>
> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
>
> live well,
and as virtuously as you are able ...
so that spies can't help but admire and reflect :)
> vagrant

Another data point FYI:
On my pureos system, which is based on debian upstream:

uname -a
=-> Linux LionPure 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

and

ls -l /proc/sys/kernel/unprivileged_userns_clone
-rw-r--r-- 1 root root 0 Dec 8 03:03 /proc/sys/kernel/unprivileged_userns_clone

and (noticing that the items appear to be short and ascii lines, hence thereupon head :)
--8<---------------cut here---------------start------------->8---
od -a -t x1 /proc/sys/kernel/unprivileged_userns_clone
0000000   0  nl
         30  0a
0000002

head /proc/sys/kernel/unprivileged_userns_clone
0
--8<---------------cut here---------------end--------------->8---

Not sure this tells you anything useful, but there is also:
--8<---------------cut here---------------start------------->8---
head /proc/sys/user/*
==> /proc/sys/user/max_cgroup_namespaces <==
128163

==> /proc/sys/user/max_inotify_instances <==
128

==> /proc/sys/user/max_inotify_watches <==
65536

==> /proc/sys/user/max_ipc_namespaces <==
128163

==> /proc/sys/user/max_mnt_namespaces <==
128163

==> /proc/sys/user/max_net_namespaces <==
128163

==> /proc/sys/user/max_pid_namespaces <==
128163

==> /proc/sys/user/max_user_namespaces <==
128163

==> /proc/sys/user/max_uts_namespaces <==
128163
--8<---------------cut here---------------end--------------->8---

HTH some way :)
--
Regards,
Bengt Richter

From: Pierre Neidhardt
To: Paul Garlick, Jesse Dowell, zimoun
Subject: Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Date: Mon, 04 Jan 2021 10:11:57 +0100

This issue seems to be gone for me with kernel 5.10.x.
I guess it was a kernel bug then.

--
Pierre Neidhardt
https://ambrevar.xyz/
Date: Wed, 6 Jan 2021 11:49:56 +0100
From: raingloom
To: yasu
Subject: Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Message-ID: <20210106114956.0d4027e8@riseup.net>
In-Reply-To: <382923d762cf018ae9d75b3408db75abf296e543.camel@yasuaki.com>
Cc: Guix Devel, Pjotr Prins, bug-guix@gnu.org, pgarlick@tourbillion-technology.com, zimoun

On Mon, 07 Dec 2020 05:51:05 +0900
yasu wrote:

> Hi Zimoun,
>
> I tried as you suggested but it didn't work...
>
>
> root@guix ~# echo "kernel.unprivileged_userns_clone = 1" >
> /etc/sysctl.d/local.conf
> -bash: /etc/sysctl.d/local.conf: No such file or directory

This could mean you have to create the sysctl.d directory. Try running
this:
```
# mkdir -p /etc/sysctl.d/
# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
```

From unknown Fri Jun 20 07:13:24 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 03 Feb 2021 12:24:08 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
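
The sysctl discussed in this thread can be inspected before it is changed. The shell functions below are an added example, not part of the thread or of Guix's own code; the function names and the optional proc-root argument are assumptions of the example, and the fixture values are constructed.

```shell
#!/bin/sh
# Added example: report why unprivileged user namespaces are (not) usable.
# The optional first argument (a /proc-like root) is an assumption of this
# example so the logic can run against constructed fixture trees.

userns_status() {
    proc_root="${1:-/proc}"
    clone_knob="$proc_root/sys/kernel/unprivileged_userns_clone"
    max_knob="$proc_root/sys/user/max_user_namespaces"

    # No user namespace entry at all: the kernel lacks user namespace support.
    if [ ! -e "$proc_root/self/ns/user" ] && [ ! -L "$proc_root/self/ns/user" ]; then
        echo "unsupported"; return 2
    fi
    # Knob carried by some distribution kernels (not upstream); the file is
    # absent elsewhere. Any value other than 1 blocks unprivileged callers.
    if [ -r "$clone_knob" ] && [ "$(cat "$clone_knob")" != "1" ]; then
        echo "blocked: kernel.unprivileged_userns_clone=$(cat "$clone_knob")"
        return 1
    fi
    # Upstream limit: 0 forbids creating any new user namespace.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = "0" ]; then
        echo "blocked: user.max_user_namespaces=0"; return 1
    fi
    echo "allowed"
}

# Build a constructed /proc-like tree for offline checks.
# $1 = target dir, $2 = clone knob value ("-" = file absent), $3 = max value
make_fixture() {
    mkdir -p "$1/self/ns" "$1/sys/kernel" "$1/sys/user"
    : > "$1/self/ns/user"
    [ "$2" = "-" ] || echo "$2" > "$1/sys/kernel/unprivileged_userns_clone"
    echo "$3" > "$1/sys/user/max_user_namespaces"
}

# Report for the running system; a non-zero status is not fatal here.
userns_status || true
```

The exit status is 0 when creation is allowed, 1 when a sysctl blocks it and 2 when the kernel has no user namespace support, so the function can gate a configuration audit as well as a troubleshooting session.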