GNU bug report logs -
#61156
‘guix container exec’ does not actually change PID namespaces
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sun, 29 Jan 2023 21:59:01 UTC
Severity: normal
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 61156 in the body.
You can then email your comments to 61156 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#61156; Package
guix.
(Sun, 29 Jan 2023 21:59:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Sun, 29 Jan 2023 21:59:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Currently, when a Guix program runs in separate user, mount, and PID
namespaces (for example via (guix least-authority)), ‘guix container
exec’ fails badly:
guix container exec 10652 /gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8/bin/sh
guix container: error: process terminated with signal 11
or, similarly:
nsenter --preserve-credentials -U -m -t 10652 -m -U -p -F /gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8/bin/sh
Segmentation fault
Stracing reveals that the child process segfaults immediately after
attempting to read /proc/self/exe:
14111 readlink("/proc/self/exe", 0x7ffccefa29c0, 4096) = -1 ENOENT (No such file or directory)
14111 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xffffffffffffffff} ---
The segfault is due to <https://issues.guix.gnu.org/52671>.
But why isn’t /proc visible in the first place? It *is* definitely
mounted within that process’s namespace, as confirmed here:
$ ls -ld /proc/10652/root/proc
dr-xr-xr-x 326 root root 0 Jan 29 21:55 /proc/10652/root/proc/
The reason is that calling setns(2) on a PID namespace “changes only the
PID namespace that subsequently created child processes of the caller
will be placed in; it does not change the PID namespace of the caller
itself.”
This is why removing ‘-F’ in the ‘nsenter’ command line above solves the
problem.
Conclusion: ’container-excursion’ should fork so that the PID namespace
change takes effect.
Ludo’.
Reply sent
to
Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility.
(Mon, 30 Jan 2023 22:53:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer.
(Mon, 30 Jan 2023 22:53:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 61156-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> skribis:
> The reason is that calling setns(2) on a PID namespace “changes only the
> PID namespace that subsequently created child processes of the caller
> will be placed in; it does not change the PID namespace of the caller
> itself.”
Fixed in 0ef8fe22ed8985c9656835fc25ab3463d55b6669.
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 28 Feb 2023 12:24:07 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 110 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.