GNU bug report logs - #61156
‘guix container exec’ does not actually change PID namespaces

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 29 Jan 2023 21:59:01 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: bug#61156: closed (Re: bug#61156: ‘guix
 container exec’ does not actually change PID
 namespaces)
Date: Mon, 30 Jan 2023 22:53:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#61156: ‘guix container exec’ does not actually change PID namespaces

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 61156 <at> debbugs.gnu.org.

-- 
61156: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61156
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 61156-done <at> debbugs.gnu.org
Subject: Re: bug#61156: ‘guix container exec’ does not actually change PID namespaces
Date: Mon, 30 Jan 2023 23:51:52 +0100

Ludovic Courtès <ludo <at> gnu.org> skribis:

> The reason is that calling setns(2) on a PID namespace “changes only the
> PID namespace that subsequently created child processes of the caller
> will be placed in; it does not change the PID namespace of the caller
> itself.”

Fixed in 0ef8fe22ed8985c9656835fc25ab3463d55b6669.

Ludo’.


[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: ‘guix container exec’ does
 not actually change PID namespaces
Date: Sun, 29 Jan 2023 22:58:54 +0100

Currently, when a Guix program runs in separate user, mount, and PID
namespaces (for example via (guix least-authority)), ‘guix container
exec’ fails badly:

  guix container exec 10652 /gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8/bin/sh
  guix container: error: process terminated with signal 11

or, similarly:

  nsenter --preserve-credentials -U -m  -t 10652 -m -U -p -F /gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8/bin/sh
  Segmentation fault

Stracing reveals that the child process segfaults immediately after
attempting to read /proc/self/exe:

  14111 readlink("/proc/self/exe", 0x7ffccefa29c0, 4096) = -1 ENOENT (No such file or directory)
  14111 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xffffffffffffffff} ---

The segfault is due to <https://issues.guix.gnu.org/52671>.

But why isn’t /proc visible in the first place?  It *is* definitely
mounted within that process’s namespace, as confirmed here:

  $ ls -ld /proc/10652/root/proc
  dr-xr-xr-x 326 root root 0 Jan 29 21:55 /proc/10652/root/proc/

The reason is that calling setns(2) on a PID namespace “changes only the
PID namespace that subsequently created child processes of the caller
will be placed in; it does not change the PID namespace of the caller
itself.”

This is why removing ‘-F’ in the ‘nsenter’ command line above solves the
problem.

Conclusion: ’container-excursion’ should fork so that the PID namespace
change takes effect.

Ludo’.
This bug report was last modified 2 years and 112 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.