GNU bug report logs -
#61690
Failure to mount /sys in nested ‘guix shell’ container
Hi!
As reported by Konrad¹, nested ‘guix shell -C’ fails:
--8<---------------cut here---------------start------------->8---
$ guix shell -CN guix \
--expose=/var/guix/daemon-socket/socket \
--expose=/gnu/store \
-- guix shell -C coreutils -- ls /
guix shell: error: mount: mount "none" on "/tmp/guix-directory.xO3FIx/sys": Operation not permitted
--8<---------------cut here---------------end--------------->8---
Strace shows this:
--8<---------------cut here---------------start------------->8---
17541 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 7
[…]
17551 mount("none", "/tmp/guix-directory.d6rKy1", "tmpfs", 0, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/proc", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/sys", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
--8<---------------cut here---------------end--------------->8---
It does work if the nested ‘guix shell’ uses ‘-CN’ instead of ‘-C’,
thanks to this bit in (gnu build linux-container)
  (mount-file-systems root mounts
                      #:mount-/proc? (memq 'pid namespaces)
                      #:mount-/sys?  (memq 'net namespaces)) ;<---
The reason for this bug seems to be given here:
https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026
It’s not clear whether there’s anything we can do, other than
recommending ‘-CN’ as well in the nested container.
Thoughts?
Ludo’.
¹ https://lists.gnu.org/archive/html/guix-devel/2023-02/msg00027.html
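The failure in the strace above, reduced to a single namespace level as an added example (not code from the report or from Guix): a forked child enters a new user and mount namespace and attempts the same sysfs mount, once without and once with CLONE_NEWNET. The kernel only allows sysfs to be mounted from a user namespace that owns the caller's network namespace, so without CLONE_NEWNET the mount fails with EPERM, which is what ‘-C’ alone hits inside the outer container and what ‘-CN’ avoids. The mount point is a constructed temporary directory under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* In a forked child, enter a new user and mount namespace (plus a new
   network namespace when with_newnet is nonzero), then attempt the same
   sysfs mount the nested 'guix shell -C' performs.  Returns the child's
   mount(2) errno, 0 on success, or -1 when the namespaces could not be
   created at all (e.g. unprivileged user namespaces disabled). */
int sysfs_mount_errno(int with_newnet)
{
    int flags = CLONE_NEWUSER | CLONE_NEWNS | (with_newnet ? CLONE_NEWNET : 0);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(flags) != 0)
            _exit(255);                          /* namespace creation refused */
        char dir[] = "/tmp/sysfs-test-XXXXXX";   /* constructed mount point */
        if (mkdtemp(dir) == NULL)
            _exit(254);
        /* Same flags as the nested guix shell uses in the strace. */
        int rc = mount("none", dir, "sysfs",
                       MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL);
        int err = (rc == 0) ? 0 : errno;
        if (rc == 0)
            umount(dir);
        rmdir(dir);
        _exit(err & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return (code >= 254) ? -1 : code;
}

int main(void)
{
    /* On a stock kernel: EPERM (1) without CLONE_NEWNET, 0 with it. */
    printf("without CLONE_NEWNET: errno %d\n", sysfs_mount_errno(0));
    printf("with    CLONE_NEWNET: errno %d\n", sysfs_mount_errno(1));
    return 0;
}
```

Inside an existing container whose own /sys is partly masked, the second mount can still fail with EPERM because the kernel also requires an existing, fully visible sysfs mount in the caller's mount namespace.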