GNU bug report logs - #77296
Unprivileged guix-daemon doesn't work on Ubuntu 24.04


Package: guix;

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Wed, 26 Mar 2025 20:33:02 UTC

Severity: normal

Tags: moreinfo

To reply to this bug, email your comments to 77296 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Wed, 26 Mar 2025 20:33:02 GMT)

Acknowledgement sent to Efraim Flashner <efraim <at> flashner.co.il>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 26 Mar 2025 20:33:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: bug-guix <at> gnu.org
Cc: ludo <at> gnu.org
Subject: guix fails tests on aarch64 after rootless daemon patches
Date: Wed, 26 Mar 2025 22:32:16 +0200
I bumped the guix package locally and tried to build it on several
architectures. x86_64 and i686 passed, aarch64 failed.  The rest are
still building.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[guix-1.4.0-35.a9239a7.drv.gz (application/x-gunzip, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Mon, 31 Mar 2025 08:35:01 GMT)

Message #8 received at 77296 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 77296 <at> debbugs.gnu.org
Subject: Re: bug#77296: guix fails tests on aarch64 after rootless daemon
 patches
Date: Mon, 31 Mar 2025 10:34:32 +0200
Hi Efraim,

Efraim Flashner <efraim <at> flashner.co.il> skribis:

> I bumped the guix package locally and tried to build it on several
> architectures. x86_64 and i686 passed, aarch64 failed.  The rest are
> still building.

The issue is:

--8<---------------cut here---------------start------------->8---
guix build: error: while setting up the build environment: cannot set loopback interface flags: Operation not permitted

[...]

command "make" "check" failed with status 2
build process 6 exited with status 256
builder for `/gnu/store/8vpl8gv7nmvlpghk9vmx4xs5z3c8dw8j-guix-1.4.0-35.a9239a7.drv' failed with exit code 1
@ build-failed /gnu/store/8vpl8gv7nmvlpghk9vmx4xs5z3c8dw8j-guix-1.4.0-35.a9239a7.drv - 1 builder for `/gnu/store/8vpl8gv7nmvlpghk9vmx4xs5z3c8dw8j-guix-1.4.0-35.a9239a7.drv' failed with exit code 1
--8<---------------cut here---------------end--------------->8---

… coming from this bit in ‘build.cc’:

        if (!fixedOutput) {
            /* Initialise the loopback interface. */
            AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP));
            if (fd == -1) throw SysError("cannot open IP socket");

            struct ifreq ifr;
            strcpy(ifr.ifr_name, "lo");
            ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING;
            if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1)
                throw SysError("cannot set loopback interface flags");

            fd.close();
        }

I don’t see why this would be architecture-dependent but I’ll
investigate.

Thanks,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Mon, 31 Mar 2025 13:06:02 GMT)

Message #11 received at 77296 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 77296 <at> debbugs.gnu.org
Subject: Re: bug#77296: guix fails tests on aarch64 after rootless daemon
 patches
Date: Mon, 31 Mar 2025 15:05:18 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis:

> builder for `/gnu/store/8vpl8gv7nmvlpghk9vmx4xs5z3c8dw8j-guix-1.4.0-35.a9239a7.drv' failed with exit code 1

I successfully built this derivation on overdrive1.guix.gnu.org
(substitute available from ci.guix.gnu.org soon).

Does this command succeed (as non-root) on the machine you used:

  unshare -mrnf ifconfig lo up

?

Thanks,
Ludo’.




Added tag(s) moreinfo. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 31 Mar 2025 13:06:03 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Mon, 31 Mar 2025 13:15:04 GMT)

Message #16 received at 77296 <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 77296 <at> debbugs.gnu.org
Subject: Re: bug#77296: guix fails tests on aarch64 after rootless daemon
 patches
Date: Mon, 31 Mar 2025 16:14:21 +0300
On Mon, Mar 31, 2025 at 03:05:18PM +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo <at> gnu.org> skribis:
> 
> > builder for `/gnu/store/8vpl8gv7nmvlpghk9vmx4xs5z3c8dw8j-guix-1.4.0-35.a9239a7.drv' failed with exit code 1
> 
> I successfully built this derivation on overdrive1.guix.gnu.org
> (substitute available from ci.guix.gnu.org soon).
> 
> Does this command succeed (as non-root) on the machine you used:
> 
>   unshare -mrnf ifconfig lo up
> 
> ?
> 

(ins)ubuntu <at> ubuntu:~$ unshare -mrnf ifconfig lo up
unshare: write failed /proc/self/uid_map: Operation not permitted
(ins)ubuntu <at> ubuntu:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
(ins)ubuntu <at> ubuntu:~$ uname -a
Linux ubuntu 6.8.0-1020-raspi #24-Ubuntu SMP PREEMPT_DYNAMIC Sun Feb 23 08:39:32 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux

It's an RPi5 running ubuntu 24.04 with what looks like a special
raspberry-pi kernel built by ubuntu.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Information forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Mon, 31 Mar 2025 13:21:01 GMT)

Message #19 received at 77296 <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 77296 <at> debbugs.gnu.org
Subject: Re: bug#77296: guix fails tests on aarch64 after rootless daemon
 patches
Date: Mon, 31 Mar 2025 16:19:53 +0300
On Mon, Mar 31, 2025 at 03:05:18PM +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo <at> gnu.org> skribis:
> 
> > builder for `/gnu/store/8vpl8gv7nmvlpghk9vmx4xs5z3c8dw8j-guix-1.4.0-35.a9239a7.drv' failed with exit code 1
> 
> I successfully built this derivation on overdrive1.guix.gnu.org
> (substitute available from ci.guix.gnu.org soon).
> 
> Does this command succeed (as non-root) on the machine you used:
> 
>   unshare -mrnf ifconfig lo up
> 
> ?

(ins)efraim <at> g4:~$ unshare -mrnf ifconfig lo up
unshare: failed to execute ifconfig: No such file or directory
(ins)efraim <at> g4:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux trixie/sid"
NAME="Debian GNU/Linux"
VERSION_CODENAME=trixie
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
(ins)efraim <at> g4:~$ uname -a
Linux g4 6.12.12-powerpc #1 Debian 6.12.12-1 (2025-02-02) ppc GNU/Linux

Same "No such file or directory" on my visionfive2 (riscv64) running
ubuntu 23.04.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Information forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Sat, 05 Apr 2025 12:20:02 GMT)

Message #22 received at 77296 <at> debbugs.gnu.org:

From: tobtoht <tob <at> featherwallet.org>
To: "77296 <at> debbugs.gnu.org" <77296 <at> debbugs.gnu.org>
Subject: Re: bug#77296: guix fails tests on aarch64 after rootless daemon
 patches
Date: Sat, 05 Apr 2025 11:29:12 +0000
I have the same issue after installing the unprivileged daemon on a fresh
Ubuntu Server 24.04 installation (x86_64).

I followed the instructions here to install Guix (under "Trying it"):
https://hpc.guix.info/blog/2025/03/build-daemon-drops-its-privileges/

I then ran: `guix shell --container --pure bash` and got:

`guix shell: error: while setting up the build environment: cannot set loopback interface flags: Operation not permitted`.




Information forwarded to bug-guix <at> gnu.org:
bug#77296; Package guix. (Fri, 06 Jun 2025 20:23:02 GMT)

Message #25 received at 77296 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 77296 <at> debbugs.gnu.org
Subject: Re: bug#77296: guix fails tests on aarch64 after rootless daemon
 patches
Date: Fri, 06 Jun 2025 19:06:35 +0200
Hi,

Efraim Flashner <efraim <at> flashner.co.il> writes:

> (ins)ubuntu <at> ubuntu:~$ unshare -mrnf ifconfig lo up
> unshare: write failed /proc/self/uid_map: Operation not permitted
> (ins)ubuntu <at> ubuntu:~$ cat /etc/os-release
> PRETTY_NAME="Ubuntu 24.04.2 LTS"

It may have to do with Ubuntu’s restrictions on unprivileged user
namespaces:

  https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
  https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
  https://seclists.org/oss-sec/2025/q1/253

The solution appears to be to disable those restrictions with something like:

  sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

… or to provide a suitable AppArmor profile, as discussed for ‘guix
shell -C’:

  https://issues.guix.gnu.org/71226

Ludo’.
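
Added example (not part of the thread and not Guix code): a read-only check of the sysctl knobs that decide whether an unprivileged process can set up a user namespace, which is what the failing `unshare -mrnf` test above exercises. It goes beyond the one knob named in the thread by also reading `user.max_user_namespaces` and the Debian/Ubuntu `kernel.unprivileged_userns_clone`; `SYSCTL_ROOT` and the function names are hypothetical.

```shell
#!/bin/sh
# Diagnose sysctl-level restrictions on unprivileged user namespaces.
# SYSCTL_ROOT is a hypothetical override so the logic can be exercised
# against a constructed directory tree instead of the live /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print the value of a sysctl given in dotted form, or "absent" when the
# running kernel does not expose it.
read_knob() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Print one verdict word:
#   disabled   - unprivileged user namespaces cannot be created at all
#   restricted - the AppArmor restriction discussed in this thread is on;
#                consistent with EPERM on uid_map or on the "lo" ioctl
#   allowed    - none of the three knobs blocks unprivileged namespaces
userns_verdict() {
    max=$(read_knob user.max_user_namespaces)
    clone=$(read_knob kernel.unprivileged_userns_clone)
    aa=$(read_knob kernel.apparmor_restrict_unprivileged_userns)
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo disabled
    elif [ "$aa" = 1 ]; then
        echo restricted
    else
        echo allowed
    fi
}

# Print each knob with its current value, then the verdict.
report() {
    for k in user.max_user_namespaces kernel.unprivileged_userns_clone \
             kernel.apparmor_restrict_unprivileged_userns; do
        printf '%-50s %s\n' "$k" "$(read_knob "$k")"
    done
    echo "verdict: $(userns_verdict)"
}

report
```

A "restricted" verdict leaves the two options named above: turn the restriction off system-wide, or keep it and supply an AppArmor profile for the daemon.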




Changed bug title to 'Unprivileged guix-daemon doesn't work on Ubuntu 24.04' from 'guix fails tests on aarch64 after rootless daemon patches' Request was from Ludovic Courtès <ludovic.courtes <at> inria.fr> to control <at> debbugs.gnu.org. (Fri, 06 Jun 2025 20:23:03 GMT)

This bug report was last modified 5 days ago.
