GNU bug report logs - #31977
clone tests fail on CentOS 7

Previous Next

Package: guix;

Reported by: Paul Garlick <pgarlick <at> tourbillion-technology.com>

Date: Tue, 26 Jun 2018 14:18:02 UTC

Severity: normal

To reply to this bug, email your comments to 31977 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Tue, 26 Jun 2018 14:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Garlick <pgarlick <at> tourbillion-technology.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 26 Jun 2018 14:18:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Paul Garlick <pgarlick <at> tourbillion-technology.com>
To: bug-guix <at> gnu.org
Subject: clone tests fail on CentOS 7
Date: Tue, 26 Jun 2018 15:16:35 +0100
[Message part 1 (text/plain, inline)]
Hi Guix,

Running 'make check' in the guix source tree on a CentOS 7 system
results in 15 FAILS:

tests/containers.log: 9 FAILS
tests/syscalls.log: 3 FAILS
tests/guix-environment-container.log: 1 FAIL
tests/guix-pack.log: 1 FAIL
tests/pack.log: 1 FAIL

Referring to bug#24108, the cause may be that the clone-related tests
are being executed instead of being skipped. 

The output of 'uname -srv' is:

Linux 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018

Files:
a)  '/proc/self/ns/user' exists
b) '/proc/sys/kernel/unprivileged_userns_clone' does not exist.

On CentOS 7 I believe user namespaces are supported but disabled by
default.  The output of 'cat /proc/sys/user/max_user_namespaces' is
'0'.

Perhaps the 'perform-container-tests?' logic should include an extra
check for the default, disabled case to ensure that the tests are
skipped.

Attached are the log files, except 'guix-pack.log' (~100MB) and
'pack.log' (~7MB).

Best regards,

Paul.

[containers.log (text/x-log, attachment)]
[guix-environment-container.log (text/x-log, attachment)]
[syscalls.log (text/x-log, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Tue, 01 Dec 2020 18:14:02 GMT) Full text and rfc822 format available.

Message #8 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>
Cc: 31977 <at> debbugs.gnu.org
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Tue, 01 Dec 2020 19:12:35 +0100
Hi Paul,

This old bug #31977 is about an issue on your CentOS 7 machine.  Is it
still relevant?

   <http://issues.guix.gnu.org/issue/31977>

On Tue, 26 Jun 2018 at 15:16, Paul Garlick <pgarlick <at> tourbillion-technology.com> wrote:

> Running 'make check' in the guix source tree on a CentOS 7 system
> results in 15 FAILS:
>
> tests/containers.log: 9 FAILS
> tests/syscalls.log: 3 FAILS
> tests/guix-environment-container.log: 1 FAIL
> tests/guix-pack.log: 1 FAIL
> tests/pack.log: 1 FAIL
>
> Referring to bug#24108, the cause may be that the clone-related tests
> are being executed instead of being skipped.

Note that bug#24108 had been closed couple of months ago:

--8<---------------cut here---------------start------------->8---
From: Ludovic Courtès <ludo <at> gnu.org>
Subject: control message for bug #24108
To: control <at> debbugs.gnu.org, 24108 <at> debbugs.gnu.org
Date: Thu, 09 Jul 2020 15:58:27 +0200 (20 weeks, 5 days, 4 hours ago)

tags 24108 notabug
close 24108
quit
--8<---------------cut here---------------end--------------->8---


> The output of 'uname -srv' is:
>
> Linux 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018
>
> Files:
> a) '/proc/self/ns/user' exists
> b) '/proc/sys/kernel/unprivileged_userns_clone' does not exist.
>
> On CentOS 7 I believe user namespaces are supported but disabled by
> default. The output of 'cat /proc/sys/user/max_user_namespaces' is
> '0'.
>
> Perhaps the 'perform-container-tests?' logic should include an extra
> check for the default, disabled case to ensure that the tests are
> skipped.
>
> Attached are the log files, except 'guix-pack.log' (~100MB) and
> 'pack.log' (~7MB).
>
> Best regards,
>
> Paul.


Feel free to close it or report more information about the current
status.


Thanks,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Wed, 02 Dec 2020 18:09:01 GMT) Full text and rfc822 format available.

Message #11 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: Paul Garlick <pgarlick <at> tourbillion-technology.com>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 31977 <at> debbugs.gnu.org
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Wed, 02 Dec 2020 18:08:18 +0000
Hi Simon,

On Tue, 2020-12-01 at 19:12 +0100, zimoun wrote:
> This old bug #31977 is about an issue on your CentOS 7 machine.  Is
> it still relevant?

Yes, this bug still exists.

However, I have just tested a fix:

--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -44,7 +44,7 @@
   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
     (if (file-exists? userns-file)
         (eqv? #\1 (call-with-input-file userns-file read-char))
-        #t)))
+        #f)))
 
 (define (setgroups-supported?)
   "Return #t if the setgroups proc file, introduced in Linux-libre
3.19,

This ensures that tests are skipped if user namespaces are not enabled
for unprivileged users.

Best regards,

Paul.





Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Thu, 03 Dec 2020 16:35:02 GMT) Full text and rfc822 format available.

Message #14 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: Paul Garlick <pgarlick <at> tourbillion-technology.com>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 31977 <at> debbugs.gnu.org
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Thu, 03 Dec 2020 16:34:17 +0000
Hi Simon,

I have pushed the fix as 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e.

Best regards,

Paul.





bug closed, send any further explanations to 31977 <at> debbugs.gnu.org and Paul Garlick <pgarlick <at> tourbillion-technology.com> Request was from Paul Garlick <pgarlick <at> tourbillion-technology.com> to control <at> debbugs.gnu.org. (Thu, 03 Dec 2020 16:42:02 GMT) Full text and rfc822 format available.

Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 07 Dec 2020 00:53:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Mon, 07 Dec 2020 01:04:02 GMT) Full text and rfc822 format available.

Message #21 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>
Cc: 31977 <at> debbugs.gnu.org, Marius Bakke <marius <at> gnu.org>
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Mon, 07 Dec 2020 01:54:19 +0100
Hi Paul,

On Thu, 03 Dec 2020 at 16:34, Paul Garlick <pgarlick <at> tourbillion-technology.com> wrote:

> I have pushed the fix as 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e.

Apparently people are complaining [1,2].  Well, I do not understand what it
breaks but Marius reverted the commit (see #45066) so I am reopening the
issue.

   <http://issues.guix.gnu.org/issue/45066>


All the best,
simon

1: <https://yhetil.org/guix/e5c86d238ca5174b745b8ea6cb0cb6ad6b20aa5e.camel <at> yasuaki.com>
2:
<https://yhetil.org/guix/PSXP216MB02147543A84779F3F6A8509EA0CF0 <at> PSXP216MB0214.KORP216.PROD.OUTLOOK.COM>






Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Sat, 19 Dec 2020 09:37:01 GMT) Full text and rfc822 format available.

Message #24 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>
Cc: 31977 <at> debbugs.gnu.org, Marius Bakke <marius <at> gnu.org>
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Sat, 19 Dec 2020 10:26:50 +0100
Hi Paul,

Since the fix 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e breaks
linux-libre kernel on Guix System, because of [1], quote:

        Well, it is expected.  And now all is clear.  Explanations starting
        there:

           <http://logs.guix.gnu.org/guix/2020-12-07.log#211011>

        Quickly said, the initial code was assuming Debian-like kernel patches
        as Vagrant reported and this is not in the linux-libre source code with
        a wrong Guix error message.

        One bug is still there. :-)

1: <https://yhetil.org/guix/86zh2p4921.fsf <at> gmail.com>


If I understand well your message:

        Files:
        a) '/proc/self/ns/user' exists
        b) '/proc/sys/kernel/unprivileged_userns_clone' does not exist.

from your initial report, it is the same problem as linux-libre:
somehow, the assumption of '/proc/sys/kernel/unprivileged_userns_clone'
is Debian-like and not shared.

So, it could be nice to have a good story for that. :-)


All the best,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Mon, 21 Dec 2020 15:30:01 GMT) Full text and rfc822 format available.

Message #27 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: Paul Garlick <pgarlick <at> tourbillion-technology.com>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 31977 <at> debbugs.gnu.org, Marius Bakke <marius <at> gnu.org>
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Mon, 21 Dec 2020 15:29:27 +0000
Hi Simon,

> If I understand well your message:
> 
>         Files:
>         a) '/proc/self/ns/user' exists
>         b) '/proc/sys/kernel/unprivileged_userns_clone' does not exist.

Yes, this is the case on CentOS.  

So testing for the existence of the unprivileged_userns_clone file is
an insufficent test for unprivileged user namespaces.  We have learnt
that trying to create the file as a dummy file does not work, since the
/proc/sys/kernel directory is read-only even for root.

So the current 'unprivileged-user-namespace-supported?' function in
gnu/build/linux-container.scm really only works for Debian-derived
systems.  Other systems, that co not create the
unprivileged_userns_clone file, differ in their default configurations.
CentOS, for example, disables the feature.  However, Guix System
enables it.

It has been suggested that the feature itself should be tested, instead
of relying on the /proc filesystem.  This could well be a better idea
and I gather from the thread that this idea is being worked on.  I can
test on CentOS when a new patch is available.

Best regards,

Paul. 





Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Sat, 08 Oct 2022 15:17:04 GMT) Full text and rfc822 format available.

Message #30 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>
Cc: 31977 <at> debbugs.gnu.org, Marius Bakke <marius <at> gnu.org>
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Sat, 08 Oct 2022 16:30:58 +0200
Hi Paul,

It is about this old bug#31977 [1].  Well, I have lost the status about
this and since I am using Debian with unprivileged_userns_clone, I am
not annoyed enough. ;-)

1: <http://issues.guix.gnu.org/issue/31977>


On Mon, 21 Dec 2020 at 15:29, Paul Garlick <pgarlick <at> tourbillion-technology.com> wrote:

> It has been suggested that the feature itself should be tested, instead
> of relying on the /proc filesystem.  This could well be a better idea
> and I gather from the thread that this idea is being worked on.  I can
> test on CentOS when a new patch is available.

Is it still an issue for you?


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#31977; Package guix. (Thu, 03 Nov 2022 10:05:01 GMT) Full text and rfc822 format available.

Message #33 received at 31977 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Paul Garlick <pgarlick <at> tourbillion-technology.com>
Cc: 31977 <at> debbugs.gnu.org, Marius Bakke <marius <at> gnu.org>
Subject: Re: bug#31977: clone tests fail on CentOS 7
Date: Thu, 03 Nov 2022 10:47:47 +0100
Hi Paul,

On Sat, 08 Oct 2022 at 16:30, zimoun <zimon.toutoune <at> gmail.com> wrote:
> On Mon, 21 Dec 2020 at 15:29, Paul Garlick <pgarlick <at> tourbillion-technology.com> wrote:

> It is about this old bug#31977 [1].  Well, I have lost the status about
> this and since I am using Debian with unprivileged_userns_clone, I am
> not annoyed enough. ;-)
>
> 1: <http://issues.guix.gnu.org/issue/31977>
>
>
>
>> It has been suggested that the feature itself should be tested, instead
>> of relying on the /proc filesystem.  This could well be a better idea
>> and I gather from the thread that this idea is being worked on.  I can
>> test on CentOS when a new patch is available.
>
> Is it still an issue for you?

Friendly ping. :-)


Cheers,
simon




This bug report was last modified 1 year and 147 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.