Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix PID namespace support check #7802

Merged
merged 4 commits into from
Feb 10, 2023
Merged

Fix PID namespace support check #7802

merged 4 commits into from
Feb 10, 2023
+88 −70

Conversation

edolstra
Copy link
Member

Motivation

Fixes #7783 by actually checking whether /proc can be remounted in a mount+PID namespace.

Includes some refactoring to add clone() support to startProcess().

Context

Checklist for maintainers

Maintainers: tick if completed or explain if not relevant

  • agreed on idea
  • agreed on implementation strategy
  • tests, as appropriate
    • functional tests - tests/**.sh
    • unit tests - src/*/tests
    • integration tests - tests/nixos/*
  • documentation in the manual
  • code and comments are self-explanatory
  • commit message explains why the change was made
  • new feature or incompatible change: updated release notes

Sorry, something went wrong.

@edolstra
Simplify the PID namespace check: just try to mount /proc

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
f094ba7 
Fixes NixOS#7783.
@edolstra
LocalDerivationGoal::startBuilder(): Use startProcess() to clone

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
3e6e34c
@roberth
Copy link
Member

roberth commented Feb 10, 2023

Did you try to write a NixOS test for this?

@edolstra
Fix macOS build

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
c49b747
@edolstra
Add regression test

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
a21405a
@edolstra
Copy link
Member Author

Yeah I've repurposed the remote-build test for this.

@edolstra edolstra merged commit 67451d8 into NixOS:master Feb 10, 2023
@edolstra edolstra deleted the fix-7783 branch February 10, 2023 19:41
@edolstra edolstra mentioned this pull request Feb 10, 2023
Closed
7 tasks
@useranon350
Copy link

useranon350 commented May 30, 2024
edited
Loading

This seems to cause issues when following https://nixos.wiki/wiki/Installing_from_Linux. I am getting "error: this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing" when running NIX_PATH="nixpkgs=channel:nixos-23.11" nixos-install from within a chroot or unshare -R session. I can use pid namespaces outside of a chroot. I have confirmed that unshare -fp --keep-caps --mount-proc=proc works, and allows further ``mount -t proc none proc``` calls.

EDIT: Running unshare -pfm --propagation unchanged bash followed by mount -t proc none proc from within the chroot also seems to work fine. Maybe it's actually because user namespaces aren't allowed within chroots? (i.e. unshare -r fails)

@useranon350
Copy link

I was able to solve the problem by using the pivot_root method with an additional step of unshare -m --propagation unchanged and mount --bind . . prior to starting the pivot. chroot and unshare -R both caused spurious issues with remounting /proc and legitimate issues with mount namespaces, although I think the latter were a result of my / not being a mountpoint. (Specifically, they wouldn't allow setting the mount propagation to rprivate on the new /.)

I think this could be resolved with a documentation update.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thufschmitt thufschmitt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

this system does not support the kernel namespaces that are required for sandboxing
3 participants
@edolstra @roberth @useranon350