• Bug#1070436: autopkgtest-virt-schroot: error when using 'unshare --net'

    From Richard Lewis@21:1/5 to All on Sun May 5 12:40:01 2024
    Package: autopkgtest
    Version: 5.28
    Severity: normal
    X-Debbugs-Cc: richard.lewis.debian@googlemail.com

    Dear Maintainer,

    If I try and run tests that use 'unshare --net' with a
    schroot backend they fail inside autopkgtest even though
    this works in the schroot being used.

    This works fine in a 'plain schroot' (I expect I allowed
    the calling user to run the schroot as root in the schroot
    in /etc/schroot):

    $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root -- unshare --net --map-root-user ls
    bin boot build dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

    But if I have an autopkgtest with e.g. a debian/tests/control with

    Test-Command: unshare --map-root-user --net ./debian/tests/foo
    Depends: @
    Features: test-name=foo
    Restrictions: needs-root

    then even adding '--user root' doesn't work:

    $ /usr/bin/autopkgtest package.changes --user root -- schroot unstable-amd64-sbuild

    I get errors like

    unshare: unshare failed: Operation not permitted

    Same if I put the unshare call inside the test.
    What am I doing wrong?




    -- System Information:
    Debian Release: 12.5
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.1.0-17-amd64 (SMP w/1 CPU thread; PREEMPT)
    Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages autopkgtest depends on:
    ii apt-utils 2.6.1
    ii libdpkg-perl 1.21.22
    ii procps 2:4.0.2-3
    ii python3 3.11.2-1+b1
    ii python3-debian 0.1.49

    Versions of packages autopkgtest recommends:
    ii autodep8 0.28
    ii fakeroot 1.31-1.2

    Versions of packages autopkgtest suggests:
    pn docker.io <none>
    pn fakemachine <none>
    ii lxc 1:5.0.2-1+deb12u2
    pn lxd <none>
    pn ovmf <none>
    pn ovmf-ia32 <none>
    pn podman <none>
    ii python3-distro-info 1.5+deb12u1
    pn qemu-efi-aarch64 <none>
    pn qemu-efi-arm <none>
    pn qemu-system <none>
    ii qemu-utils 1:7.2+dfsg-7+deb12u5
    ii schroot 1.6.13-3+b2
    ii util-linux 2.38.1-5+deb12u1
    pn vmdb2 <none>
    pn zerofree <none>

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jochen Sprickerhof@21:1/5 to All on Sun May 5 20:20:01 2024
    Hi Richard,

    * Richard Lewis <richard.lewis.debian@googlemail.com> [2024-05-05 11:32]:
    > If i try and run tests that use 'unshare --net' with a
    > schroot backend they fail inside autopkgtest even though
    > this works in the schroot being used.
    >
    > This works fine in a 'plain schroot' (I expect i allowed
    > the calling user to run the schroot as root in the schroot
    > in /etc/schroot):
    >
    > $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root -- unshare --net --map-root-user ls
    > bin boot build dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

    I can't reproduce this. Testing in a fresh debvm:

    $ debvm-create --size=2G --release=stable -- \
    --include=sbuild,schroot,debootstrap,autopkgtest \
    --hook-dir=/usr/share/mmdebstrap/hooks/useradd
    $ debvm-run
    # echo "inside debvm"
    # sbuild-createchroot unstable /srv/chroot/unstable-amd64-sbuild \
    http://deb.debian.org/debian
    # sbuild-adduser user
    # su - user
    $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root -- unshare --net --map-root-user ls
    unshare: unshare failed: Operation not permitted

    Do you have any idea why it works for you?

    > But if i have an autopkgtest with eg a debian/tests/control with
    >
    > Test-Command: unshare --map-root-user --net ./debian/tests/foo
    > Depends: @
    > Features: test-name=foo
    > Restrictions: needs-root

    This looks odd. If you only want to unshare the network, as stated in
    the bug title, you neither need --map-root-user nor needs-root. Indeed
    dropping both makes it work for me. Can you give some background what
    you actually want to do here?

    > then even adding '--user root' doesnt work:
    >
    > $ /usr/bin/autopkgtest package.changes --user root -- schroot unstable-amd64-sbuild

    I guess this is due to autopkgtest-virt-schroot starts an schroot
    session but I can't verify without reproducing your example without a
    session.

    > i get errors like
    >
    > unshare: unshare failed: Operation not permitted

    This maps to unshare(2) returning EPERM. From the manpage:

    | CLONE_NEWUSER was specified in flags and the caller is in a chroot
    | environment (i.e., the caller's root directory does not match the root
    | directory of the mount namespace in which it resides).

    I think this is what happens here.

    Overall I think using unshare --map-root-user in
    autopkgtest-virt-schroot is not supported and I don't think there is a
    way around that except using a different autopkgtest backend.

    Cheers Jochen

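
Added example, not part of the bug thread or of autopkgtest: a small C probe that attempts the two flag sets discussed above, `CLONE_NEWNET` alone (`unshare --net`) and `CLONE_NEWUSER | CLONE_NEWNET` (`unshare --map-root-user --net`), in a child process and reports the resulting errno. `probe_unshare` and `diagnose` are hypothetical names, and the cause strings are a reading of unshare(2), not kernel output.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNET */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: try unshare(flags) in a throwaway child so the caller's
 * namespaces stay untouched. Returns 0 on success, else the errno observed. */
int probe_unshare(int flags)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)                          /* child: exit status carries errno */
        _exit(syscall(SYS_unshare, flags) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

/* Hypothetical helper: map (flags, errno) to the likely cause. */
const char *diagnose(int flags, int err)
{
    if (err == 0)
        return "ok";
    if (err == EPERM && (flags & CLONE_NEWUSER))
        return "user namespace refused (chroot, per unshare(2), or host policy)";
    if (err == EPERM)
        return "missing CAP_SYS_ADMIN for a non-user namespace";
    return strerror(err);
}

int main(void)
{
    int sets[] = { CLONE_NEWNET, CLONE_NEWUSER | CLONE_NEWNET };
    for (int i = 0; i < 2; i++)
        printf("flags %#x: %s\n", sets[i], diagnose(sets[i], probe_unshare(sets[i])));
    return 0;
}
```

Running the same binary on the host and inside the schroot shows whether the EPERM follows the `CLONE_NEWUSER` flag or the missing privilege.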
  • From Richard Lewis@21:1/5 to jspricke@debian.org on Sun May 5 21:10:01 2024
    control: close 1070436
    thanks

    On Sun, 5 May 2024, 19:10 Jochen Sprickerhof, <jspricke@debian.org> wrote:

    > Hi Richard,
    >
    > * Richard Lewis <richard.lewis.debian@googlemail.com> [2024-05-05 11:32]:
    > > If i try and run tests that use 'unshare --net' with a
    > > schroot backend they fail inside autopkgtest even though
    > > this works in the schroot being used.
    > >
    > > This works fine in a 'plain schroot' (I expect i allowed
    > > the calling user to run the schroot as root in the schroot
    > > in /etc/schroot):
    > >
    > > $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root -- unshare --net --map-root-user ls
    > > bin boot build dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
    >
    > I can't reproduce this. Testing in a fresh debvm:
    >
    > $ debvm-create --size=2G --release=stable -- \
    > --include=sbuild,schroot,debootstrap,autopkgtest \
    > --hook-dir=/usr/share/mmdebstrap/hooks/useradd
    > $ debvm-run
    > # echo "inside debvm"
    > # sbuild-createchroot unstable /srv/chroot/unstable-amd64-sbuild \
    > http://deb.debian.org/debian
    > # sbuild-adduser user
    > # su - user
    > $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root -- unshare --net --map-root-user ls
    > unshare: unshare failed: Operation not permitted
    >
    > Do you have any idea why it works for you?


    I'm so sorry - this was just a complete user error by me.

    the issue is the --map-root-user, I thought absolutely sure I was using
    that with plain schroot, but it turns out I was completely misreading what
    I was running, and apparently copied the command and output from separate places.

    as you say, if I omit map-root-user then it works with both schroot and
    autopkgtest. and if I include map-root-user then both fail.


    > Over all I think using unshare --map-root-user in
    > autopkgtest-virt-schroot is not supported and I don't think there is a
    > way around that except using a different autopkgtest backend.


    thanks - this is fair enough.

    thanks for the response. and sorry for the noise
