Really relocatable binaries crash with Permission denied

Done. Submitted by pelzflorian (Florian Pelz).
Details
3 participants
  • Giovanni Biscuolo
  • Ludovic Courtès
  • pelzflorian (Florian Pelz)
Owner
unassigned
Severity
normal
pelzflorian (Florian Pelz) wrote on 10 May 2019 00:01
(address . bug-guix@gnu.org)
20190509220136.tli7um2heocifrpq@pelzflorian.localdomain
The manual gives the following example of guix pack -RR:
guix pack -RR -S /mybin=bin bash
tar xf pack.tar.gz
./mybin/sh
This fails on my university’s server for students which uses Linux container “VMs” with Ubuntu and has no user namespace support and Guix is not installed. This single line is all output:
$ ./mybin/sh
sh: run.c:162: bind_mount: Unexpected error: Permission denied.
Note that
PROOT_NO_SECCOMP=1 ~/gnu/store/iyd2ikxadcp89j5919pwja6swnx00493-proot-static-5.1.0/bin/proot -w $(pwd | sed 's/${HOME}//') -r ${HOME} -b /proc /mybin/sh
works just fine (inspired by https://guix-hpc.bordeaux.inria.fr/blog/2017/10/using-guix-without-being-root/).
For testing purposes, I compile the wrapper gnu/packages/aux-files/run-in-namespace.c:
sed -i 's|@STORE_DIRECTORY@|/gnu/store|g' run-in-namespace.c
sed -i 's|@WRAPPED_PROGRAM@|/mybin/sh|g' run-in-namespace.c
gcc -std=gnu99 -static -O0 -g -Wall run-in-namespace.c
scp run-in-namespace.c a.out … # upload it to the university server
ssh …
gdb a.out
[…]
(gdb) break main
Breakpoint 1 at 0x401ea1: file run-in-namespace.c, line 260.
(gdb) run
Starting program: /home/f_pelz12/a.out

Breakpoint 1, main (argc=1, argv=0x7fffffffe818) at run-in-namespace.c:260
260	  size = readlink ("/proc/self/exe", self, sizeof self - 1);
(gdb) next
261	  assert (size > 0);
(gdb)
265	  size_t index = strlen (self)
(gdb)
268	  char *store = strdup (self);
(gdb)
269	  store[index] = '\0';
(gdb)
277	  if (strcmp (store, "/gnu/store") != 0
(gdb)
278	      && lstat ("/mybin/sh", &statbuf) != 0)
(gdb)
283	  char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
(gdb)
284	  char *new_store = concat (new_root, "/gnu/store");
(gdb)
285	  char *cwd = get_current_dir_name ();
(gdb)
292	  pid_t child = syscall (SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
(gdb)
[Detaching after fork from child process 12748]
294	  switch (child)
(gdb)
a.out: run-in-namespace.c:162: bind_mount: Unexpected error: Permission denied.
337	  disallow_setgroups (child);
(gdb)
a.out: run-in-namespace.c:205: disallow_setgroups: Unexpected error: Permission denied.

Program received signal SIGABRT, Aborted.
0x000000000040796f in raise ()
I do not know how to break into the detached child’s bind_mount call, so I am unable to give details on this bind_mount error (I do not know if the bind_mount really is the cause of the crash; it is futile anyway and the binary should just try proot after all and not crash before). A breakpoint from `break bind_mount` is ignored. Can I get more information out of this somehow?
For completeness:
$ uname -a
Linux tux6 4.15.18-14-pve #1 SMP PVE 4.15.18-38 (Tue, 30 Apr 2019 10:51:33 +0200) x86_64 x86_64 x86_64 GNU/Linux
Regards,
Florian
pelzflorian (Florian Pelz) wrote on 10 May 2019 07:54
(address . 35662@debbugs.gnu.org)
20190510055441.whvcyxs4grbrnpys@pelzflorian.localdomain
On Fri, May 10, 2019 at 12:01:36AM +0200, pelzflorian (Florian Pelz) wrote:
> sed -i 's|@STORE_DIRECTORY@|/gnu/store|g' run-in-namespace.c
> sed -i 's|@WRAPPED_PROGRAM@|/mybin/sh|g' run-in-namespace.c
> gcc -std=gnu99 -static -O0 -g -Wall run-in-namespace.c
I think it should have been
sed -i 's|@STORE_DIRECTORY@|/gnu/store|g' run-in-namespace.c
sed -i 's|@WRAPPED_PROGRAM@|/gnu/store/qn1ax1fkj16x280m1rv7mcimfmn9l2pf-bash-4.4.23/bin/sh|g' run-in-namespace.c
echo '#define PROOT_PROGRAM "iyd2ikxadcp89j5919pwja6swnx00493-proot-static-5.1.0/bin/proot"' > new
cat run-in-namespace.c >> new
mv new run-in-namespace.c
gcc -std=gnu99 -static -O0 -g -Wall run-in-namespace.c
but it does not make a difference to the gdb output except the line
> 278	      && lstat ("/mybin/sh", &statbuf) != 0)
Regards,
Florian
Ludovic Courtès wrote on 10 May 2019 23:50
(name . pelzflorian (Florian Pelz))
(address . pelzflorian@pelzflorian.de)
(address . 35662@debbugs.gnu.org)
87o94ax9lw.fsf@gnu.org
Hello,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> The manual gives the following example of guix pack -RR:
>
> guix pack -RR -S /mybin=bin bash
> tar xf pack.tar.gz
> ./mybin/sh
>
> This fails on my university’s server for students which uses Linux
> container “VMs” with Ubuntu and has no user namespace support and Guix
> is not installed. This single line is all output:
>
> $ ./mybin/sh
> sh: run.c:162: bind_mount: Unexpected error: Permission denied.
That suggests the wrapper chose the user namespace method (not PRoot), but that didn’t quite work.
Could you post the output of:
strace ./mybin/sh
?
TIA!
Ludo’.
pelzflorian (Florian Pelz) wrote on 11 May 2019 07:05
(name . Ludovic Courtès)
(address . ludo@gnu.org)
(address . 35662@debbugs.gnu.org)
20190511050518.ozmvhsov6meg6g5f@pelzflorian.localdomain
On Fri, May 10, 2019 at 11:50:19PM +0200, Ludovic Courtès wrote:
> That suggests the wrapper chose the user namespace method (not PRoot),
> but that didn’t quite work.
>
> Could you post the output of:
>
> strace ./mybin/sh
>
> ?
>
[f_pelz12@tux6 ~]$ strace ./mybin/sh
execve("./mybin/sh", ["./mybin/sh"], 0x7fffcdf87290 /* 39 vars */) = 0
brk(NULL) = 0x2301000
brk(0x23021c0) = 0x23021c0
arch_prctl(ARCH_SET_FS, 0x2301880) = 0
uname({sysname="Linux", nodename="tux6", ...}) = 0
readlink("/proc/self/exe", "/home/f_pelz12/gnu/store/wl2l59l"..., 4096) = 77
brk(0x23231c0) = 0x23231c0
brk(0x2324000) = 0x2324000
readlink("/proc/self/exe", "/home/f_pelz12/gnu/store/wl2l59l"..., 4095) = 77
lstat("/gnu/store/qn1ax1fkj16x280m1rv7mcimfmn9l2pf-bash-4.4.23/bin/sh", 0x7ffd9741c980) = -1 ENOENT (No such file or directory)
gettimeofday({tv_sec=1557550876, tv_usec=116037}, NULL) = 0
getpid() = 28923
mkdir("/tmp/guix-exec-ABt7cT", 0700) = 0
stat(".", {st_mode=S_IFDIR|0700, st_size=113, ...}) = 0
stat("/home/f_pelz12", {st_mode=S_IFDIR|0700, st_size=113, ...}) = 0
clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 28924
openat(AT_FDCWD, "/proc/28924/setgroups", O_WRONLY) = 3
write(3, "deny\0", 5) = 5
close(3) = 0
getuid() = 24038
openat(AT_FDCWD, "/proc/28924/uid_map", O_WRONLY) = 3
write(3, "24038 24038 1\n", 14) = 14
close(3) = 0
getgid() = 10004
openat(AT_FDCWD, "/proc/28924/gid_map", O_WRONLY) = 3
write(3, "10004 10004 1\n", 14) = 14
close(3) = 0
wait4(28924, sh: run.c:162: bind_mount: Unexpected error: Permission denied.
[{WIFSIGNALED(s) && WTERMSIG(s) == SIGABRT}], 0, NULL) = 28924
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=28924, si_uid=24038, si_status=SIGABRT, si_utime=0, si_stime=0} ---
chdir("/") = 0
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=25, ...}) = 0
getdents64(3, /* 25 entries */, 131072) = 632
unlink("/tmp/guix-exec-ABt7cT/home") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/home", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4e71c68000
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
munmap(0x7f4e71c68000, 135168) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/home") = 0
unlink("/tmp/guix-exec-ABt7cT/tmp") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
brk(0x2363000) = 0x2363000
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/tmp") = 0
unlink("/tmp/guix-exec-ABt7cT/mnt") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/mnt", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/mnt") = 0
unlink("/tmp/guix-exec-ABt7cT/sys") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/sys", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/sys") = 0
unlink("/tmp/guix-exec-ABt7cT/libx32") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/libx32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/libx32") = 0
unlink("/tmp/guix-exec-ABt7cT/opt") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/opt", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/opt") = 0
unlink("/tmp/guix-exec-ABt7cT/srv") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/srv", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/srv") = 0
unlink("/tmp/guix-exec-ABt7cT/dev") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/dev", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/dev") = 0
unlink("/tmp/guix-exec-ABt7cT/var") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/var", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/var") = 0
unlink("/tmp/guix-exec-ABt7cT/sbin") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/sbin", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/sbin") = 0
unlink("/tmp/guix-exec-ABt7cT/lib64") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/lib64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/lib64") = 0
unlink("/tmp/guix-exec-ABt7cT/lib32") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/lib32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/lib32") = 0
unlink("/tmp/guix-exec-ABt7cT/media") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/media", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/media") = 0
unlink("/tmp/guix-exec-ABt7cT/usr") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/usr", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/usr") = 0
unlink("/tmp/guix-exec-ABt7cT/bin") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/bin", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/bin") = 0
unlink("/tmp/guix-exec-ABt7cT/boot") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/boot", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/boot") = 0
unlink("/tmp/guix-exec-ABt7cT/etc") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/etc", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/etc") = 0
unlink("/tmp/guix-exec-ABt7cT/run") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/run", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/run") = 0
unlink("/tmp/guix-exec-ABt7cT/core") = 0
unlink("/tmp/guix-exec-ABt7cT/snap") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/snap", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/snap") = 0
unlink("/tmp/guix-exec-ABt7cT/lib") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/lib", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/lib") = 0
unlink("/tmp/guix-exec-ABt7cT/proc") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/proc", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/proc") = 0
unlink("/tmp/guix-exec-ABt7cT/root") = -1 EISDIR (Is a directory)
openat(AT_FDCWD, "/tmp/guix-exec-ABt7cT/root", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
getdents64(4, /* 2 entries */, 131072) = 48
getdents64(4, /* 0 entries */, 131072) = 0
close(4) = 0
rmdir("/tmp/guix-exec-ABt7cT/root") = 0
getdents64(3, /* 0 entries */, 131072) = 0
close(3) = 0
rmdir("/tmp/guix-exec-ABt7cT") = 0
exit_group(6) = ?
+++ exited with 6 +++
Thank you for looking into it!
Regards,
Florian
Ludovic Courtès wrote on 13 May 2019 09:49
(name . pelzflorian (Florian Pelz))
(address . pelzflorian@pelzflorian.de)
(address . 35662@debbugs.gnu.org)
87ftpivlnv.fsf@gnu.org
Hi Florian,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> On Fri, May 10, 2019 at 11:50:19PM +0200, Ludovic Courtès wrote:
>> That suggests the wrapper chose the user namespace method (not PRoot),
>> but that didn’t quite work.
>>
>> Could you post the output of:
>>
>> strace ./mybin/sh
>>
>> ?
My bad, this should be:
strace -f -o log ./mybin/sh
and then post the ‘log’ file (we need ‘-f’ because the problem happens in the child process.)
Thanks in advance,
Ludo’.
pelzflorian (Florian Pelz) wrote on 13 May 2019 12:34
(name . Ludovic Courtès)
(address . ludo@gnu.org)
(address . 35662@debbugs.gnu.org)
20190513103440.xkri3uk2oxtk4rn6@pelzflorian.localdomain
On Mon, May 13, 2019 at 09:49:40AM +0200, Ludovic Courtès wrote:
> Hi Florian,
>
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
>
> > On Fri, May 10, 2019 at 11:50:19PM +0200, Ludovic Courtès wrote:
> >> That suggests the wrapper chose the user namespace method (not PRoot),
> >> but that didn’t quite work.
> >>
> >> Could you post the output of:
> >>
> >> strace ./mybin/sh
> >>
> >> ?
>
> My bad, this should be:
>
> strace -f -o log ./mybin/sh
>
> and then post the ‘log’ file (we need ‘-f’ because the problem happens
> in the child process.)
>
> Thanks in advance,
> Ludo’.
Oh I did not know there is -f.
[f_pelz12@tux6 ~]$ strace -f -o log ./mybin/sh
sh: run.c:162: bind_mount: Unexpected error: Permission denied.
The log file is attached.
When I do not use -o log, the unexpected error is here:
[pid 36622] mount("//sys", "/tmp/guix-exec-85li6j/sys", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
[pid 36622] openat(AT_FDCWD, "/tmp/guix-exec-85li6j/core", O_WRONLY|O_CREAT, 056306) = 4
[pid 36622] close(4) = 0
[pid 36622] mount("//core", "/tmp/guix-exec-85li6j/core", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
[pid 36622] write(2, "sh: run.c:162: bind_mount: Unexp"..., 64sh: run.c:162: bind_mount: Unexpected error: Permission denied.
) = 64
[pid 36622] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4b024f4000
[pid 36622] rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
[pid 36622] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
[pid 36622] getpid() = 36622
[pid 36622] gettid() = 36622
[pid 36622] tgkill(36622, 36622, SIGABRT) = 0
[pid 36622] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 36622] --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=36622, si_uid=24038} ---
[pid 36622] +++ killed by SIGABRT +++

Regards,
Florian
32476 execve("./mybin/sh", ["./mybin/sh"], 0x7ffddaa0d868 /* 39 vars */) = 0
32476 brk(NULL) = 0x2220000
32476 brk(0x22211c0) = 0x22211c0
32476 arch_prctl(ARCH_SET_FS, 0x2220880) = 0
32476 uname({sysname="Linux", nodename="tux6", ...}) = 0
32476 readlink("/proc/self/exe", "/home/f_pelz12/gnu/store/wl2l59l"..., 4096) = 77
32476 brk(0x22421c0) = 0x22421c0
32476 brk(0x2243000) = 0x2243000
32476 readlink("/proc/self/exe", "/home/f_pelz12/gnu/store/wl2l59l"..., 4095) = 77
32476 lstat("/gnu/store/qn1ax1fkj16x280m1rv7mcimfmn9l2pf-bash-4.4.23/bin/sh", 0x7ffd70f35830) = -1 ENOENT (No such file or directory)
32476 gettimeofday({tv_sec=1557741656, tv_usec=607561}, NULL) = 0
32476 getpid() = 32476
32476 mkdir("/tmp/guix-exec-eqHoYA", 0700) = 0
32476 stat(".", {st_mode=S_IFDIR|0700, st_size=114, ...}) = 0
32476 stat("/home/f_pelz12", {st_mode=S_IFDIR|0700, st_size=114, ...}) = 0
32476 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 32477
32476 openat(AT_FDCWD, "/proc/32477/setgroups", O_WRONLY) = 3
32477 openat(AT_FDCWD, "/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY <unfinished ...>
32476 write(3, "deny\0", 5 <unfinished ...>
32477 <... openat resumed> ) = 3
32476 <... write resumed> ) = 5
32477 fstat(3,  <unfinished ...>
32476 close(3) = 0
32477 <... fstat resumed> {st_mode=S_IFDIR|0755, st_size=25, ...}) = 0
32476 getuid() = 24038
32477 getdents64(3,  <unfinished ...>
32476 openat(AT_FDCWD, "/proc/32477/uid_map", O_WRONLY) = 3
32476 write(3, "24038 24038 1\n", 14) = 14
32477 <... getdents64 resumed> , /* 25 entries */, 32768) = 632
32476 close(3) = 0
32477 mkdir("/tmp/guix-exec-eqHoYA/lib", 0700 <unfinished ...>
32476 getgid() = 10004
32476 openat(AT_FDCWD, "/proc/32477/gid_map", O_WRONLY) = 3
32476 write(3, "10004 10004 1\n", 14) = 14
32476 close(3) = 0
32476 wait4(32477,  <unfinished ...>
32477 <... mkdir resumed> ) = 0
32477 mount("//lib", "/tmp/guix-exec-eqHoYA/lib", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/home", 0700) = 0
32477 mount("//home", "/tmp/guix-exec-eqHoYA/home", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/libx32", 0700) = 0
32477 mount("//libx32", "/tmp/guix-exec-eqHoYA/libx32", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/etc", 0700) = 0
32477 mount("//etc", "/tmp/guix-exec-eqHoYA/etc", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/run", 0700) = 0
32477 mount("//run", "/tmp/guix-exec-eqHoYA/run", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/sbin", 0700) = 0
32477 mount("//sbin", "/tmp/guix-exec-eqHoYA/sbin", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/media", 0700) = 0
32477 mount("//media", "/tmp/guix-exec-eqHoYA/media", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/lib32", 0700) = 0
32477 mount("//lib32", "/tmp/guix-exec-eqHoYA/lib32", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/lib64", 0700) = 0
32477 mount("//lib64", "/tmp/guix-exec-eqHoYA/lib64", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/bin", 0700) = 0
32477 mount("//bin", "/tmp/guix-exec-eqHoYA/bin", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/usr", 0700) = 0
32477 mount("//usr", "/tmp/guix-exec-eqHoYA/usr", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/boot", 0700) = 0
32477 mount("//boot", "/tmp/guix-exec-eqHoYA/boot", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/dev", 0700) = 0
32477 mount("//dev", "/tmp/guix-exec-eqHoYA/dev", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/var", 0700) = 0
32477 mount("//var", "/tmp/guix-exec-eqHoYA/var", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/root", 0700) = 0
32477 mount("//root", "/tmp/guix-exec-eqHoYA/root", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/proc", 0700) = 0
32477 mount("//proc", "/tmp/guix-exec-eqHoYA/proc", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/opt", 0700) = 0
32477 mount("//opt", "/tmp/guix-exec-eqHoYA/opt", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/srv", 0700) = 0
32477 mount("//srv", "/tmp/guix-exec-eqHoYA/srv", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/snap", 0700) = 0
32477 mount("//snap", "/tmp/guix-exec-eqHoYA/snap", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/mnt", 0700) = 0
32477 mount("//mnt", "/tmp/guix-exec-eqHoYA/mnt", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/tmp", 0700) = 0
32477 mount("//tmp", "/tmp/guix-exec-eqHoYA/tmp", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 mkdir("/tmp/guix-exec-eqHoYA/sys", 0700) = 0
32477 mount("//sys", "/tmp/guix-exec-eqHoYA/sys", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/core", O_WRONLY|O_CREAT, 0116306) = 4
32477 close(4) = 0
32477 mount("//core", "/tmp/guix-exec-eqHoYA/core", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
32477 write(2, "sh: run.c:162: bind_mount: Unexp"..., 64) = 64
32477 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff846f5e000
32477 rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
32477 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
32477 getpid() = 32477
32477 gettid() = 32477
32477 tgkill(32477, 32477, SIGABRT) = 0
32477 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
32477 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=32477, si_uid=24038} ---
32477 +++ killed by SIGABRT +++
32476 <... wait4 resumed> [{WIFSIGNALED(s) && WTERMSIG(s) == SIGABRT}], 0, NULL) = 32477
32476 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=32477, si_uid=24038, si_status=SIGABRT, si_utime=0, si_stime=0} ---
32476 chdir("/") = 0
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
32476 fstat(3, {st_mode=S_IFDIR|0700, st_size=25, ...}) = 0
32476 getdents64(3, /* 25 entries */, 131072) = 632
32476 unlink("/tmp/guix-exec-eqHoYA/lib32") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/lib32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff846f3e000
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 munmap(0x7ff846f3e000, 135168) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/lib32") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/media") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/media", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 brk(0x2282000) = 0x2282000
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/media") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/etc") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/etc", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/etc") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/run") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/run", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/run") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/lib64") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/lib64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/lib64") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/boot") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/boot", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/boot") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/bin") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/bin", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/bin") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/usr") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/usr", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/usr") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/lib") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/lib", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/lib") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/snap") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/snap", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/snap") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/core") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/proc") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/proc", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/proc") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/root") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/root", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/root") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/srv") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/srv", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/srv") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/home") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/home", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/home") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/opt") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/opt", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/opt") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/sys") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/sys", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/sys") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/tmp") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/tmp") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/mnt") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/mnt", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/mnt") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/sbin") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/sbin", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/sbin") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/libx32") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/libx32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/libx32") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/var") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/var", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/var") = 0
32476 unlink("/tmp/guix-exec-eqHoYA/dev") = -1 EISDIR (Is a directory)
32476 openat(AT_FDCWD, "/tmp/guix-exec-eqHoYA/dev", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
32476 fstat(4, {st_mode=S_IFDIR|0700, st_size=2, ...}) = 0
32476 getdents64(4, /* 2 entries */, 131072) = 48
32476 getdents64(4, /* 0 entries */, 131072) = 0
32476 close(4) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA/dev") = 0
32476 getdents64(3, /* 0 entries */, 131072) = 0
32476 close(3) = 0
32476 rmdir("/tmp/guix-exec-eqHoYA") = 0
32476 exit_group(6) = ?
32476 +++ exited with 6 +++
Ludovic Courtès wrote on 13 May 2019 15:54
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 35662@debbugs.gnu.org)
87r292qx30.fsf@gnu.org
Hi Florian,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> 32476 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 32477
[...]
> 32477 mount("//lib", "/tmp/guix-exec-eqHoYA/lib", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
> 32477 mkdir("/tmp/guix-exec-eqHoYA/home", 0700) = 0
> 32477 mount("//home", "/tmp/guix-exec-eqHoYA/home", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
This is weird. On a machine without Guix and with “proper” user namespace support, I see:
4519 clone(child_stack=0, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 4520
[...]
4520 mkdir("/tmp/guix-exec-4lVNRO/tmp", 0700) = 0
4520 mount("//tmp", "/tmp/guix-exec-4lVNRO/tmp", 0x47e0cc, MS_RDONLY|MS_BIND|MS_REC, NULL) = 0
4520 mkdir("/tmp/guix-exec-4lVNRO/boot", 0700) = 0
4520 mount("//boot", "/tmp/guix-exec-4lVNRO/boot", 0x47e0cc, MS_RDONLY|MS_BIND|MS_REC, NULL) = 0
That is, all bind-mount operations in the child process, which lives in a separate namespace, succeed.
Can you show the mount options of your root file system?
mount | grep 'on / '
What’s the exit code of this command:
guile -c '((@@ (guix scripts environment) assert-container-features))'
?
Thanks for helping out!
Ludo’.
pelzflorian (Florian Pelz) wrote on 13 May 2019 17:17
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 35662@debbugs.gnu.org)
20190513151736.ffbuofr3vmyqaoov@pelzflorian.localdomain
On Mon, May 13, 2019 at 03:54:11PM +0200, Ludovic Courtès wrote:
> Can you show the mount options of your root file system?
>
> mount | grep 'on / '
>
[f_pelz12@tux6 ~]$ mount | grep 'on / '
rpool/data/subvol-161199-disk-0 on / type zfs (rw,noatime,xattr,posixacl)

> What’s the exit code of this command:
>
> guile -c '((@@ (guix scripts environment) assert-container-features))'
>
> ?
>
Guix is not installed. Using a Guix git repository in ~/guix:
[f_pelz12@tux6 guix]$ guile -c '((@@ (guix scripts environment) assert-container-features))'
[…]
;;; In procedure scm_lreadr: guix/packages.scm:534:11: Unknown # object: #\~
ERROR: In procedure primitive-load-path:
In procedure scm_lreadr: guix/packages.scm:534:11: Unknown # object: #\~

The line in question is:
#~(begin (use-modules (ice-9 ftw)
I do not see how to make it recognize gexps.
If I wanted to compile Guix myself, the configure script reports various missing dependencies (guile-gnutls is among them). I could ask the admin tomorrow if they could set up guix on a test “virtual machine”/container.
I will instead now try this from gnu/build/linux-container.scm:
scheme@(guile-user)> (define (user-namespace-supported?)
  "Return #t if user namespaces are supported on this system."
  (file-exists? "/proc/self/ns/user"))

(define (unprivileged-user-namespace-supported?)
  "Return #t if user namespaces can be created by unprivileged users."
  (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
    (if (file-exists? userns-file)
        (eqv? #\1 (call-with-input-file userns-file read-char))
        #t)))

(define (setgroups-supported?)
  "Return #t if the setgroups proc file, introduced in Linux-libre 3.19,
exists."
  (file-exists? "/proc/self/setgroups"))

scheme@(guile-user)> (user-namespace-supported?)
$1 = #t
scheme@(guile-user)> (unprivileged-user-namespace-supported?)
$2 = #t
scheme@(guile-user)> (setgroups-supported?)
$3 = #t
Regards,
Florian
Ludovic Courtès wrote on 13 May 2019 22:39
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 35662@debbugs.gnu.org)
87tvdyozra.fsf@gnu.org
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> On Mon, May 13, 2019 at 03:54:11PM +0200, Ludovic Courtès wrote:
>> Can you show the mount options of your root file system?
>>
>> mount | grep 'on / '
>>
> [f_pelz12@tux6 ~]$ mount | grep 'on / '
> rpool/data/subvol-161199-disk-0 on / type zfs (rw,noatime,xattr,posixacl)
I suspect ZFS-on-Linux (right?) is doing something unusual here: mount(2) specifies the following reasons for EACCES, and I don’t see anything that would apply:
EACCES A component of a path was not searchable. (See also path_resolution(7).)
EACCES Mounting a read-only filesystem was attempted without giving the MS_RDONLY flag.
The file system may be read-only for various reasons, including: it resides on a read-only optical disk; it resides on a device with a physical switch that has been set to mark the device read-only; the filesystem implementation was compiled with read-only support; or errors were detected when initially mounting the filesystem, so that it was marked read-only and can't be remounted as read-write (until the errors are fixed).
Some filesystems instead return the error EROFS on an attempt to mount a read-only filesystem.
EACCES The block device source is located on a filesystem mounted with the MS_NODEV option.
What do the following commands do on this system?
$ mkdir -p /tmp/test/lib
$ unshare -mrf mount /lib /tmp/test/lib -o bind,readonly
Thanks,
Ludo’.
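The two diagnostics asked for above (the root mount options, and a read-only bind mount under unshare -mrf) can be folded into one probe that repeats what run-in-namespace.c does, step by step, and reports the first step that fails together with its errno. This is an added example, not code from the Guix tree or from anyone in this thread. It assumes a Linux host, a writable /tmp, and /lib as the directory to bind unless another path is given as argv[1]; the names probe_userns_bind_mount, probe_explain and the PROBE_* stages are made up for the example.

```c
/* Added example: a stand-alone probe that repeats the steps of the Guix
 * -RR wrapper (clone into new user+mount namespaces, map ids, bind-mount a
 * directory read-only) and reports the first step that fails.  Not part of
 * Guix or of this bug report.  Assumes Linux, a writable /tmp and, by
 * default, /lib as the directory to bind. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_stage { PROBE_OK, PROBE_CLONE, PROBE_IDMAP, PROBE_MOUNT, PROBE_OTHER };

struct probe_result {
  enum probe_stage stage;   /* first failing step, or PROBE_OK */
  int err;                  /* errno at that step, 0 on success */
};

/* Turn a failing step plus errno into the diagnosis a human wants to read
   (hypothetical helper, named for this example). */
const char *probe_explain(enum probe_stage stage, int err)
{
  switch (stage) {
  case PROBE_OK:
    return "user namespace and read-only bind mount both work";
  case PROBE_CLONE:
    return (err == EPERM || err == EINVAL || err == ENOSYS)
      ? "clone(CLONE_NEWUSER) refused: unprivileged user namespaces disabled or unsupported"
      : "clone(CLONE_NEWUSER) failed";
  case PROBE_IDMAP:
    return "uid_map/gid_map write failed: namespace created but not usable";
  case PROBE_MOUNT:
    return err == EACCES
      ? "bind mount refused with EACCES inside a working user namespace: filesystem or LSM restriction, not a namespace problem"
      : "bind mount failed inside the user namespace";
  default:
    return "probe failed before reaching the mount step";
  }
}

static int write_file(const char *path, const char *content)
{
  int fd = open(path, O_WRONLY | O_CLOEXEC);
  if (fd < 0)
    return -1;
  ssize_t n = write(fd, content, strlen(content));
  int saved = errno;
  close(fd);
  errno = saved;
  return n < 0 ? -1 : 0;
}

/* Child side, already inside the new namespaces.  uid/gid are the caller's
   ids in the parent namespace (getuid() here would return the overflow id
   until the map is written).  Reports through report_fd. */
static void probe_child(const char *source, uid_t uid, gid_t gid, int report_fd)
{
  struct probe_result r = { PROBE_OK, 0 };
  char map[64];
  char root[] = "/tmp/userns-probe-XXXXXX";
  char target[PATH_MAX];

  /* "deny" must be written to setgroups before an unprivileged process may
     write gid_map (Linux >= 3.19); failure on older kernels is ignored. */
  write_file("/proc/self/setgroups", "deny");
  snprintf(map, sizeof map, "%u %u 1\n", (unsigned) uid, (unsigned) uid);
  if (write_file("/proc/self/uid_map", map) != 0) {
    r.stage = PROBE_IDMAP; r.err = errno; goto report;
  }
  snprintf(map, sizeof map, "%u %u 1\n", (unsigned) gid, (unsigned) gid);
  if (write_file("/proc/self/gid_map", map) != 0) {
    r.stage = PROBE_IDMAP; r.err = errno; goto report;
  }

  if (mkdtemp(root) == NULL) {
    r.stage = PROBE_OTHER; r.err = errno; goto report;
  }
  snprintf(target, sizeof target, "%s/lib", root);
  if (mkdir(target, 0700) != 0) {
    r.stage = PROBE_OTHER; r.err = errno; rmdir(root); goto report;
  }
  /* Same flags run-in-namespace.c uses for its bind mounts. */
  if (mount(source, target, "none", MS_BIND | MS_REC | MS_RDONLY, NULL) != 0) {
    r.stage = PROBE_MOUNT; r.err = errno;
  } else {
    umount2(target, MNT_DETACH);
  }
  rmdir(target);
  rmdir(root);

report:
  if (write(report_fd, &r, sizeof r) != (ssize_t) sizeof r)
    _exit(3);
  _exit(r.stage == PROBE_OK ? 0 : 1);
}

/* Parent side: create the namespaces the way run-in-namespace.c does and
   collect the child's report. */
struct probe_result probe_userns_bind_mount(const char *source)
{
  struct probe_result r = { PROBE_OTHER, 0 };
  int fds[2];
  uid_t uid = getuid();
  gid_t gid = getgid();

  if (pipe(fds) != 0) {
    r.err = errno;
    return r;
  }
  /* Raw clone(2), argument order as on x86-64/aarch64; NULL stack means
     the child shares the parent's stack like fork(). */
  pid_t child = syscall(SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
                        NULL, NULL, NULL, NULL);
  if (child < 0) {
    r.stage = PROBE_CLONE; r.err = errno;
    close(fds[0]); close(fds[1]);
    return r;
  }
  if (child == 0) {
    close(fds[0]);
    probe_child(source, uid, gid, fds[1]);   /* never returns */
  }
  close(fds[1]);
  ssize_t n = read(fds[0], &r, sizeof r);
  close(fds[0]);
  waitpid(child, NULL, 0);
  if (n != (ssize_t) sizeof r) {
    /* child died before reporting, e.g. killed by a seccomp filter */
    r.stage = PROBE_OTHER; r.err = 0;
  }
  return r;
}

int main(int argc, char **argv)
{
  const char *source = argc > 1 ? argv[1] : "/lib";
  struct probe_result r = probe_userns_bind_mount(source);
  printf("stage %d, errno %d (%s): %s\n", (int) r.stage, r.err,
         r.err ? strerror(r.err) : "no error", probe_explain(r.stage, r.err));
  return r.stage == PROBE_OK ? 0 : 2;
}
```

Run it as the unprivileged user on the affected host. PROBE_CLONE with EPERM or EINVAL means user namespaces really are unavailable, which is the case the -RR wrapper already handles by falling back to PRoot; PROBE_MOUNT with EACCES reproduces the trace in this report, where clone succeeds and only the bind mount is refused. One caveat when reading that EACCES: mount(2) returns the same errno when a mandatory access control policy denies the mount (AppArmor logs such denials in the kernel log as apparmor="DENIED" operation="mount"), so on a container host it is worth checking dmesg or the audit log before attributing the refusal to the filesystem.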
pelzflorian (Florian Pelz) wrote on 13 May 2019 22:45
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 35662@debbugs.gnu.org)
20190513204524.ozcnp6faamrbfkcv@pelzflorian.localdomain
On Mon, May 13, 2019 at 10:39:21PM +0200, Ludovic Courtès wrote:
> I suspect ZFS-on-Linux (right?) is doing something unusual here:
I suppose it is ZFS on Linux; it is Linux, I can ask the admins if it could be something else.


> What do the following commands do on this system?
>
> $ mkdir -p /tmp/test/lib
> $ unshare -mrf mount /lib /tmp/test/lib -o bind,readonly
>
[f_pelz12@tux6 ~]$ mkdir -p /tmp/test/lib
[f_pelz12@tux6 ~]$ unshare -mrf mount /lib /tmp/test/lib -o bind,readonly
unshare: cannot change root filesystem propagation: Permission denied
Thank *you*, Ludo! A working guix pack would be helpful for me.
Regards,
Florian
pelzflorian (Florian Pelz) wrote on 14 May 2019 10:05
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 35662@debbugs.gnu.org)
20190514080525.xspgsob6payn2ioa@pelzflorian.localdomain
On Mon, May 13, 2019 at 10:45:24PM +0200, pelzflorian (Florian Pelz) wrote:
> On Mon, May 13, 2019 at 10:39:21PM +0200, Ludovic Courtès wrote:
>> I suspect ZFS-on-Linux (right?) is doing something unusual here:
>
> I suppose it is ZFS on Linux; it is Linux, I can ask the admins if it
> could be something else.
>
The admins have confirmed that they use “Proxmox on ZFS” (judging from https://pve.proxmox.com/wiki/ZFS_on_Linux it is ZFS on Linux) and they have confirmed that they have disabled user namespaces in their Proxmox settings.
Regards,
Florian
Ludovic Courtès wrote on 14 May 2019 22:43
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 35662@debbugs.gnu.org)
87h89wydf7.fsf@gnu.org
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> On Mon, May 13, 2019 at 10:45:24PM +0200, pelzflorian (Florian Pelz) wrote:
>> On Mon, May 13, 2019 at 10:39:21PM +0200, Ludovic Courtès wrote:
>> > I suspect ZFS-on-Linux (right?) is doing something unusual here:
>>
>> I suppose it is ZFS on Linux; it is Linux, I can ask the admins if it
>> could be something else.
>>
> The admins have confirmed that they use “Proxmox on ZFS” (judging from
> <https://pve.proxmox.com/wiki/ZFS_on_Linux> it is ZFS on Linux) and
> they have confirmed that they have disabled user namespaces in their
> Proxmox settings.
User namespaces are orthogonal to file systems, but anyway it looks like ZFS is refusing to let us do these things.
I don’t have any great option to offer. You could perhaps modify run-in-namespace.c so that it doesn’t even try user namespaces and instead goes directly to the PRoot option?
However, working around this behavior of ZFS is not completely trivial and I’m not sure we should put much energy into papering over non-standard file system behavior.
Thoughts?
Ludo’.
pelzflorian (Florian Pelz) wrote on 14 May 2019 23:04
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 35662@debbugs.gnu.org)
20190514210453.2p7x3ibpgohwaxot@pelzflorian.localdomain
On Tue, May 14, 2019 at 10:43:56PM +0200, Ludovic Courtès wrote:
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
>
> > On Mon, May 13, 2019 at 10:45:24PM +0200, pelzflorian (Florian Pelz) wrote:
> >> On Mon, May 13, 2019 at 10:39:21PM +0200, Ludovic Courtès wrote:
> >> > I suspect ZFS-on-Linux (right?) is doing something unusual here:
> >>
> >> I suppose it is ZFS on Linux; it is Linux, I can ask the admins if it
> >> could be something else.
> >>
> > The admins have confirmed that they use “Proxmox on ZFS” (judging from
> > <https://pve.proxmox.com/wiki/ZFS_on_Linux> it is ZFS on Linux) and
> > they have confirmed that they have disabled user namespaces in their
> > Proxmox settings.
>
> User namespaces are orthogonal to file systems, but anyway it looks like
> ZFS is refusing to let us do these things.
>
Do I understand correctly that user namespaces are not really disabled (?) but fail on ZFS? This seems strange, but a Web search for “zfs user namespaces” shows other people having trouble with this combination. The admins told me they had to disable user namespaces because it caused some kind of trouble.
> I don’t have any great option to offer. You could perhaps modify
> run-in-namespace.c so that it doesn’t even try user namespaces and
> instead goes directly to the PRoot option?
>
> However working around this behavior of ZFS is not completely trivial
> and I’m not sure we should put much energy to paper over non-standard
> file system behavior.
>
> Thoughts?
>
If ZFS makes user namespaces fail, then could run-in-namespace.c fall back to PRoot when detecting ZFS, somehow?
Regards,
Florian
Giovanni Biscuolo wrote on 15 May 2019 17:20
(address . 35662@debbugs.gnu.org)
87pnojd9s6.fsf@roquette.mug.biscuolo.net
Hello Ludovic and Florian,
I cannot help here, just some thoughts
as you probably already know, Florian, ZFS is not supported in Linux for various reasons, above all for a controversial licensing problem [1]
so using zfsonlinux (the ZFS Linux unofficial kernel module) is basically calling for problems
Ludovic Courtès <ludo@gnu.org> writes:
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
[...]
>> The admins have confirmed that they use “Proxmox on ZFS” (judging from
>> <https://pve.proxmox.com/wiki/ZFS_on_Linux> it is ZFS on Linux)
it's not clearly stated there, I guess it's https://github.com/zfsonlinux/zfs
>> and
>> they have confirmed that they have disabled user namespaces in their
>> Proxmox settings.
I do not understand what this means: if namespaces are disabled **in kernel** that would be detected and guix relocatable binaries should use PRoot by default: am I wrong?
If "disabled user namespace in Proxmox settings" means it has something to do with ZFS filesystem settings, well: it's unorthodox at least :-)
> User namespaces are orthogonal to file systems, but anyway it looks like
> ZFS is refusing to let us do these things.
I don't know if this has something to do with this bug, but:
ZFS is confused by user namespaces (uid/gid mapping) when used with acltype=posixacl
https://github.com/zfsonlinux/zfs/issues/4177
Florian: it should be solved but AFAIU it depends on the kernel/zfsonlinux combination
> I don’t have any great option to offer. You could perhaps modify
> run-in-namespace.c so that it doesn’t even try user namespaces and
> instead goes directly to the PRoot option?
Ludovic (and others): is it possible to add an option to "guix pack -RR" (-RRF?!?) to force the use of PRoot for resulting relocated binaries?
> However working around this behavior of ZFS is not completely trivial
> and I’m not sure we should put much energy to paper over non-standard
> file system behavior.
I agree, this seems a zfsonlinux bug: Florian please can you report it upstream to zfsonlinux?
[...]
HTH! Gio'

[1] https://www.fsf.org/licensing/zfs-and-linux
    https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/
-- Giovanni Biscuolo
Xelera IT Infrastructures
Ludovic Courtès wrote on 15 May 2019 18:15
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 35662@debbugs.gnu.org)
87d0kju220.fsf@gnu.org
Hi,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> Do I understand correctly that user namespaces are not really disabled
> (?) but fail on ZFS?
Correct. Specifically, read-only bind mounts of (and to?) files that reside on ZFS fail with EACCES, which is normally “impossible.”
It would be great if you could ask the admins specifically what they did in relation to user namespaces.
>> I don’t have any great option to offer. You could perhaps modify
>> run-in-namespace.c so that it doesn’t even try user namespaces and
>> instead goes directly to the PRoot option?
>>
>> However working around this behavior of ZFS is not completely trivial
>> and I’m not sure we should put much energy to paper over non-standard
>> file system behavior.
>>
>> Thoughts?
>>
> If ZFS makes user namespaces fail, then could run-in-namespace.c fall
> back to PRoot when detecting ZFS, somehow?
It’s code, so everything is possible :-), but like I wrote it’s a bit of work, and it’s something that cannot happen (AFAIK) with file systems that are part of Linux.
Thanks,
Ludo’.
pelzflorian (Florian Pelz) wrote on 16 May 2019 13:02
(name . Giovanni Biscuolo)(address . g@xelera.eu)
20190516110257.f3ftexzyk2c5akw5@pelzflorian.localdomain
On Wed, May 15, 2019 at 05:20:25PM +0200, Giovanni Biscuolo wrote:
> Hello Ludovic and Florian,
>
> I cannot help here, just some thoughts
>
> as you probably already know, Florian, ZFS is not supported in Linux for
> various reasons, above all for a controversial licensing problem [1]
>
I had forgotten. I remember now that I heard about this.

From a Guix point of view, I believe this maybe should be a WONT-FIX/NOT-OUR-BUG. I will try and set up current ZFS 0.7.13 and test if guix pack -RR works there in a week.
Feel free to skip this unless you are interested:
I asked the admins again. They are using Proxmox 5.4. They say they have disabled user namespaces by commenting the corresponding line in the Proxmox config file (but I am unsure if this just disables Linux Container use of user namespaces or something). They use the ZFS from Proxmox. I looked and found confirmation that this Proxmox uses current ZFS 0.7.13 at:
https://pve.proxmox.com/wiki/Roadmap
http://download.proxmox.com/debian/pve/dists/stretch/pve-no-subscription/binary-amd64/

> I agree, this seems a zfsonlinux bug: Florian please can you report it
> upstream to zfsonlinux?
>
I will try to reproduce on a private PC in a week, then I can report.
Regards,
Florian
Ludovic Courtès wrote on 16 May 2019 13:10
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)
875zqairj8.fsf@gnu.org
Hello,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> From a Guix point of view, I believe this maybe should be a
> WONT-FIX/NOT-OUR-BUG.
Sounds good to me. :-)
Thanks,
Ludo’.
Ludovic Courtès wrote on 16 May 2019 13:10
control message for bug #35662
(address . control@debbugs.gnu.org)
874l5uiri8.fsf@gnu.org
tags 35662 wontfix
close 35662
This issue is archived.
