(address . bug-guix@gnu.org)
I’m observing this:
Toggle snippet (8 lines)
$ guix environment --ad-hoc coreutils -C
guix environment: error: mount: mount "/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16" on "/tmp/guix-directory.Nagh8Y//gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16": Operation not permitted
$ uname -rv
4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28)
$ cat /proc/sys/kernel/unprivileged_userns_clone
1
Excerpt of the strace log:
Toggle snippet (18 lines)
7605 mkdir("/tmp/guix-directory.EtXAVT/dev/mqueue", 0777) = 0
7605 mount("mqueue", "/tmp/guix-directory.EtXAVT//dev/mqueue", "mqueue", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
7605 stat("/home/lcourtes", {st_mode=S_IFDIR|0710, st_size=4096, ...}) = 0
7605 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
7605 mkdir("/tmp/guix-directory.EtXAVT", 0777) = -1 EEXIST (File exists)
7605 mkdir("/tmp/guix-directory.EtXAVT/home", 0777) = 0
7605 mkdir("/tmp/guix-directory.EtXAVT/home/lcourtes", 0777) = 0
7605 mount("/home/lcourtes", "/tmp/guix-directory.EtXAVT//home/lcourtes", 0xeea390, MS_BIND, NULL) = 0
7605 stat("/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
7605 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
7605 mkdir("/tmp/guix-directory.EtXAVT", 0777) = -1 EEXIST (File exists)
7605 mkdir("/tmp/guix-directory.EtXAVT/gnu", 0777) = 0
7605 mkdir("/tmp/guix-directory.EtXAVT/gnu/store", 0777) = 0
7605 mkdir("/tmp/guix-directory.EtXAVT/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", 0777) = 0
7605 mount("/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", "/tmp/guix-directory.EtXAVT//gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", 0xeea3b0, MS_RDONLY|MS_BIND, NULL) = 0
7605 mount("/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", "/tmp/guix-directory.EtXAVT//gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", 0xeea3d0, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
The read-only remount comes from ‘mount-file-system’ in (gnu build
file-systems):
;; For read-only bind mounts, an extra remount is needed, as per
;; http://lwn.net/Articles/281157/, which still applies to Linux
;; 4.0.
(when (and (= MS_BIND (logand flags MS_BIND))
(= MS_RDONLY (logand flags MS_RDONLY)))
(let ((flags (logior MS_BIND MS_REMOUNT MS_RDONLY)))
(mount source mount-point type flags #f)))
This recipe has been working well “forever”, although it’s probably
unnecessary with recent kernels (the LWN article is from 2008).
The problem may have to do with the fact that /gnu/store is an NFS
mount. Indeed, similar commands fail on $HOME (also an NFS mount):
Toggle snippet (7 lines)
$ mkdir t m
$ unshare -mrf
# mount --bind ./t ./m
# mount --bind -r -o remount ./t ./m
mount: /home/lcourtes/m: permission denied.
… but they succeed on /tmp (not an NFS mount):
Toggle snippet (7 lines)
$ mkdir /tmp/t
$ mkdir /tmp/m
$ unshare -mrf
# mount --bind /tmp/{t,m}
# mount --bind -r -o remount /tmp/{t,m}
To be continued…
Ludo’.