'guix pack -R' breaks bubblewrap

Status: Done
Participants: André A. Gomes, Ludovic Courtès
Owner: unassigned
Submitted by: André A. Gomes
Severity: normal

André A. Gomes wrote on 12 Jun 2023 14:59
guix pack regression
(address . bug-guix@gnu.org)
871qig3kgi.fsf@gmail.com
Hello Guix,

I've produced a guix pack with the same command that I've always used
(which includes passing the -RR flag), but I now get the following
message:

bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

Any ideas? Thanks.


Guix version:

guix f36b8a9
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: f36b8a9763087d2b9d3705595fbc34b054297ab8

--
André A. Gomes
"You cannot even find the ruins..."
Ludovic Courtès wrote on 15 Jun 2023 17:57
(name . André A. Gomes)(address . andremegafone@gmail.com)(address . 64014@debbugs.gnu.org)
87o7lgvhuo.fsf@gnu.org
Hi,

André A. Gomes <andremegafone@gmail.com> skribis:

> I've produced a guix pack with the same command that I've always used
> (which includes passing the -RR flag), but I now get the following
> message:
>
> bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

This message is apparently from bubblewrap, not from Guix.

I suppose you might get this if you do ‘guix pack -R bubblewrap’ and
then try to run ‘bwrap’ from that pack: the ‘bwrap’ executable already
runs in a separate user namespace and might be unable to create one (?).

HTH,
Ludo’.
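
The error message names one sysctl, and the reply above suspects that ‘bwrap’ is already running inside a user namespace. The shell script below is an added example, not part of the thread and not code from Guix or bubblewrap; it reports both conditions. Its function names and the extra `user.max_user_namespaces` check are additions that the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): report settings that decide whether an
# unprivileged process can create a user namespace. Function names are made up.

# in_initial_userns UID_MAP_FILE
# The initial user namespace maps the whole ID range onto itself
# ("0 0 4294967295"); any other mapping means a child namespace.
in_initial_userns() {
    awk 'NR == 1 && $1 == 0 && $2 == 0 && $3 == 4294967295 { ok = 1 }
         END { exit !(ok && NR == 1) }' "$1" 2>/dev/null
}

# userns_report PROC_ROOT
# Prints one finding per line; returns non-zero if a sysctl forbids creation.
userns_report() {
    proc=${1:-/proc}
    blockers=0
    # Distribution-specific knob named in the bwrap error message.
    f=$proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo "blocked: kernel.unprivileged_userns_clone=0"
        blockers=$((blockers + 1))
    fi
    # Upstream limit (assumption: not mentioned in the thread); 0 disables
    # user namespace creation altogether.
    f=$proc/sys/user/max_user_namespaces
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo "blocked: user.max_user_namespaces=0"
        blockers=$((blockers + 1))
    fi
    # The hypothesis from the reply: the caller is already in a namespace.
    if in_initial_userns "$proc/self/uid_map"; then
        echo "info: running in the initial user namespace"
    else
        echo "info: already inside a non-initial user namespace"
    fi
    [ "$blockers" -eq 0 ]
}

# PROC_ROOT is a parameter so the checks can be pointed at constructed files.
userns_report /proc || true
```

Running it once on the host and once from a shell started inside the pack shows whether the second line of reasoning applies: only the latter should report a non-initial namespace.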
André A. Gomes wrote on 15 Jun 2023 18:10
Re: bug#64014: guix pack regression
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 64014@debbugs.gnu.org)
87v8fo3dv4.fsf@gmail.com
Ludovic Courtès <ludo@gnu.org> writes:

> I suppose you might get this if you do ‘guix pack -R bubblewrap’ and
> then try to run ‘bwrap’ from that pack: the ‘bwrap’ executable already
> runs in a separate user namespace and might be unable to create one (?).

Hi Ludovic,

Thanks for the answer. You've helped me to figure it out. The guix
pack I've created has webkitgtk in it, which in turn uses bubblewrap.

However, I didn't have this issue in the past. It could be that
webkitgtk changed something in their logic perhaps. I'd have to look
deeper.

Another strategy would be to try to reproduce your recipe in an older
Guix version to see what happens (guix pack -R bubblewrap followed by
bwrap).


--
André A. Gomes
"You cannot even find the ruins..."
Ludovic Courtès wrote on 17 Jun 2023 16:08
Re: bug#64014: guix pack regression
(name . André A. Gomes)(address . andremegafone@gmail.com)(address . 64014@debbugs.gnu.org)
87mt0yqizr.fsf@gnu.org
Hi,

André A. Gomes <andremegafone@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> I suppose you might get this if you do ‘guix pack -R bubblewrap’ and
>> then try to run ‘bwrap’ from that pack: the ‘bwrap’ executable already
>> runs in a separate user namespace and might be unable to create one (?).

[...]

> Another strategy would be to try to reproduce your recipe in an older
> Guix version to see what happens (guix pack -R bubblewrap followed by
> bwrap).

Yes, that’d be great. If you still have that older pack that didn’t
have the problem, you could also run it under ‘strace -f -o
/tmp/log.strace’ to see what happens before the failure.

Thanks,
Ludo’.
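
One way to read the ‘strace -f -o’ log suggested above, as an added example that is not part of the thread: the awk filter lists every failed attempt to create a user namespace together with the program that made it. The function names, the sample log and its `HASH` placeholder path are constructed for illustration; the filter does not reassemble `<unfinished ...>` lines.

```shell
#!/bin/sh
# Added example (not from the thread): find failed user-namespace creation
# in a log written by 'strace -f -o FILE'. Each line starts with the PID.

userns_failures() {
    awk '
    # Successful execve: remember which program each PID is running.
    $2 ~ /^execve\(/ && $0 ~ / = 0$/ {
        split($2, q, "\""); exe[$1] = q[2]
    }
    # Successful clone/fork: the child PID starts as a copy of the parent.
    $2 ~ /^(clone|clone3|fork|vfork)\(/ && $(NF-1) == "=" && $NF ~ /^[0-9]+$/ {
        exe[$NF] = exe[$1]
    }
    # Failed unshare/clone that asked for a new user namespace.
    $2 ~ /^(unshare|clone|clone3)\(/ && /CLONE_NEWUSER/ && / = -1 E/ {
        call = $2; sub(/\(.*/, "", call)
        err = $0; sub(/.* = -1 /, "", err); sub(/ .*/, "", err)
        print $1, call, err, (exe[$1] != "" ? exe[$1] : "?")
    }' "$1"
}

# Constructed log mirroring the scenario hypothesised in the thread: a packed
# program enters a user namespace, then a child bwrap fails to create another.
sample_log() {
    cat <<'EOF'
4242  execve("/tmp/pack/bin/browser", ["browser"], 0x7ffc0 /* 40 vars */) = 0
4242  unshare(CLONE_NEWNS|CLONE_NEWUSER) = 0
4242  clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f00) = 4243
4243  execve("/gnu/store/HASH-bubblewrap/bin/bwrap", ["bwrap"], 0x7ffc0 /* 40 vars */) = 0
4243  clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|CLONE_NEWPID|SIGCHLD) = -1 EPERM (Operation not permitted)
4243  exit_group(1) = ?
EOF
}

log=$(mktemp)
sample_log > "$log"
userns_failures "$log"   # columns: PID, syscall, errno, program
rm -f "$log"
```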
Ludovic Courtès wrote on 17 Jun 2023 16:08
control message for bug #64014
(address . control@debbugs.gnu.org)
87legiqizk.fsf@gnu.org
tags 64014 + moreinfo
quit
Ludovic Courtès wrote on 17 Jun 2023 16:08
(address . control@debbugs.gnu.org)
87jzw2qiyt.fsf@gnu.org
retitle 64014 'guix pack -R' breaks bubblewrap
quit
André A. Gomes wrote on 30 Jun 2023 16:56
Re: bug#64014: guix pack regression
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 64014@debbugs.gnu.org)
874jmpatil.fsf@gmail.com
Ludovic Courtès <ludo@gnu.org> writes:

> Yes, that’d be great. If you still have that older pack that didn’t
> have the problem, you could also run it under ‘strace -f -o
> /tmp/log.strace’ to see what happens before the failure.

Ludovic, I didn't reach any meaningful conclusion. Please close this
issue. Thanks.


--
André A. Gomes
"You cannot even find the ruins..."
Ludovic Courtès wrote on 10 Jul 2023 23:30
(name . André A. Gomes)(address . andremegafone@gmail.com)(address . 64014-done@debbugs.gnu.org)
87mt0378v4.fsf@gnu.org
André A. Gomes <andremegafone@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Yes, that’d be great. If you still have that older pack that didn’t
>> have the problem, you could also run it under ‘strace -f -o
>> /tmp/log.strace’ to see what happens before the failure.
>
> Ludovic, I didn't reach any meaningful conclusion. Please close this
> issue. Thanks.

Done!
Closed