On Thu, 2024-09-12 at 18:29 +0100, Jose Quaresma via lists.openembedded.org wrote: > > > Ross Burton via lists.openembedded.org > <ross.burton=arm....@lists.openembedded.org> escreveu (quinta, > 12/09/2024 à(s) 17:57): > > If user namespaces are not available (typically because AppArmor is > > blocking them), alert the user. > > > > We consider network isolation sufficiently important that this is a > > fatal > > error, and the user will need to configure AppArmor to allow > > bitbake to > > create a user namespace. > > > > [ YOCTO #15592 ] > > > > Signed-off-by: Ross Burton <ross.bur...@arm.com> > > --- > > meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++ > > 1 file changed, 24 insertions(+) > > > > diff --git a/meta/classes-global/sanity.bbclass b/meta/classes- > > global/sanity.bbclass > > index 1d242f0f0a0..72dab0fea2b 100644 > > --- a/meta/classes-global/sanity.bbclass > > +++ b/meta/classes-global/sanity.bbclass 
> > @@ -475,6 +475,29 @@ def check_wsl(d): > > bb.warn("You are running bitbake under WSLv2, this > > works properly but you should optimize your VHDX file eventually to > > avoid running out of storage space") > > return None > > > > +def check_userns(): > > + """ > > + Check that user namespaces are functional, as they're used for > > network isolation. > > + """ > > + > > + # There is a known failure case with AppAmrmor where the > > unshare() call > > + # succeeds (at which point the uid is nobody) but writing to > > the uid_map > > + # fails (so the uid isn't reset back to the user's uid). We > > can detect this. > > + parentuid = os.getuid() > > + pid = os.fork() > > + if not pid: > > + try: > > + bb.utils.disable_network() > > + except: > > + pass > > + os._exit(parentuid != os.getuid()) > > + > > + ret = os.waitpid(pid, 0)[1] > > + if ret: > > + bb.fatal("User namespaces are not usable by BitBake, > > possibly due to AppArmor.\n" > > + "See > > https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions > > for more information.") > > > > > The error message could be better imo. > It will also happen inside a docker container that runs without the > NET_ADMIN capability, which is the default. > https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
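Review bot: The bare `except: pass` around `bb.utils.disable_network()` in the child swallows the case where `unshare()` itself raises, and since a refused `unshare()` leaves the uid untouched, `parentuid != os.getuid()` is false, the child exits 0 and the check passes although user namespaces are not usable; the docstring "Check that user namespaces are functional" therefore promises more than the comparison detects. Either narrow the handler and have the child exit non-zero on an exception as well, or reword the docstring and comment to say that only the uid_map-write failure is covered. Two smaller points in the same hunk: "AppAmrmor" in the comment should read "AppArmor", and `os.waitpid(pid, 0)[1]` is a raw wait status, so a signal-killed child would also be reported as the AppArmor case; decoding it with `os.waitstatus_to_exitcode()` (or `os.WIFEXITED`/`os.WEXITSTATUS`) keeps the fatal message tied to the uid-mapping failure.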
Did you actually observe that? If the unshare() fails, the uids will still match and I don't think the error message will trigger but I could be wrong. What we want to detect is where the unshare() works but the uid mapping then fails which is the annoying apparmor corner case.

Cheers,

Richard
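A stand-alone probe for the distinction Richard draws above (unshare() refused versus unshare() succeeding and the uid mapping failing), added here as an example; it is not the patch's code nor part of bitbake. It assumes the CLONE_NEWUSER/CLONE_NEWNET values from the Linux headers, that unshare() is reachable through the process's libc via ctypes, and that mapping the caller's uid and gid onto themselves through /proc/self/uid_map and gid_map (after denying setgroups) is the same mapping a network-isolation helper like disable_network() writes; the outcome labels and exit codes are my own choice.

```python
"""Probe whether unprivileged user namespaces are usable, separating
"unshare() refused" from the AppArmor corner case "unshare() succeeded but
the uid mapping could not be written".  Example code, not part of bitbake."""
import ctypes
import os

# Flag values from <linux/sched.h>.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

OK = "ok"                           # namespace created and uid mapped back to the caller
UNSHARE_FAILED = "unshare-failed"   # unshare() itself returned an error; uid never changed
UIDMAP_FAILED = "uidmap-failed"     # unshare() worked but uid_map could not be written
CRASHED = "crashed"                 # child died from a signal or an unexpected error

# Exit codes the forked child uses to report its outcome to the parent (constructed).
_EXIT = {OK: 0, UNSHARE_FAILED: 1, UIDMAP_FAILED: 2}


def classify(unshare_failed, uidmap_failed, uid_before, uid_after):
    """Pure decision logic, separated so it can be tested without privileges.

    A failed unshare() leaves the uid untouched, which is why a check that only
    compares uids cannot see it: it must be reported explicitly.  After a
    successful unshare() the uid reads as the overflow uid ("nobody") until
    uid_map is written, so a uid mismatch means the mapping failed."""
    if unshare_failed:
        return UNSHARE_FAILED
    if uidmap_failed or uid_before != uid_after:
        return UIDMAP_FAILED
    return OK


def _child_probe():
    """Runs in the forked child; never returns."""
    uid, gid = os.getuid(), os.getgid()
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
        os._exit(_EXIT[classify(True, False, uid, uid)])
    uidmap_failed = False
    try:
        # Map the caller's own uid/gid onto themselves; setgroups must be
        # denied before an unprivileged process may write gid_map.
        with open("/proc/self/setgroups", "w") as f:
            f.write("deny")
        with open("/proc/self/uid_map", "w") as f:
            f.write(f"{uid} {uid} 1")
        with open("/proc/self/gid_map", "w") as f:
            f.write(f"{gid} {gid} 1")
    except OSError:
        uidmap_failed = True
    os._exit(_EXIT[classify(False, uidmap_failed, uid, os.getuid())])


def decode_child_status(status):
    """Translate a raw os.waitpid() status into one of the outcome labels."""
    if not os.WIFEXITED(status):
        return CRASHED
    code = os.WEXITSTATUS(status)
    for label, value in _EXIT.items():
        if value == code:
            return label
    return CRASHED


def probe_user_namespaces():
    """Fork a throwaway child so the namespace change never touches the caller."""
    pid = os.fork()
    if pid == 0:
        try:
            _child_probe()
        finally:
            os._exit(3)  # only reached if _child_probe raised; decodes as CRASHED
    _, status = os.waitpid(pid, 0)
    return decode_child_status(status)


if __name__ == "__main__":
    result = probe_user_namespaces()
    print(result)
    raise SystemExit(0 if result == OK else 1)
```

Keeping the decision in `classify()` means the three outcomes can be exercised without a namespace at all, and the parent decodes the wait status rather than treating any non-zero value as the AppArmor case.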