"Thompson, David" <dthomps...@worcester.edu> writes:

> On Fri, Mar 18, 2016 at 4:51 PM, Ludovic Courtès <l...@gnu.org> wrote:
>> "Thompson, David" <dthomps...@worcester.edu> writes:
>>
>>> I noticed that 'guix environment --container --network' didn't work on
>>> an Ubuntu machine I was on, and the culprit was remounting things like
>>> /etc/resolv.conf read-only after the initial bind mount.
>>
>> [...]
>>
>>> (file-system-mapping >>> (source file) >>> (target file) >>> - (writable? #f)))) >>> + ;; An unpriviliged user might >>> not >>> + ;; be able to remount >>> + ;; /etc/resolv.conf as >>> read-only, >>> + ;; so we say that it is >>> writable >>> + ;; here, even though in >>> practice >>> + ;; it is not. >>> + (writable? #t)))) >>> %network-configuration-files)
>>
>> Not sure I understand: why would bind-mounting /etc/resolv.conf
>> read-only fail?
>
> I haven't figured out the exact reason yet, but here's a strace
> snippet as proof:
>
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23da000,
> MS_RDONLY|MS_BIND, NULL) = 0
> [pid 11334] mount("/etc/resolv.conf",
> "/tmp/guix-directory.Rc4nc6//etc/resolv.conf", 0x23e4080,
> MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not
> permitted)
>
> Another Ubuntu user was able to reproduce this as well.
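Review bot: The comment added above `(writable? #t)` in the quoted hunk says the mapping is declared writable "even though in practice it is not", but it does not say what keeps the file read-only once the mapping no longer requests it. The change applies to every entry of `%network-configuration-files`, not only /etc/resolv.conf, so the comment should name what it relies on, so that a reader can tell whether a process in the container can modify these files. Also, "unpriviliged" should read "unprivileged".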
Looking at the resolvconf man page that Drew mentioned, it seems that /etc/resolv.conf is a symlink when resolvconf is in use, right? If yes, does this make a difference:
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm index 58ccf59..a329eeb 100644 --- a/gnu/build/file-systems.scm +++ b/gnu/build/file-systems.scm @@ -378,7 +378,7 @@ corresponds to the symbols listed in FLAGS." (define (regular-file? file-name) "Return #t if FILE-NAME is a regular file." - (eq? (stat:type (stat file-name)) 'regular)) + (memq (stat:type (stat file-name)) '(regular symlink))) (define* (mount-file-system spec #:key (root "/root")) "Mount the file system described by SPEC under ROOT. SPEC must have the
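Review bot: In the changed line of `regular-file?`, the type still comes from `(stat file-name)`, and Guile's `stat` follows symbolic links, so `stat:type` reports the type of the link's target and never `symlink`; the new `symlink` entry cannot match unless the call becomes `lstat`. `stat` also raises an error on a dangling link, which is the situation this message raises for /etc/resolv.conf. If symlinks are meant to be accepted, the procedure name and the docstring ("Return #t if FILE-NAME is a regular file") no longer describe it, and `memq` returns a list rather than `#t`.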
It may be that the result after this is that you get /etc/resolv.conf in the container, but it’s a dangling symlink. But isn’t it the case already with the patch you propose?

Thanks for finding all these curiosities. :-)

Ludo’.