Works as expected, the build failed :).

openembedded-core/build$ bitbake -k zlib-native
ERROR: User namespaces are not usable by BitBake, possibly due to AppArmor.
See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.

The only issue might be that these checks are executed only once, so
if you have an existing TMPDIR (where it was failing) then it will
continue failing with:

ERROR: PermissionError: [Errno 1] Operation not permitted

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/martin/work/bitbake/bin/bitbake-worker", line 278, in child
    bb.utils.disable_network(uid, gid)
  File "/home/martin/work/bitbake/lib/bb/utils.py", line 1696, in disable_network
    with open("/proc/self/uid_map", "w") as f:
PermissionError: [Errno 1] Operation not permitted

until TMPDIR is removed and sanity re-executed.

On Thu, Sep 12, 2024 at 6:59 PM Ross Burton via lists.openembedded.org
<ross.burton=arm....@lists.openembedded.org> wrote:
>
> Note that in its final form this hasn't had any testing on an Ubuntu machine,
> so testing would be appreciated if anyone has an Ubuntu 24.x machine (not a
> container, need their kernel) with apparmor enabled.
>
> Thanks,
> Ross
>
> > On 12 Sep 2024, at 17:57, Ross Burton via lists.openembedded.org 
> > <ross.burton=arm....@lists.openembedded.org> wrote:
> >
> > If user namespaces are not available (typically because AppArmor is
> > blocking them), alert the user.
> >
> > We consider network isolation sufficiently important that this is a fatal
> > error, and the user will need to configure AppArmor to allow bitbake to
> > create a user namespace.
> >
> > [ YOCTO #15592 ]
> >
> > Signed-off-by: Ross Burton <ross.bur...@arm.com>
> > ---
> > meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++
> > 1 file changed, 24 insertions(+)
> >
> > diff --git a/meta/classes-global/sanity.bbclass 
> > b/meta/classes-global/sanity.bbclass
> > index 1d242f0f0a0..72dab0fea2b 100644
> > --- a/meta/classes-global/sanity.bbclass
> > +++ b/meta/classes-global/sanity.bbclass
> > @@ -475,6 +475,29 @@ def check_wsl(d):
> >             bb.warn("You are running bitbake under WSLv2, this works 
> > properly but you should optimize your VHDX file eventually to avoid running 
> > out of storage space")
> >     return None
> >
> > +def check_userns():
> > +    """
> > +    Check that user namespaces are functional, as they're used for network 
> > isolation.
> > +    """
> > +
> > +    # There is a known failure case with AppAmrmor where the unshare() call
> > +    # succeeds (at which point the uid is nobody) but writing to the 
> > uid_map
> > +    # fails (so the uid isn't reset back to the user's uid). We can detect 
> > this.
> > +    parentuid = os.getuid()
> > +    pid = os.fork()
> > +    if not pid:
> > +        try:
> > +            bb.utils.disable_network()
> > +        except:
> > +            pass
> > +        os._exit(parentuid != os.getuid())
> > +
> > +    ret = os.waitpid(pid, 0)[1]
> > +    if ret:
> > +        bb.fatal("User namespaces are not usable by BitBake, possibly due 
> > to AppArmor.\n"
> > +                 "See 
> > https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions
> >  for more information.")
> > +
> > +
> > # Require at least gcc version 8.0
> > #
> > # This can be fixed on CentOS-7 with devtoolset-6+
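Review bot: the bare `except: pass` around `bb.utils.disable_network()` in check_userns() discards the exception, so the check cannot tell an unshare() that was refused outright from the case the comment describes (unshare() succeeds but the uid_map write fails), and the fatal message can only say "possibly due to AppArmor". Catching `OSError` and passing a distinct code per case, e.g. `os._exit(2)` when unshare() fails and `os._exit(3)` when the uid_map write fails, would let bb.fatal name the actual failure. Two smaller points: `os.waitpid(pid, 0)[1]` is a raw wait status, so `os.waitstatus_to_exitcode(ret)` (or `os.WEXITSTATUS`) would be clearer than testing `ret` directly, and the comment typo "AppAmrmor" should read "AppArmor".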
> > @@ -641,6 +664,7 @@ def check_sanity_version_change(status, d):
> >     status.addresult(check_git_version(d))
> >     status.addresult(check_perl_modules(d))
> >     status.addresult(check_wsl(d))
> > +    status.addresult(check_userns())
> >
> >     missing = ""
> >
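Review bot: check_userns() is only wired into check_sanity_version_change(), which runs when the sanity version changes rather than on every bitbake invocation, so a build tree whose TMPDIR already exists (exactly the case where disable_network() later fails inside bitbake-worker) never sees the new fatal error until TMPDIR is removed and the sanity checks re-run. Either call the check from the per-run sanity path as well, or state in the commit message that existing TMPDIRs need to be reset to pick up the check.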
> > --
> > 2.34.1
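The failure mode discussed in this thread (unshare() succeeds, the uid inside the new namespace is the overflow uid, and the write to /proc/self/uid_map is then refused) can be probed outside of a BitBake sanity run, which is useful precisely because the sanity check only runs once per TMPDIR. The script below is an added example written for this reply; it is not the patch's code nor part of BitBake or bb.utils, and it assumes a Linux host where ctypes can reach libc's unshare(). The names `probe_userns`, `classify` and the exit-code constants are this example's own. Unlike the patch it reports three distinct outcomes instead of a single pass/fail, so the result says whether unshare() itself was refused or only the uid_map write.

```python
import ctypes
import os
import sys

# Constant from <linux/sched.h>; unshare(2) with this flag creates a new user namespace.
CLONE_NEWUSER = 0x10000000

# Exit codes the forked probe child reports back to the parent (chosen for this example).
EXIT_OK = 0              # unshare succeeded and uid_map/gid_map were written
EXIT_UNSHARE_FAILED = 2  # unshare(CLONE_NEWUSER) was refused outright
EXIT_UIDMAP_FAILED = 3   # unshare succeeded but the map writes were refused
EXIT_PROBE_ERROR = 4     # unexpected error inside the child


def classify(exitcode):
    """Map a child exit code (as returned by os.waitstatus_to_exitcode) to a label.

    A negative value means the child died from a signal; anything unexpected
    is reported as 'unknown' rather than guessed at.
    """
    return {
        EXIT_OK: "ok",
        EXIT_UNSHARE_FAILED: "unshare-failed",
        EXIT_UIDMAP_FAILED: "uidmap-failed",
    }.get(exitcode, "unknown")


def _probe_child(uid, gid):
    """Runs in the forked child and never returns; every path ends in os._exit()."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        if libc.unshare(CLONE_NEWUSER) != 0:
            os._exit(EXIT_UNSHARE_FAILED)
        # Inside the new namespace our uid is unmapped, so getuid() reports the
        # overflow uid (typically 65534, "nobody") until uid_map is written.
        try:
            with open("/proc/self/setgroups", "w") as f:
                f.write("deny")  # required before an unprivileged gid_map write
            with open("/proc/self/uid_map", "w") as f:
                f.write(f"{uid} {uid} 1\n")
            with open("/proc/self/gid_map", "w") as f:
                f.write(f"{gid} {gid} 1\n")
        except OSError:
            # This is the AppArmor case from the thread: EPERM on the map write.
            os._exit(EXIT_UIDMAP_FAILED)
        # Same criterion the patch uses: the uid must be mapped back to the caller's uid.
        os._exit(EXIT_OK if os.getuid() == uid else EXIT_UIDMAP_FAILED)
    except BaseException:
        os._exit(EXIT_PROBE_ERROR)


def probe_userns():
    """Fork a child, run the namespace probe in it, and return a label for the outcome."""
    if not sys.platform.startswith("linux"):
        return "unsupported"
    uid, gid = os.getuid(), os.getgid()
    pid = os.fork()
    if pid == 0:
        _probe_child(uid, gid)
    _, status = os.waitpid(pid, 0)
    return classify(os.waitstatus_to_exitcode(status))


if __name__ == "__main__":
    result = probe_userns()
    print(f"user namespace probe: {result}")
    sys.exit(0 if result == "ok" else 1)
```

Run it as the same user that runs bitbake, on the host kernel rather than inside a container; "uidmap-failed" corresponds to the PermissionError quoted above from bitbake-worker, while "unshare-failed" points at a kernel or sysctl that does not permit unprivileged user namespaces at all.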
View/Reply Online (#204452): 
https://lists.openembedded.org/g/openembedded-core/message/204452