By which do you mean the build failed gracefully, whereas previously it would have exploded?
Ross

> On 12 Sep 2024, at 18:22, Martin Jansa <martin.ja...@gmail.com> wrote:
>
> Works as expected, the build failed :).
>
> openembedded-core/build$ bitbake -k zlib-native
> ERROR: User namespaces are not usable by BitBake, possibly due to AppArmor.
> See
> https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions
> for more information.
>
> The only issue might be that these checks are executed only once, so
> if you have existing TMPDIR (where it was failing) then it will
> continue failing with:
>
> ERROR: PermissionError: [Errno 1] Operation not permitted
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
> File "/home/martin/work/bitbake/bin/bitbake-worker", line 278, in child
> bb.utils.disable_network(uid, gid)
> File "/home/martin/work/bitbake/lib/bb/utils.py", line 1696, in
> disable_network
> with open("/proc/self/uid_map", "w") as f:
> PermissionError: [Errno 1] Operation not permitted
>
> until TMPDIR is removed and sanity re-executed.
>
> On Thu, Sep 12, 2024 at 6:59 PM Ross Burton via lists.openembedded.org
> <ross.burton=arm....@lists.openembedded.org> wrote:
>>
>> Note that in its final form this hasn't had any testing on an Ubuntu machine,
>> so testing would be appreciated if anyone has an Ubuntu 24.x machine (not a
>> container, need their kernel) with apparmor enabled.
>>
>> Thanks,
>> Ross
>>
>>> On 12 Sep 2024, at 17:57, Ross Burton via lists.openembedded.org
>>> <ross.burton=arm....@lists.openembedded.org> wrote:
>>>
>>> If user namespaces are not available (typically because AppArmor is
>>> blocking them), alert the user.
>>>
>>> We consider network isolation sufficiently important that this is a fatal
>>> error, and the user will need to configure AppArmor to allow bitbake to
>>> create a user namespace.
>>>
>>> [ YOCTO #15592 ]
>>> >>> Signed-off-by: Ross Burton <ross.bur...@arm.com> >>> --- >>> meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++ >>> 1 file changed, 24 insertions(+) >>> >>> diff --git a/meta/classes-global/sanity.bbclass >>> b/meta/classes-global/sanity.bbclass >>> index 1d242f0f0a0..72dab0fea2b 100644 >>> --- a/meta/classes-global/sanity.bbclass >>> +++ b/meta/classes-global/sanity.bbclass >>> @@ -475,6 +475,29 @@ def check_wsl(d): >>> bb.warn("You are running bitbake under WSLv2, this works >>> properly but you should optimize your VHDX file eventually to avoid running >>> out of storage space") >>> return None >>> >>> +def check_userns(): >>> + """ >>> + Check that user namespaces are functional, as they're used for network >>> isolation. >>> + """ >>> + >>> + # There is a known failure case with AppAmrmor where the unshare() call >>> + # succeeds (at which point the uid is nobody) but writing to the >>> uid_map >>> + # fails (so the uid isn't reset back to the user's uid). We can detect >>> this. >>> + parentuid = os.getuid() >>> + pid = os.fork() >>> + if not pid: >>> + try: >>> + bb.utils.disable_network() >>> + except: >>> + pass >>> + os._exit(parentuid != os.getuid()) >>> + >>> + ret = os.waitpid(pid, 0)[1] >>> + if ret: >>> + bb.fatal("User namespaces are not usable by BitBake, possibly due >>> to AppArmor.\n" >>> + "See >>> https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions >>> for more information.") >>> + >>> + >>> # Require at least gcc version 8.0 >>> # >>> # This can be fixed on CentOS-7 with devtoolset-6+ >>> @@ -641,6 +664,7 @@ def check_sanity_version_change(status, d): >>> status.addresult(check_git_version(d)) >>> status.addresult(check_perl_modules(d)) >>> status.addresult(check_wsl(d)) >>> + status.addresult(check_userns()) >>> >>> missing = "" >>> >>> -- >>> 2.34.1 >>> >>> >>> >>> >> >> >>
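Review bot: in the check_userns hunk the child exits 0 whenever bb.utils.disable_network() raises before the uid changes, so a host where unshare(CLONE_NEWUSER) itself is refused passes the check and network isolation still fails later in bitbake-worker; record the exception in the except branch (e.g. `failed = True`) and `os._exit(1)` when either the exception or the uid mismatch is seen, since the comment itself says only the AppArmor uid_map case is detected. While there, the bare `except:` also swallows KeyboardInterrupt and SystemExit (`except Exception:` is enough), the comment has "AppAmrmor", and unlike the other check_* functions this one calls bb.fatal directly and returns None to status.addresult; returning the error string and letting the sanity summary report it would match check_wsl and the neighbouring checks.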
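Review bot: the second hunk wires check_userns into check_sanity_version_change, which only runs when the sanity version or configuration changes, so an existing TMPDIR that passed sanity before the AppArmor restriction took effect never runs the new check and the worker still dies with the uid_map PermissionError quoted above. AppArmor policy can change without any change to the build configuration, so either run this check on every build alongside the per-build sanity checks, or have the failure message tell the user to remove TMPDIR (or otherwise force sanity to re-run) so the check is executed again.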