On Thu, Sep 12, 2024 at 7:28 PM Ross Burton <ross.bur...@arm.com> wrote:
>
> By which do you mean the build failed gracefully, whereas previously it would
> have exploded?
Without an existing TMPDIR it failed with just the error from the sanity check (as expected).

With an existing TMPDIR (where the sanity check was already executed before your change) or without your change applied it fails with many PermissionError exceptions.

I forgot to mention that I did another zlib-native build after

  echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns

and that didn't fail the sanity check nor the build (as expected).

> > On 12 Sep 2024, at 18:22, Martin Jansa <martin.ja...@gmail.com> wrote:
> >
> > Works as expected, the build failed :).
> >
> > openembedded-core/build$ bitbake -k zlib-native
> > ERROR: User namespaces are not usable by BitBake, possibly due to AppArmor.
> > See
> > https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions
> > for more information.
> >
> > The only issue might be that these checks are executed only once, so
> > if you have an existing TMPDIR (where it was failing) then it will
> > continue failing with:
> >
> > ERROR: PermissionError: [Errno 1] Operation not permitted
> >
> > During handling of the above exception, another exception occurred:
> >
> > Traceback (most recent call last):
> >   File "/home/martin/work/bitbake/bin/bitbake-worker", line 278, in child
> >     bb.utils.disable_network(uid, gid)
> >   File "/home/martin/work/bitbake/lib/bb/utils.py", line 1696, in disable_network
> >     with open("/proc/self/uid_map", "w") as f:
> > PermissionError: [Errno 1] Operation not permitted
> >
> > until TMPDIR is removed and sanity re-executed.
> >
> > On Thu, Sep 12, 2024 at 6:59 PM Ross Burton via lists.openembedded.org
> > <ross.burton=arm....@lists.openembedded.org> wrote:
> >>
> >> Note that in its final form this hasn't had any testing on an Ubuntu
> >> machine, so testing would be appreciated if anyone has an Ubuntu 24.x
> >> machine (not a container, need their kernel) with apparmor enabled.
> >>
> >> Thanks,
> >> Ross
> >>
> >>> On 12 Sep 2024, at 17:57, Ross Burton via lists.openembedded.org
> >>> <ross.burton=arm....@lists.openembedded.org> wrote:
> >>>
> >>> If user namespaces are not available (typically because AppArmor is
> >>> blocking them), alert the user.
> >>>
> >>> We consider network isolation sufficiently important that this is a fatal
> >>> error, and the user will need to configure AppArmor to allow bitbake to
> >>> create a user namespace.
> >>>
> >>> [ YOCTO #15592 ]
> >>>
> >>> Signed-off-by: Ross Burton <ross.bur...@arm.com>
> >>> ---
> >>> meta/classes-global/sanity.bbclass | 24 ++++++++++++++++++++++++
> >>> 1 file changed, 24 insertions(+)
> >>>
> >>> diff --git a/meta/classes-global/sanity.bbclass
> >>> b/meta/classes-global/sanity.bbclass
> >>> index 1d242f0f0a0..72dab0fea2b 100644
> >>> --- a/meta/classes-global/sanity.bbclass
> >>> +++ b/meta/classes-global/sanity.bbclass
> >>> @@ -475,6 +475,29 @@ def check_wsl(d): > >>> bb.warn("You are running bitbake under WSLv2, this works > >>> properly but you should optimize your VHDX file eventually to avoid > >>> running out of storage space") > >>> return None > >>> > >>> +def check_userns(): > >>> + """ > >>> + Check that user namespaces are functional, as they're used for > >>> network isolation. > >>> + """ > >>> + > >>> + # There is a known failure case with AppAmrmor where the unshare() > >>> call > >>> + # succeeds (at which point the uid is nobody) but writing to the > >>> uid_map > >>> + # fails (so the uid isn't reset back to the user's uid). We can > >>> detect this. > >>> + parentuid = os.getuid() > >>> + pid = os.fork() > >>> + if not pid: > >>> + try: > >>> + bb.utils.disable_network() > >>> + except: > >>> + pass > >>> + os._exit(parentuid != os.getuid()) > >>> + > >>> + ret = os.waitpid(pid, 0)[1] > >>> + if ret: > >>> + bb.fatal("User namespaces are not usable by BitBake, possibly > >>> due to AppArmor.\n" > >>> + "See > >>> https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions > >>> for more information.") > >>> + > >>> + > >>> # Require at least gcc version 8.0 > >>> # > >>> # This can be fixed on CentOS-7 with devtoolset-6+ > >>> @@ -641,6 +664,7 @@ def check_sanity_version_change(status, d): > >>> status.addresult(check_git_version(d)) > >>> status.addresult(check_perl_modules(d)) > >>> status.addresult(check_wsl(d)) > >>> + status.addresult(check_userns()) > >>> > >>> missing = "" > >>> > >>> -- > >>> 2.34.1 > >>> > >>> > >>> > >>> > >> > >> > >> > >
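Review bot: in check_userns (first hunk) the bare `except: pass` around bb.utils.disable_network(), combined with an exit status derived only from `parentuid != os.getuid()`, means the check detects just the one failure mode named in the comment (unshare() succeeds, the uid_map write fails, the uid stays at nobody). If disable_network() raises for any other reason, or if unshare() itself is refused and the uid never changes, the child exits 0 and the check passes even though no user namespace was created, which contradicts the commit message's position that missing network isolation is fatal. Suggest narrowing to `except Exception` and exiting non-zero from that branch too (logging the exception first), so the fatal message can say which step failed. Two smaller points in the same hunk: `AppAmrmor` in the comment should be `AppArmor`, and since the neighbouring checks return their error text for status.addresult() to collect, returning the message instead of calling bb.fatal() would let this failure be reported together with any other sanity failures.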
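Review bot: registering check_userns() in check_sanity_version_change() (second hunk) means it runs only when the sanity version changes, in practice once per TMPDIR, which is exactly the behaviour Martin reports above: an existing TMPDIR keeps failing in bitbake-worker with `PermissionError: [Errno 1] Operation not permitted` until TMPDIR is removed. Whether unprivileged user namespaces are usable is a property of the host kernel configuration (Martin toggles it with `echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns`) and can change between builds on the same TMPDIR, so this check belongs with the sanity checks that run on every build rather than the version-change ones; failing that, the error raised in bitbake-worker's disable_network path should point at the same release-notes URL so a user with an old TMPDIR gets the same guidance.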
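The detection the patch above implements, as an added example that is not part of the patch or of BitBake's code: a forked probe child calls unshare(CLONE_NEWUSER|CLONE_NEWNET) directly through ctypes and then writes /proc/self/uid_map, so it can tell the AppArmor case discussed in this thread (unshare() succeeds but the uid_map write is refused with EPERM) apart from unshare() itself being refused, which a uid-only comparison cannot. Function names, outcome strings, exit codes and the hint text are my own; the sysctl path in the hint is the one Martin quotes above. Linux and CPython 3.6+ are assumed.

```python
"""Probe whether unprivileged user namespaces are usable, and if not, why.

Added example (not BitBake code). Forks a throwaway child so the parent's
namespaces and network are untouched, then classifies what the child saw.
"""
import ctypes
import os
import sys

# Flag values from <linux/sched.h>.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

# Exit codes reported by the probe child (numbering is this example's own).
PROBE_OK = 0
PROBE_UNSHARE_FAILED = 2
PROBE_UIDMAP_DENIED = 3
PROBE_UID_NOT_RESTORED = 4

OUTCOMES = {
    PROBE_OK: "ok",
    PROBE_UNSHARE_FAILED: "unshare-failed",
    PROBE_UIDMAP_DENIED: "uid_map-denied",
    PROBE_UID_NOT_RESTORED: "uid-not-restored",
}


def _probe_child(parent_uid):
    """Runs in the forked child. Returns an exit code; never raises."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        rc = libc.unshare(CLONE_NEWUSER | CLONE_NEWNET)
    except (OSError, AttributeError):
        return PROBE_UNSHARE_FAILED
    if rc != 0:
        # EPERM/EINVAL here: user namespaces disabled in the kernel, a sysctl
        # knob, or a seccomp filter returning an error instead of killing us.
        return PROBE_UNSHARE_FAILED
    # Until uid_map is written we are the overflow uid (nobody). Mapping our
    # own uid onto itself needs no privilege; this is the write that Ubuntu's
    # apparmor_restrict_unprivileged_userns refuses with EPERM.
    try:
        with open("/proc/self/uid_map", "w") as f:
            f.write("%d %d 1\n" % (parent_uid, parent_uid))
    except OSError:
        return PROBE_UIDMAP_DENIED
    return PROBE_OK if os.getuid() == parent_uid else PROBE_UID_NOT_RESTORED


def probe_userns():
    """Return one of: ok, unshare-failed, uid_map-denied, uid-not-restored,
    killed, fork-failed, unsupported."""
    if not sys.platform.startswith("linux"):
        return "unsupported"
    parent_uid = os.getuid()
    try:
        pid = os.fork()
    except OSError:
        return "fork-failed"
    if pid == 0:
        # _exit: never return into the parent's code from the child.
        os._exit(_probe_child(parent_uid))
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status):
        return "killed"  # e.g. SIGSYS from a seccomp filter on unshare()
    return OUTCOMES.get(os.WEXITSTATUS(status), "killed")


def sanity_message(outcome):
    """None when namespaces are usable, else a message naming the failed step
    (the patch above emits one message for every case; this splits them)."""
    if outcome == "ok":
        return None
    hints = {
        "uid_map-denied": "writing /proc/self/uid_map was refused; on Ubuntu "
                          "24.04 check kernel.apparmor_restrict_unprivileged_userns",
        "unshare-failed": "unshare(CLONE_NEWUSER|CLONE_NEWNET) was refused; check "
                          "that unprivileged user namespaces are enabled",
        "uid-not-restored": "uid_map was written but getuid() did not map back",
        "killed": "the probe child was killed, possibly by a seccomp filter",
        "fork-failed": "could not fork a probe child",
        "unsupported": "user namespaces are only probed on Linux",
    }
    hint = hints.get(outcome, "unknown probe result %r" % (outcome,))
    return "User namespaces are not usable for network isolation: " + hint


if __name__ == "__main__":
    result = probe_userns()
    print(result)
    msg = sanity_message(result)
    if msg:
        print(msg)
        sys.exit(1)
```

Running it as root or on a host where the sysctl is 1 prints `uid_map-denied` and the AppArmor hint; on a kernel built without user namespaces it prints `unshare-failed` instead, which is the case a uid comparison alone reports as healthy.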
View/Reply Online (#204458): https://lists.openembedded.org/g/openembedded-core/message/204458