bug#43321: programs depending on libcap 2.31 are crashing (including ntpd, chrony, and potentially others)
Hello, I am experiencing issues with ntpd crashing after a recent `guix pull` and `guix system reconfigure`. Messages like the following can be found in /var/log/messages --8<---cut here---start->8--- Sep 9 10:04:06 localhost ntpd[10104]: Listen normally on 10 wlp2s0 [fda3:bae9:8e85:0:1421:58a2:ada:1923]:123 Sep 9 10:04:06 localhost vmunix: [13620.607643] traps: ntpd[10104] general protection fault ip:7fc1baa34207 sp:7ffd6b331f80 error:0 in libcap.so.2.31[7fc1baa33000+3000] Sep 9 10:04:06 localhost ntpd[10104]: Listen normally on 11 wlp2s0 [2601:582:300:88a:58f1:d50e:9b9a:37d7]:123 Sep 9 10:04:06 localhost ntpd[10104]: Listen normally on 12 wlp2s0 [fe80::487a:7283:64fd:9e25%6]:123 Sep 9 10:04:06 localhost ntpd[10104]: Listen normally on 13 tun0 [fe80::7672:ef25:4507:33e7%7]:123 Sep 9 10:04:06 localhost ntpd[10104]: Listening on routing socket on fd #30 for interface updates Sep 9 10:04:06 localhost ntpd[10104]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized Sep 9 10:04:06 localhost ntpd[10104]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized Sep 9 10:04:06 localhost shepherd[1]: Service ntpd has been disabled. Sep 9 10:04:06 localhost shepherd[1]: (Respawning too fast.) --8<---cut here---end--->8--- At first I thought this was ntpd specific so I tried switching to chronyd and experienced the same problem. --8<---cut here---start->8--- Sep 9 14:41:56 localhost shepherd[1]: Service chronyd has been started. Sep 9 14:41:56 localhost chronyd[26478]: chronyd version 3.5.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER -SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG) Sep 9 14:41:56 localhost vmunix: [30290.527369] traps: chronyd[26478] general protection fault ip:7f1653729207 sp:7fffc9161900 error:0 in libcap.so.2.31[7f1653728000+3000] Sep 9 14:41:56 localhost shepherd[1]: Respawning chronyd. --8<---cut here---end--->8--- I was able to fix the issue by rebuilding chronyd with the libcap/next package. To give more context - I'm using guix master and am using the latest 5.8 kernel. I'm wondering if it might be something related to recent kernel upgrades but I haven't tried reverting to a previous kernel. Is there a plan to go ahead and perform the switch described in the source code for gnu/packages/linux.scm? --8<---cut here---start->8--- ;; libcap 2.31 causes problems for 'fakeroot', so provide this newer variant. ;; To be merged with libcap on the next rebuild cycle. (define-public libcap/next (package (inherit libcap) (version "2.34") (source (origin (method url-fetch) (uri (string-append "mirror://kernel.org/linux/libs/security/linux-privs/" "libcap2/libcap-" version ".tar.xz")) (sha256 (base32 "048n1gy2p48vl9hkrr9wymfxxcpwj2aslz2bv79nhl4m2lhd9kdf")) --8<---cut here---end--->8--- Best, Jesse
bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
Hi All, I believe the recommended suggestion is Debian specific is it not? My kernel supports user namespaces and doesn't expose that file at that location. The only way I can work around the issue is to downgrade guix to the commit on the master branch right before 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e guix pull --commit=0d5d1bdf911659f60601058e8e1678187b7ba664 --allow-downgrades Best, Jesse On Sun, Dec 6, 2020 at 12:03 PM zimoun wrote: > Hi, > > Please try the recommendation. Have you tried it? > > please set /proc/sys/kernel/unprivileged_userns_clone to "1" > > As root, you just do: > > echo 1 > /proc/sys/kernel/unprivileged_userns_clone > > then “guix environment -C” should work as expected. To do the trick > automatically with Sheperd, I do not know, but I am sure that the > systemd equivalent > > echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf > sysctl --system > > seems doable with Guix System. > > > On my system, and I need explanations if it does not work similarly on > yours, I simply do: > > --8<---cut here---start->8--- > $ guix environment -C --ad-hoc hello -- hello > guix environment: error: cannot create container: unprivileged user cannot > create user namespaces > guix environment: error: please set > /proc/sys/kernel/unprivileged_userns_clone to "1" > > $ su - > Password: > # echo 1 > /proc/sys/kernel/unprivileged_userns_clone > # logout > > $ guix environment -C --ad-hoc hello -- hello > Hello, world! > --8<---cut here---end--->8--- > > Hope that helps, > simon > > > >
bug#41546: Shepherd network activation failures on armhf
Hello, I recently experienced a problem with the latest master branch code on an armhf device. I was able to track down and fix the issue but it required changes to guix/build/syscalls.scm. My system previously booted correctly but after a recent 'guix pull' and 'guix system reconfigure' my device would fail to activate all networking related services on boot including loopback. The error message on failure in the terminal when trying to 'herd start networking' was unhelpful but manual management of the network interfaces could be completed successfully so it seemed to be an issue specific to the way Shepherd was activating the loopback interface. I was able to track my issue down to recently introduced code in guix/build/syscalls.scm related to the GNU Hurd. The following patch fixes the problem for me. The core of the issue is that the new Hurd related checks use string-suffix? rather than string-contains like the code elsewhere in the module. Whan string-suffix? is used it doesn't match my system %host-type which is "arm-unknown-linux-gnueabihf" and the -socket-address!/hurd branch is taken rather than -socket-address!/linux. I don't know if this is only a problem on my unsupported device. I'm running guix system on a Raspberry Pi 4b. Here's the patch that fixes the issue for me. - diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 8070c5546f..6be322d68f 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -1404,7 +1404,7 @@ bytevector BV at INDEX." (error "unsupported socket address" sockaddr) (define write-socket-address! - (if (string-suffix? "linux-gnu" %host-type) + (if (string-contains %host-type "linux-gnu") write-socket-address!/linux write-socket-address!/hurd)) @@ -1436,7 +1436,7 @@ bytevector BV at INDEX." (vector family) (define read-socket-address - (if (string-suffix? "linux-gnu" %host-type) + (if (string-contains %host-type "linux-gnu") read-socket-address/linux read-socket-address/hurd)) --- Best Regards, Jesse
