Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-13 Thread Jose Quaresma
Richard Purdie wrote (Thursday, 12/09/2024 at 21:37): > On Thu, 2024-09-12 at 18:29 +0100, Jose Quaresma via > lists.openembedded.org wrote: > > > > > > Ross Burton via lists.openembedded.org > > wrote (Thursday, > > 12/09/2024 at 17:57): > > > If user namespaces are not available (typical

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Richard Purdie
On Thu, 2024-09-12 at 18:29 +0100, Jose Quaresma via lists.openembedded.org wrote: > > > Ross Burton via lists.openembedded.org > wrote (Thursday, > 12/09/2024 at 17:57): > > If user namespaces are not available (typically because AppArmor is > > blocking them), alert the user. > > > > We co

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Jose Quaresma
Ross Burton wrote (Thursday, 12/09/2024 at 18:32): > > > > On 12 Sep 2024, at 18:29, Jose Quaresma wrote: > > The error message could be better imo. > > It will also happen inside a docker container that runs without the > NET_ADMIN capability, which is the default. > > > https://docs.docker.

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Martin Jansa
On Thu, Sep 12, 2024 at 7:28 PM Ross Burton wrote: > > By which do you mean the build failed gracefully, whereas previously it would > have exploded? Without existing TMPDIR it failed with just the error from sanity check (as expected). With existing TMPDIR (where sanity check was already execu

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Ross Burton
> On 12 Sep 2024, at 18:29, Jose Quaresma wrote: > The error message could be better imo. > It will also happen inside a docker container that runs without the NET_ADMIN > capability, which is the default. > https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Jose Quaresma
Ross Burton via lists.openembedded.org wrote (Thursday, 12/09/2024 at 17:57): > If user namespaces are not available (typically because AppArmor is > blocking them), alert the user. > > We consider network isolation sufficiently important that this is a fatal > error, and the user will need to

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Ross Burton
By which do you mean the build failed gracefully, whereas previously it would have exploded? Ross > On 12 Sep 2024, at 18:22, Martin Jansa wrote: > > Works as expected, the build failed :). > > openembedded-core/build$ bitbake -k zlib-native > ERROR: User namespaces are not usable by BitBake,

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Martin Jansa
Works as expected, the build failed :). openembedded-core/build$ bitbake -k zlib-native ERROR: User namespaces are not usable by BitBake, possibly due to AppArmor. See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for mor

Re: [OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Ross Burton
Note that in its final form this hasn't had any testing on an Ubuntu machine, so testing would be appreciated if anyone has an Ubuntu 24.x machine (not a container, need their kernel) with apparmor enabled. Thanks, Ross > On 12 Sep 2024, at 17:57, Ross Burton via lists.openembedded.org > wrote

[OE-core] [PATCH] sanity: check for working user namespaces

2024-09-12 Thread Ross Burton
If user namespaces are not available (typically because AppArmor is blocking them), alert the user. We consider network isolation sufficiently important that this is a fatal error, and the user will need to configure AppArmor to allow bitbake to create a user namespace. [ YOCTO #15592 ] Signed-o