sandbox fails on debian 10 #161

Closed
rohrschacht opened this issue Nov 23, 2019 · 11 comments
Labels
bug Something isn't working

Comments

@rohrschacht (Contributor)

I compiled podman and slirp4netns from scratch on my debian buster server. When trying to run any container, podman fails with the error:

```
ERRO[0002] slirp4netns failed: "
sent tapfd=7 for tap0
WARNING: Support for sandboxing is experimental
received tapfd=7
cannot mount tmpfs on /tmp
create_sandbox failed
do_slirp is exiting
do_slirp failed
parent failed
WARNING: Support for sandboxing is experimental
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
"
```

After that, podman exits with error 126.

I can reproduce this error reliably by following the Usage example from the Readme and adding the --enable-sandbox flag at the end of the slirp4netns command. It gives the same output and exits with error 1.
However, I was not able to reproduce it on a fresh debian buster vm, in which I have also compiled podman and slirp4netns from scratch. I retried compiling on my server to no avail. I also tried with the v0.4.1 and v0.4.2 tags from the repo. It is only happening on my server, which seems to suggest it has something to do with my setup.

```
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
$ uname -a
Linux europa 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
$ slirp4netns --version
slirp4netns version 0.4.2+dev
commit: 7145c996bd65f5bb6c4b076484279d237b5d1666
```

I already traced down the error to this mount statement in sandbox.c.
When disabling that code block by commenting it like in this commit, everything works fine. I can run the example and podman also works without error.

Since I don't know how the sandbox works, I don't know why this remount is needed. Would it be ill-advised to run slirp4netns without it?
If so, do you have any suggestions on why that remount fails on my server?

@AkihiroSuda (Member)

cc @giuseppe

@giuseppe (Collaborator)

> I compiled podman and slirp4netns from scratch on my debian buster server.

I was also not able to reproduce the error on a fresh installed Debian Buster machine.

Could you run slirp4netns under strace, like:

```
strace -f -e mount slirp4netns ....
```

and share the output?

It might be that /tmp is not mounted. Can you also share the output for `cat /proc/self/mountinfo`?

@rohrschacht (Contributor, author)

Thanks for taking a look!
The output of `strace -f -e mount slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0 --enable-sandbox` is:

```
WARNING: Support for sandboxing is experimental
strace: Process 24678 attached
sent tapfd=5 for tap0
[pid 24678] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=24678, si_uid=1001, si_status=0, si_utime=0, si_stime=0} ---
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
mount("", "/", 0x55dfc0f2ee07, MS_PRIVATE, NULL) = 0
mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, "size=1k") = 0
mount("", "/etc", 0x55dfc0f2ee07, MS_REC|MS_SLAVE, NULL) = -1 EINVAL (Invalid argument)
mount("/etc", "/tmp/etc", 0x55dfc0f2ee07, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
mount("", "/tmp/etc", 0x55dfc0f2ee07, MS_REC|MS_SLAVE, NULL) = 0
mount("/etc", "/tmp/etc", 0x55dfc0f2ee07, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
mount("", "/run", 0x55dfc0f2ee07, MS_REC|MS_SLAVE, NULL) = 0
mount("/run", "/tmp/run", 0x55dfc0f2ee07, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
mount("", "/tmp/run", 0x55dfc0f2ee07, MS_REC|MS_SLAVE, NULL) = 0
mount("/run", "/tmp/run", 0x55dfc0f2ee07, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
mount("tmpfs", "/", 0x55dfc0f2e2e7, MS_RDONLY|MS_REMOUNT, "size=0k") = -1 EPERM (Operation not permitted)
cannot mount tmpfs on /tmp
create_sandbox failed
do_slirp is exiting
do_slirp failed
parent failed
+++ exited with 1 +++
```

> It might be that /tmp is not mounted. Can you also share the output for cat /proc/self/mountinfo?

I have tried with both a tmpfs mounted on /tmp and without that. Currently I have a tmpfs mounted on /tmp.

Output of `cat /proc/self/mountinfo`:
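The request above is to check from /proc/self/mountinfo whether /tmp is actually a mount point and what per-mount options it carries. The following C program is an added example, not slirp4netns code: it parses mountinfo records and reports whether a given path is mounted and has the nosuid,nodev,noexec options the sandbox sets on its own tmpfs and bind mounts. The embedded sample is constructed from three lines modelled on the output in this thread.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not slirp4netns code: audit /proc/self/mountinfo for a mount
 * point and the hardening options (nosuid,nodev,noexec) the sandbox relies on. */

struct mntrec {
    char mountpoint[256]; /* field 5 (spaces are escaped as \040 by the kernel) */
    char options[256];    /* field 6: per-mount options, e.g. rw,nosuid,nodev */
    char fstype[64];      /* first field after the "-" separator */
};

/* Parse one record: "id parent maj:min root mountpoint opts [optional...] - fstype source superopts".
 * Returns 1 on success, 0 if the line is malformed. */
static int parse_mountinfo_line(const char *line, struct mntrec *out)
{
    const char *sep = strstr(line, " - ");
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "%*s %*s %*s %*s %255s %255s", out->mountpoint, out->options) != 2)
        return 0;
    return sep && sscanf(sep + 3, "%63s", out->fstype) == 1;
}

/* Return 1 if the comma-separated option list contains opt as a whole item. */
static int has_option(const char *options, const char *opt)
{
    size_t n = strlen(opt);
    for (const char *p = options; *p; ) {
        size_t len = strcspn(p, ",");
        if (len == n && strncmp(p, opt, n) == 0)
            return 1;
        p += len;
        if (*p == ',') p++;
    }
    return 0;
}

/* Scan mountinfo text for mountpoint. Returns -1 if the path is not a mount
 * point at all (the case suspected for /tmp above), 0 if it is mounted but
 * lacks one of the required options, 1 if all required options are present.
 * fstype_out (optional) receives the filesystem type of the matching mount. */
int audit_mountpoint(const char *mountinfo, const char *mountpoint,
                     const char *const *required, size_t nreq,
                     char *fstype_out, size_t fslen)
{
    for (const char *p = mountinfo; *p; ) {
        size_t len = strcspn(p, "\n");
        char line[1024];
        struct mntrec rec;
        if (len < sizeof(line)) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_mountinfo_line(line, &rec) && strcmp(rec.mountpoint, mountpoint) == 0) {
                if (fstype_out)
                    snprintf(fstype_out, fslen, "%s", rec.fstype);
                for (size_t i = 0; i < nreq; i++)
                    if (!has_option(rec.options, required[i]))
                        return 0;
                return 1;
            }
        }
        p += len;
        if (*p == '\n') p++;
    }
    return -1;
}

/* Constructed sample modelled on the poster's mountinfo: / on ext4, /run and /tmp on tmpfs. */
const char *SAMPLE_MOUNTINFO =
    "21 0 9:2 / / rw,relatime shared:1 - ext4 /dev/md2 rw,data=ordered\n"
    "20 21 0:18 / /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs rw,mode=755\n"
    "834 21 0:155 / /tmp rw,nosuid,nodev shared:322 - tmpfs tmpfs rw\n";
```

To audit a live system, read /proc/self/mountinfo into a buffer and pass it in place of SAMPLE_MOUNTINFO; a return of 0 for /tmp with nosuid,nodev,noexec shows exactly which mount the sandbox would otherwise have to harden itself.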

@giuseppe (Collaborator)

thanks for the strace output, it is very helpful.

Could you try replacing MS_RDONLY|MS_REMOUNT with MS_RDONLY|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_NOEXEC ?

I think the kernel complains that we don't keep these options set.

@rohrschacht (Contributor, author)

Sadly, that didn't solve the problem.
I'll attach the strace output of that run.

```
strace -f -e mount slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0 --enable-sandbox
WARNING: Support for sandboxing is experimental
strace: Process 22171 attached
sent tapfd=5 for tap0
[pid 22171] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22171, si_uid=1001, si_status=0, si_utime=0, si_stime=0} ---
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
mount("", "/", 0x56049ed62e07, MS_PRIVATE, NULL) = 0
mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, "size=1k") = 0
mount("", "/etc", 0x56049ed62e07, MS_REC|MS_SLAVE, NULL) = -1 EINVAL (Invalid argument)
mount("/etc", "/tmp/etc", 0x56049ed62e07, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
mount("", "/tmp/etc", 0x56049ed62e07, MS_REC|MS_SLAVE, NULL) = 0
mount("/etc", "/tmp/etc", 0x56049ed62e07, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
mount("", "/run", 0x56049ed62e07, MS_REC|MS_SLAVE, NULL) = 0
mount("/run", "/tmp/run", 0x56049ed62e07, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
mount("", "/tmp/run", 0x56049ed62e07, MS_REC|MS_SLAVE, NULL) = 0
mount("/run", "/tmp/run", 0x56049ed62e07, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
mount("tmpfs", "/", 0x56049ed622e7, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT, "size=0k") = -1 EPERM (Operation not permitted)
cannot mount tmpfs on /tmp
create_sandbox failed
do_slirp is exiting
do_slirp failed
parent failed
+++ exited with 1 +++
```

@AkihiroSuda AkihiroSuda added the bug Something isn't working label Nov 26, 2019
@giuseppe (Collaborator)

thanks for trying it out. Could you also try to drop the "size=0k" and replace it with NULL?

@rohrschacht (Contributor, author)

Thanks for keeping at it.
Unfortunately, still the same result:

```
mount("tmpfs", "/", 0x5636ace002e7, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT, NULL) = -1 EPERM (Operation not permitted)
```

To check, I also ran with the original mount options and NULL, but no luck either:

```
mount("tmpfs", "/", 0x561a35d982e7, MS_RDONLY|MS_REMOUNT, NULL) = -1 EPERM (Operation not permitted)
```

@giuseppe (Collaborator)

could you do just another attempt to replace both "tmpfs" with ""?

If you are on Freenode, please poke me (I am giuseppe there as well) so we can look at it together.

rohrschacht added a commit to rohrschacht/slirp4netns that referenced this issue Nov 30, 2019
@AkihiroSuda (Member)

@rohrschacht Will you open a PR?

@rohrschacht (Contributor, author)

Thanks for reminding me. I wanted to test this setup for some time and everything seems to work fine! I opened a PR now.

@AkihiroSuda (Member)

Thanks, let's keep this open until merging #163

@AkihiroSuda AkihiroSuda reopened this Dec 3, 2019
rohrschacht added a commit to rohrschacht/slirp4netns that referenced this issue Dec 3, 2019