LXD + Ubuntu 24.04 + --enable-sandbox: pivot_root(".", "old") = -1 EACCES (Permission denied) #348

Closed
AkihiroSuda opened this issue Aug 14, 2024 · 4 comments
Labels
area/packaging Issues about packages like rpm and deb

Comments

@AkihiroSuda
Member

AkihiroSuda commented Aug 14, 2024

```console
$ slirp4netns $(cat /tmp/pid) --enable-sandbox tap0
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             1500
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* DHCP begin:      10.0.2.15
* DHCP end:        10.0.2.30
* Recommended IP:  10.0.2.100
WARNING: 127.0.0.1:* on the host is accessible as 10.0.2.2 (set --disable-host-loopback to prohibit connecting to 127.0.0.1:*)
cannot pivot_root to /tmp
create_sandbox failed
do_slirp is exiting
do_slirp failed
parent failed
```

strace:

```
chdir("/tmp")                           = 0
pivot_root(".", "old")                  = -1 EACCES (Permission denied)
```

version:

```console
$ slirp4netns --version
slirp4netns version 1.2.1
commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.5
```

Originally posted by @AkihiroSuda in rootless-containers/usernetes#337 (comment)

The issue doesn't seem to happen outside LXD.
It was working in Ubuntu 22.04 (slirp4netns v1.0.1), even inside LXD.

@AkihiroSuda
Member Author

The issue doesn't happen when the slirp4netns binary is not placed as /usr/bin/slirp4netns.
The issue might be related to AppArmor.

@AkihiroSuda
Member Author

Workaround:

```bash
echo "pivot_root," >>/etc/apparmor.d/local/slirp4netns
systemctl restart apparmor.service
```
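Added example, not part of the original issue or of the slirp4netns project: a shell sketch that first confirms the kernel log shows an AppArmor `pivot_root` denial for the `slirp4netns` profile, then applies the local override from the workaround above only if the rule is not already there (a plain `>>` appends a duplicate on every run). The function names are hypothetical and the sample log lines are constructed, following the usual AppArmor audit layout as an assumption.

```shell
#!/bin/sh
# Added example; function names and the sample log below are assumptions,
# not taken from the issue.

# Constructed sample of kernel audit lines (assumed AppArmor layout).
SAMPLE_LOG='audit: type=1400 audit(1723600000.000:100): apparmor="DENIED" operation="pivotroot" profile="slirp4netns" name="/tmp/" pid=4242 comm="slirp4netns" srcname="/tmp/old/"
audit: type=1400 audit(1723600001.000:101): apparmor="DENIED" operation="mount" profile="other-profile" name="/mnt/" pid=4243 comm="other"'

# Reads log lines on stdin; succeeds only if one of them is an AppArmor
# DENIED record for a pivot_root operation under profile $1.
has_pivot_root_denial() {
    awk -v p="profile=\"$1\"" '
        /apparmor="DENIED"/ && /operation="pivot_?root"/ && index($0, p) { found = 1 }
        END { exit !found }'
}

# Appends rule $2 to local override file $1 unless that exact line exists.
# Prints "added" or "present"; always returns 0 unless the write fails.
ensure_local_rule() {
    file=$1
    rule=$2
    # -x: whole-line match, -F: literal string, so a longer rule that merely
    # contains "pivot_root," does not count as already present.
    if [ -f "$file" ] && grep -qxF "$rule" "$file"; then
        echo present
        return 0
    fi
    # If the file lacks a trailing newline, add one so the new rule does not
    # get glued onto the previous line and corrupt the profile include.
    if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >>"$file"
    fi
    printf '%s\n' "$rule" >>"$file"
    echo added
}

# Usage on an affected host, as root (paths and rule are from the workaround):
#   dmesg | has_pivot_root_denial slirp4netns \
#     && ensure_local_rule /etc/apparmor.d/local/slirp4netns "pivot_root," \
#     && systemctl restart apparmor.service
```

Checking for the denial first keeps the extra `pivot_root` permission off hosts where the profile is not the cause of the failure.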

@AkihiroSuda
Member Author

Merge request to AppArmor: https://gitlab.com/apparmor/apparmor/-/merge_requests/1298

AkihiroSuda added the area/packaging (Issues about packages like rpm and deb) label Aug 14, 2024
@AkihiroSuda
Member Author

The issue (https://bugs.launchpad.net/apparmor/+bug/2067900) should have been fixed in AppArmor v4.0.2 (https://gitlab.com/apparmor/apparmor/-/merge_requests/1247).
