10 Oct 2024 |
V. 🏳️⚧️ | Yeah sorry, though I didn't deem those messages relevant | 16:07:00 |
V. 🏳️⚧️ | In reply to @aloisw:kde.org I can reproduce the issue on that system, let's see if I can get somewhere. Oh right, the GHA runner is Ubuntu 24.04 as well | 16:08:14 |
aloisw | Yeah but the weird thing is that it's happening inside the sandbox, so it's likely somehow related to the kernel. | 16:09:42 |
aloisw | Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.035:1054): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97402 comm="unshare" requested="userns_create" target="unprivileged_userns"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.110:1055): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97425 comm="unshare" requested="userns_create" target="unprivileged_userns"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.233:1056): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97439 comm="nix-store" requested="userns_create" target="unprivileged_userns"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.235:1057): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97439 comm="nix-store" requested="userns_create" target="unprivileged_userns"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.236:1058): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=97445 comm="nix-store" flags="rw, rprivate"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.273:1059): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97444 comm="nix" requested="userns_create" target="unprivileged_userns"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.274:1060): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=97444 comm="nix" requested="userns_create" target="unprivileged_userns"
Oct 10 18:21:02 xubuntu kernel: audit: type=1400 audit(1728577262.276:1061): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=97451 comm="nix" flags="rw, rprivate"
These show up in the kernel log, and probably something inside Lix mishandles these denials. | 16:22:14 |
K900 | Mmm apparmor | 16:26:06 |
aloisw | Yeah but we should just fail outright instead of doing weird stuff (that eventually fails anyway) when the mount is denied. | 16:27:01 |
aloisw | It seems that Ubuntu deliberately breaks unprivileged user namespaces since 23.10 using AppArmor. | 16:36:15 |
KFears (tragedy arc) | But why... | 16:41:00 |
V. 🏳️⚧️ | https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces | 16:41:49 |
jade_ | In reply to @vigress9:matrix.org https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces i would say this is an ubuntu bug or an installer bug then. it is effectively not possible to know where the nix binary is besides perhaps by allowlisting the entire nix store or somehow using the profile link (which then still is jacked for local dev) | 20:54:29 |
jade_ | can either of you please file an issue on lix mentioning this so that someone can find it in the future | 20:55:04 |
jade_ | the other thing that nix could do if it is running as a privileged daemon is to inject apparmor that disables this into the sandbox | 20:56:20 |
jade_ | but in general we allow userns in the sandbox, even though it is somewhat of a magnet for kernel bugs. it is rather important for testing ourselves! maybe in a future version of the derivation specification you would have to explicitly allow userns access that applies to all systems, but IMO the only reasonable way to proceed now is to eliminate differences between systems tbh. | 20:58:01 |
11 Oct 2024 |
aloisw | In reply to @jade_:matrix.org i would say this is an ubuntu bug or an installer bug then. it is effectively not possible to know where the nix binary is besides perhaps by allowlisting the entire nix store or somehow using the profile link (which then still is jacked for local dev) The Lix bug is that it fails weirdly though. Ideally the error should be caught properly and Lix would do something sensible about it (fail, or disable the sandbox if sandbox-fallback is enabled) instead of doing weird things. | 06:58:49 |
KFears (tragedy arc) | Regarding Flake lockfiles: I think we can solve the long-term issue by taking the same approach as OpenTofu: https://opentofu.org/docs/intro/whats-new/#override-files-for-opentofu-keeping-compatibility
We can create flake.lix.lock or flake.ice or flake.lixfile or whatever that CppNix will for sure never read, and then we change Lix to read this new lockfile instead. If it doesn't exist, we copy the flake.lock to new lockfile and read the new lockfile. That way, after a few releases, we can remove the fallback behavior and introduce changes to the lockfile format, like having semver versions instead of int versions | 12:22:35 |
K900 | Hm, I'm not sure if this actually affects anything | 14:40:47 |
K900 | But nix-daemon reaps build processes after refscanning | 14:41:07 |
K900 | So you can end up with a zombie process just sitting there for a while | 14:41:18 |
Linux Hackerman | I just opened https://git.lix.systems/lix-project/lix/issues/544 -- I'll try to make and send a fix this evening. I'm a bit confused about the stack trace though -- I'm building with meson build -C build (having run meson setup build ) then running build/src/nix/nix and the stack trace looks pretty much the same (barring file paths). Any ideas why more of the frames can't be resolved into symbols? | 14:47:25 |
Linux Hackerman | ok, found it without the computer telling me where the exception comes from: https://gerrit.lix.systems/c/lix/+/2057 | 15:25:38 |
V. 🏳️⚧️ | In reply to @jade_:matrix.org can either of you please file an issue on lix mentioning this so that someone can find it in the future Done | 15:43:20 |
V. 🏳️⚧️ | In reply to @kfears:matrix.org
Regarding Flake lockfiles: I think we can solve the long-term issue by taking the same approach as OpenTofu: https://opentofu.org/docs/intro/whats-new/#override-files-for-opentofu-keeping-compatibility
We can create flake.lix.lock or flake.ice or flake.lixfile or whatever that CppNix will for sure never read, and then we change Lix to read this new lockfile instead. If it doesn't exist, we copy the flake.lock to new lockfile and read the new lockfile. That way, after a few releases, we can remove the fallback behavior and introduce changes to the lockfile format, like having semver versions instead of int versions flake.lick is right there | 16:06:09 |
K900 | lewd | 16:06:29 |
KFears (tragedy arc) | Very memorable, though | 16:10:22 |
KFears (tragedy arc) | One issue: i and o are adjacent on qwerty keyboard | 16:10:39 |
K900 | The true multiverse brain would be to then rename flakes to flicks | 16:11:41 |
K900 | So the filename is flick.lick | 16:11:47 |
K900 | (or, if we really want to mess with people, flick.lock) | 16:12:02 |
KFears (tragedy arc) | drop.kick | 16:21:12 |
oli | In reply to@vigress9:matrix.org
flake.lick is right there mmm tasty ice cream | 17:07:37 |