Path: csiph.com!news.mixmin.net!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: Lew Pitcher
Newsgroups: alt.os.linux.slackware, comp.os.linux.misc, comp.os.linux.development.apps, comp.unix.programmer
Subject: Re: Need advice about fixing PROC mount failures in a DIY Linux container
Date: Sat, 7 Jan 2023 02:12:43 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 80
Message-ID:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 7 Jan 2023 02:12:43 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="84209f28f2d99b4b985f1e397a1c4211"; logging-data="3487729"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+2F82mT+6hwpm2M8BTyZDgUadnibRwd1Y="
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
Cancel-Lock: sha1:qboNfa4irnoWbUa98nymSgt0udE=
Xref: csiph.com alt.os.linux.slackware:33971 comp.os.linux.misc:36664 comp.os.linux.development.apps:917 comp.unix.programmer:14119

On Sat, 07 Jan 2023 01:27:28 +0000, Lew Pitcher wrote:

> Hi, all
>
> I've come late to the party, and have just started learning
> about the ins and outs of Linux containers. To get a better
> understanding of the subject, I decided to learn about the
> underlying technologies by building my own container software.
>
> I've modelled my DIY container on Brian Swetland's mkbox
> container[1], and have a demonstration program that works
> on my development system (a 64bit AMD Ryzen 5 3400G with
> Radeon Vega Graphics, running Slackware Linux 14.2 with
> the 4.4.301 kernel and all available patches applied).
> [1] https://github.com/swetland/mkbox
>
>
> However, when I run either Brian's mkbox or my demo program
> on my "production" system (another 64bit AMD Ryzen 5 3400G
> with Radeon Vega Graphics, running Slackware Linux 14.2 with
> the 4.4.301 kernel and all available patches applied), the
> container breaks while trying to mount the proc filesystem
> to the new (isolated) root fs.
>
> Specifically, I get an "Operation not permitted" error when
> I try to
>   mount("proc","proc","proc",MS_REC,NULL)
> /but/ ONLY ON THIS ONE SYSTEM.
>
> This failure affects both my DIY container and Brian's mkbox
> container.
>
> With my DIY container, I've checked the capabilities given
> to the container process, and they are identical and complete
> on both systems. On both systems, I run the container process
> (mine and Brian's) from the same unprivileged UID/GID.
>
> I have to conclude that there's a difference in the two
> environments that causes this problem, but I don't know what
> that difference is. Both systems use the same type of CPU, the
> same amount of memory, the same 64-bit addressing mode,
> the same kernel, and the same distribution (with the same
> essential utilities).
>
> There /are/ differences in the two systems:
> On the development system, my user is a member of a
> number of groups that it is not a member of on the
> "production" system. I run a root pulseaudio (I have my
> reasons) on the development system that I do not on
> the "production" system. Et cetera.
>
> Can anyone suggest an environmental factor or set of
> factors that might cause this behaviour?
>
[snip]

Well, I can answer my own question, now. But the answer leads
to more questions.

The reason I get "Operation not permitted" on the container /proc
mount on my "production" system is that I also run an nfs server
on my "production" system (and do not run one on my development
system), and this nfs server maintains two mountpoints within the
/proc filesystem.
Apparently, the attempt to mount /proc within my container was
blocked by the existence of these two mount points (/proc/fs/nfs
and /proc/fs/nfsd), as when I shut down my rpc and nfs servers,
and umounted these two mounts, I could successfully run my demo
container.

/Now/ the question is: how do I get my container /proc mount to
ignore or bypass these two nfsd mounts?

--
Lew Pitcher
"In Skills, We Trust"
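A diagnostic in the spirit of the finding above, added here as an example and not code from the post or from mkbox: it parses the /proc/self/mountinfo table (field 5 of each record is the mount point) and lists the mounts nested under a given mountpoint, so a container launcher can report submounts such as /proc/fs/nfsd before it attempts the proc mount instead of only seeing EPERM. The sample table is constructed; its mount ids and filesystem types are made up.

```c
/* Added example (not from the post or mkbox): parse /proc/self/mountinfo
 * (field 5 = mount point) and list the mounts nested under a mountpoint, so
 * a launcher can see submounts such as /proc/fs/nfsd before mount("proc",...). */
#include <stdio.h>
#include <string.h>

/* Collect mount points strictly below `parent`; returns how many. */
int find_submounts(const char *mountinfo, const char *parent,
                   char out[][256], int max)
{
    int n = 0; size_t plen = strlen(parent); const char *line = mountinfo;
    while (*line && n < max) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line), *p = line;
        /* skip fields 1-4: mount id, parent id, major:minor, root */
        for (int f = 0; f < 4 && p && p < end; f++) {
            p = memchr(p, ' ', (size_t)(end - p));
            if (p) p++;
        }
        if (p && p < end) {
            const char *q = memchr(p, ' ', (size_t)(end - p));
            size_t mlen = q ? (size_t)(q - p) : (size_t)(end - p);
            if (mlen > plen && mlen < 256 &&
                memcmp(p, parent, plen) == 0 && p[plen] == '/') {
                memcpy(out[n], p, mlen); out[n][mlen] = '\0'; n++;
            }
        }
        line = eol ? eol + 1 : end;
    }
    return n;
}

/* Constructed sample in mountinfo layout (ids and fstypes are made up). */
static const char sample_mountinfo[] =
    "22 21 0:4 / /proc rw,nosuid - proc proc rw\n"
    "40 22 0:30 / /proc/fs/nfsd rw,relatime - nfsd nfsd rw\n"
    "41 22 0:31 / /proc/fs/nfs rw,relatime - rpc_pipefs rpc_pipefs rw\n"
    "23 21 0:5 / /sys rw,nosuid - sysfs sysfs rw\n";

int main(void)
{
    char found[16][256]; static char buf[65536];
    int n = find_submounts(sample_mountinfo, "/proc", found, 16);
    for (int i = 0; i < n; i++) printf("sample: %s\n", found[i]);
    FILE *fp = fopen("/proc/self/mountinfo", "r"); if (!fp) return 1; /* Linux */
    buf[fread(buf, 1, sizeof buf - 1, fp)] = '\0'; fclose(fp);
    n = find_submounts(buf, "/proc", found, 16);
    for (int i = 0; i < n; i++) printf("live: %s\n", found[i]);
    return 0;
}
```

Run it from the mount namespace the container will be created in; mount points containing spaces appear in mountinfo as octal escapes such as \040, which this parser does not decode.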