Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

syscall: TestUnshare fails with "operation not permitted", even with CONFIG_NET_NS=y #17206

Closed
owlab-exp opened this issue Sep 23, 2016 · 11 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Testing An issue that has been verified to require only test changes, not just a test failure.
Milestone

Comments

@owlab-exp
Copy link

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

none

What operating system and processor architecture are you using (go env)?

linux arm64

What did you do?

If possible, provide a recipe for reproducing the error.

A complete runnable program is good.

A link on play.golang.org is best.

I am building go1.7.1 on my arm64 machine, with go-linux-arm64-bootstrap.
I performed all.bash in src directory.

What did you expect to see?

Completed build without any error.

What did you see instead?

Build failed with the following error

...
--- FAIL: TestUnshare (0.01s)
    exec_linux_test.go:171: Cmd failed with err fork/exec /bin/cat: operation not permitted, output: 
FAIL
FAIL    syscall 0.960s
...

So, I changed the exec_linux_test.go from this,

165         cmd := exec.Command("cat", path)
166         cmd.SysProcAttr = &syscall.SysProcAttr{
167                 Unshareflags: syscall.CLONE_NEWNET,
168         }
169         out, err := cmd.CombinedOutput()
170         if err != nil {
171                 t.Fatalf("Cmd failed with err %v, output: %s", err, out)
172         }
173 
174         // Check there is only the local network interface
175         sout := strings.TrimSpace(string(out))
176         if !strings.Contains(sout, "lo:") {
177                 t.Fatalf("Expected lo network interface to exist, got %s", sout)
178         }
179 
180         lines := strings.Split(sout, "\n")
181         if len(lines) != 3 {
182                 t.Fatalf("Expected 3 lines of output, got %d", len(lines))
183         }

to this,

165         cmd := exec.Command("cat", path)
166         //cmd.SysProcAttr = &syscall.SysProcAttr{
167         //      Unshareflags: syscall.CLONE_NEWNET,
168         //}
169         out, err := cmd.CombinedOutput()
170         if err != nil {
171                 t.Fatalf("Cmd failed with err %v, output: %s", err, out)
172         }
173 
174         // Check there is only the local network interface
175         sout := strings.TrimSpace(string(out))
176         if !strings.Contains(sout, "lo:") {
177                 t.Fatalf("Expected lo network interface to exist, got %s", sout)
178         }
179 
180         lines := strings.Split(sout, "\n")
181         //if len(lines) != 3 {
182         if len(lines) != 4 {
183                 t.Fatalf("Expected 3 lines of output, got %d", len(lines))
184         }

After those changes, building finished without error.

@minux
Copy link
Member

minux commented Sep 23, 2016 via email

@owlab-exp
Copy link
Author

I am running it in a physical machine (Hikey board, debian-jessie), not in a container.

@mwhudson
Copy link
Contributor

Which kernel? Maybe it doesn't have CONFIG_NET_NS=y set?

@owlab-exp
Copy link
Author

The kernel is 3.1.8-linaro-hikey.
And /boot/config-3.1.8.0-linaro-hikey shows :

CONFIG_NET_NS=y

@minux
Copy link
Member

minux commented Sep 26, 2016 via email

@mwhudson
Copy link
Contributor

3.1 still sounds pretty old but I certainly don't know the details here,
sorry.

On 26 September 2016 at 13:16, Hun Jae Lee notifications@github.com wrote:

The kernel is 3.1.8-linaro-hikey.
And /boot/config-3.1.8.0-linaro-hikey shows :

CONFIG_NET_NS=y


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#17206 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AApBFuvQsEl-GVYA1cfA9_ifZLWXMkdJks5qtw7ggaJpZM4KEuEV
.

@quentinmit quentinmit changed the title exec_linux_test.go:171: Cmd failed with err fork/exec /bin/cat: operation not permitted syscall: TestUnshare fails with "operation not permitted", even with CONFIG_NET_NS=y Oct 3, 2016
@quentinmit quentinmit added this to the Go1.8 milestone Oct 3, 2016
@quentinmit quentinmit added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 3, 2016
@mdcnz
Copy link

mdcnz commented Oct 24, 2016

Saw this issue in a docker container:
starting from docker golang:1.7.3-wheezy image
removed go1.7.3
downloaded go1.4 binaries
git clone latest go source
ran ./all.bash as root

--- FAIL: TestUnshare (0.00s)
exec_linux_test.go:177: Cmd failed with err fork/exec /bin/cat: operation not permitted

If test is skipped, build is successful.

go version devel +3cbfcaa Mon Oct 24 02:33:39 2016 +0000 linux/amd64

@rsc rsc modified the milestones: Go1.9, Go1.8 Nov 11, 2016
@CAFxX
Copy link
Contributor

CAFxX commented Mar 14, 2017

Ran into this today using docker:

FROM ubuntu:latest
RUN apt-get -y update && apt-get install -y git golang build-essential gcc
RUN git clone https://github.com/golang/go.git
CMD cd go/src; GOROOT_BOOTSTRAP=`go env GOROOT` ./all.bash

@bradfitz
Copy link
Contributor

@CAFxX, privileged container or not? Kernel version? What does "ubuntu:latest" currently resolve to?

@bradfitz bradfitz added the Testing An issue that has been verified to require only test changes, not just a test failure. label Jul 14, 2017
@gopherbot
Copy link

CL https://golang.org/cl/48571 mentions this issue.

@shanemhansen
Copy link
Contributor

FWIW I verified that go1.9 docker builds work if you use the --privileged.

@golang golang locked and limited conversation to collaborators Sep 12, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Testing An issue that has been verified to require only test changes, not just a test failure.
Projects
None yet
Development

No branches or pull requests

10 participants