New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TEST-01-BASIC started suddenly failing in an unprivileged nspawn container on Arch Linux #13177
Comments
Ah, I see, this is from the relevant system.journal file:
The problematic line is:
Looks suspiciously related to #13141. @poettering |
Also, all this is because I screwed up the "skip" regex for man-only PRs, so CentOS CI just skipped the testing for #13141, sorry for that... (Fixed in systemd/systemd-centos-ci@fc74aa2) |
hmm, this is puzzling... My guess would be that the local kernel on those older distros accepts only a smaller range. Uh oh. Any chance you can test what values those kernels accept? i.e. echo "0 2147483647" into it, then "0 1073741823", then "0 536870911", "0 268435455", … i.e. all 2^n-1 from 31 down, to see what works on those kernels? |
@poettering given that it happens in user namespaces only I think it has something to do with https://lore.kernel.org/patchwork/patch/959770/, according to which
FWIW it's Arch and hence the kernel there isn't that old (5.2.2-arch1-1-ARCH to be precise) |
As @evverx said, the kernel is pretty new according to the os info log
|
@mrc0mmand @poettering would it maybe make sense to revert that PR to fix CentOS CI and then try to come up with something that would work in nspawn containers where only 65536 gids are mapped onto user namespaces by default and where |
hmmm urks, i see, nasty... i wonder what a long term fix for this could be though... what kind of container manager is this? How is /proc/sys/ mounted in it? i.e. read-only? or is this nspawn? |
It's nspawn:
|
hmm, i though we mounted /proc/sys read-only anyway... /me is confused |
This reverts commit 90ce762. See systemd#13177 (comment)
Yes, usually we do but it doesn't matter when |
I'm not sure how to fix it in general but I think in this particular case |
hmm, maybe we should introduce a |
I think we've discussed that before (though I can't seem to find the thread) and agreed that it might be a good idea. But in this case it's not enough because I think silently messing up |
hmm, what? it's automatically cast to the nearest value? but that'd actually be great! |
Not really. It turns |
hmm, well, but that might simply be because it leaves the values unset, and they then refer to the host gids, which get translated to the overflowgid for display, right? i mean, they are just the same values as before setting them and getting EINVAL, no? |
@poettering to answer these questions I or anybody else needs to launch a couple of containers (with and without https://lore.kernel.org/patchwork/patch/959770/). It might take a while. In the meantime, CentOS CI has been failing for two days and the only reliable way to "fix" it I came up with is to revert that PR: #13187. |
This reverts commit 90ce762. See #13177 (comment)
I posted #13191 now, which implements the "-" thing. Works fine, and behaves correctly according to my tests. (i.e. |
Centos CI passed with #13187, so let's close this. |
This reverts commit 90ce7627dfe824ff6e7c0ca5f96350fbcfec7118. See systemd/systemd#13177 (comment)
systemd version the issue has been seen with
Used distribution
For some reason past ~8 runs consistently failed with:
Full log: https://ci.centos.org/job/systemd-ci-build/745/artifact//artifacts_all/artifacts_Nuy3FU/vagrant-logs.aXu/vagrant-arch-testsuite.bow/TEST-01-BASIC_FAIL.log
The text was updated successfully, but these errors were encountered: