unshare(1) fails within testbed VMs

Bug #2063214 reported by Paride Legovini
Affects: Auto Package Testing
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

We hit this while running src:autopkgtest autopackage tests (d/t/unshare), but other packages may be affected too. In short: this works on my Noble laptop:

paride@ossimoro:~$ cat /etc/subuid
paride:100000:65536
paride@ossimoro:~$ cat /etc/subgid
paride:100000:65536

paride@ossimoro:~$ unshare --map-auto --map-root-user
root@ossimoro:~# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@ossimoro:~# su -c id
uid=0(root) gid=0(root) groups=0(root)

However, in a Noble amd64 testbed VM (running in lcy02):

ubuntu@autopkgtest:~$ cat /etc/subuid
ubuntu:100000:65536
ubuntu@autopkgtest:~$ cat /etc/subgid
ubuntu:100000:65536

ubuntu@autopkgtest:~$ unshare --map-auto --map-root-user
root@autopkgtest:~# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@autopkgtest:~# su -c id
su: cannot set groups: Operation not permitted
root@autopkgtest:~# echo $?
1

I am currently unable to tell what differs between the two systems.

Paride Legovini (paride) wrote:

That depends on:

  kernel.apparmor_restrict_unprivileged_userns

See: https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

Changed in auto-package-testing:
status: New → Invalid
status: Invalid → Triaged
Paride Legovini (paride) wrote:

We should make sure the testbed images have

  kernel.apparmor_restrict_unprivileged_userns=0

We probably want that to be added to setup-testbed.
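As an added example (not part of the bug report and not the autopkgtest project's own setup-testbed code), the following POSIX shell snippet shows how a testbed provisioning step could check the sysctl named in the comments, render the `kernel.apparmor_restrict_unprivileged_userns=0` drop-in, and repeat the report's functional probe (`unshare --map-auto --map-root-user su -c id`) to confirm whether `su` can set groups inside the user namespace. The function names, the drop-in file name and the `report` entry point are my own assumptions; only the sysctl key, its value and the unshare/su command line come from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from autopkgtest.
# Classifies the AppArmor unprivileged-userns sysctl and reproduces the
# report's `su -c id` probe inside an unshare'd user namespace.

SYSCTL_PATH=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
# Assumed drop-in path; the report only names the key and value.
DROPIN_PATH=/etc/sysctl.d/60-testbed-unprivileged-userns.conf

# Map a raw sysctl value to a verdict. An empty value means the kernel
# exposes no such knob (non-Ubuntu or older kernel), so the AppArmor
# restriction cannot be what breaks setgroups there.
classify_userns_restriction() {
    case "$1" in
        0)  echo "unrestricted" ;;
        1)  echo "restricted" ;;
        "") echo "absent" ;;
        *)  echo "unknown:$1" ;;
    esac
}

# Read the live value if the knob exists; print nothing otherwise.
read_userns_restriction() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    fi
}

# Functional probe matching the report's transcript: does `su -c id`
# succeed inside `unshare --map-auto --map-root-user`? Prints "ok",
# "fail", or "skip" when unshare is not available on this host.
probe_unshare_su() {
    command -v unshare >/dev/null 2>&1 || { echo skip; return 0; }
    if unshare --map-auto --map-root-user su -c id >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Render the sysctl.d line a setup-testbed step would install.
# Argument: desired value (defaults to 0, as the comment proposes).
render_sysctl_dropin() {
    printf 'kernel.apparmor_restrict_unprivileged_userns=%s\n' "${1:-0}"
}

# Write the drop-in and apply it immediately (needs root on the testbed).
install_sysctl_dropin() {
    render_sysctl_dropin 0 > "$DROPIN_PATH"
    sysctl -p "$DROPIN_PATH"
}

# Summarise the current state before and after any change.
report() {
    value=$(read_userns_restriction)
    echo "sysctl state: $(classify_userns_restriction "$value")"
    echo "unshare+su probe: $(probe_unshare_su)"
}

# Usage: sh check-userns.sh report    (or: sh check-userns.sh install)
case "${1:-}" in
    report)  report ;;
    install) report; install_sysctl_dropin; report ;;
esac
```

On a Noble testbed where the probe prints `fail` and the sysctl state is `restricted`, the two lines together point at the same cause the comments identify; on a host where the knob is `absent`, a failing probe has some other explanation (for example missing `/etc/subuid` entries) and the drop-in would not help.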
