src/main/tools/linux-sandbox-pid1.cc:393: "mount": Operation not permitted #1972
Comments
|
Interesting! I'll try to reproduce this and see if I can come up with a solution somehow, but I probably won't have time for it this week (and I'm on vacation next week). :( We have noticed reliability issues with the default kernel of Ubuntu 14.04 LTS, which I think is 3.13, as well. The issue is probably not the same issue, as we could never reproduce it on demand (but it seemed like somehow the system got stuck into a state where sandboxing from then on would fail and only a reboot would make it work again). But with the newer 4.x kernel available from the official Ubuntu repo, I never saw these or other issues with the sandbox. |
philwo
added
type: bug
P2
|
I'm seeing the same issue on this Docker image: To reproduce: |
|
Upgrading to Bazel 0.4.0 didn't help either. Here is log with debug sanbdox option enabled: [1]. Environment: |
|
I'll try to reproduce & fix this, but currently I have no idea what could cause the mounting of /proc to fail. :( |
|
We were able to fix the problem by starting Docker vm with some options. |
|
I ran into the same problem. and it looks like a kernel compatibility issue. apt-get dist-upgrade (on ubuntu 14.04) fixed the problem. |
|
I'm pretty sure it's a kernel version-related issue too. @davido: What options made it work? Also, what kernel are you using? |
|
It was Kernel here is: |
|
Seeing the same error in a Archlinux LXC container running on Proxmox (Debian Jessie kernel) $ uname -a --- Build logs Edit: Proxmox ISOs are here: https://www.proxmox.com/en/downloads |
|
Also seeing this error under CircleCI's docker containers: Within the CircleCI container: Console output: (venv-3.4.3) ubuntu@box260:~/code$ bazel test test/... --verbose_failures --sandbox_debug
INFO: Found 3 test targets...
ERROR: /home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/external/org_jooq_jool/jar/BUILD:2:1: Extracting interface @org_jooq_jool//jar:jar failed: linux-sandbox failed: error executing command
(cd /home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/bazel-sandbox/60d55d3c-50a2-4bb9-a03e-8fb9ffa83e6b-1/execroot/code && \
exec env - \
PATH=/home/ubuntu/.yarn/bin:/opt/circleci/nodejs/v6.5.0/bin:/opt/google-cloud-sdk/bin:/home/ubuntu/virtualenvs/venv-3.4.3/bin:/opt/ghc/8.0.1/bin:/opt/cabal/1.24/bin:/opt/alex/3.1.7/bin:/opt/happy/1.19.5/bin:/home/ubuntu/.composer/vendor/bin:/opt/circleci/.phpenv/shims:/opt/circleci/.phpenv/bin:/opt/circleci/.rvm/gems/ruby-2.2.6/bin:/opt/circleci/.rvm/gems/ruby-2.2.6@global/bin:/opt/circleci/.rvm/rubies/ruby-2.2.6/bin:/home/ubuntu/.go_workspace/bin:/usr/local/go/bin:/opt/circleci/nodejs/v6.5.0/bin:/opt/circleci/.pyenv/shims:/opt/circleci/.pyenv/bin:/usr/local/android-sdk-linux/platform-tools:/usr/local/android-sdk-linux/tools:/usr/local/apache-maven/bin:/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/gradle-1.10/bin:/opt/circleci/.rvm/bin:/opt/circleci/.rvm/bin \
/home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/execroot/code/_bin/linux-sandbox @/home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/bazel-sandbox/60d55d3c-50a2-4bb9-a03e-8fb9ffa83e6b-1/linux-sandbox.params -- external/bazel_tools/tools/jdk/ijar/ijar external/org_jooq_jool/jar/jool-0.9.12.jar bazel-out/local-fastbuild/genfiles/external/org_jooq_jool/jar/_ijar/jar/external/org_jooq_jool/jar/jool-0.9.12-ijar.jar).
src/main/tools/linux-sandbox.cc:183: linux-sandbox-pid1 has PID 45135
src/main/tools/linux-sandbox-pid1.cc:88: "mount": Permission denied
src/main/tools/linux-sandbox.cc:223: child exited normally with exitcode 1
ERROR: /home/ubuntu/code/BUILD:1:1 Extracting interface @org_jooq_jool//jar:jar failed: linux-sandbox failed: error executing command
(cd /home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/bazel-sandbox/60d55d3c-50a2-4bb9-a03e-8fb9ffa83e6b-1/execroot/code && \
exec env - \
PATH=/home/ubuntu/.yarn/bin:/opt/circleci/nodejs/v6.5.0/bin:/opt/google-cloud-sdk/bin:/home/ubuntu/virtualenvs/venv-3.4.3/bin:/opt/ghc/8.0.1/bin:/opt/cabal/1.24/bin:/opt/alex/3.1.7/bin:/opt/happy/1.19.5/bin:/home/ubuntu/.composer/vendor/bin:/opt/circleci/.phpenv/shims:/opt/circleci/.phpenv/bin:/opt/circleci/.rvm/gems/ruby-2.2.6/bin:/opt/circleci/.rvm/gems/ruby-2.2.6@global/bin:/opt/circleci/.rvm/rubies/ruby-2.2.6/bin:/home/ubuntu/.go_workspace/bin:/usr/local/go/bin:/opt/circleci/nodejs/v6.5.0/bin:/opt/circleci/.pyenv/shims:/opt/circleci/.pyenv/bin:/usr/local/android-sdk-linux/platform-tools:/usr/local/android-sdk-linux/tools:/usr/local/apache-maven/bin:/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/gradle-1.10/bin:/opt/circleci/.rvm/bin:/opt/circleci/.rvm/bin \
/home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/execroot/code/_bin/linux-sandbox @/home/ubuntu/.cache/bazel/_bazel_ubuntu/185255daeeca84642f8709521495e24f/bazel-sandbox/60d55d3c-50a2-4bb9-a03e-8fb9ffa83e6b-1/linux-sandbox.params -- external/bazel_tools/tools/jdk/ijar/ijar external/org_jooq_jool/jar/jool-0.9.12.jar bazel-out/local-fastbuild/genfiles/external/org_jooq_jool/jar/_ijar/jar/external/org_jooq_jool/jar/jool-0.9.12-ijar.jar).
INFO: Elapsed time: 7.713s, Critical Path: 2.15s
|
|
Small update. I tried deactivating AppArmor for my LXC container with I still get the Operation not permitted issue while building Bazel |
|
I manage to build bazel itself in a LXC container by deactivating the sandboxing altogether with: |
|
On my debian system I had to modify bazel as follow:
but I don't know what are the genera implication of this nor how to check that is not breaking anything. |
Try to run /bin/true as a test of whether the Linux sandbox works, instead of just trying to create a bunch of namespaces as a proxy. This helps resolve issues on Linux distros where the earlier check worked, but then the sandbox ultimately failed due to other operations being unsupported. As an example, Debian Jessie and certain Docker versions seem to allow the creation of PID namespaces, but forbid mounting a new proc on top of /proc (see #1972). This resulted in Bazel thinking that sandboxing works fine, when it actually didn't. The improved check correctly catches this situation and disabled sandboxing. -- PiperOrigin-RevId: 151116894 MOS_MIGRATED_REVID=151116894
|
I went to write up a patch doing that, and it turns out it doesn't actually work... You still end up with the wrong PIDs on /proc. Turns out the root cause isn't the kernel version; it's actually what you have mounted in /proc. In my case, it's /proc/xen. containers/bubblewrap#134 and opencontainers/runc#252 both reference the same issue. However, you can work around it by unmounting /proc/xen in a privileged mount namespace first: brian[16259] dev-builder ~
$ sudo unshare --mount --propagation private
root[875] dev-builder /home2/brian
# umount /proc/xen
root[876] dev-builder /home2/brian
# su brian
brian[16264] dev-builder ~
$ unshare --fork --pid --mount --map-root-user
root[16264] dev-builder ~
# mount -t proc proc /procThat workaround does require privileges, but you could in theory do it before spawning the login shell or something. I think I'm going to just unmount /proc/xen system-wide because it's for compatibility and it looks like my systems don't have anything, but there are options. Given that it looks like this is a kernel/system issue and not really a Bazel issue, and c2d773e made it fail gracefully, I'm going to close this now. I'll send out the test case I wrote to catch /proc being wrong with @tsuri's idea to make it more obvious that it doesn't work if anybody else tries it in the future. |
While investigating #1972, I wrote this test to evaluate a potential solution. This test caught the fact that the solution didn't work, which makes it valuable for future changes to the sandbox. Change-Id: I435e9b9543374554c09d8d7c0918c24d9dc8f19d PiperOrigin-RevId: 155500491
|
Has anyone applied the workaround successfully? Say I start with (It would be extra cool if the Bazel team maintained a docker image so it would be easy to run bazel builds on CI like Circle) |
|
Yes, see my comment from "Dec 14, 2016": Workaround is to pass |
|
I don't think that works in CI environments where you don't run the container yourself. See https://discuss.circleci.com/t/option-to-run-docker-with-privileged-on-circle-2-0/12377 |
|
@alexeagle The container builder team has |
|
It's built from: https://github.com/GoogleCloudPlatform/cloud-builders/ |
|
Sorry to comment on this stale thread. But we hit the same issue of linux-sandbox being unavailable when running bazel inside a docker container. Root of the problem stems from Nvidia although. Problem: Due to Nvidia Runtime Mounting Proc, when running bazel within a docker container, we hit We see that there's a nested proc mount Whilst I know this is nvidia problem and limited to local execution, it would be nice to be able to use linux-sandbox within a docker container w/ access to Nvidia runtime. Proposal: |
When trying to build anything with the new sandbox and Debian Jessie's amd64 default 3.16.0-4 kernel, it fails with
src/main/tools/linux-sandbox-pid1.cc:393: "mount": Operation not permitted. @philsc and I have previously looked for ways to make /proc show the right PIDs in a PID namespace on that kernel without root permission and not come up with anything.I don't have any good answers in the way of solutions. asan definitely does not do well with a broken /proc (that's what @philsc and I were working on previously, although we ran into other, more fundamental issues and gave up), and from what I've seen of java it won't either. However, having a PID namespace is really nice for preventing runaway processes (I periodically have to use pgrep and manually kill runaway test process with the old sandbox).
These commands show the same issue with that kernel:
Those same commands succeed with 4.3.0-0 kernel from jessie-backports, so I'm pretty sure Bazel's sandbox will too (haven't checked though):
/cc @philwo
The text was updated successfully, but these errors were encountered: