bug-guix

bug#21410: Environment containers


From: Alex Vong
Subject: bug#21410: Environment containers
Date: Thu, 29 Oct 2015 00:20:38 +0800

On 29/10/2015, Thompson, David <address@hidden> wrote:
> On Wed, Oct 28, 2015 at 11:56 AM, Ludovic Courtès <address@hidden> wrote:
>> "Thompson, David" <address@hidden> wrote:
>>
>>> On Wed, Oct 28, 2015 at 11:14 AM, Alex Vong <address@hidden> wrote:
>>>> On 28/10/2015, Ludovic Courtès <address@hidden> wrote:
>>>>> Alex Vong <address@hidden> wrote:
>>>>>
>>>>>> On 27/10/2015, Ludovic Courtès <address@hidden> wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>> Do you still experience the test failures mentioned in that report?
>>>>>>> If not, could you email address@hidden, specifying which commit
>>>>>>> works for you?
>>>>>>>
>>>>>> Yes, there are 4 tests still failing with the latest master branch
>>>>>> without unprivileged container.
>>>>>
>>>>> Which tests?  Does tests/container.scm pass?
>>>>>
>>>> It doesn't pass if I run as an unprivileged user. It passes if I run as
>>>> root. I will be mailing the test logs in another mail.
>>>
>>> This is because Debian doesn't let unprivileged users create user
>>> namespaces without explicitly overriding some configuration.
>>
>> How could we determine whether this restriction is in place?  That would
>> allow us to skip the test on these systems.
>
> I think it is /proc/sys/kernel/unprivileged_userns_clone, but I don't
> know what the contents are exactly.  0 when off, 1 when on?  Can
> someone on Debian confirm?
>
Yes, I think that's the case.
Before I run `$ sysctl -w kernel.unprivileged_userns_clone=1',
`$ cat /proc/sys/kernel/unprivileged_userns_clone' returns 0.
After I run `$ sysctl -w kernel.unprivileged_userns_clone=1',
`$ cat /proc/sys/kernel/unprivileged_userns_clone' returns 1.

> If we can get the test suite passing, I'd like to extract these user
> namespace presence tests to a procedure that 'guix environment' can
> use to give the user an informative error message in these cases.
>
> - Dave
>
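
Added example, not part of the original message and not Guix code: a POSIX shell version of the check discussed in this thread, reading the knob Dave names and producing the kind of informative error he describes. The function names, status words and exit codes are assumptions, as is treating a missing file as "this kernel has no such knob".

```shell
#!/bin/sh
# Added example; names, status words and exit codes are hypothetical.

# Knob named in the thread; overridable so the functions can be tested
# against ordinary files.
USERNS_KNOB=${USERNS_KNOB:-/proc/sys/kernel/unprivileged_userns_clone}

# userns_clone_state [FILE]
# Prints one of: allowed, restricted, absent, unknown.
userns_clone_state() {
    knob=${1:-$USERNS_KNOB}
    # Assumption: no file means the kernel does not have this knob, so the
    # knob cannot be what blocks unprivileged user namespaces.
    [ -e "$knob" ] || { echo absent; return 0; }
    # Unreadable file: report unknown instead of guessing.
    value=$(head -n 1 "$knob" 2>/dev/null) || { echo unknown; return 0; }
    case $value in
        1) echo allowed ;;      # value observed in the thread after enabling
        0) echo restricted ;;   # value observed in the thread before enabling
        *) echo unknown ;;
    esac
}

# userns_check [FILE]
# Returns 0 when the knob does not block unprivileged user namespaces,
# 1 (message on stderr) when it does, 2 when the state cannot be determined.
userns_check() {
    knob=${1:-$USERNS_KNOB}
    case $(userns_clone_state "$knob") in
        allowed|absent)
            return 0 ;;
        restricted)
            echo "unprivileged user namespaces are disabled ($knob is 0)" >&2
            echo "as root: sysctl -w kernel.unprivileged_userns_clone=1" >&2
            return 1 ;;
        *)
            echo "cannot determine user namespace policy from $knob" >&2
            return 2 ;;
    esac
}
```

A test suite can skip the container tests when `userns_check` returns non-zero, rather than reporting them as failures.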




