bwrap: Failed to make / slave: Permission denied #20093

Closed
linas opened this issue Nov 24, 2021 · 3 comments


linas commented Nov 24, 2021

Having trouble setting up opam inside an LXC container. I suspect this is related to issue #12050 but maybe not?

First attempt:

opam init --comp=4.09.0
...
∗ installed base-bigarray.base
∗ installed base-threads.base
∗ installed base-unix.base
[ERROR] The compilation of ocaml-base-compiler failed at
        "/home/ubuntu/.opam/opam-init/hooks/sandbox.sh build ./configure
        --prefix=/home/ubuntu/.opam/4.09.0 -C".

#=== ERROR while compiling ocaml-base-compiler.4.09.0 =========================#
# context     2.0.5 | linux/x86_64 |  | https://opam.ocaml.org#78177fc5
# path        ~/.opam/4.09.0/.opam-switch/build/ocaml-base-compiler.4.09.0
# command     ~/.opam/opam-init/hooks/sandbox.sh build ./configure --prefix=/home/ubuntu/.opam/4.09.0 -C
# exit-code   1
# env-file    /tmp/opam-xxx-3094/ocaml-base-compiler-3094-e0ba4f.env
# output-file /tmp/opam-xxx-3094/ocaml-base-compiler-3094-e0ba4f.out
### output ###
# bwrap: Failed to make / slave: Permission denied
...

Running init a second time finishes cleanly, but there are no switches listed by opam switch. So I try this:

opam switch create 4.09.0 --jobs=1

Get the same error message:

bwrap: Failed to make / slave: Permission denied

The container is running today's version of ubuntu focal.

Reading through #12050 carefully, it suggests that the root issue has something to do with creating mountpoints, which (wildly guessing here) might be something that is blocked by systemd in the container host.

Will post more as I figure out more.


linas commented Nov 24, 2021

Probably an important detail: the LXC container is an unprivileged container, and NOT a root container. Thus, I am guessing that the entire reason for running bubblewrap https://github.com/containers/bubblewrap is obviated, and that I may as well run unsandboxed. Presumably, the worst that can happen is that I'd lose the container.


linas commented Nov 24, 2021

So it would appear that the following worked:

rm -r ~/.opam
opam init --comp=4.09.0  --disable-sandboxing

It's a work-around that's good enough for me.

@kit-ty-kate
Member

--disable-sandboxing is indeed the intended option for this particular use-case. Feel free to reopen if that’s not enough.
