Reverted to a previous version and updated the documentation

sosy-lab · Jun 9, 2024 · e6f5585 · e6f5585
1 parent 632283c
commit e6f5585
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 23 deletions.
diff --git a/benchexec/containerexecutor.py b/benchexec/containerexecutor.py
@@ -673,6 +673,7 @@ def grandchild():
                 # close remaining ends of pipe
                 os.close(from_parent)
                 os.close(to_parent)
+            # here Python will exec() the tool for us
 
         def child():
             """Setup everything inside the container,
@@ -707,6 +708,17 @@ def child():
                 container.close_open_fds(keep_files=necessary_fds)
 
                 try:
+                    if self._container_system_config:
+                        # A standard hostname increases reproducibility.
+                        try:
+                            socket.sethostname(container.CONTAINER_HOSTNAME)
+                        except PermissionError:
+                            logging.warning(
+                                "Changing hostname in container prevented "
+                                "by system configuration, "
+                                "real hostname will leak into the container."
+                            )
+
                     if not self._allow_network:
                         container.activate_network_interface("lo")
 
@@ -725,27 +737,6 @@ def child():
                             memory_nodes,
                         )
 
-                    if self._container_system_config:
-                        # A standard hostname increases reproducibility.
-                        try:
-                            socket.sethostname(container.CONTAINER_HOSTNAME)
-                        except PermissionError:
-                            if (
-                                util.try_read_file(
-                                    "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
-                                )
-                                == "1"
-                            ):
-                                logging.warning(
-                                    container._ERROR_MSG_USER_NS_RESTRICTION
-                                )
-                            else:
-                                logging.warning(
-                                    "Changing hostname in container prevented "
-                                    "by system configuration, "
-                                    "real hostname will leak into the container."
-                                )
-
                     # Marking this process as "non-dumpable" (no core dumps) also
                     # forbids several other ways how other processes can access and
                     # influence it:

diff --git a/doc/container.md b/doc/container.md
@@ -266,9 +266,18 @@ with several versions of the Linux kernel, including at least kernel versions up
 If a kernel upgrade does not help, please use a different access mode for NFS-mounted directories,
 such as `--hidden-dir` or `--read-only-dir`.
 
-#### Problems due to default user namespaces restrictions on Ubuntu 24.04 (and possibly later versions): `Changing hostname in container prevented by system configuration...`, `Creating UID mapping into container failed: [Errno 1] Operation not permitted`, `Could not write to setgroups file in /proc: [Errno 13] Permission denied`, `Creating GID mapping into container failed: [Errno 1] Operation not permitted`
+#### Problems due to default user namespaces restrictions on Ubuntu 24.04 (and possibly later versions)
 
-It seems that you are using BenchExec on Ubuntu 24.04 (or newer versions), which restricts the use of unprivileged user namespaces, making it impossible to change the hostname or create GID/UID mappings in a container. You can temporarily disable AppArmor's restriction on unprivileged user namespaces by executing 
+If you encounter any of the following errors/warnings while using container mode:
+
+- `Failed to configure container with operation 'fcntl.ioctl(sock, _SIOCSIFFLAGS, ifreq)': [Errno 1] Operation not permitted`
+-  `Failed to configure container with operation 'raise OSError(errno, msg)': [Errno 13] mount(None, b'/tmp/BenchExec_run_aiwscwd2', b'tmpfs', 0, b'size=100%') failed: Permission denied`
+- `Creating UID mapping into container failed: [Errno 1] Operation not permitted`
+- `Could not write to setgroups file in /proc: [Errno 13] Permission denied`
+- `Could not write to setgroups file in /proc: [Errno 13] Permission denied`
+- `Changing hostname in container prevented by system configuration, real hostname will leak into the container.`
+
+It seems that you are using BenchExec on Ubuntu 24.04 (or newer versions), which restricts the use of unprivileged user namespaces, making it impossible to change the hostname, create GID/UID mappings, or do some other operations to set up a container. You can temporarily disable AppArmor's restriction on unprivileged user namespaces by executing 
 ```
 echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 ```