diff --git a/benchexec/containerexecutor.py b/benchexec/containerexecutor.py index 3620091d1..bf442d6cf 100644 --- a/benchexec/containerexecutor.py +++ b/benchexec/containerexecutor.py @@ -673,6 +673,7 @@ def grandchild(): # close remaining ends of pipe os.close(from_parent) os.close(to_parent) + # here Python will exec() the tool for us def child(): """Setup everything inside the container, @@ -707,6 +708,17 @@ def child(): container.close_open_fds(keep_files=necessary_fds) try: + if self._container_system_config: + # A standard hostname increases reproducibility. + try: + socket.sethostname(container.CONTAINER_HOSTNAME) + except PermissionError: + logging.warning( + "Changing hostname in container prevented " + "by system configuration, " + "real hostname will leak into the container." + ) + if not self._allow_network: container.activate_network_interface("lo") @@ -725,27 +737,6 @@ def child(): memory_nodes, ) - if self._container_system_config: - # A standard hostname increases reproducibility. - try: - socket.sethostname(container.CONTAINER_HOSTNAME) - except PermissionError: - if ( - util.try_read_file( - "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" - ) - == "1" - ): - logging.warning( - container._ERROR_MSG_USER_NS_RESTRICTION - ) - else: - logging.warning( - "Changing hostname in container prevented " - "by system configuration, " - "real hostname will leak into the container." - ) - # Marking this process as "non-dumpable" (no core dumps) also # forbids several other ways how other processes can access and # influence it: diff --git a/doc/container.md b/doc/container.md index c0d5b1713..1e91929f4 100644 --- a/doc/container.md +++ b/doc/container.md 
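Review bot: The relocated `socket.sethostname(container.CONTAINER_HOSTNAME)` block in `child()` still fails open: on `PermissionError` it only logs a warning, and the run continues with the host's real hostname visible to the tool. The simplified handler also no longer points at the AppArmor user-namespace restriction that the removed branch reported via `container._ERROR_MSG_USER_NS_RESTRICTION`. If that hint is now emitted elsewhere (not visible in this diff), a short comment would record that the fallback is intentional, e.g. `# Best effort: a denied sethostname() is not fatal; the tool will see the real hostname.` The call now also runs before `container.activate_network_interface("lo")` and the rest of the setup, with no stated reason for the ordering, so a one-line comment saying why it must come first would keep it from being moved back. `child()` begins and ends outside this hunk.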
@@ -266,9 +266,18 @@ with several versions of the Linux kernel, including at least kernel versions up If a kernel upgrade does not help, please use a different access mode for NFS-mounted directories, such as `--hidden-dir` or `--read-only-dir`. -#### Problems due to default user namespaces restrictions on Ubuntu 24.04 (and possibly later versions): `Changing hostname in container prevented by system configuration...`, `Creating UID mapping into container failed: [Errno 1] Operation not permitted`, `Could not write to setgroups file in /proc: [Errno 13] Permission denied`, `Creating GID mapping into container failed: [Errno 1] Operation not permitted` +#### Problems due to default user namespaces restrictions on Ubuntu 24.04 (and possibly later versions) -It seems that you are using BenchExec on Ubuntu 24.04 (or newer versions), which restricts the use of unprivileged user namespaces, making it impossible to change the hostname or create GID/UID mappings in a container. You can temporarily disable AppArmor's restriction on unprivileged user namespaces by executing +If you encounter any of the following errors/warnings while using container mode: + +- `Failed to configure container with operation 'fcntl.ioctl(sock, _SIOCSIFFLAGS, ifreq)': [Errno 1] Operation not permitted` +- `Failed to configure container with operation 'raise OSError(errno, msg)': [Errno 13] mount(None, b'/tmp/BenchExec_run_aiwscwd2', b'tmpfs', 0, b'size=100%') failed: Permission denied` +- `Creating UID mapping into container failed: [Errno 1] Operation not permitted` +- `Could not write to setgroups file in /proc: [Errno 13] Permission denied` +- `Could not write to setgroups file in /proc: [Errno 13] Permission denied` +- `Changing hostname in container prevented by system configuration, real hostname will leak into the container.` + +It seems that you are using BenchExec on Ubuntu 24.04 (or newer versions), which restricts the use of unprivileged user namespaces, making it impossible to change 
the hostname, create GID/UID mappings, or do some other operations to set up a container. You can temporarily disable AppArmor's restriction on unprivileged user namespaces by executing ``` echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns ```