Ubuntu 24.x "permission denied" in mount(/, /)
#236
Comments
I just thought to check
Looks like this came in 23.10: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces; now trying to work out how to disable it. Leaving this issue open in case folks who have more experience have advice.
Per the above link; this is a workaround:
But the general advice is to make an apparmor profile. Perhaps this is something nsjail can do?
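An added example, not part of the original thread or of nsjail: a read-only check that reports which kernel setting is restricting unprivileged user namespaces, useful before choosing between the sysctl workaround and an AppArmor profile. The function names, the optional root argument (so the logic can run against a constructed directory) and the verdict words are assumptions of this sketch; the three sysctl names are the real kernel/Ubuntu knobs.

```shell
#!/bin/sh
# Report which kernel knob restricts unprivileged user namespaces.
# Only reads files under /proc/sys; it changes nothing on the host.

# read_knob ROOT NAME -> prints the knob's value, or "absent" if the
# running kernel does not expose it.
read_knob() {
    if [ -r "$1/$2" ]; then
        tr -d ' \n' < "$1/$2"
    else
        printf 'absent'
    fi
}

# userns_state [ROOT] -> prints one verdict word.
# ROOT defaults to /proc/sys; a different root is only for testing
# against a constructed tree (assumption of this example).
userns_state() {
    root=${1:-/proc/sys}
    # Ubuntu 23.10+: AppArmor mediation of unprivileged user namespaces
    aa=$(read_knob "$root" kernel/apparmor_restrict_unprivileged_userns)
    # Debian/Ubuntu kernels: global switch for unprivileged CLONE_NEWUSER
    clone=$(read_knob "$root" kernel/unprivileged_userns_clone)
    # Upstream kernel: per-user namespace limit; 0 disables creation
    max=$(read_knob "$root" user/max_user_namespaces)

    if [ "$max" = 0 ]; then
        echo disabled-max-user-namespaces
    elif [ "$clone" = 0 ]; then
        echo disabled-unprivileged-clone
    elif [ "$aa" = 1 ]; then
        # The case in this issue: only an AppArmor profile that allows
        # userns for the binary, or turning this knob off, lifts it.
        echo apparmor-restricted
    else
        echo unrestricted
    fi
}

# Report on the live host when the script is run.
echo "unprivileged user namespaces: $(userns_state)"
```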
Unfortunately nsjail does not support AppArmor profiles at this moment (I believe they would be happy to do so). If you are running things via Docker (I guess you are not, but still maybe worth documenting it here) you can use
I also believe there should be some way to disable AppArmor just for a single process. An alternative is to create an empty profile for it as well. Some commands from here may be helpful: https://www.cyberciti.biz/faq/ubuntu-linux-howto-disable-apparmor-commands/
Thanks @disconnect3d. We're not running in Docker. I'm running on a vanilla install of Ubuntu 24.40 here, with only the setup commands above. An empty profile sounds OK too; thanks. Just worth knowing about this gotcha (maybe updating some docs somewhere?) Will close now as the
We have nsjail working on Ubuntu 20.x with cgroupsv2 (despite initially hitting issues around #196); but on an upgraded machine now running 24.x we see this (tail of a log):
seemingly it can't mount the root directory (?) which seems surprising. The command is:
and the referenced cfg file is https://github.com/compiler-explorer/compiler-explorer/blob/main/etc/nsjail/compilers-and-tools.cfg (with the log_level set to DEBUG).
Additionally these commands were run before, to get the cgroups to work: