src/main/tools/linux-sandbox-pid1.cc:393: "mount": Operation not permitted

[brian-peloton]

When trying to build anything with the new sandbox and Debian Jessie's amd64 default 3.16.0-4 kernel, it fails with src/main/tools/linux-sandbox-pid1.cc:393: "mount": Operation not permitted. @philsc and I have previously looked for ways to make /proc show the right PIDs in a PID namespace on that kernel without root permission and not come up with anything.

I don't have any good answers in the way of solutions. asan definitely does not do well with a broken /proc (that's what @philsc and I were working on previously, although we ran into other, more fundamental issues and gave up), and from what I've seen of java it won't either. However, having a PID namespace is really nice for preventing runaway processes (I periodically have to use pgrep and manually kill runaway test process with the old sandbox).

These commands show the same issue with that kernel:

brian[907] dev-builder ~:
$ unshare --mount --map-root-user --pid --fork
root[857] dev-builder ~:
# mount -t proc proc /proc
mount: permission denied
root[857] dev-builder ~:

Those same commands succeed with 4.3.0-0 kernel from jessie-backports, so I'm pretty sure Bazel's sandbox will too (haven't checked though):

brian[17107] brian-debian ~:
$ unshare --mount --map-root-user --pid --fork
root[501] brian-debian ~:
# mount -t proc proc /proc
root[501] brian-debian ~:

/cc @philwo

[philwo]

Interesting! I'll try to reproduce this and see if I can come up with a solution somehow, but I probably won't have time for it this week (and I'm on vacation next week). :(

We have noticed reliability issues with the default kernel of Ubuntu 14.04 LTS, which I think is 3.13, as well. The issue is probably not the same issue, as we could never reproduce it on demand (but it seemed like somehow the system got stuck into a state where sandboxing from then on would fail and only a reboot would make it work again). But with the newer 4.x kernel available from the official Ubuntu repo, I never saw these or other issues with the sandbox.

[davido]

I'm seeing the same issue on this Docker image: https://hub.docker.com/r/gerritforge/gerrit-ci-slave-bazel. I'm using openSUSE 42.

To reproduce:

$ docker run -ti --entrypoint=/bin/bash gerritforge/gerrit-ci-slave-bazel
$ su - jenkins
$ git clone --recursive https://gerrit.googlesource.com/gerrit
$ bazel build gerrit
INFO: Found 1 target...
ERROR: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/external/jsonevent_layout/jar/BUILD:2:1: Extracting interface @jsonevent_layout//jar:jar failed: linux-sandbox failed: error executing command /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/execroot/gerrit/_bin/linux-sandbox ... (remaining 5 argument(s) skipped).
src/main/tools/linux-sandbox-pid1.cc:393: "mount": Operation not permitted
Target //:gerrit failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 23.554s, Critical Path: 0.88s

[davido]

Upgrading to Bazel 0.4.0 didn't help either. Here is log with debug sanbdox option enabled: [1].

Environment:

$ bazel info       
bazel-bin: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/execroot/gerrit/bazel-out/local-fastbuild/bin
bazel-genfiles: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/execroot/gerrit/bazel-out/local-fastbuild/genfiles
bazel-testlogs: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/execroot/gerrit/bazel-out/local-fastbuild/testlogs
command_log: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/command.log
committed-heap-size: 990MB
execution_root: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/execroot/gerrit
gc-count: 9
gc-time: 259ms
install_base: /home/jenkins/.cache/bazel/_bazel_jenkins/install/0cc4b236e213b245b1e75e931bb2c011
max-heap-size: 7398MB
message_log: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/message.log
output_base: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982
output_path: /home/jenkins/.cache/bazel/_bazel_jenkins/4e8644684552b40c50dc624b79e09982/execroot/gerrit/bazel-out
package_path: %workspace%
release: release 0.4.0
server_pid: 1270
used-heap-size: 606MB
workspace: /home/jenkins/projects/gerrit

jenkins@68fab8fdcf00:~/projects/gerrit$ uname -a
Linux 68fab8fdcf00 4.1.34-33-default NVIDIA/nvidia-docker#1 SMP PREEMPT Thu Oct 20 08:03:29 UTC 2016 (fe18aba) x86_64 x86_64 x86_64 GNU/Linux

• [1] http://paste.openstack.org/show/588037/

[philwo]

I'll try to reproduce & fix this, but currently I have no idea what could cause the mounting of /proc to fail. :(

[davido]

We were able to fix the problem by starting Docker vm with some options.

[faithseed]

I ran into the same problem. and it looks like a kernel compatibility issue. apt-get dist-upgrade (on ubuntu 14.04) fixed the problem.

3.16.0-77-generic NVIDIA/nvidia-docker#99~14.04.1-Ubuntu failed
4.4.0-53-generic NVIDIA/nvidia-docker#74~14.04.1-Ubuntu works

[brian-peloton]

I'm pretty sure it's a kernel version-related issue too.

@davido: What options made it work? Also, what kernel are you using?

[davido]

It was --priviledged: [1].

Kernel here is:

$ uname -a
Linux linux-ucwl.site 4.1.34-33-default NVIDIA/nvidia-docker#1 SMP PREEMPT Thu Oct 20 08:03:29 UTC 2016 (fe18aba) x86_64 x86_64 x86_64 GNU/Linux

• https://docs.docker.com/engine/reference/commandline/run/#/full-container-capabilities---privileged