Bug 704780 - sys-libs/glibc : devpts check fails in containers using GID namespaces
Summary: sys-libs/glibc : devpts check fails in containers using GID namespaces
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-01-04 17:10 UTC by Kai Krakow
Modified: 2020-05-11 20:53 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info systemd (emerge-info.txt, 6.51 KB, text/plain), 2020-01-05 13:56 UTC, Kai Krakow

Description Kai Krakow 2020-01-04 17:10:13 UTC
The devpts check fails when running the ebuild in GID namespaces. This is because mount options see the actual UID and GID values without namespace mappings. With the check failing (for no real reason), we'd need to fall back to using the old suid method of installation.

Reproducible: Always

Steps to Reproduce:
1. Download and unpack the current stage tarball 
2. Run it in a systemd-nspawn container
3. Try to re-build glibc

Actual Results:  
# sys-libs/glibc $ ebuild glibc-9999.ebuild clean pretend
Appending /home/kakra/devel/git/src/github.com/kakra/gentoo-glibc to PORTDIR_OVERLAY...
 * Checking general environment sanity.
 * In order to use glibc with USE=-suid, you must make sure that
 * you have devpts mounted at /dev/pts with the gid=5 option.
 * Openrc should do this for you, so you should check /etc/fstab
 * and make sure you do not have any invalid settings there.
 * ERROR: sys-libs/glibc-9999::gentoo failed (pretend phase):
 *   mount & fix your /dev/pts settings
 *
 * Call stack:
 *           ebuild.sh, line 125:  Called pkg_pretend
 *   glibc-9999.ebuild, line 760:  Called sanity_prechecks
 *   glibc-9999.ebuild, line 631:  Called check_devpts
 *   glibc-9999.ebuild, line 557:  Called die
 * The specific snippet of code:
 *              die "mount & fix your /dev/pts settings"
 *
 * If you need support, post the output of `emerge --info '=sys-libs/glibc-9999::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=sys-libs/glibc-9999::gentoo'`.
 * The complete build log is located at '/var/log/portage/sys-libs:glibc-9999:20200104-165735.log'.
 * For convenience, a symlink to the build log is located at '/var/tmp/portage/sys-libs/glibc-9999/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-libs/glibc-9999/temp/die.env'.
 * Working directory: '/var/tmp/portage/sys-libs/glibc-9999/homedir'
 * S: '/var/tmp/portage/sys-libs/glibc-9999/work/glibc-9999'


Expected Results:  
# sys-libs/glibc $ ebuild glibc-9999.ebuild clean pretend
Appending /home/kakra/devel/git/src/github.com/kakra/gentoo-glibc to PORTDIR_OVERLAY...
 * Checking general environment sanity.
make -s -j5 -l8 glibc-test
 * Checking that IA32 emulation is enabled in the running kernel ...  [ ok ]
 * Checking gcc for __thread support ...  [ ok ]
 * Checking running kernel version (5.4.7-gentoo >= 3.2.0) ...  [ ok ]
 * Checking linux-headers version (4.19.0 >= 3.2.0) ...  [ ok ]

I'm pushing a proposed fix to github. The maintainer may want to backport the patch to current ebuilds of glibc.
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2020-01-05 11:36:24 UTC
I don't think just running systemd-nspawn is enough to break /dev/pts.
You are probably doing something very specific, like unprivileged users namespaces.

But it's hard to guess as you did not provide actual systemd-nspawn command.

On a real system /dev/pts is mounted as:

  $ cat /proc/mounts | fgrep pts
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

On a systemd-nspawn system:

  $ sudo systemd-nspawn -D ./amd64-unstable
  # cat /proc/mounts | fgrep pts
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
  # ACCEPT_KEYWORDS='**' emerge -v1 =sys-libs/glibc-9999

Please provide a few details:
1. Actual systemd-nspawn command ran
2. 'cat /proc/mounts | fgrep pts' output on host
3. 'cat /proc/mounts | fgrep pts' output on container
4. emerge --info systemd
Comment 2 Kai Krakow 2020-01-05 13:55:56 UTC
(In reply to Sergei Trofimovich from comment #1)
> Please provide a few details:
> 1. Actual systemd-nspawn command ran

# cat /etc/systemd/nspawn/container.nspawn
[Exec]
LinkJournal=host
ResolvConf=bind-host

# Namespace-Id
PrivateUsers=65536

[Files]
BindReadOnly=/usr/src
BindReadOnly=/usr/portage
Bind=/mnt/btrfs-pool/distfiles:/usr/portage/distfiles
Bind=/mnt/btrfs-pool/packages:/usr/portage/packages
PrivateUsersChown=yes

[Network]
VirtualEthernet=no

# sudo systemd-nspawn -D /var/lib/machines/container
Spawning container tpl-netactive on /var/lib/machines/container.
Press ^] three times within 1s to kill container.
Selected user namespace base 65536 and range 65536.

> 2. 'cat /proc/mounts | fgrep pts' output on host

# fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

> 3. 'cat /proc/mounts | fgrep pts' output on container

# fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0

> 4. emerge --info systemd

Attached.
Comment 3 Kai Krakow 2020-01-05 13:56:44 UTC
Created attachment 602594 [details]
emerge --info systemd
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-27 08:07:49 UTC
(In reply to Kai Krakow from comment #2)
> (In reply to Sergei Trofimovich from comment #1)
> > Please provide a few details:
> > 1. Actual systemd-nspawn command ran
> 
> # cat /etc/systemd/nspawn/container.nspawn
> [Exec]
> LinkJournal=host
> ResolvConf=bind-host
> 
> # Namespace-Id
> PrivateUsers=65536

Presence of this file alone did not change the behaviour of my systemd-nspawn command. Passing --private-users=65536 did:

  # systemd-nspawn --private-users=65536 -D amd64-stable-glibc-2.30
  Selected user namespace base 65536 and range 65536
  amd64-stable-glibc-2 / # fgrep pts /proc/mounts
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0
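The outputs in comments #2 and #4 show why the ebuild's grep for `gid=5` fails: the kernel prints the devpts `gid=` option relative to the initial user namespace, so inside a container started with `--private-users=65536` the tty group appears as 65541 even though it is gid 5 from the container's point of view. The following script is an added example, not part of this bug or of the glibc ebuild; it translates the reported gid through the caller's `/proc/self/gid_map` (format: `inside outside count` per line) before comparing it with the expected group. The function names and the embedded sample `/proc/mounts` and `gid_map` content are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug or the ebuild): namespace-aware devpts gid check.
# Translates the gid= option devpts reports in /proc/mounts (which is relative to
# the initial user namespace) into the caller's own GID namespace via gid_map.

# Print the numeric gid= option from one devpts line of /proc/mounts.
# Prints nothing if the line is not a devpts mount or carries no gid= option.
devpts_gid_from_mount_line() {
    # $1: one line in /proc/mounts format
    printf '%s\n' "$1" | awk '$3 == "devpts" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^gid=[0-9]+$/) { sub(/^gid=/, "", opts[i]); print opts[i]; exit }
    }'
}

# Map a gid from the initial namespace into the current one using gid_map
# lines of the form "inside outside count". Prints nothing when the gid falls
# outside every mapping (that is, it is unmapped in this namespace).
map_gid_into_namespace() {
    # $1: gid as shown by the kernel, $2: gid_map content
    printf '%s\n' "$2" | awk -v g="$1" '
        NF == 3 && g + 0 >= $2 + 0 && g + 0 < $2 + $3 { print $1 + (g - $2); exit }'
}

# Return 0 when devpts is mounted with the expected group after namespace
# translation (5 is the tty group the ebuild expects), 1 otherwise.
check_devpts_gid() {
    # $1: /proc/mounts content, $2: gid_map content, $3: expected gid
    line=$(printf '%s\n' "$1" | grep '^devpts ' | head -n 1)
    [ -n "$line" ] || return 1
    hostgid=$(devpts_gid_from_mount_line "$line")
    [ -n "$hostgid" ] || return 1
    nsgid=$(map_gid_into_namespace "$hostgid" "$2")
    [ "$nsgid" = "$3" ]
}

# Constructed sample input mirroring comment #4: a --private-users=65536
# container in which devpts shows the untranslated gid 65541.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0'
SAMPLE_GID_MAP='0 65536 65536'

if [ "${1:-}" = "--live" ]; then
    # Check the running system instead of the sample data.
    if check_devpts_gid "$(cat /proc/mounts)" "$(cat /proc/self/gid_map)" 5; then
        echo "devpts gid OK"
    else
        echo "devpts gid mismatch"
    fi
else
    if check_devpts_gid "$SAMPLE_MOUNTS" "$SAMPLE_GID_MAP" 5; then
        echo "sample: devpts gid OK (65541 maps to 5 inside the container)"
    else
        echo "sample: devpts gid mismatch"
    fi
fi
```

Run without arguments to exercise the sample data, or with `--live` to check the current system; on a host with the identity mapping `0 0 4294967295` the translation leaves gid 5 unchanged, so the check behaves exactly like the original grep there and only differs inside a mapped namespace.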
Comment 5 Larry the Git Cow gentoo-dev 2020-03-28 00:29:44 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3aa558e231d4721b384f4239b23b793253be2f42

commit 3aa558e231d4721b384f4239b23b793253be2f42
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-28 00:29:16 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-28 00:29:16 +0000

    sys-libs/glibc: drop devpts mount checks, bug #704780
    
    USE=-suid has been a default for a while. The check made sense
    when the transition from USE=suid -> USE=-suid was happening.
    
    Should not be needed nowadays.
    
    The check fails in private-users containers where devpts
    is mounted as a private group:
    
      # systemd-nspawn --private-users=65536 -D amd64-stable-glibc-2.30
      Selected user namespace base 65536 and range 65536
      amd64-stable-glibc-2.30 # fgrep pts /proc/mounts
      devpts /dev/pts devpts
        rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0
    
    PTYs still work in that setup. I guess due to ptmxmode=666
    broad permissions. Let's drop the old check and allow more
    pts configurations.
    
    Reported-by: Kai Krakow
    Closes: https://bugs.gentoo.org/704780
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/glibc/glibc-2.31-r2.ebuild | 24 ------------------------
 sys-libs/glibc/glibc-9999.ebuild    | 24 ------------------------
 2 files changed, 48 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2020-05-11 20:53:05 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f6a29817f5039507af213da5abb0254b13da19

commit c9f6a29817f5039507af213da5abb0254b13da19
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-05-11 20:52:29 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-05-11 20:52:29 +0000

    sys-libs/glibc: drop devpts mount checks, bug #704780
    
    This is the same as b793253be2f42
    ("sys-libs/glibc: drop devpts mount checks, bug #704780")
    applied to stable ebuilds.
    
    Toralf reports that sys-apps/bubblewrap also does not
    follow the tty group convention when mounting devpts. Let's
    drop it from stable ebuilds as well.
    
    Reported-by: Toralf Förster
    Reported-by: Kai Krakow
    Closes: https://bugs.gentoo.org/704780
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/glibc/glibc-2.30-r8.ebuild | 24 ------------------------
 1 file changed, 24 deletions(-)