Bug 913958 - sys-apps/portage with systemd-nspawn - Unable to configure loopback interface: Operation not permitted
Summary: sys-apps/portage with systemd-nspawn - Unable to configure loopback interface...
Status: UNCONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:

Reported: 2023-09-10 22:38 UTC by Michael Jones
Modified: 2023-09-11 01:12 UTC (History)
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Michael Jones 2023-09-10 22:38:10 UTC
Using a sysrescuecd USB stick to recover a machine with a bad install, I mount the root filesystem of the broken machine to /tmp/drive, and then use systemd-nspawn to chroot into it.

systemd-nspawn --directory=/tmp/drive/ --boot

The chroot environment has internet access. However, I see

> Unable to configure loopback interface: Operation not permitted

for every package that has pre-merge checks run, for example:

> Running pre-merge checks for sys-devel/gcc-11.3.1_p20221209

and

> Running pre-merge checks for acct-group/nobody-0

It seems there could be some improvements to the logic for these pre-merge checks, so that inability to configure loopback either fails the package or doesn't get printed out.

Reproducible: Always
Comment 1 Mike Gilbert gentoo-dev 2023-09-11 00:35:22 UTC
You need to either disable the network-sandbox feature, or enable CAP_NET_ADMIN in systemd-nspawn.
Comment 2 Michael Jones 2023-09-11 00:43:44 UTC
Basic functionality should work out of the box.

Portage shouldn't be warning every package for something that can be detected and predicted to always fail every time.

If systemd-nspawn is known to not support this feature, warn once at the top of the log, and then suppress it for subsequent packages.
Comment 3 Mike Gilbert gentoo-dev 2023-09-11 00:53:05 UTC
(In reply to Michael Jones from comment #2)
> If systemd-nspawn is known to not support this feature

I think you misunderstand the issue.

By default, systemd-nspawn removes the permission (CAP_NET_ADMIN) that Portage needs to manipulate network settings. It's arguably more secure by default.

It's not really possible to make Portage's network-sandbox feature work "out-of-the-box" in such an environment.

In any case, it's just a warning that you can ignore. Or you can disable the feature to make the warning go away.

If you would like to supply a patch to make the warning less obnoxious, we would probably accept it.
Comment 4 Mike Gilbert gentoo-dev 2023-09-11 01:12:08 UTC
Some thoughts from IRC:

We would need to check if portage.process._configure_loopback_interface() fails and cache that.

That's somewhat difficult since that function is invoked in a sandboxed child process specific to each package being built. So we would need IPC of some sort.

I suppose we could spawn a very specific "test child" that does nothing but set up namespaces and configure the loopback interface and report success/failure, and cache the result of that in the main emerge process. That would be executed before we attempt any package operations.
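The "test child" sketched in comment 4 can be illustrated with an added example; this is not Portage code and is not part of the bug report. A forked child unshares a network namespace (the step that needs CAP_SYS_ADMIN), then brings `lo` up with the SIOCSIFFLAGS ioctl (the step that needs CAP_NET_ADMIN, which systemd-nspawn drops by default); this stands in for whatever Portage's own loopback setup does, which this example does not reproduce. The child reports the first failing step over a pipe, the parent caches the verdict for the rest of the process, and a single top-of-log message is derived from it instead of one warning per package. Every function name, the pipe protocol and the warning text are assumptions made for this illustration.

```python
# Added example (not Portage code): probe once, in a throwaway child, whether a
# fresh network namespace can have its loopback interface brought up, and cache
# the answer so the parent (the "emerge" process) warns at most once.
import ctypes
import ctypes.util
import fcntl
import os
import socket
import struct
from dataclasses import dataclass
from typing import Optional

CLONE_NEWNET = 0x40000000  # linux/sched.h
SIOCGIFFLAGS = 0x8913      # linux/sockios.h
SIOCSIFFLAGS = 0x8914
IFF_UP = 0x1               # linux/if.h
_IFREQ = "16sH22s"         # struct ifreq: ifr_name[16], ifr_flags, padding to 40 bytes


@dataclass(frozen=True)
class ProbeResult:
    ok: bool
    reason: str  # empty on success, otherwise "<step>: <strerror>"


_result: Optional[ProbeResult] = None  # cache shared by every later caller
_runs = 0                              # how many times the child was spawned


def _unshare_net() -> None:
    """unshare(CLONE_NEWNET): fails with EPERM without CAP_SYS_ADMIN."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    if libc.unshare(CLONE_NEWNET) != 0:
        e = ctypes.get_errno()
        raise OSError(e, os.strerror(e))


def _bring_lo_up() -> None:
    """Equivalent of `ip link set lo up`; SIOCSIFFLAGS needs CAP_NET_ADMIN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack(_IFREQ, b"lo", 0, b"")
        flags = struct.unpack(_IFREQ, fcntl.ioctl(s, SIOCGIFFLAGS, req))[1]
        fcntl.ioctl(s, SIOCSIFFLAGS, struct.pack(_IFREQ, b"lo", flags | IFF_UP, b""))


def _probe_child(wfd: int) -> None:
    """Runs only in the forked child; always terminates with os._exit."""
    step = "unshare(CLONE_NEWNET)"
    try:
        _unshare_net()
        step = "SIOCSIFFLAGS on lo"
        _bring_lo_up()
        os._exit(0)  # success: nothing written on the pipe
    except Exception as exc:  # never let the child fall back into parent code
        detail = getattr(exc, "strerror", None) or repr(exc)
        os.write(wfd, f"{step}: {detail}".encode())
        os._exit(1)


def probe_loopback(force: bool = False) -> ProbeResult:
    """Spawn the test child once and cache its verdict for the whole process."""
    global _result, _runs
    if _result is not None and not force:
        return _result
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:            # child side
        os.close(rfd)
        _probe_child(wfd)   # does not return
    os.close(wfd)           # parent side: keep only the read end
    _runs += 1
    chunks = []
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:       # EOF once the child has exited
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    ok = os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
    _result = ProbeResult(ok=ok, reason=b"".join(chunks).decode(errors="replace"))
    return _result


def probe_runs() -> int:
    """How many times the probe child has actually been spawned."""
    return _runs


def loopback_warning() -> Optional[str]:
    """Message to print once at the top of the log, or None if loopback works."""
    res = probe_loopback()
    if res.ok:
        return None
    return ("network-sandbox: unable to configure loopback interface in this "
            f"environment ({res.reason}); per-package warnings suppressed")


if __name__ == "__main__":
    print(loopback_warning() or "loopback in a fresh network namespace: OK")
```

Inside an nspawn container without `--capability=CAP_NET_ADMIN` the child is expected to fail at the SIOCSIFFLAGS step, and the parent prints the message once; every later `probe_loopback()` call returns the cached result without forking again.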