Bug 732972

Summary:	app-emulation/qemu-5.0.0-r2: multiple sandbox violations for zfs and docker
Product:	Gentoo Linux	Reporter:	Rafael Kitover <rkitover>
Component:	Current packages	Assignee:	Matthias Maier <tamiko>
Status:	RESOLVED FIXED
Severity:	normal	CC:	mva, slyfox, virtualization
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	build log emerge --info

Description Rafael Kitover 2020-07-17 02:40:13 UTC

app-emulation/qemu-5.0.0-r2::gentoo was built with the following:
USE="-accessibility aio alsa bzip2 caps capstone curl -debug -doc fdt filecaps -glusterfs -gnutls gtk -infiniband io-uring -iscsi -jemalloc jpeg lzo ncurses nfs nls numa opengl oss pin-upstream-blobs plugins png pulseaudio python -rbd -sasl sdl sdl-image seccomp (-selinux) -slirp -smartcard snappy spice ssh -static -static-user systemtap tci -test usb usbredir -vde vhost-net vhost-user-fs virgl virtfs vnc vte xattr xen -xfs xkb zstd" ABI_X86="(64)" PYTHON_TARGETS="python3_6 python3_7 python3_8" QEMU_SOFTMMU_TARGETS="-aarch64 -alpha -arm -cris -hppa -i386 -lm32 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -moxie -nios2 -or1k -ppc -ppc64 -riscv32 -riscv64 -rx -s390x -sh4 -sh4eb -sparc -sparc64 -tricore -unicore32 x86_64 -xtensa -xtensaeb" QEMU_USER_TARGETS="-aarch64 -aarch64_be -alpha -arm -armeb -cris -hppa -i386 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -mipsn32 -mipsn32el -nios2 -or1k -ppc -ppc64 -ppc64abi32 -ppc64le -riscv32 -riscv64 -s390x -sh4 -sh4eb -sparc -sparc32plus -sparc64 -tilegx -x86_64 -xtensa -xtensaeb"
FEATURES="strict multilib-strict split-elog binpkg-dostrip buildpkg assume-digests usersync fixlafiles merge-sync preserve-libs sfperms ipc-sandbox xattr ebuild-locks parallel-fetch unknown-features-warn protect-owned qa-unresolved-soname-deps unmerge-logs binpkg-logs unmerge-orphans split-log userfetch pid-sandbox config-protect-if-modified distlocks binpkg-docompress ccache news"

>>> Attempting to run pkg_info() for 'app-emulation/qemu-5.0.0-r2'
Using:
  app-emulation/spice-protocol-0.14.1
  sys-firmware/edk2-ovmf-201905
    USE=binary
  sys-firmware/ipxe-1.0.0_p20190728
  sys-firmware/seabios-1.12.0
    USE=binary
  sys-firmware/sgabios-0.1_pre8-r1

>>> Source configured.
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/tmp/portage/app-emulation/qemu-5.0.0-r2/temp/sandbox.log"
 * 
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line
F: open_wr
S: deny
P: /dev/zfs
A: /dev/zfs
R: /dev/zfs
C: zfs get -rHp -t filesystem all epyc/gentoo/var 

F: open_wr
S: deny
P: /var/run/faillock/root
A: /var/run/faillock/root
R: /run/faillock/root
C: sudo -n docker version 

F: open_wrS: deny
P: /var/run/faillock/root
A: /var/run/faillock/root
R: /run/faillock/root
C: sudo -n docker version 

F: open_wr
S: deny
P: /dev/zfs
A: /dev/zfs
R: /dev/zfs
C: zfs get -rHp -t filesystem all epyc/gentoo/var 

F: open_wr
S: deny
P: /var/run/faillock/root
A: /var/run/faillock/rootR: /run/faillock/rootC: sudo -n docker version F: open_wrS: denyP: /var/run/faillock/rootA: /var/run/faillock/rootR: /run/faillock/rootC: sudo -n docker version  * --------------------------------------------------------------------------------

Reproducible: Always

Comment 1 Rafael Kitover 2020-07-17 02:41:32 UTC

Created attachment 649604 [details]
build log

Comment 2 Rafael Kitover 2020-07-17 02:41:55 UTC

Created attachment 649606 [details]
emerge --info

Comment 3 Larry the Git Cow gentoo-dev

2020-07-17 22:07:02 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=648b9dd9236af78df5f63dc226a3c109b0f4dab1

commit 648b9dd9236af78df5f63dc226a3c109b0f4dab1
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-07-17 22:06:41 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-07-17 22:06:57 +0000

    app-emulation/qemu: pass --disable-containers
    
    By default qemu build system tries to run docker and zfs tools.
    We don't want that as part of normal build process.
    
    Reported-by: Rafael Kitover
    Closes: https://bugs.gentoo.org/732972
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-emulation/qemu/qemu-5.0.0-r2.ebuild | 1 +
 app-emulation/qemu/qemu-9999.ebuild     | 1 +
 2 files changed, 2 insertions(+)

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2020-07-17 22:08:36 UTC

Please give it a try. I don't have any of the tools installed thus not sure if it fixes it.

Comment 5 Rafael Kitover 2020-07-17 22:48:22 UTC

Does indeed fix both the zfs and docker sandbox violations, I was able to merge successfully.

No idea what this means for the zfs use flag, which I don't have enabled right now, but that's a separate issue, will take a look sometime.

Comment 6 Vadim A. Misbakh-Soloviov (mva) gentoo-dev

2020-09-21 06:35:14 UTC

@slyfox, I'm not sure that we really "don't want that": https://wiki.qemu.org/Features/Containers

Maybe, we should consider to add the paths to "allow-from-sandbox" list?

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2020-09-21 07:48:12 UTC

(In reply to Vadim A. Misbakh-Soloviov (mva) from comment #6)
> @slyfox, I'm not sure that we really "don't want that":
> https://wiki.qemu.org/Features/Containers
> 
> Maybe, we should consider to add the paths to "allow-from-sandbox" list?

qemu's configure says:
> --disable-containers     don't use containers for cross-building
which is about cross-building qemu itself.

Your link explains details of running container images by qemu (provide container-specific devices and so on). I think these are two unrelated things.

You can look at the details of 'use_containers' definition and use site: https://github.com/qemu/qemu/search?q=use_containers&unscoped_q=use_containers

But I suspect you arrived here because something around qemu is broken for you. In that case I suggest filing a new bug as it's probably unrelated to container environment autodetection.