Summary: | sys-apps/portage with systemd-nspawn - Unable to configure loopback interface: Operation not permitted | ||
---|---|---|---|
Product: | Portage Development | Reporter: | Michael Jones <gentoo> |
Component: | Core | Assignee: | Portage team <dev-portage> |
Status: | UNCONFIRMED --- | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/systemd/systemd/issues/13308 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Michael Jones
2023-09-10 22:38:10 UTC
You need to either disable the network-sandbox feature, or enable CAP_NET_ADMIN in systemd-nspawn. Basic functionality should work out of the box. Portage shouldn't be warning every package for something that can be detected and and predicted to always fail every time. If systemd-nspawn is known to not support this feature, warn once at the top of the log, and then surpress it for subsequent packages. (In reply to Michael Jones from comment #2) > If systemd-nspawn is known to not support this feature I think you misunderstand the issue. By default, systemd-nspawn removes the permission (CAP_NET_ADMIN) that Portage needs to manipulate network settings. It's arguably more secure by default. It's not really possible to make Portage's network-sandbox feature work "out-of-the-box" in such an environment. In any case, it's just a warning that you can ignore. Or you can disable the feature to make the warning go away. If you would like to supply a patch to make the warning less obnoxious, we would probably accept it. Some thoughts from IRC: We would need to check if portage.process._configure_loopback_interface() fails and cache that. That's somewhat difficult since that function is invoked in a sandboxed child process specific to each package being built. So we would need IPC of some sort. I suppose we could spawn a very specific "test child" that does nothing but set up namespaces and configure the loopback interface and report success/failure, and cache the result of that in the main emerge process. That would be executed before we attempt any package operations. |