Adjust the logging level and defined the error message as a module-le…
…vel constant, rearrange the order of the container setup steps.
younghojan committed May 29, 2024
1 parent 964acf9 commit 632283c
Showing 3 changed files with 39 additions and 28 deletions.
7 changes: 4 additions & 3 deletions benchexec/container.py
@@ -115,10 +115,11 @@
)
"""Whether we use generated native code for clone or an unsafe Python fallback"""

USER_NS_RESTRICTION = (
util.try_read_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns") == "1"
_ERROR_MSG_USER_NS_RESTRICTION = (
"Ubuntu 24.04 restircts unprivileged user namespaces, please try "
"'echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns' "
"as a temporary workaround."
)
"""Whether the kernel restricts unprivileged user namespaces"""


@contextlib.contextmanager
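Review bot: The new `_ERROR_MSG_USER_NS_RESTRICTION` text tells users to write 0 to `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` without saying that this switches the restriction off for every unprivileged process on the host, not only BenchExec, until the value is set back or the machine reboots. I would state that scope in the message, for example by ending it with `"as a temporary workaround (this disables the restriction system-wide until reboot)."`, and, if the project documents one, point to a narrower option such as an AppArmor profile that allows `userns` for BenchExec only. The string also carries the typo `restircts`, and it hard-codes "Ubuntu 24.04" although the checks elsewhere in this commit key on the sysctl value rather than on the distribution. The constant has a leading underscore but is read from containerexecutor.py and containerized_tool.py, so either drop the underscore or give it a short docstring saying it is shared, replacing the docstring this hunk removes.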
46 changes: 27 additions & 19 deletions benchexec/containerexecutor.py
@@ -707,17 +707,6 @@ def child():
container.close_open_fds(keep_files=necessary_fds)

try:
if self._container_system_config:
# A standard hostname increases reproducibility.
try:
socket.sethostname(container.CONTAINER_HOSTNAME)
except PermissionError:
logging.warning(
"Changing hostname in container prevented "
"by system configuration, "
"real hostname will leak into the container."
)

if not self._allow_network:
container.activate_network_interface("lo")

@@ -736,6 +725,27 @@ def child():
memory_nodes,
)

if self._container_system_config:
# A standard hostname increases reproducibility.
try:
socket.sethostname(container.CONTAINER_HOSTNAME)
except PermissionError:
if (
util.try_read_file(
"/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
)
== "1"
):
logging.warning(
container._ERROR_MSG_USER_NS_RESTRICTION
)
else:
logging.warning(
"Changing hostname in container prevented "
"by system configuration, "
"real hostname will leak into the container."
)

# Marking this process as "non-dumpable" (no core dumps) also
# forbids several other ways how other processes can access and
# influence it:
@@ -753,15 +763,13 @@ def child():
traceback.extract_tb(e.__traceback__, limit=-1)[0].line,
e,
)
if container.USER_NS_RESTRICTION and e.errno in [
errno.EPERM, # container.activate_network_interface() failed
errno.EACCES, # _setup_container_filesystem failed
if util.try_read_file(
"/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
) == "1" and e.errno in [
errno.EPERM,
errno.EACCES,
]:
logging.warning(
"Ubuntu 24.04 restircts unprivileged user namespaces,"
" please try 'echo 0 | sudo tee /proc/sys/kernel/"
"apparmor_restrict_unprivileged_userns' as a temporary workaround."
)
logging.critical(container._ERROR_MSG_USER_NS_RESTRICTION)
return CHILD_OSERROR

try:
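Review bot: In the relocated `sethostname` handler (hunk `-736,6 +725,27`), the branch taken when the sysctl reads "1" logs only `container._ERROR_MSG_USER_NS_RESTRICTION`, so the statement that the real hostname will leak into the container is no longer reported in exactly the case this commit targets. Setup continues after the `PermissionError`, so I would keep the hostname warning unconditional and log the restriction hint as a second message, e.g. `if restricted: logging.warning(container._ERROR_MSG_USER_NS_RESTRICTION)`. The same `util.try_read_file(...) == "1"` test with the full path literal is repeated here, in the `OSError` handler of the last hunk, and in containerized_tool.py; a single helper in container.py would keep the three sites in agreement. The last hunk also drops the two comments that said which call yields `EPERM` and which `EACCES`, and those are worth keeping. `child()` begins and ends outside these hunks.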
14 changes: 8 additions & 6 deletions benchexec/containerized_tool.py
@@ -124,12 +124,14 @@ def _init_container_and_load_tool(tool_module, *args, **kwargs):
try:
_init_container(*args, **kwargs)
except OSError as e:
if container.USER_NS_RESTRICTION:
logging.warning(
"Ubuntu 24.04 restircts unprivileged user namespaces,"
" please try 'echo 0 | sudo tee /proc/sys/kernel/"
"apparmor_restrict_unprivileged_userns' as a temporary workaround."
)
if (
util.try_read_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
== "1"
) and e.errno in [
errno.EPERM,
errno.EACCES,
]:
logging.critical(container._ERROR_MSG_USER_NS_RESTRICTION)
raise BenchExecException(f"Failed to configure container: {e}")
return _load_tool(tool_module)
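Review bot: The new condition uses `util.try_read_file` and `errno.EPERM`/`errno.EACCES`, but this file section contains no import hunk, so please confirm that `util` and `errno` are already imported in containerized_tool.py; if they are not, the handler fails with `NameError` before it can raise `BenchExecException`. With the added `e.errno` filter, an `OSError` carrying any other errno now gets no hint even when the sysctl reads "1"; if that is intended, a one-line comment such as `# other errnos are unrelated to the user-namespace restriction` would record it. `_init_container_and_load_tool` begins above the hunk.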

