BenchExec not working after upgrading from Ubuntu 23.10 to 24.04 #1041
Comments
Thanks! I had heard rumors about this change but haven't found the time to test it yet. Yes, we definitely want to add documentation about this to BenchExec, and we also want to detect this specific situation in BenchExec itself and print a message that tells users what they need to do (like we do here). But first, is there a different way how users can make BenchExec work except by re-enabling unprivileged user namespaces globally? Can AppArmor be configured to allow it for BenchExec specifically? Do you happen to know this?
I guess there's another way to deal with this. It is also mentioned in Ubuntu 24.04 LTS Release Notes referenced above:
However, I currently know very little about AppArmor and am not quite sure.
Ok, I think it would be possible to ship this with our Ubuntu package. But I can't test it right now, and also not all users will install from this package, so we want the added documentation and error messages anyway. Would you like to contribute this?
Sure, I'd love to! I think I just need to add the corresponding content in the Common Problems section in container.md. I'll have it done in 24 hours.
Thanks! Would be great if the container code in BenchExec could also detect this particular case. |
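The detection asked for in the comment above, as an added example that is not BenchExec's own code: it attempts unshare(CLONE_NEWUSER) in a forked child and, when that fails with EPERM while the AppArmor sysctl is set to 1, prints the remedies this thread describes. The sysctl path, the EPERM failure code and the message text are assumptions of this example.

```python
import ctypes
import errno
import os
from pathlib import Path

# Sysctl that Ubuntu 23.10+ uses to restrict unprivileged user namespaces
# ("1" = restricted). Path and semantics are assumptions of this example.
SYSCTL_PATH = Path("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
CLONE_NEWUSER = 0x10000000  # flag value from <linux/sched.h>

HINT = (
    "AppArmor restricts unprivileged user namespaces on this system (Ubuntu 24.04+),\n"
    "so BenchExec cannot create its container. Either install an AppArmor profile\n"
    "that grants 'userns' to BenchExec, set kernel.apparmor_restrict_unprivileged_userns=0\n"
    "(persistently via /etc/sysctl.d/60-apparmor-namespace.conf), or disable container mode."
)

def read_sysctl(path=SYSCTL_PATH):
    """Return the sysctl's content, or None on kernels that do not have it."""
    try:
        return path.read_text()
    except OSError:
        return None

def probe_userns():
    """Try unshare(CLONE_NEWUSER) in a forked child (Linux only); return 0 or the errno."""
    libc = ctypes.CDLL(None, use_errno=True)
    pid = os.fork()
    if pid == 0:  # child: the namespace change must not affect the parent
        rc = libc.unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else ctypes.get_errno())  # exit code carries errno
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)

def diagnose(sysctl_value, unshare_errno):
    """Pure classification (no I/O) so the logic can be unit-tested."""
    if unshare_errno == 0:
        return "ok"
    restricted = sysctl_value is not None and sysctl_value.strip() == "1"
    if restricted and unshare_errno == errno.EPERM:
        return "apparmor_restricted"
    return "other"  # e.g. user.max_user_namespaces=0 or an old kernel

def check_user_namespaces():
    """Run the probe on the live system and print the hint when AppArmor is the cause."""
    verdict = diagnose(read_sysctl(), probe_userns())
    if verdict == "apparmor_restricted":
        print(HINT)
    return verdict
```

Calling check_user_namespaces() before the container is set up gives the user the actionable message instead of a bare failure.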
On Ubuntu since 24.04, user namespaces are forbidden for regular users (cf. #1041 and #1042). There is a global sysctl switch to enable them again, but applications whose AppArmor profile allows this can also use it. (Typically, AppArmor only restricts applications, but in this case an AppArmor profile can actually provide a privilege that an unconfined application does not have.) More explanations are at https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

In order to make BenchExec usable out-of-the-box after installing the .deb package we want to ship such an AppArmor profile. This is made complicated by the fact that the AppArmor profile that is necessary on Ubuntu 24.04+ breaks AppArmor on previous Ubuntu versions. So we have to install this profile conditionally. I found a way to do so using ucf (a tool for handling config files) and this seems to work in my tests on Ubuntu 22.04 (old AppArmor), Ubuntu 24.04 (new AppArmor), and Debian 12 (old AppArmor), as well as installation without AppArmor present.

There are two known remaining problems:
- If one upgrades from Ubuntu 22.04 to Ubuntu 24.04 while having BenchExec installed, the AppArmor profile will not be installed, so BenchExec will not work. Upgrading or reinstalling the BenchExec package makes it work.
- The command "python3 -m benchexec.test_tool_info" will not work, because the AppArmor profile won't match it. One has to either disable container mode or temporarily allow the use of user namespaces for the whole system. If we implement #1053 this would just work.

Part of #1041.
Besides the improved error messages regarding this issue, the Ubuntu package of the next release of BenchExec will also ship with the necessary AppArmor config such that BenchExec works out-of-the-box again on Ubuntu. Of course, users of BenchExec who install it from git or pip or use inside a container or so will still need to change the
I recently upgraded my system from Ubuntu 23.10 to 24.04, and BenchExec stopped working. I installed BenchExec from the PPA following the instructions provided here. I believe I have configured everything correctly, as
python3 -m benchexec.check_cgroups
did not produce any output. However, when I run
containerexec --debug /usr/bin/ls
I encounter the following error:
BenchExec then exits with an error. This seems to be caused by Ubuntu 24.04 now restricting user namespaces by default.
Referencing the Ubuntu 24.04 LTS Release Notes, it states:
I disabled this restriction by executing:
However, this solution is temporary and will be reset upon reboot. A persistent setting can be applied by creating a new file
/etc/sysctl.d/60-apparmor-namespace.conf
with the following contents:
Do we need to update the BenchExec documentation to inform users about this issue and the steps to resolve it on Ubuntu 24.04?