nixos/gns3-server: ubridge doesn't work #292258
Comments
Looks like it has something to do with systemd dynamic users, created gns3 user normally, and the wrapper seems to be working. However, there is another error now:
Not sure if related to dynamic user removal, or unrelated to above yet.
Any update on this?
I haven't done anything further on this issue. I was hoping a maintainer or someone else with more knowledge in this area would step in. If I have spare time, I might look into it deeper.
Hello, and sorry for the late reply. I started investigating the issue, looks like it is related to the use of
error: failed to inherit capabilities: Operation not permitted
DynamicUser is a rather complex setting and its use with SUID wrappers ( Indeed, the SystemD documentation states that
And the NoNewPrivileges argument cannot be disabled (in the case DynamicUser is used), and it clearly forbids the service process to elevate privileges, and so to run ubridge SUID wrapper:
As a result, I think we should remove this
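A quick way to confirm the diagnosis above on a running NixOS host, as an added example that is not from this issue or from nixpkgs: read the unit's DynamicUser and NoNewPrivileges properties with systemctl show and report whether a SUID/capability wrapper such as /run/wrappers/bin/ubridge can still gain privileges inside that unit. The unit name gns3-server.service is an assumption.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or from nixpkgs.
# systemd's DynamicUser=yes implies NoNewPrivileges=yes, and NoNewPrivileges
# stops the service from gaining privileges through a SUID or capability
# wrapper, which is what produces
# "failed to inherit capabilities: Operation not permitted" for ubridge.

# Reads `systemctl show -p DynamicUser -p NoNewPrivileges <unit>` output on
# stdin (lines of the form Key=value), prints "blocked" or "allowed" on
# stdout, explains the reason on stderr, and returns 1 when blocked.
wrapper_verdict() {
  dyn=no; nnp=no
  while IFS='=' read -r key val; do
    case "$key" in
      DynamicUser)     dyn=$val ;;
      NoNewPrivileges) nnp=$val ;;
    esac
  done
  if [ "$dyn" = yes ]; then
    echo "wrapper cannot elevate: DynamicUser=yes implies NoNewPrivileges=yes" >&2
    echo blocked; return 1
  elif [ "$nnp" = yes ]; then
    echo "wrapper cannot elevate: NoNewPrivileges=yes" >&2
    echo blocked; return 1
  fi
  echo allowed; return 0
}

# Live check against a unit on the local system (needs systemd).
# Usage: check_unit gns3-server.service   (unit name is an assumption)
check_unit() {
  systemctl show -p DynamicUser -p NoNewPrivileges "$1" | wrapper_verdict
}
```

Run check_unit against the service unit; "blocked" means the hardening has to change before /run/wrappers/bin/ubridge can work from inside the service, regardless of which path ubridge_path points at.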
I did the PR to remove SystemD hardenings: #303442
I have tested it on my workstation and it fixes the problems with ubridge on my workstation:
base_node.py:701 Starting new uBridge hypervisor 0.0.0.0:36177
hypervisor.py:169 starting ubridge: ['/run/wrappers/bin/ubridge', '-H', '0.0.0.0:36177']
hypervisor.py:179 ubridge started PID=292152
base_node.py:704 Hypervisor 0.0.0.0:36177 has successfully started
ubridge_hypervisor.py:83 Connected to uBridge hypervisor on 127.0.0.1:36177 after 0.1015 seconds
I would need help from someone to review the PR and also test the patch, please 🙏
Describe the bug
When I try to start docker appliances I get the following error:
I viewed module source, and noticed that ubridge_path is set to /nix/store/... package, rather than /run/wrappers/bin/ubridge which gives those capabilities. I have created PR (#292095) to fix this. But then I ran into another problem: it finds the wrapper, but fails when it tries to verify version with an error.
After a few patches to gns3-server code, I got a more informative error:
I have searched for this error, and it originates from nixos/modules/security/wrappers/wrapper.c
Unfortunately at this point of diagnostic my knowledge is lacking with respect to capabilities, and C.
Also gns3-server package works fine when started as a user with ubridge group (with the wrapper in ubridge_path). It looks like it has something to do with systemd, systemd service configuration or hardening. I tried commenting out the latter, but it didn't change much.
Steps To Reproduce
Steps to reproduce the behavior:
services.gns3-server and services.gns3-server.ubridge
Expected behavior
Docker appliances start without errors
Notify maintainers
@anthonyroussel
Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.