containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

bubblewrap refuses to work with an unreachable automount #541

Open ghost opened 1 year ago

ghost commented 1 year ago

If you set up a systemd automount similar to this:

# var-home-user-mount.automount
[Unit]
Description=auto mount
StartLimitIntervalSec=0
Requires=network.target

[Automount]
Where=/var/home/user/mount
TimeoutIdleSec=10min

[Install]
WantedBy=remote-fs.target

# var-home-user-mount.mount
[Unit]
Description=mount
Requires=network.target
StartLimitIntervalSec=0

[Mount]
What=//10.0.0.1/c
Where=/var/home/user/mount
Options=uid=1000,gid=1000,nofail,mfsymlinks
Type=cifs

and place a bwrap/flatpak application desktop file into the xdg-autostart directory (~/.config/autostart) (← this is unnecessary; just an unreachable automount is enough to reproduce the issue), it'll get stuck for a very long time and then give up:

bwrap: Can't bind mount /oldroot/var on /newroot/var: Unable to remount recursively with correct flags: No such device

For instance, ALL my flatpak apps refuse to autostart just because an automount exists, the same error spams in journalctl. Disabling the automount fixes the issue.

> bwrap --version
bubblewrap 0.5.0

ghost commented 1 year ago

This was the command I used which had this issue:

sudo bwrap \
    --die-with-parent \
    --ro-bind / / \
    --tmpfs /tmp \
    --dev-bind /dev/null /dev/null \
    /usr/bin/bash

But it's also reproducible with all flatpak apps I use. CopyQ to name one.

ghost commented 1 year ago

Adding the hard mount option appears to work around the issue; however, it's not really a workaround, as it tends to freeze the accessing program forever until it becomes reachable again. No it's not. I repeatedly retried to reproduce and bubblewrap still froze, despite the hard mount option being used.

The precise condition to reproduce this issue is to make sure the automount unit is active and the mount unit is stuck in the mounting state (attempting to mount an unreachable filesystem). Then every newly executed bubblewrap will also freeze until the mount unit has timed out and failed, at which point bubblewrap will also fail, complaining about the Can't bind mount error.

bubblewrap will not freeze / throw an error if only the automount unit is active and the mount unit has already failed. And of course it also won't freeze when the mount unit is active.

ghost commented 1 year ago

To make sure the mount unit is stuck in the mounting state, you can configure the firewall to drop all packets. bubblewrap will always freeze while the mount unit is stuck and throw an error as soon as the mount unit has timed out and failed.

Something's probably wrong with bubblewrap's bind mount handling.

Sorry if the issue looks messy, I was tired trying to troubleshoot the root cause of my flatpak apps not autostarting.

ghost commented 1 year ago

For now, setting the automount path to /run/user/1000/mount and then creating a symlink ~/mount -> /run/user/1000/mount works around the issue.

I still don't know why having an automount in /var/home is an issue, but not in /run/user. But bruh, whatever.
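The condition described in this thread (an autofs automount point sitting below a directory that bwrap binds recursively, with its backing mount stalled) can be spotted before launching bwrap by reading /proc/self/mountinfo. The script below is an added example written for this page, not bubblewrap's own code or a fix for the bug: it lists the autofs mount points located at or below a given bind source, so that a `--ro-bind / /` invocation can be checked against them, and shows why the reporter's move of the automount to /run/user/1000 keeps it out of a bind of that directory. The mountinfo sample is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example for this issue, not bubblewrap's code. Lists autofs (systemd
# automount) mount points below a bind source, read from /proc/self/mountinfo.
# mountinfo line layout (spaces inside paths are octal-escaped as \040, so
# whitespace splitting is safe):
#   <mount id> <parent id> <major:minor> <root> <mount point> <options> [optional...] - <fstype> <source> <super options>

# Constructed sample in mountinfo format (hypothetical, not captured from a host).
SAMPLE_MOUNTINFO='22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
35 22 0:30 / /run/user/1000 rw,nosuid,nodev,relatime shared:18 - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000
60 22 0:45 / /var/home/user/mount rw,relatime shared:31 - autofs systemd-1 rw,fd=42,pgrp=1,timeout=600,minproto=5,maxproto=5,direct
61 22 0:46 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw'

# find_autofs_under ROOT   (mountinfo text on stdin)
# Prints each autofs mount point at or below ROOT, one per line.
find_autofs_under() {
    root="${1%/}"   # "/" becomes "", so the patterns below match every path
    while read -r mid parent dev subroot mntpoint rest; do
        post="${rest#* - }"        # text after the " - " separator
        fstype="${post%% *}"       # first word after it is the filesystem type
        [ "$fstype" = "autofs" ] || continue
        case "$mntpoint" in
            "$root"|"$root"/*) printf '%s\n' "$mntpoint" ;;
        esac
    done
}

# check_bind_source ROOT [MOUNTINFO_FILE]
# Returns 0 when no autofs mount lies below ROOT, 1 otherwise (naming them on stderr).
check_bind_source() {
    found="$(find_autofs_under "$1" < "${2:-/proc/self/mountinfo}")"
    if [ -n "$found" ]; then
        printf 'warning: autofs mount(s) below %s; a stalled automount here stalls bwrap on the recursive remount:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: a recursive bind of / covers the
# automount at /var/home/user/mount, a bind of /run/user/1000 does not.
printf '%s\n' "$SAMPLE_MOUNTINFO" | find_autofs_under /
printf '%s\n' "$SAMPLE_MOUNTINFO" | find_autofs_under /run/user/1000
# On a real host, gate the launch on the live mount table:
#   check_bind_source / && bwrap --ro-bind / / --tmpfs /tmp /usr/bin/bash
```

The check is advisory only: it tells you that an autofs trigger lies under the bind source, not whether its backing mount is currently healthy, so a clean result is no guarantee against a later stall.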