freedomofpress / dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
https://dangerzone.rocks/
GNU Affero General Public License v3.0

Latest gVisor release breaks Dangerzone #928

Open apyrgio opened 1 month ago

apyrgio commented 1 month ago

It seems that the latest gVisor release (release-20240916.0) is breaking the development branch of Dangerzone. I believe this is the case due to the following:

  1. Our tests have been failing since 5 days ago, when the newest binaries for gVisor were released.
  2. I have rebuilt the v0.7.0 image for Dangerzone, which should run properly on all of our supported platforms, and I get an error as well.

The gVisor error we're seeing when running the container by hand is this:

I0923 13:05:11.356492       1 main.go:201] **************** gVisor ****************
W0923 13:05:11.358402       1 boot.go:266] Not setting product_name: open /sys/devices/virtual/dmi/id/product_name: no such file or directory
I0923 13:05:11.358522       1 boot.go:279] Setting host-shmem-huge: "never"
W0923 13:05:11.359241       1 specutils.go:129] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I0923 13:05:11.359297       1 chroot.go:92] Setting up sandbox chroot in "/tmp"
W0923 13:05:11.359386       1 chroot.go:109] Failed to copy /etc/localtime: open /etc/localtime: no such file or directory. UTC timezone will be used.
I0923 13:05:11.359425       1 chroot.go:37] Mounting "proc" at "/tmp/proc"
W0923 13:05:11.359477       1 util.go:64] FATAL ERROR: error setting up chroot: error mounting proc in chroot: error mounting "proc" at "/tmp/proc": mount("proc", "/tmp/proc", 15) failed: operation not permitted
error setting up chroot: error mounting proc in chroot: error mounting "proc" at "/tmp/proc": mount("proc", "/tmp/proc", 15) failed: operation not permitted
D0923 13:05:11.360661      12 sandbox.go:1330] Destroying sandbox "dangerzone"

You can find the full error report here: gvisor.log. I'll give it a check with the previous gVisor release as well.

apyrgio commented 1 month ago

Yeap, building Dangerzone with the 2024-08-26 gVisor release works. The change I made was:

diff --git a/Dockerfile b/Dockerfile
index 9988660..872e634 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -88,7 +88,7 @@ FROM alpine:latest
 RUN apk --no-cache -U upgrade && \
     apk --no-cache add python3

-RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
+RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/20240826/$(uname -m)"; \
     wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
     sha512sum -c runsc.sha512 && \
     rm -f runsc.sha512 && \
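Review bot: the pinned release in the `GVISOR_URL` line fixes today's breakage, but the underlying issue is that `.../release/latest/` let an upstream change in the sandbox runtime land in the image unreviewed; consider keeping the pin after the gVisor fix ships and exposing it as a build argument (e.g. `ARG GVISOR_RELEASE=20240826` and `release/${GVISOR_RELEASE}/`) with a comment pointing at the tracker issue, so bumps are deliberate and visible in review. Note also that `runsc.sha512` is downloaded from the same `${GVISOR_URL}` as `runsc`, so the `sha512sum -c` step checks that the download was not corrupted but cannot detect a substituted binary; if gVisor publishes checksums or signatures through a separate channel, verifying against those would close that gap.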

I'll open an issue in the gVisor tracker, in case someone has encountered something similar.


Edit: opened https://github.com/google/gvisor/issues/10944.

almet commented 1 week ago

gVisor released a fix for this, which is available in https://github.com/google/gvisor/releases/tag/release-20241104.0, so we should be able to unpin it :-) 🎉