maelstrom-software / maelstrom

Maelstrom is a fast Rust, Go, and Python test runner that runs every test in its own container. Tests are either run locally or distributed to a clustered job runner.
https://maelstrom-software.com/
Apache License 2.0

Error on Ubuntu 24.04 while writing to /proc/self/setgroups: Permission denied (os error 13) #337

Open zed opened 2 months ago

zed commented 2 months ago
maelstrom-pytest --list
Error: client background process

Caused by:
    0: write("/proc/self/setgroups")
    1: Permission denied (os error 13)
dispatcher: error: transport error

Caused by:
    0: connection error: Broken pipe (os error 32)
    1: Broken pipe (os error 32)
Error: receiving RPC response from client process

Caused by:
    receiving on a closed channel

The workaround from https://github.com/lima-vm/lima/issues/2319#issuecomment-2094746425 helps:

echo "kernel.apparmor_restrict_unprivileged_userns = 0" | sudo tee /etc/sysctl.d/99-userns.conf
sudo sysctl --system

nfachan commented 2 months ago

Ah yes. We've run into this before. Thanks for reporting it.

At the very least, we should document this and the workaround. I'm not sure if we can work around it by either not mapping users or mapping to non-root users by default.

https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

bobbobbio commented 2 months ago

I think the best way to fix it is to install a profile for the program somehow like this

add a profile to /etc/apparmor.d/maelstrom with

abi <abi/4.0>,
include <tunables/global>

profile maelstrom /home/<username>/.cargo/bin/cargo-maelstrom flags=(unconfined) {
  userns,
}

but replace <username> with your username, or else change the path to the right binary (maelstrom-pytest or w/e)

then run

sudo apparmor_parser -r /etc/apparmor.d/maelstrom

maybe the application could prompt to install it for you, or we can add docs explaining
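
Added example, not part of the thread or of maelstrom: a shell sketch that checks whether the `kernel.apparmor_restrict_unprivileged_userns` restriction is active and renders the per-binary profile shown above for any absolute binary path, so the global sysctl can stay enabled. The function names, the use of the binary's basename as the profile name, and the path character whitelist are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not maelstrom's own code.

# userns_restricted [SYSCTL_FILE]
# Returns 0 if the AppArmor unprivileged-userns restriction is on,
# 1 if it is off, 2 if the kernel does not expose the knob.
# SYSCTL_FILE defaults to the /proc/sys path of the sysctl named in the thread.
userns_restricted() {
    f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# render_userns_profile BINARY_PATH
# Prints a profile with the same body as the one posted in the thread,
# attached to exactly one binary. Writes nothing to disk.
render_userns_profile() {
    bin="$1"
    # AppArmor attachment paths must be absolute.
    case "$bin" in
        /*) ;;
        *) echo "binary path must be absolute: $bin" >&2; return 1 ;;
    esac
    # Refuse globs, variables, spaces and quotes so the profile cannot
    # silently attach to more binaries than intended (assumed whitelist).
    case "$bin" in
        *[!A-Za-z0-9/._+-]*)
            echo "unsupported character in path: $bin" >&2; return 1 ;;
    esac
    name="$(basename "$bin")"   # assumption: profile named after the binary
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $bin flags=(unconfined) {
  userns,
}
EOF
}

# Typical use (the install step needs root, as in the thread):
#   userns_restricted && render_userns_profile "$(command -v maelstrom-pytest)" \
#       | sudo tee /etc/apparmor.d/maelstrom-pytest
#   sudo apparmor_parser -r /etc/apparmor.d/maelstrom-pytest
```

Compared with setting the sysctl to 0, the rendered profile lifts the user-namespace restriction only for the named binary.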