Message-ID: <671252c8-88f6-45b7-b719-b82786e84bb7@gnedt.at>
Date: Sun, 6 Jul 2025 17:15:58 +0200
From: Lisa Gnedt
To: passt-user@passt.top
Subject: Issues when using pasta with bubblewrap

Hi,

I am working on integrating pasta into NixPak [1], which boils down to using pasta together with bubblewrap [2]. It basically works, but in a specific edge case I am running into problems. The edge case is when bubblewrap creates two layers of user namespaces.

What I am basically doing is letting bubblewrap create a new network namespace and then starting pasta to create the interfaces accordingly. In the NixPak support, I am doing this in coordination with bubblewrap to start pasta before the actual application is launched. However, here are a few minimal examples for reproducing the problem.

All testcases were run using pasta 2025_06_11.0293c6f on Linux 6.12.34-hardened1.

Testcase A: Single layer of user namespaces -> Works
----------------------------------------------------

First, I start the bwrap sandbox with a new network namespace:

$ bwrap --unshare-all --ro-bind / / /bin/sh
sh-5.2$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128

In another terminal window, I start pasta with the pid of the bubblewrap child which runs inside the new Linux namespaces:

$ pasta --config-net --no-dhcp --no-dhcpv6 --no-ndp --no-ra --no-map-gw --tcp-ns none --udp-ns none --tcp-ports none --udp-ports none --ns-ifname eth0 --address 192.168.1.100 --netmask 255.255.255.0 --gateway 192.168.1.1 --mac-addr 52:54:00:12:34:56 --dns-forward 192.168.1.1 --search none 389267
No interfaces with usable IPv6 routes
Template interface: eno2 (IPv4)
Namespace interface: eth0
MAC:
    host: 52:54:00:12:34:56
DNS:
    192.168.1.1

Then, I go back to the bwrap sandbox and check that the network namespace is now fully set up:

sh-5.2$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UNKNOWN        192.168.1.100/24 fe80::bceb:d3ff:fe9c:d037/64

Testcase B: Two layers of user namespaces -> Fails directly, but works with nsenter
-----------------------------------------------------------------------------------

First, I start the bwrap sandbox again with a new network namespace and the option --dev, which is one case where bubblewrap creates two layers of user namespaces:

$ bwrap --unshare-all --ro-bind / / --dev /dev /bin/sh
sh-5.2$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128

In another terminal window, I try to start pasta with the pid of the bubblewrap child which runs inside the new Linux namespaces:

$ pasta --config-net --no-dhcp --no-dhcpv6 --no-ndp --no-ra --no-map-gw --tcp-ns none --udp-ns none --tcp-ports none --udp-ports none --ns-ifname eth0 --address 192.168.1.100 --netmask 255.255.255.0 --gateway 192.168.1.1 --mac-addr 52:54:00:12:34:56 --dns-forward 192.168.1.1 --search none 390352
No interfaces with usable IPv6 routes
Couldn't switch to pasta namespaces: Operation not permitted

This does not work, since pasta joined the second-layer user namespace, which does not own the network namespace.

What works, however, is if I join the first-layer user namespace with nsenter and then let pasta run:

$ nsenter -t 390352 -U --preserve-credentials --user-parent -- pasta --config-net --no-dhcp --no-dhcpv6 --no-ndp --no-ra --no-map-gw --tcp-ns none --udp-ns none --tcp-ports none --udp-ports none --ns-ifname eth0 --address 192.168.1.100 --netmask 255.255.255.0 --gateway 192.168.1.1 --mac-addr 52:54:00:12:34:56 --dns-forward 192.168.1.1 --search none --netns /proc/390352/ns/net
No interfaces with usable IPv6 routes
Template interface: eno2 (IPv4)
Namespace interface: eth0
MAC:
    host: 52:54:00:12:34:56
DNS:
    192.168.1.1

Then, I go back to the bwrap sandbox and check that the network namespace is now fully set up:

sh-5.2$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UNKNOWN        192.168.1.100/24 fe80::54fa:e1ff:fe87:79e/64

Ideas for Solutions
-------------------

I am trying to find a solution that works with both testcases (single and two layers of user namespaces). My idea would be to always join the owning user namespace of the network namespace. I tried to simulate this with nsenter, but for some reason I am not getting pasta working for the single-layer user namespace (testcase A):

$ bwrap --unshare-all --ro-bind / / /bin/sh
sh-5.2$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128

$ nsenter -t 390424 -U --preserve-credentials -- pasta --config-net --no-dhcp --no-dhcpv6 --no-ndp --no-ra --no-map-gw --tcp-ns none --udp-ns none --tcp-ports none --udp-ports none --ns-ifname eth0 --address 192.168.1.100 --netmask 255.255.255.0 --gateway 192.168.1.1 --mac-addr 52:54:00:12:34:56 --dns-forward 192.168.1.1 --search none --netns /proc/390424/ns/net
No interfaces with usable IPv6 routes
Couldn't switch to pasta namespaces: Operation not permitted

While experimenting with this, I wondered if it is a scenario that pasta would like to support out of the box. It might be easier to get it correct when directly controlling all syscalls involved and not having to mix and match multiple tools. Since Linux 4.9 it seems to be possible to get the owning user namespace of a network namespace with the ioctl NS_GET_USERNS [3].

Would you consider looking into this, or would you accept a patch for adding support for this?

Best regards,
Lisa Gnedt

[1] https://github.com/nixpak/nixpak
[2] https://github.com/containers/bubblewrap
[3] https://man7.org/linux/man-pages/man2/ns_get_userns.2const.html
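The "join the owning user namespace" approach the mail proposes, as an added example in C that is not code from the mail, from pasta or from bubblewrap; it assumes the NS_GET_USERNS and NS_GET_NSTYPE ioctls from <linux/nsfs.h> (Linux 4.9 and later) and takes a netns path such as the --netns argument shown above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/nsfs.h>   /* NS_GET_USERNS, Linux >= 4.9 */
#ifndef CLONE_NEWUSER     /* fallback if <sched.h> was seen without _GNU_SOURCE */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWNET  0x40000000
#endif
int setns(int fd, int nstype);
/* Open the user namespace owning the netns at netns_path: an fd, or -1 with
 * errno ENOTTY (no kernel support) / EPERM (owner outside our userns scope). */
int open_owning_userns(const char *netns_path)
{
    int netns_fd = open(netns_path, O_RDONLY | O_CLOEXEC);
    if (netns_fd < 0) return -1;
    int userns_fd = ioctl(netns_fd, NS_GET_USERNS), saved = errno;
    close(netns_fd);
    errno = saved;
    return userns_fd;
}

/* 1 if ns_fd and the namespace at path are the same nsfs inode (the identity
 * nsenter and ip compare), 0 if not, -1 on error. */
int same_namespace(int ns_fd, const char *path)
{
    struct stat a, b;
    if (fstat(ns_fd, &a) < 0 || stat(path, &b) < 0) return -1;
    return a.st_ino == b.st_ino && a.st_dev == b.st_dev;
}

/* Join the netns as the mail proposes: enter its owning user namespace first
 * (not /proc/PID/ns/user, which in bubblewrap's two-layer case is a child that
 * does not own the netns), then the netns. setns() into a user namespace we
 * already belong to fails with EINVAL, so that step is skipped in that case. */
int join_netns_via_owner(const char *netns_path)
{
    int userns_fd = open_owning_userns(netns_path);
    if (userns_fd < 0) return -1;
    int rc = -1, netns_fd = open(netns_path, O_RDONLY | O_CLOEXEC);
    if (netns_fd >= 0 && (same_namespace(userns_fd, "/proc/self/ns/user") == 1
                          || setns(userns_fd, CLONE_NEWUSER) == 0))
        rc = setns(netns_fd, CLONE_NEWNET);
    close(userns_fd);
    if (netns_fd >= 0) close(netns_fd);
    return rc;
}
```

Comparing the fd returned by open_owning_userns() against /proc/PID/ns/user with same_namespace() distinguishes testcase A (they match) from testcase B (the pid's user namespace is a child that does not own the netns).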