
Latest gVisor release breaks Dangerzone

Open apyrgio opened this issue 1 year ago • 1 comment

It seems that the latest gVisor release (release-20240916.0) is breaking the development branch of Dangerzone. I believe this is the case due to the following:

  1. Our tests have been failing for 5 days, since the newest binaries for gVisor were released.
  2. I have rebuilt the v0.7.0 image for Dangerzone, which should run properly on all of our supported platforms, and I get an error as well.

The gVisor error we're seeing when running the container by hand is this:

I0923 13:05:11.356492       1 main.go:201] **************** gVisor ****************
W0923 13:05:11.358402       1 boot.go:266] Not setting product_name: open /sys/devices/virtual/dmi/id/product_name: no such file or directory
I0923 13:05:11.358522       1 boot.go:279] Setting host-shmem-huge: "never"
W0923 13:05:11.359241       1 specutils.go:129] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I0923 13:05:11.359297       1 chroot.go:92] Setting up sandbox chroot in "/tmp"
W0923 13:05:11.359386       1 chroot.go:109] Failed to copy /etc/localtime: open /etc/localtime: no such file or directory. UTC timezone will be used.
I0923 13:05:11.359425       1 chroot.go:37] Mounting "proc" at "/tmp/proc"
W0923 13:05:11.359477       1 util.go:64] FATAL ERROR: error setting up chroot: error mounting proc in chroot: error mounting "proc" at "/tmp/proc": mount("proc", "/tmp/proc", 15) failed: operation not permitted
error setting up chroot: error mounting proc in chroot: error mounting "proc" at "/tmp/proc": mount("proc", "/tmp/proc", 15) failed: operation not permitted
D0923 13:05:11.360661      12 sandbox.go:1330] Destroying sandbox "dangerzone"

You can find the full error report here: gvisor.log. I'll give it a check with the previous gVisor release as well.

apyrgio avatar Sep 23 '24 13:09 apyrgio
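As an added example (not code from this issue, from Dangerzone or from gVisor), a small parser for the runsc log lines quoted above that flags the fatal chroot setup failure and pulls out the refused mount() call. A CI job that boots the sandbox could run this over the captured log to fail with a clear reason when a gVisor upgrade regresses. The line layout is assumed to be gVisor's standard glog format; the sample is a constructed excerpt of the log above.

```python
import re
from typing import List, NamedTuple, Optional

# glog-style line as emitted by runsc:
#   <L><MMDD> <HH:MM:SS.micros> <pid> <file>:<line>] <message>
GLOG_RE = re.compile(
    r"^(?P<level>[IWEDF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+) (?P<src>[\w./-]+:\d+)\] (?P<msg>.*)$"
)
# The mount() failure string gVisor embeds in "error setting up chroot" messages.
MOUNT_ERR_RE = re.compile(
    r'mount\("(?P<fs>[^"]+)", "(?P<target>[^"]+)", \d+\) failed: (?P<errno>.+)$'
)

class Entry(NamedTuple):
    level: str
    src: str
    msg: str

def parse_glog(text: str) -> List[Entry]:
    """Return structured entries; lines without a glog prefix (such as the bare
    repeat of the error after the FATAL line) are skipped."""
    entries = []
    for line in text.splitlines():
        m = GLOG_RE.match(line)
        if m:
            entries.append(Entry(m["level"], m["src"], m["msg"]))
    return entries

def chroot_mount_failure(entries: List[Entry]) -> Optional[dict]:
    """Locate the fatal chroot setup error from sandbox boot and report which
    filesystem/target mount() was refused and with what errno text."""
    for e in entries:
        if "FATAL ERROR" in e.msg and "error setting up chroot" in e.msg:
            m = MOUNT_ERR_RE.search(e.msg)
            return {
                "src": e.src,
                "fs": m["fs"] if m else None,
                "target": m["target"] if m else None,
                "errno": m["errno"] if m else None,
            }
    return None

# Constructed sample: a trimmed copy of the lines quoted in the issue.
SAMPLE = """\
I0923 13:05:11.356492       1 main.go:201] **************** gVisor ****************
I0923 13:05:11.359297       1 chroot.go:92] Setting up sandbox chroot in "/tmp"
I0923 13:05:11.359425       1 chroot.go:37] Mounting "proc" at "/tmp/proc"
W0923 13:05:11.359477       1 util.go:64] FATAL ERROR: error setting up chroot: error mounting proc in chroot: error mounting "proc" at "/tmp/proc": mount("proc", "/tmp/proc", 15) failed: operation not permitted
error setting up chroot: error mounting proc in chroot: error mounting "proc" at "/tmp/proc": mount("proc", "/tmp/proc", 15) failed: operation not permitted
D0923 13:05:11.360661      12 sandbox.go:1330] Destroying sandbox "dangerzone"
"""
```

Running `chroot_mount_failure(parse_glog(SAMPLE))` on the sample yields the `util.go:64` entry with `proc` at `/tmp/proc` refused with "operation not permitted".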

Yeap, building Dangerzone with the 2024-08-26 gVisor release works. The change I made was:

diff --git a/Dockerfile b/Dockerfile
index 9988660..872e634 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -88,7 +88,7 @@ FROM alpine:latest
 RUN apk --no-cache -U upgrade && \
     apk --no-cache add python3
 
-RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
+RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/20240826/$(uname -m)"; \
     wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
     sha512sum -c runsc.sha512 && \
     rm -f runsc.sha512 && \
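Review bot: pinning `GVISOR_URL` to the dated `20240826` release instead of `latest` is the right fix for reproducibility, but the `runsc.sha512` that `sha512sum -c` checks is fetched from the same `${GVISOR_URL}` as `runsc`, so the check only guards against a corrupted download, not a swapped artifact; consider embedding the known-good sha512 for this release directly in the Dockerfile (or verifying it out of band), and add a comment referencing this issue next to the pin so it is revisited once gVisor ships a fix.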

I'll open an issue in the gVisor tracker, in case someone has encountered something similar.


Edit: opened https://github.com/google/gvisor/issues/10944.

apyrgio avatar Sep 23 '24 13:09 apyrgio

gVisor released a fix for this, which is available in https://github.com/google/gvisor/releases/tag/release-20241104.0, so we should be able to unpin it :-) 🎉

almet avatar Nov 09 '24 20:11 almet

This is solved by https://github.com/freedomofpress/dangerzone/commit/c4bb7c28c882e2552fe09585232d984d88f3ff50

almet avatar Nov 25 '24 17:11 almet