os error 38 when using sandbox mode
Hello, I want to build a conda package using rattler-build, in sandbox mode, on a remote HPC. It works fine on my local pc, but not on the HPC. I get the following error:
```
sandboxing failure: Function not implemented (os error 38)
2025-09-10T16:02:45.340628Z ERROR Running build for{recipe="pkg_name-10.0.0-hd82799e_0"}:Running build script: rattler_build::script::interpreter::bash: Script failed with status 1
2025-09-10T16:02:45.340680Z ERROR Running build for{recipe="pkg_name-10.0.0-hd82799e_0"}:Running build script: rattler_build::script::interpreter::bash:
Script execution failed.
Work directory: /xxx/bld/rattler-build_pkg_name_1757520140/work
Prefix: /xxx/bld/rattler-build_pkg_name_1757520140/host_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placeho
Build prefix: /xxx/bld/rattler-build_pkg_name_1757520140/build_env
To run the script manually, use the following command:
cd "/xxx/bld/rattler-build_pkg_name_1757520140/work" && ./conda_build.sh
To run commands interactively in the build environment:
cd "/xxx/bld/rattler-build_pkg_name_1757520140/work" && source build_env.sh
Error: × Script failed to execute
```
The build works without the sandbox option. My guess is that the infrastructure I'm working on lacks some features/dependencies (from sandboxing failure: Function not implemented (os error 38)) but I'm not sure where to search/what to look for.
- Local OS: Ubuntu 22.04
- HPC OS: Red Hat Enterprise Linux 8.10
- rattler-build version: 0.47.0
Thanks !
EDIT: the max Rust version available on this HPC is 1.83, whereas rattler seems to rely on 1.86. Is this what could be causing this?
Hi @EugenePlanteurCS thank you for trying sandboxing with rattler-build! My first thoughts are that it sounds like our sandbox implementation relies on features that were not activated on your Linux kernel ...
Under the hood we are using https://github.com/phylum-dev/birdcage/. It uses Linux namespaces.
Maybe you can check the following:
Check Kernel Configuration
First, examine your kernel's configuration to see which namespace types are compiled in:
```bash
# Check current kernel config (most common location)
grep -E "CONFIG_.*_NS" /boot/config-$(uname -r)
# Alternative: check compressed config if available
zcat /proc/config.gz | grep -E "CONFIG_.*_NS"
```
Look for these key configuration options:
- CONFIG_USER_NS=y - User namespaces [^1][^2]
- CONFIG_PID_NS=y - Process ID namespaces
- CONFIG_NET_NS=y - Network namespaces
- CONFIG_UTS_NS=y - UTS namespaces
- CONFIG_IPC_NS=y - IPC namespaces
- CONFIG_MNT_NS=y - Mount namespaces
Hi, thank you for your answer !
Using the command grep -E "CONFIG_.*_NS" /boot/config-$(uname -r), all variables are set as expected:
- CONFIG_USER_NS=y
- CONFIG_PID_NS=y
- CONFIG_NET_NS=y
- CONFIG_UTS_NS=y
- CONFIG_IPC_NS=y
Except for CONFIG_MNT_NS, it is not present.
Hi @EugenePlanteurCS I think unfortunately the missing MNT_NS is the issue. It looks like it is needed to control filesystem access and "mount" folders as readonly / readwrite / ...
I don't think there is a good workaround. Does docker work on these systems? We could also - longer term - think about implementing a sandbox that uses docker instead.
Hi ! Thanks for looking into this ! Out of curiosity I tried the command on my pc, with the following output:
```
CONFIG_UTS_NS=y
CONFIG_TIME_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NET_NSH=m
CONFIG_PATA_NS87415=m
CONFIG_PATA_NS87410=m
CONFIG_TCG_NSC=m
CONFIG_RPMSG_NS=m
CONFIG_GENERIC_VDSO_TIME_NS=y
# CONFIG_NET_NS_REFCNT_TRACKER is not set
```
The MNT_NS isn't present either, but the sandbox mode works fine.
Running rattler build in a docker is also a possibility, I haven't looked at it yet.
Thank you !
Hmm in that case you could check whether e.g. bash is accessible, or any of the tools that you are using?
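A runtime counterpart to the kernel-config grep discussed in this thread, as an added example that is not code from rattler-build or birdcage. It checks what the running kernel exposes under /proc/self/ns (mount namespaces have no CONFIG_MNT_NS build option of their own, so this is where they show up), reads the per-user limits in /proc/sys/user, and then tries to create a user and mount namespace with util-linux `unshare`. The function names and the list of required namespace types (taken from the options named above) are assumptions.

```shell
#!/bin/sh
# Added example: runtime check of namespace features for a namespace-based sandbox.
# Directories are parameters so the logic can be exercised on constructed trees.
# Assumption: the required types mirror the CONFIG_*_NS options named in the thread.
REQUIRED_NS="user mnt pid net ipc uts"

# missing_namespaces NS_DIR: print each required type the kernel does not expose.
missing_namespaces() {
    for ns in $REQUIRED_NS; do
        [ -e "$1/$ns" ] || [ -L "$1/$ns" ] || printf '%s\n' "$ns"
    done
}

# zero_limits SYSCTL_DIR: print each type whose max_<type>_namespaces is 0,
# i.e. compiled into the kernel but disabled by the administrator.
zero_limits() {
    for ns in $REQUIRED_NS; do
        f="$1/max_${ns}_namespaces"
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] && printf '%s\n' "$ns"
    done
    return 0
}

# sandbox_prereqs NS_DIR SYSCTL_DIR: report findings, return 0 only if clean.
sandbox_prereqs() {
    missing=$(missing_namespaces "$1")
    disabled=$(zero_limits "$2")
    [ -n "$missing" ] && echo "not exposed by kernel: $(echo $missing)"
    [ -n "$disabled" ] && echo "limit set to 0: $(echo $disabled)"
    [ -z "$missing$disabled" ]
}

# live_probe: create user + mount namespaces as the current user. This goes
# through the real syscall path, so it also catches blocks that the files
# above do not show (for example a seccomp or LSM policy on the node).
live_probe() {
    command -v unshare >/dev/null 2>&1 || { echo "unshare not installed"; return 2; }
    unshare --user --map-root-user --mount true
}

sandbox_prereqs /proc/self/ns /proc/sys/user \
    && echo "namespace types present and limits non-zero" || true
live_probe 2>&1 && echo "live probe: user+mount namespace created" \
    || echo "live probe: failed (see message above)"
```

Run it on the login node and inside a batch job, since HPC compute nodes can carry different sysctl settings than the node used for the config grep.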