Binfmt_misc: permission denied in unprivileged container

Greelan · April 28, 2024, 5:01am

Trying to take advantage of the kernel from 6.7 onwards adding support for the mounting of binfmt_misc inside unprivileged containers. The purpose is to run box86/box64 on an aarch64 system to emulate amd64.

However, systemd-binfmt complains of “permission denied”.

root@ampx64:~# systemctl status systemd-binfmt.service 
× systemd-binfmt.service - Set Up Additional Binary Formats
     Loaded: loaded (/usr/lib/systemd/system/systemd-binfmt.service; static)
     Active: failed (Result: exit-code) since Sun 2024-04-28 14:29:17 AEST; 24min ago
       Docs: man:systemd-binfmt.service(8)
             man:binfmt.d(5)
             https://docs.kernel.org/admin-guide/binfmt-misc.html
             https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
    Process: 2337 ExecStart=/usr/lib/systemd/systemd-binfmt (code=exited, status=1/FAILURE)
   Main PID: 2337 (code=exited, status=1/FAILURE)
        CPU: 10ms

Apr 28 14:29:17 ampx64 systemd[1]: Starting systemd-binfmt.service - Set Up Additional Binary Formats...
Apr 28 14:29:17 ampx64 systemd-binfmt[2337]: Failed to flush binfmt_misc rules, ignoring: Permission denied
Apr 28 14:29:17 ampx64 systemd-binfmt[2337]: /etc/binfmt.d/box64.conf:2: Failed to add binary format 'box64': Permission denied
Apr 28 14:29:17 ampx64 systemd-binfmt[2337]: /etc/binfmt.d/box86.conf:2: Failed to add binary format 'x86': Permission denied
Apr 28 14:29:17 ampx64 systemd-binfmt[2337]: /usr/lib/binfmt.d/python3.10.conf:1: Failed to add binary format 'python3.10': Permission denied
Apr 28 14:29:17 ampx64 systemd-binfmt[2337]: /usr/lib/binfmt.d/python3.12.conf:1: Failed to add binary format 'python3.12': Permission denied
Apr 28 14:29:17 ampx64 systemd[1]: systemd-binfmt.service: Main process exited, code=exited, status=1/FAILURE
Apr 28 14:29:17 ampx64 systemd[1]: systemd-binfmt.service: Failed with result 'exit-code'.
Apr 28 14:29:17 ampx64 systemd[1]: Failed to start systemd-binfmt.service - Set Up Additional Binary Formats.

Relevant info:

root@ampx64:~# uname -a
Linux ampx64 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 02:32:42 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

root@ampx64:~# mount | grep binfmt
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)

root@ampx64:~# ls -la /proc/sys/fs/binfmt_misc/
total 0
drwxr-xr-x 2 root   root    0 Apr 28 12:49 .
dr-xr-xr-x 1 nobody nogroup 0 Apr 28 12:49 ..
--w------- 1 root   root    0 Apr 28 12:49 register
-rw-r--r-- 1 root   root    0 Apr 28 12:49 status

root@ampx64:~# ls -la /etc/binfmt.d/
total 18
drwxr-xr-x   2 root root   4 Apr 28 07:49 .
drwxr-xr-x 115 root root 219 Apr 28 12:48 ..
-rw-r--r--   1 root root 212 Apr 28 07:45 box64.conf
-rw-r--r--   1 root root 210 Feb  3 01:33 box86.conf

And on the host:

ubuntu@cloudvm:~$ incus version
Client version: 6.0.0
Server version: 6.0.0

Any hints appreciated.

stgraber · April 28, 2024, 8:56pm

Greelan · June 24, 2024, 11:46am

Any guide as to when this will be in a release?

stgraber · June 25, 2024, 1:37am

It has been already, in both 6.1 and 6.2.

Greelan · June 25, 2024, 1:58am

I see. I’m on LTS. Any timeline for LTS getting it?

Or is it reasonable enough to switch to stable?

stgraber · June 25, 2024, 2:50am

We should be releasing 6.0.1 this week which would include this fix.

Greelan · June 25, 2024, 5:28am

Nice, thanks

Greelan · June 30, 2024, 2:45pm

Confirmed now working. Thank you