Running Sandstorm browser tests on Debian 10 (buster)

[Troy Farrell]

In case you hadn't noticed, I use many different systems every day.  Today I've built Sandstorm on a Debian 10 system.  I noted that make bundle && make test fails with the following error when trying to start sandstorm from tests/tmp-sandstorm:

*** Uncaught exception ***

sandstorm/run-bundle.c++:1418: failed: unshare(CLONE_NEWUSER): Operation not permitted

stack: 4e1747 4e028b 4e01bc 6accb5 6ac87f

make: *** [Makefile:167: test] Error 1

I suspect that sandstorm is trying to do its process namespace magic and something that it's doing is not allowed.  But I'm far from understanding what.  This is a clean system.  Sandstorm has not been installed on it yet and there is no sandstorm user or group.  Also, I'm running the build and test as a normal user, not as root.

I'm going to try installing Sandstorm (as built on the system) to see if it works once installed.

Thanks for your feedback,

Troy

[Troy Farrell]

I can confirm that installing Sandstorm with make install causes the tests to continue without the above unshare(CLONE_NEWUSER): Operation not permitted error.  I'm not sure why, but removing the sandstorm user and group does not cause the error to return.  Removing /opt/sandstorm, /usr/local/bin/sandstorm, tests/tmp-sandstorm and make clean && make bundle && make test still works.  Doing the above and rebooting does not bring back the above error.  I haven't figured out the reason this fails the first time and never again after installation.

[Troy Farrell]

I found it!  By running $ sudo grep -ri sandstorm /etc, I found that Sandstorm sets sysctl kernel.unprivileged_userns_clone=1.  When I set this to zero, the test fails in the same manner I documented earlier.  I'll see if I can modify the test script to check for this.

[Troy Farrell]

I've submitted an issue to discuss possible changes to the test script.

https://github.com/sandstorm-io/sandstorm/issues/3477