bwrap: Failed to make / slave: Permission denied

Hi, I am new to OCaml and configuring the environment.

After downloading opam, I ran opam init and then opam switch create 4.09.0. The following failure message was printed.

<><> Gathering sources ><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
[ocaml-base-compiler.4.09.0] found in cache

<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
[ERROR] The compilation of ocaml-base-compiler failed at "/home/jmh/.opam/opam-init/hooks/sandbox.sh build
        ./configure --prefix=/home/jmh/.opam/4.09.0 -C".
-> installed base-bigarray.base
-> installed base-threads.base
-> installed base-unix.base

#=== ERROR while compiling ocaml-base-compiler.4.09.0 =========================#
# context     2.0.7 | linux/x86_64 |  | https://opam.ocaml.org#2bc998a4
# path        ~/.opam/4.09.0/.opam-switch/build/ocaml-base-compiler.4.09.0
# command     ~/.opam/opam-init/hooks/sandbox.sh build ./configure --prefix=/home/jmh/.opam/4.09.0 -C
# exit-code   1
# env-file    ~/.opam/log/ocaml-base-compiler-11416-e7966f.env
# output-file ~/.opam/log/ocaml-base-compiler-11416-e7966f.out
### output ###
# bwrap: Failed to make / slave: Permission denied



<><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+- The following actions failed
| - build ocaml-base-compiler 4.09.0
+-
+- The following changes have been performed (the rest was aborted)
| - install base-bigarray base
| - install base-threads  base
| - install base-unix     base
+-
# Run eval $(opam env) to update the current shell environment

opam version is 2.0.7. Kernel version is 5.0.15 in Ubuntu 18.04.1 LTS.

It seems there is a problem with bwrap. I tried to do opam init --disable-sandboxing and create the switch again. Nothing changed. Does anyone know how to solve this problem? Many thanks.

If you search the Web for “Failed to make / slave: Permission denied” you’ll see that you’re not the only one with this issue. It could be related to running Ubuntu in a virtual machine (?).

opam init --disable-sandboxing should avoid the issue. But you need to erase the ~/.opam/ directory left over from your previous opam init, otherwise the second init is useless.

Are you running inside an LXC container, or Snap, or similar? This is almost always caused by being in an unprivileged container namespace, which prevents bwrap from being able to enforce its sandboxing.

Exactly. I am running inside an LXC container. In your opinion, is --disable-sandboxing the only solution? Do I have any other solutions? Many thanks

On LXC, you don’t have other choices, as bwrap (the sandboxing tool) won’t be able to create sandboxes.

You need to run the LXC container as privileged, at which point you can create namespaces from within it. This will let opam sandboxing work, but beware that the LXC container itself is considerably less secure.

Linux namespace primitives aren’t composable, so you essentially need to choose where your primary protection comes from: the (pretty fine-grained) opam sandbox which will protect each package build, or the broader protection of LXC unprivileged containers. Which one you choose is up to you: opam lets you toggle sandboxing to the right value once you’ve made your decision.

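To see which of the cases discussed in this thread applies on a given machine, the following shell check is an added example, not code from any poster or from opam. The function names and verdict strings are made up for illustration; it assumes `bwrap --ro-bind / / true` as a minimal sandbox probe and treats a `/proc/self/uid_map` other than the initial-namespace mapping as a heuristic sign of an unprivileged container.

```shell
#!/bin/sh
# Added example: classify why the opam sandbox (bwrap) does or does not work.

# uid_map_is_identity FILE
# Succeeds when FILE holds the single line "0 0 4294967295", i.e. the
# process is in the initial user namespace (host or privileged container).
# An unprivileged LXC container shows a shifted range instead.
uid_map_is_identity() {
    awk 'NR==1 && $1==0 && $2==0 && $3==4294967295 {ok=1}
         END {exit !(ok && NR==1)}' "$1" 2>/dev/null
}

# classify_sandbox MAPFILE [PROBE...]
# Runs PROBE (default: a minimal bwrap invocation) and prints one verdict:
#   sandbox-ok            bwrap can build a sandbox; keep opam sandboxing on
#   probe-missing         the probe command is not installed
#   userns-container      probe failed inside a mapped user namespace:
#                         the unprivileged-container case from the thread
#   bwrap-failed-on-host  probe failed in the initial user namespace;
#                         look at kernel or LSM restrictions instead
classify_sandbox() {
    map=$1
    shift
    [ "$#" -gt 0 ] || set -- bwrap --ro-bind / / true
    if ! command -v "$1" >/dev/null 2>&1; then
        echo probe-missing
    elif "$@" >/dev/null 2>&1; then
        echo sandbox-ok
    elif ! uid_map_is_identity "$map"; then
        echo userns-container
    else
        echo bwrap-failed-on-host
    fi
}

# Report for the current environment when the map is readable (Linux only).
if [ -r /proc/self/uid_map ]; then
    echo "verdict: $(classify_sandbox /proc/self/uid_map)"
fi
```

A `userns-container` verdict corresponds to the choice described above: either remove `~/.opam` and re-run `opam init --disable-sandboxing`, or run the container privileged and keep the opam sandbox.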