From 940f1236c306ddc941570e31fa4855d93a54ba4c Mon Sep 17 00:00:00 2001
From: Zhaohui Sun <94606222+ZhaohuiS@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:06:56 +0800
Subject: [PATCH] Fix the nnpy installation failure for test_copp (#22073)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

What is the motivation for this PR?
To fix the failure of nnpy package installation, the root cause is

This error—failed to map segment from shared object—is almost always caused by the /tmp partition being mounted with the noexec flag.

In many security-hardened Linux environments (like those used for SONiC), the system prevents files in /tmp from being executed. Since pip creates a temporary build environment in /tmp to compile nnpy and cffi, the installation crashes when it tries to load the newly built library.

The Fix: Change the Temporary Directory
You can tell pip to use a different directory for building that has execution permissions (like your home directory or /var/tmp).

Why nnpy specifically is failing?

Unlike many other packages, nnpy is a "thick" wrapper around the C-library nanomsg. It uses a tool called CFFI (C Foreign Function Interface).
pip downloads the nnpy source.
It creates a "virtual" build environment in /tmp.
It compiles a C-extension (_cffi_backend.so).
It tries to "import" that C-extension to finish the metadata generation.
The Linux kernel sees the file is in a noexec zone and kills the process, resulting in the error you saw.

How did you do it?
change to use /var/tmp-build as TMPDIR for cffi and nnpy installation.

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
---
 tests/copp/copp_utils.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/copp/copp_utils.py b/tests/copp/copp_utils.py
index ca33cbb0d21..eb613317f6d 100644
--- a/tests/copp/copp_utils.py
+++ b/tests/copp/copp_utils.py
@@ -215,12 +215,14 @@ def _install_nano_bookworm(dut, creds, syncd_docker_name):
         https_proxy = creds.get('proxy_env', {}).get('https_proxy', '')
         # Change the permission of /tmp to 1777 to workaround issue sonic-net/sonic-buildimage#16034
         cmd = '''docker exec -e http_proxy={} -e https_proxy={} {} bash -c " \
-                chmod 1777 /tmp \
+                mkdir -p /var/tmp_build \
                 && rm -rf /var/lib/apt/lists/* \
                 && apt-get update \
                 && apt-get install -y python3-pip build-essential libssl-dev libffi-dev \
                 python3-dev python3-setuptools wget libnanomsg-dev python-is-python3 \
-                && pip3 install cffi==1.16.0 && pip3 install nnpy \
+                && TMPDIR=/var/tmp_build pip3 install --no-cache-dir cffi==1.16.0 \
+                && TMPDIR=/var/tmp_build pip3 install --no-cache-dir nnpy \
+                && rm -rf /var/tmp_build \
                 && mkdir -p /opt && cd /opt && wget \
                 https://raw.githubusercontent.com/p4lang/ptf/master/ptf_nn/ptf_nn_agent.py \
                 && mkdir ptf && cd ptf && wget \