Re: [systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[Mike Gilbert]

On Tue, Oct 3, 2017 at 11:38 AM, arnaud gaboury
 wrote:
> On 10/03/2017 05:19 PM, Mike Gilbert wrote:
>
> On Tue, Oct 3, 2017 at 4:01 AM, arnaud gaboury 
> wrote:
>
> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
>
> I can't fully upgrade my container as some files are owned by
> nobody:nobody and can't change to root. An example is filesystems. When
> upgrading, it returns error:
> < error: unpacking of archive failed on file /proc: cpio: chown >
> $ ls -a /proc:
> /proc/filesystems-r--r--r--   1 nobody  nobody 0
> Oct  3 09:53 filesystems
>
> # chown root:root /proc/filesystems
> chown: changing ownership of '/proc/filesystems': Operation not permitted
>
> Same kind of error with a few other packages.
>
> Can someone please help me to find a solution? Thank you
>
> I find it strange that a package upgrade would be trying to install
> the /proc directory on a running system. That's a directory that
> should only really be touched when performing an initial install; any
> other time, /proc will be mounted already and packages should not
> touch it.
>
> I would report this as a bug to Arch.
>
> If it is a bug, it shall be reported on Fedora, which is the OS running in
> the container, and not Arch which is the host.

Ah, I misread that. Yes, this would be a Fedora bug.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[Lennart Poettering]

On Di, 03.10.17 10:01, arnaud gaboury (arnaud.gabo...@gmail.com) wrote:

> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
> 
> I can't fully upgrade my container as some files are owned by
> nobody:nobody and can't change to root. An example is filesystems. When
> upgrading, it returns error:
> < error: unpacking of archive failed on file /proc: cpio: chown >
> $ ls -a /proc:
> /proc/filesystems    -r--r--r--   1 nobody  nobody 0
> Oct  3 09:53 filesystems
> 
> # chown root:root /proc/filesystems
> chown: changing ownership of '/proc/filesystems': Operation not permitted
> 
> Same kind of error with a few other packages.
> 
> Can someone please help me to find a solution? Thank you

Files in /proc being owned by "nobody" is an artifact of user
namespacing, as these files are owned by "root" on the host, which
doesn't exist in the container, and is hence mapped to the 'catch-all'
"nobody" user.

One way out could be to disable userns for the container (by dropping
--private-users from the cmdline). This makes things a lot less
secure, but removes any mapping of users, and the host root and the
container root will be identical.

You should be able to switch between --private-users and no
--private-user freely, and hence to this only temporarily.

Quite frankly, it's a bit of a shortcoming of RPM/fedora, that this
exists. It might be worth filing a bug against the relevant packages
or RPM so that they deal with this... I mean, sooner or later they
have to deal with the reality that is userns which makes changes like
this to their execution environment.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[arnaud gaboury]

On 10/03/2017 05:19 PM, Mike Gilbert wrote:
> On Tue, Oct 3, 2017 at 4:01 AM, arnaud gaboury
>  wrote:
>> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
>> I can't fully upgrade my container as some files are owned by
>> nobody:nobody and can't change to root. An example is filesystems.
>> When upgrading, it returns error: < error: unpacking of archive
>> failed on file /proc: cpio: chown > $ ls -a /proc: /proc/filesystems
>> -r--r--r-- 1 nobody nobody 0 Oct 3 09:53 filesystems # chown
>> root:root /proc/filesystems chown: changing ownership of
>> '/proc/filesystems': Operation not permitted Same kind of error with
>> a few other packages. Can someone please help me to find a solution?
>> Thank you
> I find it strange that a package upgrade would be trying to install
> the /proc directory on a running system. That's a directory that
> should only really be touched when performing an initial install; any
> other time, /proc will be mounted already and packages should not
> touch it. I would report this as a bug to Arch.
If it is a bug, it shall be reported on Fedora, which is the OS running
in the container, and not Arch which is the host.



signature.asc
Description: OpenPGP digital signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[Mike Gilbert]

On Tue, Oct 3, 2017 at 4:01 AM, arnaud gaboury  wrote:
> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
>
> I can't fully upgrade my container as some files are owned by
> nobody:nobody and can't change to root. An example is filesystems. When
> upgrading, it returns error:
> < error: unpacking of archive failed on file /proc: cpio: chown >
> $ ls -a /proc:
> /proc/filesystems-r--r--r--   1 nobody  nobody 0
> Oct  3 09:53 filesystems
>
> # chown root:root /proc/filesystems
> chown: changing ownership of '/proc/filesystems': Operation not permitted
>
> Same kind of error with a few other packages.
>
> Can someone please help me to find a solution? Thank you

I find it strange that a package upgrade would be trying to install
the /proc directory on a running system. That's a directory that
should only really be touched when performing an initial install; any
other time, /proc will be mounted already and packages should not
touch it.

I would report this as a bug to Arch.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[arnaud gaboury]

On 10/03/2017 04:35 PM, Anthony Joseph Messina wrote:
> On Tuesday, October 3, 2017 3:01:25 AM CDT arnaud gaboury wrote:
>> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
>> I can't fully upgrade my container as some files are owned by
>> nobody:nobody and can't change to root. An example is filesystems.
>> When upgrading, it returns error: < error: unpacking of archive
>> failed on file /proc: cpio: chown > $ ls -a /proc: /proc/filesystems
>> -r--r--r-- 1 nobody nobody 0 Oct 3 09:53 filesystems # chown
>> root:root /proc/filesystems chown: changing ownership of
>> '/proc/filesystems': Operation not permitted Same kind of error with
>> a few other packages. Can someone please help me to find a solution?
>> Thank you
> In my experience, certain packages need to be installed/upgraded from
> outside the container to work around this. httpd is another one (if
> using user namespacing) since it sets file attributes on /usr/sbin/httpd.
httpd is indeed one the few package I can't upgrade.
> On a Fedora host (and a Fedora container), I do something like dnf
> --releasever=26 --nogpgcheck \
> --installroot=/var/lib/machines/mymachine --disablerepo='*' \
> --enablerepo=fedora --enablerepo=updates upgrade filesystem httpd I'm
> think Arch will also have a command to install/update files in the
> container from the outside.

I will investigate this direction.
Thank you for your hints.
>
>
> ___ systemd-devel mailing
> list systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel


signature.asc
Description: OpenPGP digital signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[Anthony Joseph Messina]

On Tuesday, October 3, 2017 3:01:25 AM CDT arnaud gaboury wrote:
> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
> 
> I can't fully upgrade my container as some files are owned by
> nobody:nobody and can't change to root. An example is filesystems. When
> upgrading, it returns error:
> < error: unpacking of archive failed on file /proc: cpio: chown >
> $ ls -a /proc:
> /proc/filesystems-r--r--r--   1 nobody  nobody 0
> Oct  3 09:53 filesystems
> 
> # chown root:root /proc/filesystems
> chown: changing ownership of '/proc/filesystems': Operation not permitted
> 
> Same kind of error with a few other packages.
> 
> Can someone please help me to find a solution? Thank you

In my experience, certain packages need to be installed/upgraded from outside 
the container to work around this. httpd is another one (if using user 
namespacing) since it sets file attributes on /usr/sbin/httpd.

On a Fedora host (and a Fedora container), I do something like

dnf --releasever=26 --nogpgcheck \
 --installroot=/var/lib/machines/mymachine --disablerepo='*' \
 --enablerepo=fedora --enablerepo=updates upgrade filesystem httpd

I'm think Arch will also have a command to install/update files in the 
container from the outside.

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6


signature.asc
Description: This is a digitally signed message part.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

[arnaud gaboury]

My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3

I can't fully upgrade my container as some files are owned by
nobody:nobody and can't change to root. An example is filesystems. When
upgrading, it returns error:
< error: unpacking of archive failed on file /proc: cpio: chown >
$ ls -a /proc:
/proc/filesystems    -r--r--r--   1 nobody  nobody 0
Oct  3 09:53 filesystems

# chown root:root /proc/filesystems
chown: changing ownership of '/proc/filesystems': Operation not permitted

Same kind of error with a few other packages.

Can someone please help me to find a solution? Thank you



___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel