
'systemd-tmpfiles --create' in Toolbx container gives lots of errors/warnings

Open · debarshiray opened this issue 2 years ago · 0 comments

Describe the bug

Originally filed downstream for Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2188304

Running systemd-tmpfiles --create inside a Toolbx container gives lots of errors and warnings:

$ sudo systemd-tmpfiles --create
fchownat() of /run/systemd/sessions failed: Operation not permitted
fchownat() of /run/systemd/users failed: Operation not permitted
fchownat() of /var/lib/systemd/coredump failed: Read-only file system
fchownat() of /tmp failed: Operation not permitted
Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:wheel:r-x,g:4294967295:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal failed: Read-only file system
Failed to re-open '/var/log/journal': Operation not permitted
fchownat() of /var/log/journal failed: Read-only file system
Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:wheel:r-x,g:4294967295:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal/3a9d668b4db749398a4a5e78a03bffa5 failed: Read-only file system
Failed to re-open '/var/log/journal/3a9d668b4db749398a4a5e78a03bffa5': Operation not permitted
fchownat() of /var/log/journal/3a9d668b4db749398a4a5e78a03bffa5 failed: Read-only file system
Failed to re-open '/var/log/journal/remote': Operation not permitted
fchownat() of /dev/snd/seq failed: Operation not permitted
fchownat() of /dev/snd/timer failed: Operation not permitted
fchownat() of /dev/loop-control failed: Operation not permitted
fchownat() of /dev/kvm failed: Operation not permitted
fchownat() of /dev/vhost-net failed: Operation not permitted
fchownat() of /dev/vhost-vsock failed: Operation not permitted
Setting access ACL "u::rw-,g::r-x,g:adm:r--,g:wheel:r--,g:4294967295:r--,g:4294967295:r--,m::r--,o::---" on /var/log/journal/3a9d668b4db749398a4a5e78a03bffa5/system.journal failed: Read-only file system
fchownat() of /var/log/journal/3a9d668b4db749398a4a5e78a03bffa5/system.journal failed: Read-only file system
fchownat() of /sys/kernel/security/tpm0/binary_bios_measurements failed: Operation not permitted
fchownat() of /sys/kernel/security/ima/binary_runtime_measurements failed: Operation not permitted

This is caused by some of the locations that are bind mounted into the container from the host operating system: those that are owned on the host by a user or group other than $USER. Since those user and group IDs are not available inside the container's user namespace, they appear as nobody:nobody inside the container. For example:

$ ls -ld /run/systemd/sessions
drwxr-xr-x 2 nobody nobody 80 Apr 20 16:38 /run/systemd/sessions

Fedora's systemd RPM contains a file trigger that invokes systemd-tmpfiles --create:

%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
if test -d "/run/systemd/system"; then
  systemd-tmpfiles --create || :
fi

Therefore, these errors/warnings show up in any RPM transaction that contains a tmpfiles.d(5) snippet, or the trigger itself if there are already tmpfiles.d(5) snippets in the RPM database, e.g., dnf install systemd.

Expected behaviour

These errors/warnings from systemd-tmpfiles --create inside a Toolbx container shouldn't occur.

Info about your OS

e.g., Fedora Silverblue and Workstation >= 37

debarshiray, May 03 '23 13:05
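The report attributes the errors to two signals: an owner that is unmapped in the container's user namespace (shown as nobody) and a read-only bind mount. As an added example that is not part of this report or of the Toolbx project, the following Python check predicts which paths will trip those errors before systemd-tmpfiles --create is run. It assumes the kernel's default overflow uid/gid of 65534 and uses a constructed /proc/self/mountinfo sample.

```python
"""Predict which paths systemd-tmpfiles --create would fail on inside a Toolbx container."""
import os

# An owner id unmapped in the container's user namespace is reported as the kernel
# overflow id (ls shows it as nobody). Assumes the default overflowuid/gid of 65534.
OVERFLOW_ID = 65534

def parse_mountinfo(text):
    """Map mount point -> per-mount option set, parsed from /proc/self/mountinfo text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6:  # field 5: mount point (octal-escaped); field 6: options
            mounts[fields[4].replace("\\040", " ")] = set(fields[5].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that contains path."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def classify(path, uid, gid, mounts):
    """Return the error text systemd-tmpfiles would print for path, or None if it is fine."""
    if "ro" in mounts.get(mount_for(path, mounts), set()):
        return "Read-only file system"    # chown/ACL on a read-only bind mount
    if uid == OVERFLOW_ID or gid == OVERFLOW_ID:
        return "Operation not permitted"  # owner is unmapped in the user namespace
    return None

def check_paths(paths, mountinfo_text):
    """lstat each existing path and classify it; returns {path: reason or None}."""
    mounts = parse_mountinfo(mountinfo_text)
    results = {}
    for path in paths:
        if os.path.lexists(path):
            st = os.lstat(path)
            results[path] = classify(path, st.st_uid, st.st_gid, mounts)
    return results

# Constructed mountinfo sample resembling a Toolbx container; not taken from the report.
SAMPLE_MOUNTINFO = """\
100 99 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
101 100 0:24 /systemd/sessions /run/systemd/sessions rw,nosuid,nodev - tmpfs tmpfs rw
102 100 0:30 /log/journal /var/log/journal ro,relatime - ext4 /dev/sda2 rw
103 100 0:24 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""
```

Inside a container, calling check_paths with the paths from the report and the contents of /proc/self/mountinfo gives a live prediction; the constructed sample only serves the offline demonstration.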