author: rotty 2019-09-24 01:26:23 +0000
committer: admin 2019-09-24 01:26:23 +0000
commit: 15533c406d20a7155fa12b0e9ba138c9e13b4d69 (patch)
tree: 7d020ef3421043ac888c3ec265a9ed0dedb9022e /doc/forum
parent: 7a313eb907cd52a4e32e41bc448408e6fffa33e3 (diff)
Problem report regarding unprivileged systemd-nspawn containers
Diffstat (limited to 'doc/forum')
-rw-r--r-- doc/forum/Unprivileged_containers_break_propellor.mdwn | 53
1 file changed, 53 insertions, 0 deletions
diff --git a/doc/forum/Unprivileged_containers_break_propellor.mdwn b/doc/forum/Unprivileged_containers_break_propellor.mdwn
new file mode 100644
index 00000000..0cb02c9b
--- /dev/null
+++ b/doc/forum/Unprivileged_containers_break_propellor.mdwn
@@ -0,0 +1,53 @@
+When trying to set up an unprivileged nspawn container, e.g., like shown below, propellor breaks, as it bind-mounts the `/usr/local/propellor` directory from the host, which leads to broken UIDs when seen from inside the container. I'm assuming `propellChroot` in `src/Propellor/Property/Chroot.hs` is the code that's responsible. Unfortunately, I'm not very firm in Haskell, so I'm not sure I can solve this in reasonable time, but I'll give it a shot.
+
+
+Example config:
+
+```
+rec0 :: Systemd.Container
+rec0 = Systemd.debContainer "rec0" $ props
+ & Systemd.containerCfg "--network-veth"
+ & Systemd.containerCfg "-U"
+ & osDebian (Stable "buster") X86_64
+ & Apt.stdSourcesList
+ & Apt.installed ["pdns-recursor"] `requires` Systemd.running Systemd.networkd
+```
+
+This is the relevant output from a spin that includes the above container definition:
+
+```
+rec0 has container configuration --network-veth ... ok
+rec0 has container configuration -U ... ok
+rec0 has Operating System (Debian Linux (Stable "buster")) X86_64 ... ok
+rec0 standard sources.list ... ok
+Failed to connect to bus: Operation not permitted
+rec0 apt removed cron ifupdown rsyslog iptables isc-dhcp-client ... ok
+rec0 apt installed pdns-recursor ... failed
+propy nspawned rec0 ... failed
+propy overall ... failed
+```
+
+I figured out the (likely) cause like this:
+
+```
+$ findmnt /var/lib/container/rec0/usr/local/propellor
+TARGET SOURCE FSTYPE OPTIONS
+/var/lib/container/rec0/usr/local/propellor /dev/mapper/sys-root[/usr/local/propellor] ext4 rw,relatime,errors=remount-ro
+$ ls -l /var/lib/container/rec0/usr/local/propellor/dist/build/propellor-config/
+total 12272
+drwxr-xr-x 2 vu-rec0-0 vg-rec0-0 4096 Sep 24 01:19 autogen
+-rwxr-xr-x 1 root root 6279024 Sep 24 03:16 propellor-config
+-rwxr-xr-x 1 root root 6279024 Sep 24 03:16 propellor-config.built
+drwxr-xr-x 2 vu-rec0-0 vg-rec0-0 4096 Sep 24 03:16 propellor-config-tmp
+```
+
+I have `libnss-mymachines` setup, so the high UID/GID allocated by systemd show up with symbolic names. From inside the container, the root-owned files will show up as `nobody`:
+
+```
+# ls -l /usr/local/propellor/dist/build/propellor-config/
+total 12272
+drwxr-xr-x 2 root root 4096 Sep 24 01:19 autogen
+-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config
+drwxr-xr-x 2 root root 4096 Sep 24 03:16 propellor-config-tmp
+-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config.built
+```
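Review bot: The report omits the propellor, systemd-nspawn and host Debian versions the behaviour was observed with; a maintainer trying to reproduce the UID mismatch from the `findmnt` and `ls -l` output would need them, so add a short "Host: <distro>, propellor <version>, systemd <version>" line near the top of the post. Two smaller points in the same hunk: the spin output contains `Failed to connect to bus: Operation not permitted` immediately before the failing `apt installed pdns-recursor` step, but the text never says whether that message is part of the same problem or a separate symptom of running with `-U`, so state which it is; and the two consecutive blank lines after the opening paragraph collapse to one in the rendered mdwn and can be reduced to a single blank line.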