From 7a313eb907cd52a4e32e41bc448408e6fffa33e3 Mon Sep 17 00:00:00 2001 From: serge1cohen Date: Mon, 16 Sep 2019 16:50:42 +0000 Subject: Added a comment: Works ! --- .../comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment diff --git a/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment b/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment new file mode 100644 index 00000000..ef6658a2 --- /dev/null +++ b/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment @@ -0,0 +1,13 @@ +[[!comment format=mdwn + username="serge1cohen" + avatar="http://cdn.libravatar.org/avatar/df873622c2eeb5b34222b7af0d47abd0" + subject="Works !" + date="2019-09-16T16:50:42Z" + content=""" +Hi again, + +I have just commuted all HasInfo and Debian (to have HasInfo first) and all works ! +Cool, thanks ! + +Serge. +"""]] -- cgit v1.2.3 From 15533c406d20a7155fa12b0e9ba138c9e13b4d69 Mon Sep 17 00:00:00 2001 From: rotty Date: Tue, 24 Sep 2019 01:26:23 +0000 Subject: Problem report regarding unprivileged systemd-nspawn containers --- .../Unprivileged_containers_break_propellor.mdwn | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 doc/forum/Unprivileged_containers_break_propellor.mdwn diff --git a/doc/forum/Unprivileged_containers_break_propellor.mdwn b/doc/forum/Unprivileged_containers_break_propellor.mdwn new file mode 100644 index 00000000..0cb02c9b --- /dev/null +++ b/doc/forum/Unprivileged_containers_break_propellor.mdwn 
@@ -0,0 +1,53 @@ +When trying to set up an unprivileged nspawn container, e.g., like shown below, propellor breaks, as it bind-mounts the `/usr/local/propellor` directory from the host, which leads to broken UIDs when seen from inside the container. I'm assuming `propellChroot` in `src/Propellor/Property/Chroot.hs` is the code that's responsible. Unfortunately, I'm not very firm in Haskell, so I'm not sure I can solve this in reasonable time, but I'll give it a shot. + + +Example config: + +``` +rec0 :: Systemd.Container +rec0 = Systemd.debContainer "rec0" $ props + & Systemd.containerCfg "--network-veth" + & Systemd.containerCfg "-U" + & osDebian (Stable "buster") X86_64 + & Apt.stdSourcesList + & Apt.installed ["pdns-recursor"] `requires` Systemd.running Systemd.networkd +``` + +This is the relevant output from a spin that includes the above container definition: + +``` +rec0 has container configuration --network-veth ... ok +rec0 has container configuration -U ... ok +rec0 has Operating System (Debian Linux (Stable "buster")) X86_64 ... ok +rec0 standard sources.list ... ok +Failed to connect to bus: Operation not permitted +rec0 apt removed cron ifupdown rsyslog iptables isc-dhcp-client ... ok +rec0 apt installed pdns-recursor ... failed +propy nspawned rec0 ... failed +propy overall ... 
failed +``` + +I figured out the (likely) cause like this: + +``` +$ findmnt /var/lib/container/rec0/usr/local/propellor +TARGET SOURCE FSTYPE OPTIONS +/var/lib/container/rec0/usr/local/propellor /dev/mapper/sys-root[/usr/local/propellor] ext4 rw,relatime,errors=remount-ro +$ ls -l /var/lib/container/rec0/usr/local/propellor/dist/build/propellor-config/ +total 12272 +drwxr-xr-x 2 vu-rec0-0 vg-rec0-0 4096 Sep 24 01:19 autogen +-rwxr-xr-x 1 root root 6279024 Sep 24 03:16 propellor-config +-rwxr-xr-x 1 root root 6279024 Sep 24 03:16 propellor-config.built +drwxr-xr-x 2 vu-rec0-0 vg-rec0-0 4096 Sep 24 03:16 propellor-config-tmp +``` + +I have `libnss-mymachines` setup, so the high UID/GID allocated by systemd show up with symbolic names. From inside the container, the root-owned files will show up as `nobody`: + +``` +# ls -l /usr/local/propellor/dist/build/propellor-config/ +total 12272 +drwxr-xr-x 2 root root 4096 Sep 24 01:19 autogen +-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config +drwxr-xr-x 2 root root 4096 Sep 24 03:16 propellor-config-tmp +-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config.built +``` -- cgit v1.2.3 From 0a0ad7189f25e1bed6405c562c0c5cbaa59e0973 Mon Sep 17 00:00:00 2001 From: picca Date: Tue, 1 Oct 2019 13:03:04 +0000 Subject: --- .../isCopyOf_does_not_work_on_nfs_filesystem.mdwn | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn diff --git a/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn b/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn new file mode 100644 index 00000000..dff1fdc4 --- /dev/null +++ b/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn 
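Review bot: the report does not state the propellor or systemd versions in use; because the user-namespace UID shifting enabled by `-U` depends on the systemd release, please add the output of `systemd-nspawn --version` and the propellor version to the post so the baseline can be reproduced. The two `ls -l` listings already support the diagnosis and are worth keeping as they are: on the host, the bind-mounted `/usr/local/propellor` keeps `root root` ownership on `propellor-config` and `propellor-config.built` while the directories created from inside the container (`autogen`, `propellor-config-tmp`) carry the shifted `vu-rec0-0`/`vg-rec0-0` IDs, and from inside the container the unshifted root-owned files show as `nobody nogroup`. It would help a maintainer if the post also said whether `propellChroot` is the only place that sets up this bind mount, since that is only stated as an assumption.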
@@ -0,0 +1,25 @@ +Hello, I try to copy a vm image to a directory like this + + & "/nfs/share-temp/panbox-rel.img" `File.isCopyOf` panboxName + + +but when I run this, I get this error message + + sixs3.exp.synchrotron-soleil.fr /root/vm/panbox-rel.img owner picca:grp-instrumentation ... done + cp: failed to preserve ownership for '/nfs/share-temp/panbox-rel.img.propellor-new~': Operation not permitted + ** error: cp failed + ** warning: Cannot continue! + CallStack (from HasCallStack): + error, called at src/Propellor/Message.hs:143:9 in propellor-5.6.0-GGUJL7KihFnDmzjFSP3dov:Propellor.Message + sixs3.exp.synchrotron-soleil.fr /nfs/share-temp/panbox-rel.img is copy of /root/vm/panbox-rel.img ... failed + +I understand thaht it is not possible to use cp --preserve... on the nfs system. + +So is seems that Propellor miss a copyFile whcih is usable also on nfs system :). +what is the best way to solve this problem. + +I can copy the file without the preserve flag. + +Cheers + +Fred -- cgit v1.2.3
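Review bot: the commit's Subject line is empty, so this forum post has no title in the history; a subject matching the file name (`isCopyOf does not work on nfs filesystem`) should be added. In the post itself, the quoted `cp: failed to preserve ownership ... Operation not permitted` is the error an NFS export returns when the client's root tries to chown a file and the server applies `root_squash` (the default), so stating the export or mount options (`root_squash` vs `no_root_squash`) and the NFS version would let a maintainer confirm that before changing `File.isCopyOf`. The propellor version is already visible in the call stack (`propellor-5.6.0`), which is useful and should stay.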