From 15533c406d20a7155fa12b0e9ba138c9e13b4d69 Mon Sep 17 00:00:00 2001 From: rotty Date: Tue, 24 Sep 2019 01:26:23 +0000 Subject: Problem report regarding unprivileged systemd-nspawn containers --- .../Unprivileged_containers_break_propellor.mdwn | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 doc/forum/Unprivileged_containers_break_propellor.mdwn (limited to 'doc/forum') diff --git a/doc/forum/Unprivileged_containers_break_propellor.mdwn b/doc/forum/Unprivileged_containers_break_propellor.mdwn new file mode 100644 index 00000000..0cb02c9b --- /dev/null +++ b/doc/forum/Unprivileged_containers_break_propellor.mdwn @@ -0,0 +1,53 @@ +When trying to set up an unprivileged nspawn container, e.g., like shown below, propellor breaks, as it bind-mounts the `/usr/local/propellor` directory from the host, which leads to broken UIDs when seen from inside the container. I'm assuming `propellChroot` in `src/Propellor/Property/Chroot.hs` is the code that's responsible. Unfortunately, I'm not very firm in Haskell, so I'm not sure I can solve this in reasonable time, but I'll give it a shot. + + +Example config: + +``` +rec0 :: Systemd.Container +rec0 = Systemd.debContainer "rec0" $ props + & Systemd.containerCfg "--network-veth" + & Systemd.containerCfg "-U" + & osDebian (Stable "buster") X86_64 + & Apt.stdSourcesList + & Apt.installed ["pdns-recursor"] `requires` Systemd.running Systemd.networkd +``` + +This is the relevant output from a spin that includes the above container definition: + +``` +rec0 has container configuration --network-veth ... ok +rec0 has container configuration -U ... ok +rec0 has Operating System (Debian Linux (Stable "buster")) X86_64 ... ok +rec0 standard sources.list ... ok +Failed to connect to bus: Operation not permitted +rec0 apt removed cron ifupdown rsyslog iptables isc-dhcp-client ... ok +rec0 apt installed pdns-recursor ... failed +propy nspawned rec0 ... failed +propy overall ... failed +``` + +I figured out the (likely) cause like this: + +``` +$ findmnt /var/lib/container/rec0/usr/local/propellor +TARGET SOURCE FSTYPE OPTIONS +/var/lib/container/rec0/usr/local/propellor /dev/mapper/sys-root[/usr/local/propellor] ext4 rw,relatime,errors=remount-ro +$ ls -l /var/lib/container/rec0/usr/local/propellor/dist/build/propellor-config/ +total 12272 +drwxr-xr-x 2 vu-rec0-0 vg-rec0-0 4096 Sep 24 01:19 autogen +-rwxr-xr-x 1 root root 6279024 Sep 24 03:16 propellor-config +-rwxr-xr-x 1 root root 6279024 Sep 24 03:16 propellor-config.built +drwxr-xr-x 2 vu-rec0-0 vg-rec0-0 4096 Sep 24 03:16 propellor-config-tmp +``` + +I have `libnss-mymachines` setup, so the high UID/GID allocated by systemd show up with symbolic names. From inside the container, the root-owned files will show up as `nobody`: + +``` +# ls -l /usr/local/propellor/dist/build/propellor-config/ +total 12272 +drwxr-xr-x 2 root root 4096 Sep 24 01:19 autogen +-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config +drwxr-xr-x 2 root root 4096 Sep 24 03:16 propellor-config-tmp +-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config.built +``` -- cgit v1.2.3