[systemd-devel] mknod forbidden in systemd-nspawn container

Emmanuel Coirier ecoirier at olfeo.com
Wed Dec 23 05:10:56 PST 2015


Hello everyone,

I have encountered a problem with a systemd-nspawn container and debootstrap running in this container.

When I try to launch debootstrap inside the container, debootstrap stops because it tries to unpack a tar archive that creates devices like /dev/console. The error is "EPERM". Here is the full command list:

$ uname -a
Linux foretnoire 4.2.0-1-amd64 #1 SMP Debian 4.2.6-3 (2015-12-06) x86_64 GNU/Linux

$ cat /etc/debian_version 
stretch/sid

$ systemctl --version
systemd 228
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN

$ sudo debootstrap stretch teststretch
(all is working nicely, the problem is not here)

(adding a root password via passwd)

$ sudo systemd-nspawn -b -D teststretch/
(all is working nicely, getty logs me to root)

container# systemctl --version
systemd 228
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN

container# debootstrap stretch teststretch
...
(stops suddenly, here is the problem)

container# cat teststretch/debootstrap/debootstrap.log
...
tar: dev/console: Cannot mknod: Operation not permitted
other similar errors with other devices
...

I've checked that the CAP_MKNOD is present:

container# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,****cap_mknod****,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)

Trying to create a simple device is forbidden too:

container# ls -l /dev/console 
crw------- 1 root tty 136, 4 Dec 22 15:50 /dev/console
container# mknod /tmp/console c 136 4
mknod: '/tmp/console': Operation not permitted

How can I enable debootstrap to run smoothly in a nspawn container? My goal is to have a light container able to build a software that runs in a light container (actually in a legacy chroot). And one of the first steps is to debootstrap a virgin system. Is this use case possible?

Thank you for your lights!

-- 
Emmanuel Coirier
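The post above shows the two checks a practitioner runs first (capsh for CAP_MKNOD, then a bare mknod) and both disagree: the capability is there, yet mknod still returns EPERM. Besides the capability, two other layers in a container can refuse mknod with EPERM: the cgroup v1 devices allow-list (entries in devices.list carry an "m" permission that governs mknod, separate from "r"/"w"), and an active seccomp filter (Seccomp: 2 in /proc/self/status). The script below is an added diagnostic written for this thread, not code from the original post or from systemd; it reads CapEff and Seccomp from /proc/self/status and the devices allow-list from /sys/fs/cgroup/devices/devices.list when they exist, and otherwise falls back to a constructed sample list. The sample's contents are an assumption (the thread does not show the container's real devices.list), chosen so that /dev/console's major 136 is readable and writable but not creatable.

```shell
#!/bin/sh
# Added diagnostic for the mknod EPERM above (not from the original post):
# report which layer most likely refuses a mknod even though CAP_MKNOD is held.

# Constructed sample of a cgroup v1 devices.list allow-list (assumption:
# the poster's real list is not in the thread). Note 136:* has no 'm'.
SAMPLE_DEVLIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 136:* rw
c 137:* rw
c 138:* rw'

# cap_has_mknod CAPEFF_HEX -> 0 if CAP_MKNOD (capability number 27) is in CapEff
cap_has_mknod() {
    [ "$(( 0x$1 >> 27 & 1 ))" -eq 1 ]
}

# devcg_allows TYPE MAJOR MINOR ACCESS   (devices.list on stdin)
# 0 if an allow-list entry matches the device and carries every letter of ACCESS.
# Entries look like "c 136:* rw"; TYPE a matches both c and b; '*' is a wildcard.
devcg_allows() {
    awk -v t="$1" -v maj="$2" -v min="$3" -v acc="$4" '
    {
        split($2, mm, ":")
        if ($1 != "a" && $1 != t) next
        if (mm[1] != "*" && mm[1] != maj) next
        if (mm[2] != "*" && mm[2] != min) next
        ok = 1
        for (i = 1; i <= length(acc); i++)
            if (index($3, substr(acc, i, 1)) == 0) ok = 0
        if (ok) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# explain_mknod CAPEFF_HEX SECCOMP_MODE TYPE MAJOR MINOR   (devices.list on stdin)
# Prints the first layer that would refuse the mknod and returns 1; 0 if none found.
explain_mknod() {
    if ! cap_has_mknod "$1"; then
        echo "CAP_MKNOD missing from CapEff $1"; return 1
    fi
    if ! devcg_allows "$3" "$4" "$5" m; then
        echo "devices cgroup denies 'm' (mknod) for $3 $4:$5"; return 1
    fi
    if [ "$2" -eq 2 ]; then
        echo "seccomp filter active (Seccomp: 2): mknod/mknodat may be filtered"; return 1
    fi
    echo "no blocker found for mknod $3 $4:$5"; return 0
}

# Check the device from the post (/dev/console, c 136 4) against the live
# container when the files exist, otherwise against the constructed sample.
if [ -r /sys/fs/cgroup/devices/devices.list ]; then
    devlist=$(cat /sys/fs/cgroup/devices/devices.list)
else
    devlist=$SAMPLE_DEVLIST
fi
capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
seccomp=$(awk '/^Seccomp:/ {print $2}' /proc/self/status 2>/dev/null || true)
printf '%s\n' "$devlist" | explain_mknod "${capeff:-0}" "${seccomp:-0}" c 136 4 || true
```

Run it as root inside the container; the last line prints the verdict for c 136 4, and explain_mknod can be called with any other type/major/minor. A "devices cgroup denies 'm'" verdict means the capability check passed and the EPERM comes from the container's device policy rather than from missing privileges, which is consistent with the capsh output in the post.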

