[systemd-devel] container /proc/filesystems owned by nobody:can't upgrade

Lennart Poettering lennart at poettering.net
Thu Oct 5 11:11:33 UTC 2017


On Tue, 03.10.17 10:01, arnaud gaboury (arnaud.gaboury at gmail.com) wrote:

> My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
> 
> I can't fully upgrade my container as some files are owned by
> nobody:nobody and can't change to root. An example is filesystems. When
> upgrading, it returns error:
> < error: unpacking of archive failed on file /proc: cpio: chown >
> $ ls -a /proc:
> /proc/filesystems    -r--r--r--   1 nobody          nobody             0 Oct  3 09:53 filesystems
> 
> # chown root:root /proc/filesystems
> chown: changing ownership of '/proc/filesystems': Operation not permitted
> 
> Same kind of error with a few other packages.
> 
> Can someone please help me to find a solution? Thank you

Files in /proc being owned by "nobody" is an artifact of user
namespacing, as these files are owned by "root" on the host, which
doesn't exist in the container, and is hence mapped to the 'catch-all'
"nobody" user.

One way out could be to disable userns for the container (by dropping
--private-users from the cmdline). This makes things a lot less
secure, but removes any mapping of users, and the host root and the
container root will be identical.

You should be able to switch between --private-users and no
--private-users freely, and hence do this only temporarily.

Quite frankly, it's a bit of a shortcoming of RPM/fedora, that this
exists. It might be worth filing a bug against the relevant packages
or RPM so that they deal with this... I mean, sooner or later they
have to deal with the reality that is userns which makes changes like
this to their execution environment.

Lennart

-- 
Lennart Poettering, Red Hat
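As an added illustration of the mapping Lennart describes (example code, not part of the thread or of systemd): the kernel translates a file's host uid through the namespace's /proc/self/uid_map, and a host uid that no range covers is shown as kernel.overflowuid ("nobody"). The uid_map below is constructed in the shape nspawn uses for --private-users, and the function names are my own.

```shell
#!/bin/sh
# Added example: replay the kernel's uid_map translation for a user
# namespace to show why host root (uid 0) appears as "nobody" inside
# an nspawn container started with --private-users.

# Constructed uid_map, one line: <inside-start> <outside-start> <count>.
# Container uids 0..65535 are backed by host uids 1878982656..1879048191.
SAMPLE_UID_MAP='         0 1878982656      65536'

# Translate a HOST uid into the uid visible INSIDE the namespace.
# Prints the container uid, or "unmapped" when no range covers it; the
# kernel then reports /proc/sys/kernel/overflowuid (65534) for such files.
host_uid_to_container_uid() {
    host_uid=$1; map=$2
    printf '%s\n' "$map" | awk -v h="$host_uid" '
        NF == 3 && h >= $2 && h < $2 + $3 { print $1 + (h - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Translate a CONTAINER uid into the host uid that backs it (the reverse
# direction: what chown in the container would write to the host).
container_uid_to_host_uid() {
    cont_uid=$1; map=$2
    printf '%s\n' "$map" | awk -v c="$cont_uid" '
        NF == 3 && c >= $1 && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Diagnose a path from inside a container: report whether its apparent
# owner is the overflow uid, i.e. a host uid this namespace cannot map.
# Assumes Linux with GNU stat; not exercised by the self-checks below.
diagnose_owner() {
    path=$1
    owner=$(stat -c %u "$path")
    overflow=$(cat /proc/sys/kernel/overflowuid 2>/dev/null || echo 65534)
    if [ "$owner" -eq "$overflow" ]; then
        echo "$path: owner uid $owner is the overflow uid; the host owner" \
             "has no entry in uid_map: $(tr -s ' ' < /proc/self/uid_map)"
    else
        echo "$path: owner uid $owner is mapped in this namespace"
    fi
}

# Host root is outside every range, so the container sees it as nobody.
host_uid_to_container_uid 0 "$SAMPLE_UID_MAP"            # prints: unmapped
host_uid_to_container_uid 1878982656 "$SAMPLE_UID_MAP"   # prints: 0
container_uid_to_host_uid 0 "$SAMPLE_UID_MAP"            # prints: 1878982656
```

Dropping --private-users removes the map entirely (identity mapping), which is why the same chown then succeeds.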