Control: tags -1 + patch

On Mon, 12 Aug 2024 at 10:04:42 +0200, Alexandre Rossi wrote:
> My sbuild setup now fails on my sid systemd-nspawn container.
...
> E: 10mount: mknod:
> /var/run/schroot/mount/unstable-amd64-sbuild-c631feb3-ec9a-475b-b19a-407a3bacf44c/dev/console:
> Operation not permitted
This is not host-version-specific (reproducible in a systemd-nspawn container on a sid host). Other container runners like podman have a similar security policy and so will likely exhibit the same behaviour as systemd-nspawn.

> The error comes from the mknod call at the end of
> /etc/schroot/setup.d/10mount .
> Commenting the associated lines works around the problem with no visible
> drawback for my use case (sbuild).

The drawback of mounting /dev/console for not-your-use-case is that it breaks the ability for interactive uses of schroot to detect the presence of a terminal:

root@sid-nspawn:~# schroot -c sid-amd64-sbuild -- bash
(sid-amd64-sbuild)root@sid-nspawn:~# apt install mount
...
(sid-amd64-sbuild)root@sid-nspawn:~# tty
/dev/console
(sid-amd64-sbuild)root@sid-nspawn:~# umount /dev/console
(sid-amd64-sbuild)root@sid-nspawn:~# tty
not a tty

which causes various interactive tools to behave incorrectly.

On Thu, 15 Aug 2024 at 10:16:40 +0200, Jakob Haufe wrote:
> Can you try again with 1.6.13-4 and patching
> /etc/schroot/setup.d/10mount and replace the line 306 which reads
>
> mknod -m700 "$CHROOT_PATH/dev/console" c 5 1
>
> by
>
> touch "$CHROOT_PATH/dev/console"

The attached patch does this a bit more gracefully by trying to create /dev/console as the expected char device 5,1 if we can (which works when not in a container) but falling back to creating a regular file as mount point if that's not possible.

smcv
From: Simon McVittie <s...@debian.org> Date: Tue, 20 Aug 2024 00:29:59 +0100 Subject: setup.d/10mount: Don't assume we can mknod /dev/console By default, systemd-nspawn containers run with CAP_MKNOD, but with a seccomp profile that prevents creation of device nodes other than the basics (and in particular preventing creation of char device 5,1, conventionally /dev/console). If we cannot create the usual device node for /dev/console as a mount point onto which to mount the terminal from which schroot was invoked, then we need to fall back to creating it as some other non-directory, non-symlink inode that can act as a mount point. An empty regular file will do. Thanks: Jakob Haufe Fixes: 271acf6e "Subject: Mount a new instance of /dev/pts in the chroot" Bug-Debian: https://bugs.debian.org/1078539 Signed-off-by: Simon McVittie <s...@debian.org> --- etc/setup.d/10mount | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/etc/setup.d/10mount b/etc/setup.d/10mount index 5e734050..010b8b4c 100755 --- a/etc/setup.d/10mount +++ b/etc/setup.d/10mount @@ -301,9 +301,13 @@ if [ $STAGE = "setup-start" ] || [ $STAGE = "setup-recover" ]; then # binding it onto /dev/console; so can we. if stdin_tty="$(tty)"; then if [ ! -e "$CHROOT_PATH/dev/console" ]; then - # We need something to mount onto, and it might as well be - # the correctly-numbered device node. - mknod -m700 "$CHROOT_PATH/dev/console" c 5 1 + # We need something to mount onto. Ideally it would be + # the correctly-numbered device node, c 5 1; but + # systemd-nspawn's seccomp profile does not allow creating + # that, so fall back to a regular empty file if necessary. + if ! mknod -m700 "$CHROOT_PATH/dev/console" c 5 1 2>/dev/null; then + touch "$CHROOT_PATH/dev/console" + fi fi mount --bind "$stdin_tty" "$CHROOT_PATH/dev/console"
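Review bot: the fallback branch in the hunk drops the permission handling that the mknod path keeps: `mknod -m700` creates the mount point as 0700, but the replacement `touch "$CHROOT_PATH/dev/console"` leaves the regular file with umask-dependent permissions (typically 0644). The bind mount of the invoking tty hides the underlying inode afterwards, so this is mostly a consistency point, but `chmod 700 "$CHROOT_PATH/dev/console"` after the touch (or `install -m 700 /dev/null "$CHROOT_PATH/dev/console"`) would keep both branches equivalent. Relatedly, `2>/dev/null` on the mknod silences every failure, not just the seccomp EPERM described in the commit message, so when mknod fails for another reason (read-only or full filesystem) the only diagnostic the user sees will come from `touch` or the subsequent `mount --bind`; if that is acceptable, a one-line comment saying so would help the next reader.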