Hello everyone, I have encountered a problem with a systemd-nspawn container and debootstrap running in this container.

When I try to launch debootstrap inside the container, debootstrap stops because it tries to unpack a tar archive that creates devices like /dev/console. The error is "EPERM". Here is the full command list:

    $ uname -a
    Linux foretnoire 4.2.0-1-amd64 #1 SMP Debian 4.2.6-3 (2015-12-06) x86_64 GNU/Linux
    $ cat /etc/debian_version
    stretch/sid
    $ systemctl --version
    systemd 228
    +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN
    $ sudo debootstrap stretch teststretch
    (all is working nicely, the problem is not here)
    (adding a root password via passwd)
    $ sudo systemd-nspawn -b -D teststretch/
    (all is working nicely, getty logs me in as root)
    container# systemctl --version
    systemd 228
    +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN
    container# debootstrap stretch teststretch
    ...
    (stops suddenly, here is the problem)
    container# cat teststretch/debootstrap/debootstrap.log
    ...
    tar: dev/console: Cannot mknod: Operation not permitted
    other similar errors with other devices
    ...

I've checked that CAP_MKNOD is present:

    container# capsh --print
    Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,****cap_mknod****,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap+ep
    Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap
    Securebits: 00/0x0/1'b0
    secure-noroot: no (unlocked)
    secure-no-suid-fixup: no (unlocked)
    secure-keep-caps: no (unlocked)
    uid=0(root) gid=0(root) groups=0(root)

Trying to create a simple device is forbidden too:

    container# ls -l /dev/console
    crw------- 1 root tty 136, 4 Dec 22 15:50 /dev/console
    container# mknod /tmp/console c 136 4
    mknod: '/tmp/console': Operation not permitted

How can I enable debootstrap to run smoothly in an nspawn container? My goal is to have a light container able to build a software that runs in a light container (actually in a legacy chroot). And one of the first steps is to debootstrap a virgin system. Is this use case possible?

Thank you for your lights!

-- 
Emmanuel Coirier

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
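A small diagnostic script, added here and not part of the mail above, that separates the two ways mknod can fail inside a container: CAP_MKNOD missing from the effective set, or a denial from something other than capabilities (a devices cgroup whitelist or a nodev mount are the usual suspects) even though CAP_MKNOD is held, which is the pattern the capsh and mknod output above shows. It reads the CapEff mask from /proc/self/status, probes with the same char 136,4 node as the post, and the probe directory (default /tmp) is an assumption.

```shell
#!/bin/sh
# Added diagnostic example (not from the original mail or from systemd).
# Tells "no CAP_MKNOD" apart from "CAP_MKNOD held but mknod still denied".

CAP_MKNOD_BIT=27   # bit index of CAP_MKNOD in the capability mask (linux/capability.h)

# has_cap_mknod HEXMASK -> exit 0 if bit 27 is set in a hex mask such as
# the value on the "CapEff:" line of /proc/self/status.
has_cap_mknod() {
    [ $(( 0x$1 >> CAP_MKNOD_BIT & 1 )) -eq 1 ]
}

# current_cap_eff -> prints this shell's effective capability mask (hex).
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# try_mknod DIR -> creates and removes a char 136,4 node (major/minor of
# /dev/console in the post) in DIR; exit status is mknod's own.
try_mknod() {
    node="$1/console.probe.$$"
    mknod "$node" c 136 4 2>/dev/null
    rc=$?
    rm -f "$node"
    return $rc
}

# classify HAS_CAP(0|1) MKNOD_RC -> one-word verdict
classify() {
    case "$1:$2" in
        *:0) echo allowed ;;
        0:*) echo cap-missing ;;          # EPERM is expected without CAP_MKNOD
        1:*) echo blocked-despite-cap ;;  # denial comes from outside the capability check
    esac
}

# diagnose [DIR] -> prints the verdict; on blocked-despite-cap also shows
# the devices cgroup this process sits in (cgroup v1) as the next thing to inspect.
diagnose() {
    dir=${1:-/tmp}
    if has_cap_mknod "$(current_cap_eff)"; then hc=1; else hc=0; fi
    try_mknod "$dir"; rc=$?
    verdict=$(classify "$hc" "$rc")
    echo "$verdict"
    if [ "$verdict" = blocked-despite-cap ]; then
        echo "CAP_MKNOD is held; check the devices cgroup and mount options of $dir:" >&2
        grep devices /proc/self/cgroup >&2 2>/dev/null || true
    fi
}

if [ "${1:-}" = --run ]; then diagnose "${2:-/tmp}"; fi
```

Run it as `sh diag.sh --run /tmp` inside the container; a `blocked-despite-cap` verdict means the capability set is not the thing to fix.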
