Bug 1723266

Summary: Unable to install 'filesystem' in rootless container
Product: Fedora
Reporter: Akira TAGOH <tagoh>
Component: toolbox
Assignee: Debarshi Ray <debarshir>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 34
CC: bbaude, debarshir, dwalsh, gscrivan, harrymichal, igor.raits, jnovy, lsm5, mheon, mjw, ogutierr, packaging-team-maint, patrick, petersen, pmatilai, pmoravco, pnemade, travier, vmukhame
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-05-25 17:15:17 UTC
Type: Bug

Description Akira TAGOH 2019-06-24 05:47:54 UTC
Description of problem:
The installation of filesystem-3.12-1.fc31 fails on unpacking.

Version-Release number of selected component (if applicable):
toolbox-0.0.10-1.fc30.noarch

How reproducible:
always

Steps to Reproduce:
1. enter into rawhide container
2. dnf install filesystem

Actual results:
$ sudo dnf install filesystem
Last metadata expiration check: 1:13:14 ago on Mon 24 Jun 2019 04:33:28 AM UTC.
Dependencies resolved.
========================================================================================================================
 Package                      Architecture             Version                          Repository                 Size
========================================================================================================================
Installing:
 filesystem                   x86_64                   3.12-1.fc31                      rawhide                   1.1 M

Transaction Summary
========================================================================================================================
Install  1 Package

Total download size: 1.1 M
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
filesystem-3.12-1.fc31.x86_64.rpm                                                       303 kB/s | 1.1 MB     00:03    
------------------------------------------------------------------------------------------------------------------------
Total                                                                                   217 kB/s | 1.1 MB     00:05     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: filesystem-3.12-1.fc31.x86_64                                                                  1/1 
  Preparing        :                                                                                                1/1 
  Installing       : filesystem-3.12-1.fc31.x86_64                                                                  1/1 
Error unpacking rpm package filesystem-3.12-1.fc31.x86_64
error: unpacking of archive failed on file /media: cpio: chown

  Verifying        : filesystem-3.12-1.fc31.x86_64                                                                  1/1 

Failed:
  filesystem-3.12-1.fc31.x86_64                                                                                         

Error: Transaction failed


Expected results:
No errors happen.

Additional info:

Comment 1 Debarshi Ray 2019-06-25 13:55:33 UTC
What does /etc/subuid and /etc/subgid say on your host?

Comment 2 Akira TAGOH 2019-06-26 07:52:57 UTC
$ cat /etc/subuid 
tagoh:100000:65536
test:165536:65536
$ cat /etc/subgid
tagoh:100000:65536
test:165536:65536

Comment 3 Debarshi Ray 2019-06-26 15:57:34 UTC
(In reply to Akira TAGOH from comment #0)
> Error unpacking rpm package filesystem-3.12-1.fc31.x86_64
> error: unpacking of archive failed on file /media: cpio: chown

I had a chat with Giuseppe in #podman, and this is caused by the package trying to chown /media, which is owned by nobody:nobody, inside the container. It's nobody:nobody because it's bind mounted in from the host, where it's owned by the real root on the host, which isn't available inside the container.

Looking at the error message, it looks pretty obvious now. Silly me.

Sadly this is an unsolved problem at the moment. You will have this problem in any rootless OCI container where an RPM tries to chown such a directory. :(

Comment 4 Jens Petersen 2019-07-09 07:28:10 UTC
See also bug 1548403 - is it only Rawhide??

Comment 5 Debarshi Ray 2019-07-09 16:03:59 UTC
(In reply to Jens Petersen from comment #4)
> See also bug 1548403 - is it only Rawhide??

Rootless Docker became a reality very recently. So if that's what's being used there, the problem looks the same.

Comment 6 Debarshi Ray 2019-07-09 16:06:08 UTC
Reassigning to Podman because it's really an underlying container tooling issue.

One idea that Giuseppe had was to get Podman to use seccomp and ebpf to intercept select system calls to avoid failures like these.

Comment 7 Giuseppe Scrivano 2019-07-29 08:20:10 UTC
There is not much we can do at the moment. As Debarshi said, rpm tries to chown files that are owned by root on the host and that is not allowed by the kernel.

You could file a bug with rpm.  It could skip chowning /proc and /sys when running in a user namespace.

Comment 8 Fedora Program Management 2021-04-29 16:50:34 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Ben Cotton 2021-05-25 17:15:17 UTC
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 10 Panu Matilainen 2021-12-01 08:33:12 UTC
> You could file a bug with rpm.  It could skip chowning /proc and /sys when running in a user namespace.

How does one detect running in a user namespace?

Comment 11 Giuseppe Scrivano 2021-12-01 09:21:31 UTC
$ cat /proc/self/uid_map 
         0          0 4294967295
$ cat /proc/self/gid_map 
         0          0 4294967295

If the content of these files is different than "0 0 4294967295" then you are running in a user namespace where the root user is not mapped to root in the initial user namespace.
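
As an added example (not code from rpm, toolbox or podman), the C program below applies the detection rule from comment 11 together with the chown explanation from comment 3: it parses text in /proc/self/uid_map format, reports whether root is the initial-namespace root, and flags a file whose owner shows up as the kernel's overflow id (65534 by default, the "nobody" of comment 3) as one that chown cannot succeed on. The helper names and the default path /media are assumptions made for this example.

```c
#include <stdio.h>
#include <sys/stat.h>

/* map_text is the content of /proc/self/uid_map or gid_map: one line per
 * range, "<id inside ns> <id in parent ns> <count>".  Helper names are
 * hypothetical; this is an added example, not rpm, toolbox or podman code. */

/* 1 only for the initial-namespace identity map "0 0 4294967295" (comment 11). */
int id_map_is_initial(const char *map_text)
{
    unsigned long in, out, count;
    char extra;
    /* A fourth successful conversion means a second mapping line exists. */
    if (sscanf(map_text, " %lu %lu %lu %c", &in, &out, &count, &extra) != 3)
        return 0;
    return in == 0 && out == 0 && count == 4294967295UL;
}

/* 1 if 'id' (as seen inside the namespace) falls in some mapped range. */
int id_is_mapped(const char *map_text, unsigned long id)
{
    unsigned long in, out, count;
    int used;
    while (sscanf(map_text, " %lu %lu %lu%n", &in, &out, &count, &used) == 3) {
        if (id >= in && id < in + count)
            return 1;
        map_text += used;      /* advance past the line just parsed */
    }
    return 0;
}

/* Comment 3's failure mode: in a non-initial user namespace the kernel reports
 * an owner it cannot map as overflowuid (/proc/sys/kernel/overflowuid, 65534
 * by default), and chown() on such a file fails with EPERM.  A file that
 * really belongs to a mapped id 65534 is indistinguishable here; this is a
 * heuristic, not a kernel query. */
int chown_would_fail(const char *map_text, unsigned long st_uid, unsigned long overflow)
{
    return !id_map_is_initial(map_text) && st_uid == overflow;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/media";   /* assumed default */
    char map[256] = "";
    struct stat st;
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (f) { size_t n = fread(map, 1, sizeof map - 1, f); map[n] = '\0'; fclose(f); }
    if (stat(path, &st) != 0) { perror(path); return 1; }
    printf("uid_map:\n%sinitial namespace: %s\n", map, id_map_is_initial(map) ? "yes" : "no");
    printf("%s owner uid %lu: chown %s\n", path, (unsigned long)st.st_uid,
           chown_would_fail(map, st.st_uid, 65534) ? "would fail (EPERM)" : "possible");
    return 0;
}
```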

Comment 12 Debarshi Ray 2022-01-17 12:45:42 UTC
This was fixed recently in toolbox >= 0.0.99.3 in Fedora >= 34.