LXC container error: "...cpio: cap_set_file"


Hi!
Under Fc26, in an fc26 container, httpd cannot be installed:

# dnf install httpd -y
...
Error unpacking rpm package httpd-2.4.29-1.fc26.x86_64
error: unpacking of archive failed on file /usr/sbin/suexec;5a15ae89: cpio: cap_set_file
httpd-2.4.29-1.fc26.x86_64 was supposed to be installed but is not!
Verifying : httpd-2.4.29-1.fc26.x86_64 1/1

Failed:
httpd.x86_64 2.4.29-1.fc26

I do everything as root (host, container) and still get this error.
https://discuss.linuxcontainers.org/t/cpio-cap-set-file/472/2

(lxc-2.0.9-1.fc26.x86_64)

Is there a solution for this?

Comments

Run the command under strace so you can see at which syscall the error occurs.

Does the partition the container is on allow setuid binaries?


# strace dnf install httpd -y
...
stat("/usr/lib/python3.6/site-packages/dnf/cli/main.py", {st_mode=S_IFREG|0644, st_size=5563, ...}) = 0
open("/usr/lib/python3.6/site-packages/dnf/cli/main.py", O_RDONLY|O_CLOEXEC) = 9
fstat(9, {st_mode=S_IFREG|0644, st_size=5563, ...}) = 0
ioctl(9, TCGETS, 0x7fff56129ec0) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(9, 0, SEEK_CUR) = 0
read(9, "# Copyright 2005 Duke University"..., 4096) = 4096
lseek(9, 0, SEEK_CUR) = 4096
read(9, " return ret\n\n cli.command."..., 8192) = 1467
read(9, "", 8192) = 0
close(9) = 0
stat("/usr/lib/python3.6/site-packages/dnf/cli/cli.py", {st_mode=S_IFREG|0644, st_size=41924, ...}) = 0
open("/usr/lib/python3.6/site-packages/dnf/cli/cli.py", O_RDONLY|O_CLOEXEC) = 9
fstat(9, {st_mode=S_IFREG|0644, st_size=41924, ...}) = 0
ioctl(9, TCGETS, 0x7fff56129ec0) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(9, 0, SEEK_CUR) = 0
read(9, "# Copyright 2005 Duke University"..., 4096) = 4096
lseek(9, 0, SEEK_CUR) = 4096
read(9, " \"\",\n "..., 8192) = 8192
read(9, " return ypl.updates or yp"..., 8192) = 8192
read(9, " available,\n or instal"..., 8192) = 8192
read(9, "nd)\n self.register_comman"..., 8192) = 8192
read(9, "onf.debug_solver = True\n "..., 8192) = 5060
read(9, "", 8192) = 0
close(9) = 0
write(3, "2017-11-22T17:51:04Z SUBDEBUG \nT"..., 728) = 728
getpid() = 65
write(2, "Error: Transaction failed\n", 26Error: Transaction failed
) = 26
write(3, "2017-11-22T17:51:04Z CRITICAL Er"..., 56) = 56
close(5) = 0
close(3) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f7c325563b0}, {sa_handler=0x7f7c3293d9c0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f7c325563b0}, 8) = 0
close(11) = 0
close(10) = 0
close(12) = 0
munmap(0x7f7c219fa000, 2908160) = 0
close(13) = 0
munmap(0x7f7c229d4000, 1904640) = 0
close(15) = 0
close(14) = 0
munmap(0x7f7c22182000, 1708032) = 0
munmap(0x7f7c207f9000, 13111296) = 0
munmap(0x7f7c201f3000, 6295552) = 0
munmap(0x7f7c21529000, 262144) = 0
munmap(0x7f7c22ca5000, 262144) = 0
sigaltstack(NULL, {ss_sp=0x55baf3d29320, ss_flags=0, ss_size=8192}) = 0
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=0}, NULL) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [WINCH], 8) = 0
rt_sigprocmask(SIG_SETMASK, [WINCH], NULL, 8) = 0
futex(0x7f7c30783994, FUTEX_WAKE_PRIVATE, 2147483647) = 0
exit_group(1) = ?
+++ exited with 1 +++
[root@fedora-1 ~]#

# mount
/dev/sda2 on / type ext4 (rw,relatime,seclabel,data=ordered)
none on /dev type tmpfs (rw,relatime,seclabel,size=492k,mode=755)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys/devices/virtual/net type sysfs (rw,relatime,seclabel)
sysfs on /sys/devices/virtual/net type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
devpts on /dev/lxc/console type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
devpts on /dev/ptmx type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty1 type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty2 type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty3 type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty4 type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel,pagesize=2M)

In theory setuid is OK, otherwise the passwd command wouldn't work either.
But the "devpts on /dev/lxc/console type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)" part is suspicious, isn't it?

Sorry, on the host:

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=3907136k,nr_inodes=976784,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/sda2 on / type ext4 (rw,relatime,seclabel,data=ordered)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=43,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=15163)
debugfs on /sys/kernel/debug type debugfs (rw,relatime,seclabel)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel,pagesize=2M)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other)
/dev/sda2 on /var/lib/docker/containers type ext4 (rw,relatime,seclabel,data=ordered)
/dev/sda2 on /var/lib/docker/devicemapper type ext4 (rw,relatime,seclabel,data=ordered)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=783776k,mode=700,uid=1000,gid=1000)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

The containers are under /var/lib/lxc; setuid should be OK in theory.

strace -f dnf install httpd -y
https://pastebin.com/c2xBbiRh

Stop the container if you can, then:

chroot /var/lib/lxc/kontener_root/rootfs dnf install httpd

That doesn't quite work for it:

error: Failed to initialize NSS library
Traceback (most recent call last):
  File "/usr/bin/dnf", line 57, in <module>
    from dnf.cli import main
  File "/usr/lib/python3.6/site-packages/dnf/__init__.py", line 31, in <module>
    import dnf.base
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 29, in <module>
    from dnf.yum import history
  File "/usr/lib/python3.6/site-packages/dnf/yum/history.py", line 31, in <module>
    import dnf.rpm.miscutils
  File "/usr/lib/python3.6/site-packages/dnf/rpm/__init__.py", line 22, in <module>
    from . import transaction
  File "/usr/lib/python3.6/site-packages/dnf/rpm/transaction.py", line 14, in <module>
    import rpm
  File "/usr/lib64/python3.6/site-packages/rpm/__init__.py", line 39, in <module>
    from rpm.transaction import *
  File "/usr/lib64/python3.6/site-packages/rpm/transaction.py", line 5, in <module>
    from rpm._rpm import ts as TransactionSetCore
ImportError: cannot import name 'ts'

The /usr/share/lxc/config/fedora.common.conf file drops setfcap by default, but that capability is needed for the httpd install:

lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio

Change it to this instead:

lxc.cap.drop = sys_nice sys_pacct sys_rawio

Restart the container, and let there be light :)

--
L
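An added diagnostic example (not code from the thread, from LXC or from Fedora) that turns the final diagnosis above into two checks a defender can run before blaming the filesystem: does the container config's `lxc.cap.drop` list `setfcap`, and does the effective capability set of a process inside the container (the `CapEff` line of `/proc/<pid>/status`) actually lack CAP_SETFCAP? The capability numbers (CAP_SETFCAP = 31, CAP_SYS_NICE = 23, CAP_SYS_PACCT = 20, CAP_SYS_RAWIO = 17) are the kernel's constants from `include/uapi/linux/capability.h`; the config excerpts and the `CapEff` values below are constructed sample data, not captured from the poster's system.

```python
"""Diagnose a dropped CAP_SETFCAP in an LXC container (added example, constructed data).

rpm applies file capabilities while unpacking (the "cpio: cap_set_file" step);
without CAP_SETFCAP in the effective set that write fails, which is what the
thread hit on /usr/sbin/suexec.
"""
import re

# Capability numbers from the kernel's include/uapi/linux/capability.h.
CAP_NAMES = {
    "sys_rawio": 17,
    "sys_pacct": 20,
    "sys_nice": 23,
    "setfcap": 31,
}
CAP_SETFCAP = CAP_NAMES["setfcap"]


def dropped_caps(lxc_conf_text):
    """Return the set of capability names listed on lxc.cap.drop lines.

    The key may appear on several lines and takes space-separated names;
    '#' comments and blank lines are ignored.
    """
    dropped = set()
    for raw in lxc_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "lxc.cap.drop":
            dropped.update(value.split())
    return dropped


def parse_cap_eff(status_text):
    """Return the CapEff bitmask (int) from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def has_cap(mask, cap_number):
    """True if capability number `cap_number` is present in `mask`."""
    return (mask >> cap_number) & 1 == 1


def diagnose(lxc_conf_text, status_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if "setfcap" in dropped_caps(lxc_conf_text):
        findings.append("lxc.cap.drop lists setfcap: rpm cannot write file capabilities "
                        "(cpio: cap_set_file) on files such as /usr/sbin/suexec")
    if not has_cap(parse_cap_eff(status_text), CAP_SETFCAP):
        findings.append("CapEff lacks CAP_SETFCAP (bit 31): setcap/cap_set_file will fail")
    return findings


def read_own_status():
    """On a live Linux system, read this process's own /proc/self/status."""
    with open("/proc/self/status", encoding="ascii") as fh:
        return fh.read()


# Constructed config excerpts: the default drop line quoted in the thread and the fixed one.
DEFAULT_CONF = "# constructed excerpt\nlxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio\n"
FIXED_CONF = "# constructed excerpt\nlxc.cap.drop = sys_nice sys_pacct sys_rawio\n"

# Constructed CapEff values: capabilities 0..37 all set (0x3fffffffff) minus the
# dropped bits 17, 20, 23 and 31 (0x3f7f6dffff), and the same with bit 31 restored.
STATUS_DEFAULT = "Name:\tdnf\nCapEff:\t0000003f7f6dffff\n"
STATUS_FIXED = "Name:\tdnf\nCapEff:\t0000003fff6dffff\n"

if __name__ == "__main__":
    for label, conf, status in (("default", DEFAULT_CONF, STATUS_DEFAULT),
                                ("fixed", FIXED_CONF, STATUS_FIXED)):
        print(label, diagnose(conf, status) or ["no capability problem found"])
```

Inside a running container the equivalent one-liner is `grep CapEff /proc/1/status` (or `/proc/self/status` from the shell that runs dnf), which the `read_own_status` helper wraps; the bit test is the same one `capsh --decode` performs. Checking `CapEff` directly is the more reliable of the two checks, because it reflects what the kernel will actually enforce regardless of which config file the drop came from.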