Post by arnaud gaboury
My host is Archlinux, nspawn container is Fedora 26. Kernel is 4.13.3
I can't fully upgrade my container as some files are owned by
nobody:nobody and can't change to root. An example is filesystems. When
< error: unpacking of archive failed on file /proc: cpio: chown >
/proc/filesystems -r--r--r-- 1 nobody nobody 0
Oct 3 09:53 filesystems
# chown root:root /proc/filesystems
chown: changing ownership of '/proc/filesystems': Operation not permitted
Same kind of error with a few other packages.
Can someone please help me to find a solution? Thank you
Files in /proc being owned by "nobody" is an artifact of user
namespacing, as these files are owned by "root" on the host, which
doesn't exist in the container, and is hence mapped to the 'catch-all'
One way out could be to disable userns for the container (by dropping
--private-users from the cmdline). This makes things a lot less
secure, but removes any mapping of users, and the host root and the
container root will be identical.
You should be able to switch between --private-users and no
--private-user freely, and hence to this only temporarily.
Quite frankly, it's a bit of a shortcoming of RPM/fedora, that this
exists. It might be worth filing a bug against the relevant packages
or RPM so that they deal with this... I mean, sooner or later they
have to deal with the reality that is userns which makes changes like
this to their execution environment.
Lennart Poettering, Red Hat