Can't update centos7 (or install httpd) in unprivileged LXC container.

dragon2611

4.4-1/eb2d6f1e

Code:
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-6 will be updated
---> Package epel-release.noarch 0:7-8 will be an update
---> Package filesystem.x86_64 0:3.2-20.el7 will be updated
---> Package filesystem.x86_64 0:3.2-21.el7 will be an update
---> Package iputils.x86_64 0:20121221-7.el7 will be updated
---> Package iputils.x86_64 0:20160308-8.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================================================
Package                                      Arch                                   Version                                           Repository                            Size
==================================================================================================================================================================================
Updating:
epel-release                                 noarch                                 7-8                                               epel                                  14 k
filesystem                                   x86_64                                 3.2-21.el7                                        base                                 1.0 M
iputils                                      x86_64                                 20160308-8.el7                                    base                                 147 k

Transaction Summary
==================================================================================================================================================================================
Upgrade  3 Packages

Total download size: 1.2 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): iputils-20160308-8.el7.x86_64.rpm                                                                                                                   | 147 kB  00:00:00
(2/3): epel-release-7-8.noarch.rpm                                                                                                                         |  14 kB  00:00:00
(3/3): filesystem-3.2-21.el7.x86_64.rpm                                                                                                                    | 1.0 MB  00:00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                             3.3 MB/s | 1.2 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : filesystem-3.2-21.el7.x86_64                                                                                                                                   1/6
Error unpacking rpm package filesystem-3.2-21.el7.x86_64
error: unpacking of archive failed on file /proc: cpio: chown
  Updating   : iputils-20160308-8.el7.x86_64                                                                                                                                  2/6
Error unpacking rpm package iputils-20160308-8.el7.x86_64
error: filesystem-3.2-21.el7.x86_64: install failed
error: unpacking of archive failed on file /usr/bin/ping;58571209: cpio: cap_set_file
  Updating   : epel-release-7-8.noarch                                                                                                                                        3/6
error: iputils-20160308-8.el7.x86_64: install failed
  Cleanup    : epel-release-7-6.noarch                                                                                                                                        4/6
  Verifying  : epel-release-7-8.noarch                                                                                                                                        1/6
  Verifying  : epel-release-7-6.noarch                                                                                                                                        2/6
iputils-20121221-7.el7.x86_64 was supposed to be removed but is not!
  Verifying  : iputils-20121221-7.el7.x86_64                                                                                                                                  3/6
filesystem-3.2-20.el7.x86_64 was supposed to be removed but is not!
  Verifying  : filesystem-3.2-20.el7.x86_64                                                                                                                                   4/6
  Verifying  : iputils-20160308-8.el7.x86_64                                                                                                                                  5/6
  Verifying  : filesystem-3.2-21.el7.x86_64                                                                                                                                   6/6

Updated:
  epel-release.noarch 0:7-8

Failed:
  filesystem.x86_64 0:3.2-20.el7             filesystem.x86_64 0:3.2-21.el7             iputils.x86_64 0:20121221-7.el7             iputils.x86_64 0:20160308-8.el7

Complete!
[root@smokepong ~]#
 

dragon2611

Code:
[root@smokepong ~]# yum install httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.serverspace.co.uk
* epel: mirrors.coreix.net
* extras: mirror.sov.uk.goscomb.net
* updates: centos.serverspace.co.uk
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-45.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================================================
Package                                Arch                                    Version                                               Repository                             Size
==================================================================================================================================================================================
Installing:
httpd                                  x86_64                                  2.4.6-45.el7.centos                                   base                                  2.7 M

Transaction Summary
==================================================================================================================================================================================
Install  1 Package

Total download size: 2.7 M
Installed size: 9.4 M
Is this ok [y/d/N]: y
Downloading packages:
httpd-2.4.6-45.el7.centos.x86_64.rpm                                                                                                                       | 2.7 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : httpd-2.4.6-45.el7.centos.x86_64                                                                                                                               1/1
Error unpacking rpm package httpd-2.4.6-45.el7.centos.x86_64
error: unpacking of archive failed on file /usr/sbin/suexec;5857129a: cpio: cap_set_file
  Verifying  : httpd-2.4.6-45.el7.centos.x86_64                                                                                                                               1/1

Failed:
  httpd.x86_64 0:2.4.6-45.el7.centos
 
Dec 15, 2015
76
2
8
www.belcloud.net
I'm having the same issue:
http://prntscr.com/dm8m0u

Proxmox 4.4, lxc, unprivileged container, centos-7-default_20161207_amd64.tar.xz


For the filesystem rpm, the following command resolves it:
Code:
echo "%_netsharedpath /sys:/proc" >> /etc/rpm/macros.dist; yum -y update
But I'm still stuck with iputils.
Code:
Error unpacking rpm package iputils-20160308-8.el7.x86_64
error: unpacking of archive failed on file /usr/bin/ping;585aafa1: cpio: cap_set_file
iputils-20121221-7.el7.x86_64 was supposed to be removed but is not!
 

dragon2611

I set unprivileged 0 in the container's conf file, did the update and then set it back to 1, but I'm not sure if that's really a good idea or not.
 
Sep 30, 2016
108
15
18
Slatina
www.domenii.eu
Practically, you have done "Is it a reasonable workaround to set the container to privileged, install httpd, and then set it back again? You may then need to change the file ownerships afterward, but sure." via https://github.com/lxc/lxd/issues/1245#issuecomment-253804636

But editing the conf and switching unprivileged on/off is, I guess, not a good idea; the correct approach would be https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-155177 backup and restore (via CLI)
 

fabian


logo78

Hi,
I still have this issue with the most current kernel 4.13.4-1-pve.
The container is privileged, setfcap is set... unfortunately no success installing httpd.

Any other hints, workarounds?

Edit:
Was my mistake... I had to remove the setfcap (file system capabilities) instead of keeping them in the 'drop' setting of the corresponding conf files...
Thx @fabian
 

fabian

Your screenshot (btw, it is always preferable to paste text context inside code tags instead of posting screenshots!) shows that you configured LXC to DROP the CAP_SETFCAP capability.
 

logo78

Ouhh... Thx!
Now I know the difference between keep and drop rules ;)

Removed just the setfcap capability from common.conf and fedora.common.conf and it's working now.

Quite a pity that there is no better solution than to gain the capabilities for that httpd package.
 

xoxys

Sorry for reusing this thread but for me it is not working:

Code:
# uname -r
4.13.16-2-pve
Code:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
filesystem-3.2-25.el7.x86_64.rpm                                                                                                       | 1.0 MB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Aktualisieren    : filesystem-3.2-25.el7.x86_64                                                                                                         1/2
Error unpacking rpm package filesystem-3.2-25.el7.x86_64
error: unpacking of archive failed on file /sys: cpio: chown
  Überprüfung läuft: filesystem-3.2-25.el7.x86_64                                                                                                         1/2
filesystem-3.2-21.el7.x86_64 was supposed to be removed but is not!
  Überprüfung läuft: filesystem-3.2-21.el7.x86_64
setfcap is not set for centos:

Code:
# grep -r "setfcap"
voidlinux.common.conf:lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
archlinux.common.conf:lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
opensuse.common.conf:# lxc.cap.drop = setfcap
slackware.common.conf:lxc.cap.drop = mknod setfcap setpcap
gentoo.moresecure.conf:lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
Can anybody help?
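
A plain grep for "setfcap", as in the post above, also matches commented-out rules and cannot tell a drop list from a keep list. The following is an added example, not code from the thread or from Proxmox: a per-file check that reports whether an LXC config leaves CAP_SETFCAP dropped, generalised to `lxc.cap.keep` as well as `lxc.cap.drop`. The sample files are constructed (two are modelled on the grep output above), and `lxc.include` lines are not followed.

```shell
#!/bin/sh
# Added example: which LXC config files effectively drop CAP_SETFCAP?
# Assumption: each file is judged on its own; lxc.include is not followed.

# Print "dropped" or "kept" for one config file.
setfcap_status() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out rules have no effect
        /^[ \t]*lxc\.cap\.(drop|keep)[ \t]*=/ {
            key = $0; sub(/^[ \t]*lxc\.cap\./, "", key); sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            n = split(val, caps, /[ \t]+/)
            if (key == "drop") {
                if (val == "") dropped = 0        # empty value clears the drop list
                for (i = 1; i <= n; i++) if (caps[i] == "setfcap") dropped = 1
            } else if (val != "") {
                keep_used = 1                     # keep list: everything else is dropped
                for (i = 1; i <= n; i++) {
                    if (caps[i] == "none") kept = 0       # "none" clears the keep list
                    else if (caps[i] == "setfcap") kept = 1
                }
            }
        }
        END { if (dropped || (keep_used && !kept)) print "dropped"; else print "kept" }
    ' "$1"
}

# Print the name of every *.conf file in a directory that drops setfcap.
audit_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        [ "$(setfcap_status "$f")" = dropped ] && basename "$f"
    done
    return 0
}

# Constructed sample configs, written to a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio\n' > "$d/archlinux.common.conf"
    printf '# lxc.cap.drop = setfcap\n' > "$d/opensuse.common.conf"
    printf 'lxc.cap.drop = setfcap\nlxc.cap.drop =\n' > "$d/cleared.conf"
    printf 'lxc.cap.keep = chown setgid setuid\n' > "$d/keeponly.conf"
    audit_dir "$d"
    rm -rf "$d"
}
demo
```

To check a real host, call `audit_dir` on the directory that holds the distribution config files the container includes.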
 

Dexoid

The problem exists. Who can help?
Kernel: 4.15.17-3-pve
 

qubozik

I, too, am seeing this issue once again.

Using 4.15.17-2-pve.

This was working at one point in time. Some time in the 4.13 series. Looks like the issue is back with the 4.15 series?
 

n1ete

Can confirm this also... is there a bug report filed for this already?
 

mart.v

Same here :-( 4.15.18-1-pve

I cannot update CentOS 7 because of the filesystem package.

Code:
Running transaction
  Updating   : filesystem-3.2-25.el7.x86_64                                                                                                                                                 1/2
Error unpacking rpm package filesystem-3.2-25.el7.x86_64
error: unpacking of archive failed on file /sys: cpio: chown
  Verifying  : filesystem-3.2-25.el7.x86_64                                                                                                                                                 1/2
filesystem-3.2-21.el7.x86_64 was supposed to be removed but is not!
  Verifying  : filesystem-3.2-21.el7.x86_64                                                                                                                                                 2/2

Failed:
  filesystem.x86_64 0:3.2-21.el7                                                                 filesystem.x86_64 0:3.2-25.el7
EDIT: It seems that there is a bug report here: https://bugzilla.redhat.com/show_bug.cgi?id=1589968
But no solution so far.
 
