Can't update centos7 (or install httpd) in unprivileged LXC container.

dragon2611 · Dec 18, 2016

4.4-1/eb2d6f1e

Code:

Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-6 will be updated
---> Package epel-release.noarch 0:7-8 will be an update
---> Package filesystem.x86_64 0:3.2-20.el7 will be updated
---> Package filesystem.x86_64 0:3.2-21.el7 will be an update
---> Package iputils.x86_64 0:20121221-7.el7 will be updated
---> Package iputils.x86_64 0:20160308-8.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================================================
Package                                      Arch                                   Version                                           Repository                            Size
==================================================================================================================================================================================
Updating:
epel-release                                 noarch                                 7-8                                               epel                                  14 k
filesystem                                   x86_64                                 3.2-21.el7                                        base                                 1.0 M
iputils                                      x86_64                                 20160308-8.el7                                    base                                 147 k

Transaction Summary
==================================================================================================================================================================================
Upgrade  3 Packages

Total download size: 1.2 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): iputils-20160308-8.el7.x86_64.rpm                                                                                                                   | 147 kB  00:00:00
(2/3): epel-release-7-8.noarch.rpm                                                                                                                         |  14 kB  00:00:00
(3/3): filesystem-3.2-21.el7.x86_64.rpm                                                                                                                    | 1.0 MB  00:00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                             3.3 MB/s | 1.2 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : filesystem-3.2-21.el7.x86_64                                                                                                                                   1/6
Error unpacking rpm package filesystem-3.2-21.el7.x86_64
error: unpacking of archive failed on file /proc: cpio: chown
  Updating   : iputils-20160308-8.el7.x86_64                                                                                                                                  2/6
Error unpacking rpm package iputils-20160308-8.el7.x86_64
error: filesystem-3.2-21.el7.x86_64: install failed
error: unpacking of archive failed on file /usr/bin/ping;58571209: cpio: cap_set_file
  Updating   : epel-release-7-8.noarch                                                                                                                                        3/6
error: iputils-20160308-8.el7.x86_64: install failed
  Cleanup    : epel-release-7-6.noarch                                                                                                                                        4/6
  Verifying  : epel-release-7-8.noarch                                                                                                                                        1/6
  Verifying  : epel-release-7-6.noarch                                                                                                                                        2/6
iputils-20121221-7.el7.x86_64 was supposed to be removed but is not!
  Verifying  : iputils-20121221-7.el7.x86_64                                                                                                                                  3/6
filesystem-3.2-20.el7.x86_64 was supposed to be removed but is not!
  Verifying  : filesystem-3.2-20.el7.x86_64                                                                                                                                   4/6
  Verifying  : iputils-20160308-8.el7.x86_64                                                                                                                                  5/6
  Verifying  : filesystem-3.2-21.el7.x86_64                                                                                                                                   6/6

Updated:
  epel-release.noarch 0:7-8

Failed:
  filesystem.x86_64 0:3.2-20.el7             filesystem.x86_64 0:3.2-21.el7             iputils.x86_64 0:20121221-7.el7             iputils.x86_64 0:20160308-8.el7

Complete!
[root@smokepong ~]#

dragon2611 · Dec 18, 2016

Code:

[root@smokepong ~]# yum install httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.serverspace.co.uk
* epel: mirrors.coreix.net
* extras: mirror.sov.uk.goscomb.net
* updates: centos.serverspace.co.uk
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-45.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================================================
Package                                Arch                                    Version                                               Repository                             Size
==================================================================================================================================================================================
Installing:
httpd                                  x86_64                                  2.4.6-45.el7.centos                                   base                                  2.7 M

Transaction Summary
==================================================================================================================================================================================
Install  1 Package

Total download size: 2.7 M
Installed size: 9.4 M
Is this ok [y/d/N]: y
Downloading packages:
httpd-2.4.6-45.el7.centos.x86_64.rpm                                                                                                                       | 2.7 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : httpd-2.4.6-45.el7.centos.x86_64                                                                                                                               1/1
Error unpacking rpm package httpd-2.4.6-45.el7.centos.x86_64
error: unpacking of archive failed on file /usr/sbin/suexec;5857129a: cpio: cap_set_file
  Verifying  : httpd-2.4.6-45.el7.centos.x86_64                                                                                                                               1/1

Failed:
  httpd.x86_64 0:2.4.6-45.el7.centos

BelCloud · Dec 21, 2016

I'm having the same issue:
http://prntscr.com/dm8m0u

Proxmox 4.4, lxc, unprivileged container, centos-7-default_20161207_amd64.tar.xz

For the filesystem rpm, the following command resolves it:

Code:

echo "%_netsharedpath /sys:/proc" >> /etc/rpm/macros.dist; yum -y update

But i'm still stuck with iputils.
Error unpacking rpm package iputils-20160308-8.el7.x86_64
error: unpacking of archive failed on file /usr/bin/ping;585aafa1: cpio: cap_set_file
iputils-20121221-7.el7.x86_64 was supposed to be removed but is not!

matthew · Dec 23, 2016

Seeing same issue. Any resolution yet?

BelCloud · Dec 23, 2016

The only solution i've found is that we need to use ACLs to provide some extra privileges to the container, and i don't like giving such privileges

EuroDomenii · Jan 8, 2017

Quote from stgraber "Until the kernel supports unprivileged fs capabilities you need security.privileged set to true which should then fix your problem, at the cost of much degraded container security." https://github.com/lxc/lxd/issues/1245#issuecomment-233199884

dragon2611 · Jan 8, 2017

I set unprivileged 0 in the containers conf file, did the update and then set it back to 1 but I'm not sure if that's really a good idea or not.

EuroDomenii · Jan 8, 2017

Practically, you have done '' Is it a reasonable workaround to set the container to privileged, install httpd, and then set it back again? You may then need to change the file ownerships afterward, but sure." via https://github.com/lxc/lxd/issues/1245#issuecomment-253804636

But editing conf and switching unprivileged on/off, I guess is not a good idea, to correct approach would be https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-155177 backup and restore (via CLI)

matthew · Jan 30, 2017

https://lkml.org/lkml/2016/11/19/158

About how long will it be until proxmox gets this patched in? I imagine will wait on upstream kernel?

fabian · Feb 1, 2017

matthew said:
https://lkml.org/lkml/2016/11/19/158

About how long will it be until proxmox gets this patched in? I imagine will wait on upstream kernel?

yes, this is not even merged into 4.10, so I imagine it will take some time.

hinhthoi · Oct 9, 2017

Hi, The latest kernel has been updated to fix this issue https://github.com/lxc/lxd/issues/1245

Has this been integrated into proxmox?

Thank you!

fabian · Oct 10, 2017

hinhthoi said:
Hi, The latest kernel has been updated to fix this issue https://github.com/lxc/lxd/issues/1245

Has this been integrated into proxmox?

Thank you!

is included in the 4.13 preview kernel available on pvetest, and will therefor be also included in the regular 4.13 kernel which will be part of 5.1

logo78 · Oct 18, 2017

Hi,
still has this issue with the most current kernel 4.13.4-1-pve.
The container is priviliged, setfcap is set... unfortunately no success installing httpd.

Any other hints, workarounds?

Edit:
Was my mistake.. I had to to remove the setfcap (File system capabilites) instead of keeping them in the 'drop'. setting of the corresponding conf-files...
Thx @fabian

fabian · Oct 18, 2017

your screenshot (btw, it is always preferable to paste text context inside code tags instead of posting screenshots!) shows that you configured LXC to DROP the CAP_SETFCAP capability..

logo78 · Oct 18, 2017

Ouhh... Thx!
Now I know the difference between keep and drop rules

Removed just the setfcap capability from common.conf and fedora.common.conf and its working now.

Quite a pitty, that there is no better solution than to gain the capabilities for that httpd package.

xoxys · May 16, 2018

Sorry for reusing this thread but for me it is not working:

Code:

# uname -r
4.13.16-2-pve

Code:

Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
filesystem-3.2-25.el7.x86_64.rpm                                                                                                       | 1.0 MB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Aktualisieren    : filesystem-3.2-25.el7.x86_64                                                                                                         1/2
Error unpacking rpm package filesystem-3.2-25.el7.x86_64
error: unpacking of archive failed on file /sys: cpio: chown
  Überprüfung läuft: filesystem-3.2-25.el7.x86_64                                                                                                         1/2
filesystem-3.2-21.el7.x86_64 was supposed to be removed but is not!
  Überprüfung läuft: filesystem-3.2-21.el7.x86_64

setfcap is not set for centos:

Code:

# grep -r "setfcap"
voidlinux.common.conf:lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
archlinux.common.conf:lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
opensuse.common.conf:# lxc.cap.drop = setfcap
slackware.common.conf:lxc.cap.drop = mknod setfcap setpcap
gentoo.moresecure.conf:lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog

Can anybody help?

Dexoid · Jun 18, 2018

xoxys said:

Sorry for reusing this thread but for me it is not working:

Code:

# uname -r
4.13.16-2-pve

Code:

Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
filesystem-3.2-25.el7.x86_64.rpm                                                                                                       | 1.0 MB  00:00:00   
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Aktualisieren    : filesystem-3.2-25.el7.x86_64                                                                                                         1/2
Error unpacking rpm package filesystem-3.2-25.el7.x86_64
error: unpacking of archive failed on file /sys: cpio: chown
  Überprüfung läuft: filesystem-3.2-25.el7.x86_64                                                                                                         1/2
filesystem-3.2-21.el7.x86_64 was supposed to be removed but is not!
  Überprüfung läuft: filesystem-3.2-21.el7.x86_64

setfcap is not set for centos:

Code:

# grep -r "setfcap"
voidlinux.common.conf:lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
archlinux.common.conf:lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
opensuse.common.conf:# lxc.cap.drop = setfcap
slackware.common.conf:lxc.cap.drop = mknod setfcap setpcap
gentoo.moresecure.conf:lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog

Can anybody help?

The problem exists. Who can help?
Kernel: 4.15.17-3-pve

qubozik · Jun 25, 2018

I, too, am seeing this issue once again.

Using 4.15.17-2-pve.

This was working at one point in time. Some time in the 4.13 series. Looks like the issue is back with the 4.15 series?

n1ete · Aug 31, 2018

can confirm this also...is there a bug report filed for this already?

mart.v · Sep 6, 2018

Same here :-( 4.15.18-1-pve

I cannot update CentOS 7 because of the filesystem package.

Code:

Running transaction
  Updating   : filesystem-3.2-25.el7.x86_64                                                                                                                                                 1/2
Error unpacking rpm package filesystem-3.2-25.el7.x86_64
error: unpacking of archive failed on file /sys: cpio: chown
  Verifying  : filesystem-3.2-25.el7.x86_64                                                                                                                                                 1/2
filesystem-3.2-21.el7.x86_64 was supposed to be removed but is not!
  Verifying  : filesystem-3.2-21.el7.x86_64                                                                                                                                                 2/2

Failed:
  filesystem.x86_64 0:3.2-21.el7                                                                 filesystem.x86_64 0:3.2-25.el7

EDIT: It seems that there is a bug report here: https://bugzilla.redhat.com/show_bug.cgi?id=1589968
But no solution so far.

Can't update centos7 (or install httpd) in unprivileged LXC container.

Renowned Member

Renowned Member

Renowned Member

Renowned Member

Renowned Member

Renowned Member

Renowned Member

Renowned Member

Renowned Member

Proxmox Staff Member

New Member

Proxmox Staff Member

Active Member

Attachments

Proxmox Staff Member

Active Member

Member

New Member

Member

New Member

Well-Known Member