rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.
GNU General Public License v2.0

subid nss provider breaks mock #1354

Closed yrro closed 7 months ago

yrro commented 7 months ago

Short description of the problem

When I try to use mock it always fails with:

$  mock shell
INFO: mock.py version 5.5 starting (python version = 3.12.2, NVR = mock-5.5-1.fc39), args: /usr/libexec/mock/mock -r fedora-39-x86_64 --shell
[...]
Start: cleaning package manager metadata
Finish: cleaning package manager metadata
INFO: enabled HW Info plugin
INFO: Package manager dnf detected and used (direct choice)
ERROR: Command failed: 
 # groupadd mock -g 135 --prefix /var/lib/mock/fedora-39-x86_64/root

Adding -v reveals what's going on...

DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/usr/share/pki/ca-trust-source
DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/usr/share/pki/ca-trust-source/./anchors
DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/usr/share/pki/ca-trust-source/./blacklist
DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/usr/share/pki/ca-trust-source/./blocklist
DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/etc/dnf
DEBUG: configure DNF vars
DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/var/cache/yum
DEBUG: child environment: None
DEBUG: Executing command: ['/bin/mount', '-n', '-o', 'bind', '/var/cache/mock/fedora-39-x86_64/yum_cache', '/var/lib/mock/fedora-39-x86_64/root/var/cache/yum'] with env {'TERM': 'vt100', 'SHELL': '/bin/sh', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'LANG': 'C.UTF-8'} and shell False
DEBUG: Child return code was: 0
DEBUG: ensuring that dir exists: /var/lib/mock/fedora-39-x86_64/root/var/cache/dnf
DEBUG: child environment: None
DEBUG: Executing command: ['/bin/mount', '-n', '-o', 'bind', '/var/cache/mock/fedora-39-x86_64/dnf_cache', '/var/lib/mock/fedora-39-x86_64/root/var/cache/dnf'] with env {'TERM': 'vt100', 'SHELL': '/bin/sh', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'LANG': 'C.UTF-8'} and shell False
DEBUG: Child return code was: 0
DEBUG: child environment: None
DEBUG: Executing command: ['userdel', '-f', 'mockbuild', '--prefix', '/var/lib/mock/fedora-39-x86_64/root'] with env {'TERM': 'vt100', 'SHELL': '/bin/sh', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'LANG': 'C.UTF-8'} and shell False
DEBUG: userdel: cannot remove entry 1673000001 from /var/lib/mock/fedora-39-x86_64/root//etc/subuid
DEBUG: Child return code was: 16
DEBUG: child environment: None
DEBUG: Executing command: ['groupdel', 'mock', '--prefix', '/var/lib/mock/fedora-39-x86_64/root'] with env {'TERM': 'vt100', 'SHELL': '/bin/sh', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'LANG': 'C.UTF-8'} and shell False
DEBUG: Child return code was: 8
DEBUG: child environment: None
DEBUG: Executing command: ['groupadd', 'mock', '-g', '135', '--prefix', '/var/lib/mock/fedora-39-x86_64/root'] with env {'TERM': 'vt100', 'SHELL': '/bin/sh', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'LANG': 'C.UTF-8'} and shell False
DEBUG: groupadd: group 'mock' already exists
DEBUG: Child return code was: 9

The first userdel command fails because cannot remove entry 1673000001 from /var/lib/mock/fedora-39-x86_64/root//etc/subuid - but /etc/subuid and /etc/subgid in the chroots are empty.

My system is joined to a FreeIPA domain, which provides users with subuid/subgid allocations. libsubid obtains these from the directory when a subid entry exists in nsswitch.conf. It appears that this is confusing userdel and friends when run by mock.

If I comment out this line from /etc/nsswitch.conf then mock works:

subid: sss

Output of rpm -q mock

mock-5.5-1.fc39.noarch

Steps to reproduce issue

  1. Run ipa-client-install using the --subid option
  2. Run mock --init
  3. Run mock --shell

Any additional notes

Output of `mock --debug-config`

praiskup commented 7 months ago

Thank you for the report. Is this related to https://bugzilla.redhat.com/show_bug.cgi?id=2242018 ? If yes, please consider using the use_host_shadow_utils contributed by @mhjacks in #1283.

yrro commented 7 months ago

It seems like it might be related, but after setting use_host_shadow_utils to True in /etc/mock/site-defaults.cfg the userdel command still fails with the same message (userdel: cannot remove entry 1673000001 from /var/lib/mock/rhel-8-x86_64/root//etc/subuid) which causes the subsequent groupdel and groupadd commands to fail.

Full output of mock -v -r rhel-8-x86_64 --shell:

mock-shell-with-host-shadow-utils-2.txt

mhjacks commented 7 months ago

What do your root/etc/sub{u,g}id files have (inside the mock chroot)?

yrro commented 7 months ago

They're both empty:

$ ls -l /var/lib/mock/rhel-8-x86_64/root/etc/sub*
-rw-r--r--. 1 root root 0 Sep 10  2018 /var/lib/mock/rhel-8-x86_64/root/etc/subgid
-rw-r--r--. 1 root root 0 Sep 10  2018 /var/lib/mock/rhel-8-x86_64/root/etc/subuid

mhjacks commented 7 months ago

Thanks for the further clarification.

I ran into something very much like your initial reporting of the case that led to me contributing the feature Pavel referenced. (It's the groupadd mock call failing). What's not clear here (to me at least) is why userdel is looking for a 1673000001 entry at all in the chroot. I was thinking one might have snuck into the sub* files somehow.

Now, to be clear, on my IPA-joined systems that I run mock on, I have this in /etc/mock/site-defaults.cfg:

config_opts['use_host_shadow_utils'] = False

If you have that, the other thing I might check would be root/etc/nsswitch.conf, to see if the subid: line snuck in there.

It might also matter that I run my builds via sudo mock .... I also have not used mock to build RHEL-8 packages, though I have used my config to build other EL8 packages, so I wouldn't think it's a problem with software versions in the chroot.

There's a gnarly history of subids and shadow-utils, but the whole point of this feature is to make it so you can use them with mock.

yrro commented 7 months ago

Aha! I just realised that I was supposed to set use_host_shadow_utils to False. And now I see you've just added a comment saying the same thing. :)

Having configured that, mock --shell works so I think that fixes my problem, thanks!

It might be worth adding some logic to try to detect a 'broken' or at least undesirable host configuration, for instance if subid in /etc/nsswitch.conf is present and set to anything other than files, and display a warning message pointing the user to the use_host_shadow_utils setting.
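
The host check suggested in the comment above, written out as an added example; it is not part of the thread or of mock's own code. The function names and the sample nsswitch.conf text are hypothetical and constructed for illustration, and the warning only points at the `use_host_shadow_utils` setting discussed in this issue.

```python
import os
import re

# Constructed sample of an nsswitch.conf on a host enrolled with
# "ipa-client-install --subid" (illustrative, not taken from the issue).
SAMPLE_NSSWITCH = """\
# Generated by authselect
passwd:     files sss systemd
group:      files sss systemd
subid:      sss   # subordinate ID ranges come from the directory
"""


def subid_sources(nsswitch_text):
    """Return the sources named on the first 'subid:' line, or None if absent."""
    for raw in nsswitch_text.splitlines():
        # Strip trailing comments so a commented-out entry is ignored.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, sep, rest = line.partition(":")
        if not sep or database.strip() != "subid":
            continue
        # Drop action items such as [NOTFOUND=return]; keep only source names.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        return rest.split()
    return None


def check_host_subid(nsswitch_text):
    """Return a warning string when subid is served by anything but 'files'."""
    sources = subid_sources(nsswitch_text)
    if not sources:
        return None  # no subid line, or no source named on it
    non_files = [s for s in sources if s != "files"]
    if not non_files:
        return None
    return (
        "WARNING: host /etc/nsswitch.conf has 'subid: %s'. userdel/groupadd "
        "run with --prefix may try to edit subid ranges that are not stored "
        "in the chroot's /etc/subuid and /etc/subgid. Consider setting "
        "config_opts['use_host_shadow_utils'] = False in "
        "/etc/mock/site-defaults.cfg." % " ".join(sources)
    )


if __name__ == "__main__":
    # Check the real host file when present, otherwise the constructed sample.
    path = "/etc/nsswitch.conf"
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NSSWITCH
    print(check_host_subid(text) or "subid provider looks fine for mock")
```
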

yrro commented 7 months ago

> What's not clear here (to me at least) is why userdel is looking for a 1673000001 entry at all in the chroot

I guess userdel uses libsubid to find out what entries my user has, which returns the values from FreeIPA. userdel then tries to remove those entries from /etc/subuid / /etc/subgid.

Maybe userdel shouldn't fail if the entry it wants to remove from /etc/subuid / /etc/subgid is not present... or maybe there needs to be a way for userdel to find out from libsubid that the range it looked up isn't from those files, so therefore userdel shouldn't even try to remove the range from those files...

mhjacks commented 7 months ago

Awesome! I'm glad that fixed it for you.

The current dance with shadow-utils and subids is the gnarly thing I referred to before. I've long been a fan of IPA, and I was really excited when they decided they would start providing subid support in it. But quite a lot of userland utilities assume that the only way that can be implemented is through /etc/sub{g,u}id files. I've spent a lot of my "spare" time in software development trying to help patch that kind of thing out.

Unfortunately, some of the "normal" benefits of nss* utilities are not available with subids, for reasons that I don't fully understand (libc internals?). This makes it (as I understand) currently impossible to do "switch" subid providers - it either must be files or it must be sss.

It gets a little sticky to start parsing the host files, and there may come a point at which some of this stuff isn't as...icky...as it is right now.

FWIW, we are working upstream on better solutions in shadow-utils. Progress is not as rapid on all fronts as one might wish for, though.