rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.
GNU General Public License v2.0

selinux error in lxd/lxc: Could not create dir /var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux. Error: [Errno 30] Read-only file system #1374

Open sena73 opened 1 month ago

sena73 commented 1 month ago

Short description of the problem

If I start mock in an lxc or lxd container (Rocky 9/8, CentOS 8/9), I get the error 'Could not create dir /var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux. Error: [Errno 30] Read-only file system'.

Currently the only way to work around this problem is to install and configure SELinux on the host system (which is Debian 12). Then the problem is gone, but I do not want that. SELinux does not work well on Debian, pollutes all logs and slows down the system.

I found the old issue 258, which is similar but was not inside a container...

Output of rpm -q mock

mock-5.5-1.el9.noarch

Steps to reproduce issue

  1. Try to build an RPM using mock inside an lxc or lxd container with CentOS 8/9 or Rocky 8/9 on a Debian 12 host

mock --rebuild packagename.el9.src.rpm

ERROR: Could not create dir /var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux. Error: [Errno 30] Read-only file system: '/var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux'

Full error message

```
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/mockbuild/file_util.py", line 20, in mkdirIfAbsent
    os.makedirs(dirName)
  File "/usr/lib64/python3.9/os.py", line 225, in makedirs
    mkdir(name, mode)
OSError: [Errno 30] Read-only file system: '/var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux'
```

Any additional notes

Output of `mock --debug-config`

[mock_debug_config.txt](https://github.com/rpm-software-management/mock/files/15419066/mock_debug_config.txt)
praiskup commented 1 month ago

You need to have the rights for mounting in a container (typically CAP_SYS_ADMIN); then you can use Mock properly. I don't know how to achieve this using lxc/lxd; we have this doc file, and we would appreciate your help if you can provide better guidance.

What I typically do is, as a non-root user, podman run --rm -ti --privileged ....

sena73 commented 2 weeks ago

> You need to have the rights for mounting in a container (typically CAP_SYS_ADMIN); then you can use Mock properly. I don't know how to achieve this using lxc/lxd; we have this doc file, and we would appreciate your help if you can provide better guidance.
>
> What I typically do is, as a non-root user, podman run --rm -ti --privileged ....

  1. The problem is not that the container has no right to mount, since I get the same error for both privileged and unprivileged containers. The problem only goes away if I install and configure SELinux on the host.
  2. Why would mock need to mount /sys/fs/selinux in the container at all? That looks completely wrong to me. Can you explain that?
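The two questions in this thread, whether the container really has mount rights (praiskup's point about CAP_SYS_ADMIN) and whether the host kernel exposes selinuxfs at /sys/fs/selinux at all (sena73's observation that the error only disappears once SELinux is configured on the Debian host), can both be checked from inside the container before running mock. The script below is an added example written for this page; it is not part of Mock and not from either commenter. It assumes a Linux /proc, and the `mount`, `mktemp` and `awk` utilities from util-linux, coreutils and a POSIX awk. The bit number 21 for CAP_SYS_ADMIN comes from linux/capability.h; the /proc/filesystems and mount-table lines used to exercise the parsers are constructed samples.

```shell
#!/bin/sh
# Added example (not Mock's own code): pre-flight checks to run inside the
# container before "mock --rebuild", covering the points raised in this thread:
#   1. does the process hold CAP_SYS_ADMIN (needed for the bind mounts Mock does)?
#   2. can it actually perform a bind mount?
#   3. does the host kernel provide selinuxfs, and is it mounted at /sys/fs/selinux?
# Run as root inside the container with "--run"; with no arguments it only
# defines the functions.

CAP_SYS_ADMIN=21   # bit number of CAP_SYS_ADMIN in the capability masks (linux/capability.h)

# True if CAP_SYS_ADMIN is set in a hex capability mask such as the CapEff
# value in /proc/<pid>/status (e.g. "0000003fffffffff").
cap_sys_admin_in_mask() {
    mask=$1
    [ $(( (0x$mask >> CAP_SYS_ADMIN) & 1 )) -eq 1 ]
}

# Effective capability mask of the current shell.
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# True if the given /proc/filesystems text lists selinuxfs
# (i.e. the running kernel was built with SELinux support).
kernel_has_selinuxfs() {
    printf '%s\n' "$1" | grep -q '[[:space:]]selinuxfs$'
}

# True if the given mount table (format of /proc/self/mounts) shows
# selinuxfs mounted at /sys/fs/selinux.
selinuxfs_mounted() {
    printf '%s\n' "$1" | awk '$2 == "/sys/fs/selinux" && $3 == "selinuxfs" { found = 1 }
                               END { exit !found }'
}

# True if a throwaway bind mount in a temp dir succeeds; needs root and mount rights.
probe_bind_mount() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/src" "$d/dst"
    if mount --bind "$d/src" "$d/dst" 2>/dev/null; then
        umount "$d/dst"
        rm -rf "$d"
        return 0
    fi
    rm -rf "$d"
    return 1
}

preflight() {
    eff=$(current_cap_eff)
    if cap_sys_admin_in_mask "$eff"; then
        echo "ok:   CAP_SYS_ADMIN is in CapEff ($eff)"
    else
        echo "FAIL: CAP_SYS_ADMIN missing from CapEff ($eff); Mock cannot set up its chroot mounts"
    fi
    if [ "$(id -u)" -eq 0 ]; then
        if probe_bind_mount; then
            echo "ok:   bind mount works"
        else
            echo "FAIL: bind mount refused in this container"
        fi
    else
        echo "skip: not root, bind-mount probe not attempted"
    fi
    if kernel_has_selinuxfs "$(cat /proc/filesystems)"; then
        echo "ok:   kernel provides selinuxfs"
    else
        echo "note: kernel has no selinuxfs (SELinux not built in)"
    fi
    if selinuxfs_mounted "$(cat /proc/self/mounts)"; then
        echo "ok:   selinuxfs is mounted at /sys/fs/selinux"
    else
        echo "note: /sys/fs/selinux is not a selinuxfs mount in this container"
    fi
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Running `sh preflight.sh --run` as root in the container prints one line per check. A "FAIL" on the capability or bind-mount line means the container lacks the mount rights praiskup describes; an "ok" there together with "note" lines for selinuxfs reproduces the situation sena73 reports, where mount rights are present but the host kernel has no selinuxfs to expose, which is useful detail to attach when reporting back on this issue.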