rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.
GNU General Public License v2.0
384 stars 235 forks

Mock in Docker container fails: "Insufficient rights." (with --privileged/--cap-add=SYS_ADMIN permissions) #1487

Open dreibh opened 1 month ago

dreibh commented 1 month ago

Short description of the problem

Running "mock -h" inside a "fedora:40" or "fedora:latest" Docker container (with --privileged/--cap-add=SYS_ADMIN) has, for a few days now, just printed "Insufficient rights.", without any further useful information. Mock worked before, also in GitHub Actions. There is probably a recent change, or a recent configuration update of Fedora, breaking Mock in containers.

Output of rpm -q mock

mock-5.9-1.fc40.noarch

Steps to reproduce issue

  1. docker run --cap-add=SYS_ADMIN --privileged --rm -it fedora:latest bash
  2. dnf install -y mock
  3. mock -h

The output is always: "Insufficient rights."

Any additional notes

Output of mock --debug-config:

Insufficient rights.

dreibh commented 1 month ago

Using the "fedora:39" container works fine, i.e. the issue is related to Fedora 40. The version of Mock in Fedora 39 is the same:

[root@ecb8a5f27055 /]# cat /etc/fedora-release 
Fedora release 39 (Thirty Nine)
[root@ecb8a5f27055 /]# rpm -q mock
mock-5.9-1.fc39.noarch
[root@ecb8a5f27055 /]# mock -h
usage: 
       mock [options] {--init|--clean|--scrub=[all,chroot,cache,root-cache,c-cache,yum-cache,dnf-cache,lvm,overlayfs]}

dreibh commented 1 month ago

This is the end of the strace output of the Mock run on Fedora 40. It may help to locate the problem:

newfstatat(AT_FDCWD, "/etc/login.defs", {st_mode=S_IFREG|0644, st_size=8888, ...}, AT_SYMLINK_NOFOLLOW) = 0
openat(AT_FDCWD, "/etc/login.defs", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=8888, ...}) = 0
read(3, "#\n# Please note that the paramet"..., 4096) = 4096
read(3, "ID_MIN                  1000\nUID"..., 4096) = 4096
brk(0x597831d81000)                     = 0x597831d81000
read(3, " line length in the\n# group file"..., 4096) = 696
read(3, "", 4096)                       = 0
close(3)                                = 0
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=639, ...}, 0) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1033, ...}) = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "root:x:0:0:Super User:/root:/bin"..., 4096) = 1033
close(3)                                = 0
pipe2([3, 4], 0)                        = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7244fb985710}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7244fb6c7b10) = 315
close(4)                                = 0
wait4(315, [{WIFEXITED(s) && WEXITSTATUS(s) == 9}], 0, NULL) = 315
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=315, si_uid=0, si_status=9, si_utime=0, si_stime=0} ---
read(3, "-1\n", 31)                     = 3
read(3, "", 28)                         = 0
close(3)                                = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7244fb985710}, NULL, 8) = 0
socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_AUDIT) = 3
sendto(3, [{nlmsg_len=140, nlmsg_type=0x44d /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=2, nlmsg_pid=0}, "\x6f\x70\x3d\x50\x41\x4d\x3a\x61\x63\x63\x6f\x75\x6e\x74\x69\x6e\x67\x20\x67\x72\x61\x6e\x74\x6f\x72\x73\x3d\x3f\x20\x61\x63\x63"...], 140, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 140
poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=2, nlmsg_pid=314}, {error=0, msg={nlmsg_len=140, nlmsg_type=0x44d /* AUDIT_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=2, nlmsg_pid=0}}], 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 36
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=2, nlmsg_pid=314}, {error=0, msg={nlmsg_len=140, nlmsg_type=0x44d /* AUDIT_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=2, nlmsg_pid=0}}], 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, [12]) = 36
close(3)                                = 0
munmap(0x7244fb660000, 16392)           = 0
munmap(0x7244fb65a000, 20488)           = 0
munmap(0x7244fb652000, 28680)           = 0
munmap(0x7244fb64d000, 16392)           = 0
munmap(0x7244fb63d000, 61480)           = 0
munmap(0x7244fb632000, 29864)           = 0
munmap(0x7244fb602000, 195416)          = 0
munmap(0x7244fb5ae000, 342832)          = 0
munmap(0x7244fb4e6000, 815888)          = 0
munmap(0x7244fb4cf000, 90160)           = 0
munmap(0x7244fb4c8000, 24640)           = 0
munmap(0x7244fb4b8000, 62096)           = 0
munmap(0x7244fb4b1000, 24584)           = 0
munmap(0x7244faff3000, 71816)           = 0
munmap(0x7244fafcd000, 16392)           = 0
munmap(0x7244fafc8000, 16392)           = 0
munmap(0x7244fafc0000, 28960)           = 0
munmap(0x7244fafb5000, 40968)           = 0
munmap(0x7244fafb0000, 16392)           = 0
munmap(0x7244fafa8000, 28680)           = 0
munmap(0x7244faf1e000, 562072)          = 0
munmap(0x7244faedc000, 28680)           = 0
write(2, "Insufficient rights.\n", 21Insufficient rights.
)  = 21
exit_group(6)                           = ?
+++ exited with 6 +++

praiskup commented 1 month ago

Thank you for the report. But I cannot reproduce this with moby-engine-27.3.1-2.fc41.src.rpm.

Is this a failure of consolehelper? Can you check if it is an SUID binary?

[root@a0ff81e77885 /]# ls -alh /usr/sbin/userhelper 
-rws--x--x. 1 root root 48K Jul 20 00:00 /usr/sbin/userhelper

yrashk commented 1 month ago

I have the same issue – worked a few days before.

ls -alh /usr/sbin/userhelper 
-rws--x--x 1 root root 48K Jul 20 00:00 /usr/sbin/userhelper

yrashk commented 1 month ago

I may have found an answer: this was a new cluster/node and it had AppArmor enabled. Disabling it on the node and rebooting it cleared the problem. I am not very well-oriented in AppArmor, but I wonder if there's a less radical solution (tuning vs turning it off).

Either way, it doesn't seem to be a mock problem, at least in my case.
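The thread above narrows the failure down to userhelper (consolehelper's setuid helper) not gaining privileges inside the container: praiskup asks whether the binary still carries the setuid bit, and yrashk finds that AppArmor on the node was the cause. The following diagnostic script is an added example, not part of mock and not posted by anyone in this issue; it turns those two observations, plus the two other conditions under which the kernel ignores a setuid bit (the `no_new_privs` process flag and a `nosuid` mount), into checks a container user can run. The helper path `/usr/sbin/userhelper` is taken from the thread; every check takes its input as text so it can also be exercised on constructed `ls`, `/proc/self/status`, `/proc/self/mounts` and AppArmor-label samples, and the profile name `docker-default` used in the usage note is Docker's real default profile, quoted here only as a sample value.

```shell
#!/bin/sh
# Added diagnostic, not part of mock or of this issue thread.
# Checks the usual reasons a setuid helper (userhelper here) cannot gain
# privileges inside a container. Each check is a function that takes its
# input as text, so it can be exercised on constructed input as well as on
# the live system.

# $1 = the mode column of `ls -l` (e.g. "-rws--x--x."); true if setuid is set.
ls_mode_is_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;   # 4th char: s = setuid+exec, S = setuid without exec
        *)        return 1 ;;
    esac
}

# $1 = contents of /proc/self/status; true if no_new_privs is set, which
# makes the kernel ignore setuid bits on exec.
status_has_nonewprivs() {
    printf '%s\n' "$1" | grep -q '^NoNewPrivs:[[:space:]]*1'
}

# $1 = contents of /proc/self/mounts, $2 = absolute file path; true if the
# longest-prefix mount holding the path carries the nosuid option.
mount_is_nosuid() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "nosuid") exit 0
            exit 1
        }'
}

# $1 = contents of /proc/self/attr/current on an AppArmor host
# (e.g. "docker-default (enforce)"); true if a profile confines the process.
apparmor_label_confined() {
    case "$1" in
        ""|unconfined|"unconfined "*) return 1 ;;
        *)                           return 0 ;;
    esac
}

# Runs all checks against the live system and prints findings. Always
# returns 0; it is a report, not a gate.
diagnose() {
    helper="${1:-/usr/sbin/userhelper}"   # path from the issue thread
    if [ ! -e "$helper" ]; then
        echo "$helper: not present"
        return 0
    fi
    mode=$(ls -ld "$helper" | awk '{print $1}')
    if ls_mode_is_setuid "$mode"; then
        echo "$helper: setuid bit set ($mode)"
    else
        echo "$helper: setuid bit MISSING ($mode)"
    fi
    if [ -r /proc/self/status ] && status_has_nonewprivs "$(cat /proc/self/status)"; then
        echo "NoNewPrivs=1: the kernel will ignore the setuid bit"
    fi
    if [ -r /proc/self/mounts ] && mount_is_nosuid "$(cat /proc/self/mounts)" "$helper"; then
        echo "filesystem holding $helper is mounted nosuid"
    fi
    if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]; then
        label=$(cat /proc/self/attr/current 2>/dev/null)
        if apparmor_label_confined "$label"; then
            echo "AppArmor profile in effect: $label"
        fi
    fi
    return 0
}

diagnose "$@"
```

Run it as `sh diag.sh` inside the container (optionally with another helper path as the first argument). A setuid bit that is present while the helper still fails, combined with a line such as `AppArmor profile in effect: docker-default (enforce)`, points at LSM confinement rather than at mock, which matches the outcome reported above; `NoNewPrivs=1` or a `nosuid` mount would instead indicate how the container runtime was configured.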