systemd / mkosi

💽 Build Bespoke OS Images
https://mkosi.systemd.io/
GNU Lesser General Public License v2.1

cp: cannot access '/home/<user>/.cache/mkosi/ubuntu~noble~x86-64/lib/apt/lists/partial': Permission denied #2875

Closed gritelli closed 6 days ago

gritelli commented 1 month ago

mkosi commit the issue has been seen with

main

Used host distribution

Ubuntu 24.04

Used target distribution

Ubuntu 22.04

Linux kernel version used

6.8.0-31-generic

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

Running from source and it just fails to build.

Used mkosi config

[Distribution]
Distribution=ubuntu
Release=jammy
Repositories=main,universe

[Content]
Bootable=yes
Hostname=talos
WithNetwork=true
Packages=
  apt
  bash
  ca-certificates
  curl
  dbus
  less
  linux-image-generic
  nano
  ssh
  sudo
  systemd
  udev
  wget

#[Validation]
# root password
#Password=solat

[Partitions]
RootSize=5G

[Host]
ToolsTree=default

mkosi output

‣ Including configuration file /home/talos/Desktop/mkosi.conf
‣ + timedatectl show -p Timezone --value
‣ + timedatectl show -p Timezone --value
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/grub.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/systemd-boot.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/ubuntu-keyring.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/virtiofsd.conf
‣ + timedatectl show -p Timezone --value
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/grub.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/systemd-boot.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/ubuntu-keyring.conf
‣ Including configuration file /tmp/tmpt141ee3q/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/virtiofsd.conf
‣ + timedatectl show -p Timezone --value
‣ + stat --file-system --format %T /home/talos/.cache/mkosi/mkosi-workspace-ureli1fz
‣ Syncing package manager metadata for ubuntu-tools image
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ + apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Acquire::AllowReleaseInfoChange=true -o Dir::Cache=/var/cache/apt -o Dir::State=/var/lib/apt -o Dir::Log=/var/log/apt -o Dir::State::Status=/buildroot/var/lib/dpkg/status -o Dir::Bin::DPkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/buildroot -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o DPkg::Options::=--no-debsig -o DPkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu noble-security InRelease
Reading package lists... Done                        
‣ + rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-ureli1fz
‣ + mount --make-rslave /
‣ + mount --rbind /etc /etc --options ro,nosuid,nodev,noexec
‣ + mount --rbind /opt /opt --options ro
‣ + mount --rbind /boot /boot --options ro,nosuid,nodev,noexec
‣ + mount --rbind /media /media --options ro,nosuid,nodev,noexec
‣ + mount --rbind /usr /usr --options ro
‣ Building ubuntu-tools image
‣ + stat --file-system --format %T /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ + cp --version
‣ + cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt' /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/root/var/cache/apt --no-target-directory
‣ + cp --version
‣ + cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/root/var/lib/apt --no-target-directory
cp: cannot access '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt/lists/partial': Permission denied
‣ "bwrap --unshare-net --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 0 --unsetenv TMPDIR --dir /tmp --dir /var/tmp --unshare-ipc --dev /dev --symlink usr/bin /bin --symlink usr/sbin /sbin --symlink usr/lib /lib --symlink usr/lib64 /lib64 --setenv PATH /scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin --uid 0 --gid 0 --cap-add ALL --bind /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/pkgmngr/etc /etc --ro-bind /etc/alternatives /etc/alternatives --bind /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/root/var/lib /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/root/var/lib --ro-bind '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' --ro-bind /etc/ssl/certs/ca-certificates.crt /proxy.cacert --ro-bind /usr /usr --bind /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/pkgmngr/var/log /var/log sh -c 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"' cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/root/var/lib/apt --no-target-directory" returned non-zero exit code 1.
‣ + rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9
rm: cannot remove '/home/talos/.cache/mkosi/mkosi-workspace-990ipdz9': Permission denied
‣ "bwrap --unshare-net --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 0 --unsetenv TMPDIR --dir /tmp --dir /var/tmp --unshare-ipc --dev /dev --symlink usr/bin /bin --symlink usr/sbin /sbin --symlink usr/lib /lib --symlink usr/lib64 /lib64 --setenv PATH /scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin --ro-bind /etc/alternatives /etc/alternatives --bind /home/talos/.cache/mkosi /home/talos/.cache/mkosi --ro-bind /etc/ssl/certs/ca-certificates.crt /proxy.cacert --ro-bind /usr /usr --symlink ../proc/self/mounts /etc/mtab sh -c 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"' rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-990ipdz9" returned non-zero exit code 1.
‣  (Fixing ownership of package manager cache directory)
‣ + chown --recursive 1000:1000 '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt'
‣ + chown --recursive 1000:1000 '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt'
Traceback (most recent call last):
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 3780, in setup_workspace
    yield Path(workspace)
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 4747, in run_build
    build_image(Context(args, config, workspace=workspace, resources=resources, package_dir=package_dir))
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 3888, in build_image
    copy_repository_metadata(context)
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 3849, in copy_repository_metadata
    copy_tree(
  File "/home/talos/Desktop/mkosi/mkosi/tree.py", line 124, in copy_tree
    run(copy, sandbox=sandbox(binary="cp", mounts=mounts))
  File "/home/talos/Desktop/mkosi/mkosi/run.py", line 150, in run
    with spawn(
  File "/usr/lib/python3.12/contextlib.py", line 144, in __exit__
    next(self.gen)
  File "/home/talos/Desktop/mkosi/mkosi/run.py", line 352, in spawn
    raise subprocess.CalledProcessError(returncode, cmdline)
subprocess.CalledProcessError: Command '['cp', '--recursive', '--no-dereference', '--preserve=mode,links', '--reflink=auto', '--copy-contents', '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt', '/home/talos/.cache/mkosi/mkosi-workspace-990ipdz9/root/var/lib/apt', '--no-target-directory']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/talos/Desktop/mkosi/mkosi/run.py", line 60, in uncaught_exception_handler
    yield
  File "/home/talos/Desktop/mkosi/mkosi/run.py", line 101, in fork_and_wait
    target(*args, **kwargs)
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 4742, in run_build
    with (
  File "/usr/lib/python3.12/contextlib.py", line 158, in __exit__
    self.gen.throw(value)
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 3771, in setup_workspace
    with contextlib.ExitStack() as stack:
  File "/usr/lib/python3.12/contextlib.py", line 610, in __exit__
    raise exc_details[1]
  File "/usr/lib/python3.12/contextlib.py", line 595, in __exit__
    if cb(*exc_details):
       ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/contextlib.py", line 478, in _exit_wrapper
    callback(*args, **kwds)
  File "/home/talos/Desktop/mkosi/mkosi/__init__.py", line 3775, in <lambda>
    stack.callback(lambda: rmtree(workspace, sandbox=config.sandbox))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/talos/Desktop/mkosi/mkosi/tree.py", line 163, in rmtree
    run(["rm", "-rf", "--", *filtered],
  File "/home/talos/Desktop/mkosi/mkosi/run.py", line 150, in run
    with spawn(
  File "/usr/lib/python3.12/contextlib.py", line 144, in __exit__
    next(self.gen)
  File "/home/talos/Desktop/mkosi/mkosi/run.py", line 352, in spawn
    raise subprocess.CalledProcessError(returncode, cmdline)
subprocess.CalledProcessError: Command '['rm', '-rf', '--', '/home/talos/.cache/mkosi/mkosi-workspace-990ipdz9']' returned non-zero exit status 1.
‣ + tput cnorm
‣ + tput smam

DaanDeMeyer commented 1 month ago

@gritelli I need the full command line that you are running as well. I'm guessing you ran mkosi with sudo first and are now running it without sudo; of course that means that there will be files owned by root that we can't access. I would remove ~/.cache/mkosi and try again.

gritelli commented 1 month ago

I did run everything with sudo. Here is the output from a fresh Ubuntu 24.04 and mkosi source pull:

talos@talos-pc-001:~$ git clone https://github.com/systemd/mkosi
Cloning into 'mkosi'...
remote: Enumerating objects: 21882, done.
remote: Counting objects: 100% (176/176), done.
remote: Compressing objects: 100% (120/120), done.
remote: Total 21882 (delta 90), reused 90 (delta 54), pack-reused 21706
Receiving objects: 100% (21882/21882), 6.29 MiB | 2.08 MiB/s, done.
Resolving deltas: 100% (15088/15088), done.

talos@talos-pc-001:~$ sudo ln -s $PWD/mkosi/bin/mkosi /usr/local/bin/mkosi

talos@talos-pc-001:~$ mkosi --version
mkosi 24~devel

talos@talos-pc-001:~$ sudo mkosi --tools-tree --debug build
‣ + timedatectl show -p Timezone --value
‣ + timedatectl show -p Timezone --value
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/grub.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/systemd-boot.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/ubuntu-keyring.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/virtiofsd.conf
‣ + timedatectl show -p Timezone --value
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/grub.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/systemd-boot.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/ubuntu-keyring.conf
‣ Including configuration file /tmp/tmpv5_2qpa6/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/virtiofsd.conf
‣ + timedatectl show -p Timezone --value
‣ + stat --file-system --format %T /home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
‣ "bwrap --unshare-net --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 0 --unsetenv TMPDIR --dir /tmp --dir /var/tmp --unshare-ipc --dev /dev --symlink usr/bin /bin --symlink usr/sbin /sbin --symlink usr/lib /lib --symlink usr/lib64 /lib64 --setenv PATH /scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin --ro-bind /etc/alternatives /etc/alternatives --ro-bind /home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu /home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu --ro-bind /etc/ssl/certs/ca-certificates.crt /proxy.cacert --ro-bind /usr /usr --symlink ../proc/self/mounts /etc/mtab sh -c 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"' stat --file-system --format %T /home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu" returned non-zero exit code 1.
‣ + rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
‣ "bwrap --unshare-net --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 0 --unsetenv TMPDIR --dir /tmp --dir /var/tmp --unshare-ipc --dev /dev --symlink usr/bin /bin --symlink usr/sbin /sbin --symlink usr/lib /lib --symlink usr/lib64 /lib64 --setenv PATH /scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin --ro-bind /etc/alternatives /etc/alternatives --bind /home/talos/.cache/mkosi /home/talos/.cache/mkosi --ro-bind /etc/ssl/certs/ca-certificates.crt /proxy.cacert --ro-bind /usr /usr --symlink ../proc/self/mounts /etc/mtab sh -c 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"' rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu" returned non-zero exit code 1.
Traceback (most recent call last):
  File "/home/talos/mkosi/mkosi/__init__.py", line 3780, in setup_workspace
    yield Path(workspace)
  File "/home/talos/mkosi/mkosi/__init__.py", line 4676, in run_sync
    context = Context(
              ^^^^^^^^
  File "/home/talos/mkosi/mkosi/context.py", line 42, in __init__
    make_tree(
  File "/home/talos/mkosi/mkosi/tree.py", line 48, in make_tree
    if statfs(path.parent, sandbox=sandbox) != "btrfs":
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/talos/mkosi/mkosi/tree.py", line 21, in statfs
    return run(
           ^^^^
  File "/home/talos/mkosi/mkosi/run.py", line 150, in run
    with spawn(
  File "/usr/lib/python3.12/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/home/talos/mkosi/mkosi/run.py", line 265, in spawn
    raise subprocess.CalledProcessError(rc, prefix + cmdline)
subprocess.CalledProcessError: Command '['bwrap', '--unshare-net', '--die-with-parent', '--proc', '/proc', '--setenv', 'SYSTEMD_OFFLINE', '0', '--unsetenv', 'TMPDIR', '--dir', '/tmp', '--dir', '/var/tmp', '--unshare-ipc', '--dev', '/dev', '--symlink', 'usr/bin', '/bin', '--symlink', 'usr/sbin', '/sbin', '--symlink', 'usr/lib', '/lib', '--symlink', 'usr/lib64', '/lib64', '--setenv', 'PATH', '/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin', '--ro-bind', '/etc/alternatives', '/etc/alternatives', '--ro-bind', '/home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu', '/home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu', '--ro-bind', '/etc/ssl/certs/ca-certificates.crt', '/proxy.cacert', '--ro-bind', '/usr', '/usr', '--symlink', '../proc/self/mounts', '/etc/mtab', 'sh', '-c', 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"', 'stat', '--file-system', '--format', '%T', '/home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/talos/mkosi/mkosi/run.py", line 60, in uncaught_exception_handler
    yield
  File "/home/talos/mkosi/mkosi/run.py", line 101, in fork_and_wait
    target(*args, **kwargs)
  File "/home/talos/mkosi/mkosi/__init__.py", line 4672, in run_sync
    with (
  File "/usr/lib/python3.12/contextlib.py", line 158, in __exit__
    self.gen.throw(value)
  File "/home/talos/mkosi/mkosi/__init__.py", line 3771, in setup_workspace
    with contextlib.ExitStack() as stack:
  File "/usr/lib/python3.12/contextlib.py", line 610, in __exit__
    raise exc_details[1]
  File "/usr/lib/python3.12/contextlib.py", line 595, in __exit__
    if cb(*exc_details):
       ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/contextlib.py", line 478, in _exit_wrapper
    callback(*args, **kwds)
  File "/home/talos/mkosi/mkosi/__init__.py", line 3775, in <lambda>
    stack.callback(lambda: rmtree(workspace, sandbox=config.sandbox))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/talos/mkosi/mkosi/tree.py", line 163, in rmtree
    run(["rm", "-rf", "--", *filtered],
  File "/home/talos/mkosi/mkosi/run.py", line 150, in run
    with spawn(
  File "/usr/lib/python3.12/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/home/talos/mkosi/mkosi/run.py", line 265, in spawn
    raise subprocess.CalledProcessError(rc, prefix + cmdline)
subprocess.CalledProcessError: Command '['bwrap', '--unshare-net', '--die-with-parent', '--proc', '/proc', '--setenv', 'SYSTEMD_OFFLINE', '0', '--unsetenv', 'TMPDIR', '--dir', '/tmp', '--dir', '/var/tmp', '--unshare-ipc', '--dev', '/dev', '--symlink', 'usr/bin', '/bin', '--symlink', 'usr/sbin', '/sbin', '--symlink', 'usr/lib', '/lib', '--symlink', 'usr/lib64', '/lib64', '--setenv', 'PATH', '/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin', '--ro-bind', '/etc/alternatives', '/etc/alternatives', '--bind', '/home/talos/.cache/mkosi', '/home/talos/.cache/mkosi', '--ro-bind', '/etc/ssl/certs/ca-certificates.crt', '/proxy.cacert', '--ro-bind', '/usr', '/usr', '--symlink', '../proc/self/mounts', '/etc/mtab', 'sh', '-c', 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"', 'rm', '-rf', '--', '/home/talos/.cache/mkosi/mkosi-workspace-cvd2nguu']' returned non-zero exit status 1.
‣ + tput cnorm
‣ + tput smam

DaanDeMeyer commented 1 month ago

@gritelli What kind of sandbox are you running in? I'm guessing you're running from a container? Can you tell me a little more on how that container is set up?

DaanDeMeyer commented 1 month ago

The output of sudo aa-status would also help. Also, can you check if there are any messages in dmesg from apparmor and, if so, list them here?

gritelli commented 1 month ago

No, I'm not running it from a container. Just bare metal. Here is the output of sudo aa-status:

talos@talos-pc-001:~/Downloads$ sudo aa-status
apparmor module is loaded.
160 profiles are loaded.
62 profiles are in enforce mode.
   /snap/snapd/21465/usr/lib/snapd/snap-confine
   /snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/evince//snap_browsers
   /usr/bin/man
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   bwrap
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   plasmashell
   plasmashell//QtWebEngineProcess
   rsyslogd
   snap-update-ns.firefox
   snap-update-ns.firmware-updater
   snap-update-ns.snap-store
   snap-update-ns.snapd-desktop-integration
   snap-update-ns.thunderbird
   snap.firefox.firefox
   snap.firefox.geckodriver
   snap.firefox.hook.configure
   snap.firefox.hook.connect-plug-host-hunspell
   snap.firefox.hook.disconnect-plug-host-hunspell
   snap.firefox.hook.post-refresh
   snap.firmware-updater.firmware-notifier
   snap.firmware-updater.firmware-updater
   snap.firmware-updater.firmware-updater-app
   snap.firmware-updater.hook.configure
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snapd-desktop-integration.hook.configure
   snap.snapd-desktop-integration.snapd-desktop-integration
   snap.thunderbird.hook.configure
   snap.thunderbird.thunderbird
   tcpdump
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
   unix-chkpwd
   unpriv_bwrap
   unprivileged_userns
7 profiles are in complain mode.
   /usr/sbin/sssd
   libreoffice-oosplash
   libreoffice-soffice
   transmission-cli
   transmission-daemon
   transmission-gtk
   transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
91 profiles are in unconfined mode.
   1password
   Discord
   MongoDB Compass
   QtWebEngineProcess
   balena-etcher
   brave
   buildah
   busybox
   cam
   ch-checkns
   ch-run
   chrome
   crun
   devhelp
   element-desktop
   epiphany
   evolution
   firefox
   flatpak
   foliate
   geary
   github-desktop
   goldendict
   ipa_verify
   kchmviewer
   keybase
   lc-compliance
   libcamerify
   linux-sandbox
   loupe
   lxc-attach
   lxc-create
   lxc-destroy
   lxc-execute
   lxc-stop
   lxc-unshare
   lxc-usernsexec
   mmdebstrap
   msedge
   nautilus
   notepadqq
   obsidian
   opam
   opera
   pageedit
   podman
   polypane
   privacybrowser
   qcam
   qmapshack
   qutebrowser
   rootlesskit
   rpm
   rssguard
   runc
   sbuild
   sbuild-abort
   sbuild-adduser
   sbuild-apt
   sbuild-checkpackages
   sbuild-clean
   sbuild-createchroot
   sbuild-destroychroot
   sbuild-distupgrade
   sbuild-hold
   sbuild-shell
   sbuild-unhold
   sbuild-update
   sbuild-upgrade
   scide
   signal-desktop
   slack
   slirp4netns
   steam
   stress-ng
   surfshark
   systemd-coredump
   thunderbird
   toybox
   trinity
   tup
   tuxedo-control-center
   userbindmount
   uwsgi-core
   vdens
   virtiofsd
   vivaldi-bin
   vpnns
   vscode
   wike
   wpcom
16 processes have profiles defined.
15 processes are in enforce mode.
   /usr/sbin/cups-browsed (17163) 
   /usr/sbin/cupsd (17160) 
   /usr/sbin/rsyslogd (20748) rsyslogd
   /snap/firefox/4173/usr/lib/firefox/firefox (4976) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (5199) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (5287) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (5312) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (5867) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (6034) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (6052) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (33932) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (33935) snap.firefox.firefox
   /snap/firefox/4173/usr/lib/firefox/firefox (33993) snap.firefox.firefox
   /snap/snapd-desktop-integration/157/usr/bin/snapd-desktop-integration (3869) snap.snapd-desktop-integration.snapd-desktop-integration
   /snap/snapd-desktop-integration/157/usr/bin/snapd-desktop-integration (4034) snap.snapd-desktop-integration.snapd-desktop-integration
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/nautilus (6660) nautilus
0 processes are in mixed mode.

and I do see something about apparmor in dmesg:

[ 1601.290027] audit: type=1400 audit(1721133496.275:451): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=29517 comm="cp" capability=2  capname="dac_read_search"
[ 1601.290033] audit: type=1400 audit(1721133496.275:452): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=29517 comm="cp" capability=1  capname="dac_override"
[ 1601.403898] audit: type=1400 audit(1721133496.389:453): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=29537 comm="rm" capability=1  capname="dac_override"
[ 1874.919171] audit: type=1107 audit(1721133769.930:454): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.200" pid=4976 label="snap.firefox.firefox" peer_pid=29680 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 1875.059904] audit: type=1400 audit(1721133770.072:455): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=29688 comm="python3" requested="userns_create" target="unprivileged_userns"
[ 1975.811458] audit: type=1107 audit(1721133870.828:456): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.205" pid=4976 label="snap.firefox.firefox" peer_pid=29746 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 1975.933683] audit: type=1400 audit(1721133870.950:457): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=29754 comm="python3" requested="userns_create" target="unprivileged_userns"
[ 2026.717888] audit: type=1107 audit(1721133921.735:458): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.210" pid=4976 label="snap.firefox.firefox" peer_pid=30186 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2176.579094] audit: type=1107 audit(1721134071.602:459): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.215" pid=4976 label="snap.firefox.firefox" peer_pid=30567 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2178.176090] audit: type=1400 audit(1721134073.199:460): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=30844 comm="cp" capability=2  capname="dac_read_search"
[ 2178.176098] audit: type=1400 audit(1721134073.199:461): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=30844 comm="cp" capability=1  capname="dac_override"
[ 2210.352362] audit: type=1107 audit(1721134105.378:462): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.220" pid=4976 label="snap.firefox.firefox" peer_pid=30899 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2211.721294] audit: type=1400 audit(1721134106.747:463): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=31175 comm="cp" capability=2  capname="dac_read_search"
[ 2211.721298] audit: type=1400 audit(1721134106.747:464): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=31175 comm="cp" capability=1  capname="dac_override"
[ 2308.778232] audit: type=1107 audit(1721134203.809:465): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.225" pid=4976 label="snap.firefox.firefox" peer_pid=31256 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2310.027294] audit: type=1400 audit(1721134205.058:466): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=31532 comm="cp" capability=2  capname="dac_read_search"
[ 2310.027298] audit: type=1400 audit(1721134205.058:467): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=31532 comm="cp" capability=1  capname="dac_override"
[ 2385.472358] audit: type=1107 audit(1721134280.508:468): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.232" pid=4976 label="snap.firefox.firefox" peer_pid=31622 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2711.761466] audit: type=1107 audit(1721134606.821:469): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" name=":1.13" mask="receive" pid=4976 label="snap.firefox.firefox" peer_pid=1163 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2718.569002] audit: type=1107 audit(1721134613.631:470): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" name=":1.13" mask="receive" pid=4976 label="snap.firefox.firefox" peer_pid=1163 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2860.282776] audit: type=1107 audit(1721134755.355:471): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" name=":1.13" mask="receive" pid=4976 label="snap.firefox.firefox" peer_pid=1163 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2862.749818] audit: type=1107 audit(1721134757.822:472): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" name=":1.13" mask="receive" pid=4976 label="snap.firefox.firefox" peer_pid=1163 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2953.067012] audit: type=1400 audit(1721134848.148:473): apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=33316 comm="snap-confine" capability=12  capname="net_admin"
[ 2953.067020] audit: type=1400 audit(1721134848.148:474): apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=33316 comm="snap-confine" capability=38  capname="perfmon"
[ 2953.071448] audit: type=1400 audit(1721134848.152:475): apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.firmware-updater" name="/proc/33332/maps" pid=33332 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 2953.270576] audit: type=1400 audit(1721134848.351:476): apparmor="DENIED" operation="open" class="file" profile="snap.firmware-updater.firmware-notifier" name="/proc/sys/vm/max_map_count" pid=33316 comm="firmware-notifi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 2956.274132] audit: type=1107 audit(1721134851.354:477): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.246" pid=4976 label="snap.firefox.firefox" peer_pid=33461 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 2956.326636] audit: type=1400 audit(1721134851.406:478): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=33464 comm="mkosi" requested="userns_create" target="unprivileged_userns"
[ 2973.052749] audit: type=1400 audit(1721134868.133:479): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=33788 comm="cp" capability=2  capname="dac_read_search"
[ 2973.052754] audit: type=1400 audit(1721134868.133:480): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=33788 comm="cp" capability=1  capname="dac_override"
[ 2989.960347] audit: type=1400 audit(1721134885.041:481): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=33835 comm="mkosi" requested="userns_create" target="unprivileged_userns"
[ 3177.297788] audit: type=1107 audit(1721135072.380:482): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.262" pid=4976 label="snap.firefox.firefox" peer_pid=34046 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 3177.353607] audit: type=1400 audit(1721135072.435:483): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=34049 comm="mkosi" requested="userns_create" target="unprivileged_userns"
[ 3242.188437] audit: type=1107 audit(1721135137.273:484): pid=1143 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.265" pid=4976 label="snap.firefox.firefox" peer_pid=34103 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
[ 3244.020308] audit: type=1400 audit(1721135139.105:485): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=34382 comm="cp" capability=2  capname="dac_read_search"
[ 3244.020325] audit: type=1400 audit(1721135139.105:486): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=34382 comm="cp" capability=1  capname="dac_override"
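
The denials relevant to the failing `cp` are buried among unrelated snap and D-Bus records in the log above. As an added example (not part of the issue or of mkosi), the script below parses kernel AppArmor records (`type=1400`) and groups denied capability checks by profile, command and capability; the function names are hypothetical and the sample lines are copied from this thread's dmesg output.

```python
import re
from collections import Counter

# Sample input: four records copied from the dmesg excerpt in this thread.
SAMPLE = """\
[ 2956.326636] audit: type=1400 audit(1721134851.406:478): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=33464 comm="mkosi" requested="userns_create" target="unprivileged_userns"
[ 2973.052749] audit: type=1400 audit(1721134868.133:479): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=33788 comm="cp" capability=2  capname="dac_read_search"
[ 2973.052754] audit: type=1400 audit(1721134868.133:480): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=33788 comm="cp" capability=1  capname="dac_override"
[ 2953.067012] audit: type=1400 audit(1721134848.148:473): apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=33316 comm="snap-confine" capability=12  capname="net_admin"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of a kernel AppArmor record (type=1400), else None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None  # e.g. type=1107 D-Bus mediation records are skipped
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def capability_denials(text, comm=None):
    """Count DENIED capability checks per (profile, comm, capname)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "capable":
            continue
        if comm and rec.get("comm") != comm:
            continue
        hits[(rec["profile"], rec["comm"], rec["capname"])] += 1
    return hits


def userns_transitions(text):
    """List (comm, source profile, target profile) for userns_create events."""
    records = filter(None, map(parse_record, text.splitlines()))
    return [(r["comm"], r["profile"], r.get("target"))
            for r in records if r.get("operation") == "userns_create"]


if __name__ == "__main__":
    for comm, src, dst in userns_transitions(SAMPLE):
        print(f"{comm}: profile {src} -> {dst} on user namespace creation")
    for (profile, comm, cap), n in sorted(capability_denials(SAMPLE, comm="cp").items()):
        print(f"{n}x {comm} denied CAP_{cap.upper()} under profile {profile}")
```

Filtering on `comm="cp"` leaves only the `unpriv_bwrap` denials of `dac_read_search` and `dac_override`, the capabilities that let a process bypass file permission checks.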

DaanDeMeyer commented 1 month ago

You can try running:

sudo systemctl stop apparmor.service

and see if the problem still happens

gritelli commented 1 month ago

That didn't work:

talos@talos-pc-001:~/Downloads$ sudo systemctl stop apparmor.service
talos@talos-pc-001:~/Downloads$ sudo ./mkosi/bin/mkosi --tools-tree --debug build
‣ + timedatectl show -p Timezone --value
‣ + timedatectl show -p Timezone --value
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/grub.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/systemd-boot.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/ubuntu-keyring.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/virtiofsd.conf
‣ + timedatectl show -p Timezone --value
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/grub.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/systemd-boot.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/ubuntu-keyring.conf
‣ Including configuration file /tmp/tmpzb42pzxw/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/virtiofsd.conf
‣ + timedatectl show -p Timezone --value
‣ + stat --file-system --format %T /home/talos/.cache/mkosi/mkosi-workspace-oc4_p8ny
‣ Syncing package manager metadata for ubuntu-tools image
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ + apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Acquire::AllowReleaseInfoChange=true -o Dir::Cache=/var/cache/apt -o Dir::State=/var/lib/apt -o Dir::Log=/var/log/apt -o Dir::State::Status=/buildroot/var/lib/dpkg/status -o Dir::Bin::DPkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/buildroot -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o DPkg::Options::=--no-debsig -o DPkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu noble-security InRelease
Reading package lists... Done
‣ + rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-oc4_p8ny
‣ + mount --make-rslave /
‣ + mount --rbind /etc /etc --options ro,nosuid,nodev,noexec
‣ + mount --rbind /opt /opt --options ro
‣ + mount --rbind /boot /boot --options ro,nosuid,nodev,noexec
‣ + mount --rbind /media /media --options ro,nosuid,nodev,noexec
‣ + mount --rbind /usr /usr --options ro
‣ Building ubuntu-tools image
‣ + stat --file-system --format %T /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt
‣ Acquiring lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ Acquired lock on /home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt
‣ + cp --version
‣ + cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt' /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/root/var/cache/apt --no-target-directory
‣ + cp --version
‣ + cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/root/var/lib/apt --no-target-directory
cp: cannot access '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt/lists/partial': Permission denied
‣ "bwrap --unshare-net --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 0 --unsetenv TMPDIR --dir /tmp --dir /var/tmp --unshare-ipc --dev /dev --symlink usr/bin /bin --symlink usr/sbin /sbin --symlink usr/lib /lib --symlink usr/lib64 /lib64 --setenv PATH /scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin --uid 0 --gid 0 --cap-add ALL --bind /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/pkgmngr/etc /etc --ro-bind /etc/alternatives /etc/alternatives --bind /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/root/var/lib /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/root/var/lib --ro-bind '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' --ro-bind /etc/ssl/certs/ca-certificates.crt /proxy.cacert --ro-bind /usr /usr --bind /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/pkgmngr/var/log /var/log sh -c 'chmod 1777 /tmp && chmod 1777 /dev/shm && chmod 755 /etc && exec $0 "$@"' cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/root/var/lib/apt --no-target-directory" returned non-zero exit code 1.
‣ + rm -rf -- /home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k
‣  (Fixing ownership of package manager cache directory)
‣ + chown --recursive 1000:1000 '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/cache/apt'
‣ + chown --recursive 1000:1000 '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt'
Traceback (most recent call last):
  File "/home/talos/Downloads/mkosi/mkosi/run.py", line 60, in uncaught_exception_handler
    yield
  File "/home/talos/Downloads/mkosi/mkosi/run.py", line 101, in fork_and_wait
    target(*args, **kwargs)
  File "/home/talos/Downloads/mkosi/mkosi/__init__.py", line 4747, in run_build
    build_image(Context(args, config, workspace=workspace, resources=resources, package_dir=package_dir))
  File "/home/talos/Downloads/mkosi/mkosi/__init__.py", line 3888, in build_image
    copy_repository_metadata(context)
  File "/home/talos/Downloads/mkosi/mkosi/__init__.py", line 3849, in copy_repository_metadata
    copy_tree(
  File "/home/talos/Downloads/mkosi/mkosi/tree.py", line 124, in copy_tree
    run(copy, sandbox=sandbox(binary="cp", mounts=mounts))
  File "/home/talos/Downloads/mkosi/mkosi/run.py", line 150, in run
    with spawn(
  File "/usr/lib/python3.12/contextlib.py", line 144, in __exit__
    next(self.gen)
  File "/home/talos/Downloads/mkosi/mkosi/run.py", line 352, in spawn
    raise subprocess.CalledProcessError(returncode, cmdline)
subprocess.CalledProcessError: Command '['cp', '--recursive', '--no-dereference', '--preserve=mode,links', '--reflink=auto', '--copy-contents', '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt', '/home/talos/.cache/mkosi/mkosi-workspace-b1pvmy2k/root/var/lib/apt', '--no-target-directory']' returned non-zero exit status 1.
‣ + tput cnorm
‣ + tput smam

gritelli commented 1 month ago

@DaanDeMeyer should I just try to run it from a container and share the Dockerfile here so you can reproduce the issue?

DaanDeMeyer commented 1 month ago

@gritelli I think a container will be sufficiently different from your bare-metal system that it might not reproduce. I've been trying all kinds of things in an Ubuntu Noble virtual machine but I just cannot seem to reproduce the issue.

You can try to debug the issue yourself by trying to run cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' abc --no-target-directory yourself as root and seeing if that still fails.

septatrix commented 1 month ago

I am not sure if this is related, but Ubuntu rolled out new apparmor profiles a few days ago which broke bubblewrap. You could update your system and check that your apparmor version is 4.0.1really4.0.0-beta3-0ubuntu0.1, which rolled back that change, to make sure that it is not the cause.

gritelli commented 1 month ago

@DaanDeMeyer I tried the cp command and it was successful with and without sudo:

talos@talos-pc-001:~/Downloads$ sudo cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' abc --no-target-directory
talos@talos-pc-001:~/Downloads$ cp --recursive --no-dereference --preserve=mode,links --reflink=auto --copy-contents '/home/talos/.cache/mkosi/ubuntu~noble~x86-64/lib/apt' abc --no-target-directory

@septatrix I also updated AppArmor but I'm getting the same permission error:

talos@talos-pc-001:~/Downloads$ apt list --installed | grep apparmor
apparmor/noble-updates,now 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 [installed,automatic]
libapparmor1/noble-updates,now 4.0.1really4.0.0-beta3-0ubuntu0.1 amd64 [installed,automatic]

@DaanDeMeyer while I'd love to figure out this problem, I really just need mkosi to run. Is there any way you could share your VM setup so I can reproduce a working environment?

DaanDeMeyer commented 1 month ago

@gritelli I use mkosi to build the VM :p so I'm afraid that won't work for you.