Make the /proc and /sys %ghost

When working in rootless container environment with user namespaces, those directories are pre-populated by the container runtime as bind-mounts from host. Such bind-mounts though naturally inherit ownership/permissions from the host's filesystem.rpm, and non-privileged "root" inside container can not be allowed to touch files owned by host's UID=0. Those directories are then shown as owned by 'nobody:nobody'. When filesystem.rpm holds those /proc and /sys in payload, rpm tries to re-chown the file to root:root on every package update transaction. This operation can not succeed because 'root:root' inside container maps to some large UID/GID on host -- and so the RPM transaction fails. As a workaround (there's no better way currently), remove /proc and /sys from the packaged payload, mark those directories %ghost and create them by scriptlet. Resolves: rhbz#1548403 Version: 3.14-4
2020-08-07 09:58:37 +02:00 · 2020-08-07 09:58:37 +02:00 · bceee1afe1
commit bceee1afe1
parent b42fd207a1
1 changed files with 12 additions and 4 deletions
--- a/filesystem.spec
+++ b/filesystem.spec
@ -1,7 +1,7 @@
 Summary: The basic directory layout for a Linux system
 Name: filesystem
 Version: 3.14
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 URL: https://pagure.io/filesystem
 Group: System Environment/Base
@ -50,7 +50,7 @@ cd %{buildroot}

 mkdir -p afs boot dev \
        etc/{X11/{applnk,fontpath.d,xinit/{xinitrc,xinput}.d},xdg/autostart,opt,pm/{config.d,power.d,sleep.d},skel,sysconfig,pki,bash_completion.d,rwtab.d,statetab.d} \
-        home media mnt opt proc root run srv sys tmp \
+        home media mnt opt root run srv tmp \
        usr/{bin,games,include,%{_lib}/{bpf,games,X11,pm-utils/{module.d,power.d,sleep.d}},lib/{debug/{.dwz,usr},games,locale,modules,sysimage},libexec,local/{bin,etc,games,lib,%{_lib}/bpf,sbin,src,share/{applications,man/man{1,2,3,4,5,6,7,8,9,n,1x,2x,3x,4x,5x,6x,7x,8x,9x},info},libexec,include,},sbin,share/{aclocal,appdata,applications,augeas/lenses,backgrounds,bash-completion{,/completions,/helpers},desktop-directories,dict,doc,empty,games,gnome,help,icons,idl,info,licenses,man/man{1,2,3,4,5,6,7,8,9,n,1x,2x,3x,4x,5x,6x,7x,8x,9x,0p,1p,3p},metainfo,mime-info,misc,omf,pixmaps,sounds,themes,xsessions,X11,wayland-sessions},src,src/kernels,src/debug} \
        var/{adm,empty,ftp,lib/{games,misc,rpm-state},local,log,nis,preserve,spool/{mail,lpd},tmp,db,cache/bpf,opt,games,yp}

@ -158,6 +158,10 @@ posix.symlink("../.dwz", "/usr/lib/debug/usr/.dwz")
 posix.symlink("usr/sbin", "/usr/lib/debug/sbin")
 posix.symlink("usr/%{_lib}", "/%{_lib}")
 posix.mkdir("/run")
+posix.mkdir("/proc")
+posix.mkdir("/sys")
+posix.chmod("/proc", 0555)
+posix.chmod("/sys", 0555)
 st = posix.stat("/media")
 if st and st.type == "link" then
  os.remove("/media")
@ -213,12 +217,12 @@ restorecon /afs 2>/dev/null >/dev/null || :
 /media
 %dir /mnt
 %dir /opt
-%attr(555,root,root) /proc
+%ghost %attr(555,root,root) /proc
 %attr(550,root,root) /root
 /run
 /sbin
 /srv
-%attr(555,root,root) /sys
+%ghost %attr(555,root,root) /sys
 %attr(1777,root,root) /tmp
 %dir /usr
 %attr(555,root,root) /usr/bin
@ -309,6 +313,10 @@ restorecon /afs 2>/dev/null >/dev/null || :
 /var/yp

 %changelog
+* Fri Aug 07 2020 Pavel Raiskup <praiskup@redhat.com> - 3.14-4
+- /proc and /sys made %%ghost to allow filesystem package updates in rootless
+  container environments (rhbz#1548403)
+
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild