Make the /proc and /sys %ghost
When working in a rootless container environment with user namespaces, those directories are pre-populated by the container runtime as bind-mounts from the host. Such bind-mounts naturally inherit ownership/permissions from the host's filesystem.rpm, and the non-privileged "root" inside the container cannot be allowed to touch files owned by the host's UID=0. Those directories are then shown as owned by 'nobody:nobody'. When filesystem.rpm holds /proc and /sys in its payload, rpm tries to re-chown them to root:root on every package update transaction. This operation cannot succeed because 'root:root' inside the container maps to some large UID/GID on the host -- and so the RPM transaction fails. As a workaround (there's no better way currently), remove /proc and /sys from the packaged payload, mark those directories %ghost and create them by scriptlet. Resolves: rhbz#1548403 Version: 3.14-4
This commit is contained in:
parent
b42fd207a1
commit
bceee1afe1
@ -1,7 +1,7 @@
|
|||||||
Summary: The basic directory layout for a Linux system
|
Summary: The basic directory layout for a Linux system
|
||||||
Name: filesystem
|
Name: filesystem
|
||||||
Version: 3.14
|
Version: 3.14
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: Public Domain
|
License: Public Domain
|
||||||
URL: https://pagure.io/filesystem
|
URL: https://pagure.io/filesystem
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -50,7 +50,7 @@ cd %{buildroot}
|
|||||||
|
|
||||||
mkdir -p afs boot dev \
|
mkdir -p afs boot dev \
|
||||||
etc/{X11/{applnk,fontpath.d,xinit/{xinitrc,xinput}.d},xdg/autostart,opt,pm/{config.d,power.d,sleep.d},skel,sysconfig,pki,bash_completion.d,rwtab.d,statetab.d} \
|
etc/{X11/{applnk,fontpath.d,xinit/{xinitrc,xinput}.d},xdg/autostart,opt,pm/{config.d,power.d,sleep.d},skel,sysconfig,pki,bash_completion.d,rwtab.d,statetab.d} \
|
||||||
home media mnt opt proc root run srv sys tmp \
|
home media mnt opt root run srv tmp \
|
||||||
usr/{bin,games,include,%{_lib}/{bpf,games,X11,pm-utils/{module.d,power.d,sleep.d}},lib/{debug/{.dwz,usr},games,locale,modules,sysimage},libexec,local/{bin,etc,games,lib,%{_lib}/bpf,sbin,src,share/{applications,man/man{1,2,3,4,5,6,7,8,9,n,1x,2x,3x,4x,5x,6x,7x,8x,9x},info},libexec,include,},sbin,share/{aclocal,appdata,applications,augeas/lenses,backgrounds,bash-completion{,/completions,/helpers},desktop-directories,dict,doc,empty,games,gnome,help,icons,idl,info,licenses,man/man{1,2,3,4,5,6,7,8,9,n,1x,2x,3x,4x,5x,6x,7x,8x,9x,0p,1p,3p},metainfo,mime-info,misc,omf,pixmaps,sounds,themes,xsessions,X11,wayland-sessions},src,src/kernels,src/debug} \
|
usr/{bin,games,include,%{_lib}/{bpf,games,X11,pm-utils/{module.d,power.d,sleep.d}},lib/{debug/{.dwz,usr},games,locale,modules,sysimage},libexec,local/{bin,etc,games,lib,%{_lib}/bpf,sbin,src,share/{applications,man/man{1,2,3,4,5,6,7,8,9,n,1x,2x,3x,4x,5x,6x,7x,8x,9x},info},libexec,include,},sbin,share/{aclocal,appdata,applications,augeas/lenses,backgrounds,bash-completion{,/completions,/helpers},desktop-directories,dict,doc,empty,games,gnome,help,icons,idl,info,licenses,man/man{1,2,3,4,5,6,7,8,9,n,1x,2x,3x,4x,5x,6x,7x,8x,9x,0p,1p,3p},metainfo,mime-info,misc,omf,pixmaps,sounds,themes,xsessions,X11,wayland-sessions},src,src/kernels,src/debug} \
|
||||||
var/{adm,empty,ftp,lib/{games,misc,rpm-state},local,log,nis,preserve,spool/{mail,lpd},tmp,db,cache/bpf,opt,games,yp}
|
var/{adm,empty,ftp,lib/{games,misc,rpm-state},local,log,nis,preserve,spool/{mail,lpd},tmp,db,cache/bpf,opt,games,yp}
|
||||||
|
|
||||||
@ -158,6 +158,10 @@ posix.symlink("../.dwz", "/usr/lib/debug/usr/.dwz")
|
|||||||
posix.symlink("usr/sbin", "/usr/lib/debug/sbin")
|
posix.symlink("usr/sbin", "/usr/lib/debug/sbin")
|
||||||
posix.symlink("usr/%{_lib}", "/%{_lib}")
|
posix.symlink("usr/%{_lib}", "/%{_lib}")
|
||||||
posix.mkdir("/run")
|
posix.mkdir("/run")
|
||||||
|
posix.mkdir("/proc")
|
||||||
|
posix.mkdir("/sys")
|
||||||
|
posix.chmod("/proc", 0555)
|
||||||
|
posix.chmod("/sys", 0555)
|
||||||
st = posix.stat("/media")
|
st = posix.stat("/media")
|
||||||
if st and st.type == "link" then
|
if st and st.type == "link" then
|
||||||
os.remove("/media")
|
os.remove("/media")
|
||||||
@ -213,12 +217,12 @@ restorecon /afs 2>/dev/null >/dev/null || :
|
|||||||
/media
|
/media
|
||||||
%dir /mnt
|
%dir /mnt
|
||||||
%dir /opt
|
%dir /opt
|
||||||
%attr(555,root,root) /proc
|
%ghost %attr(555,root,root) /proc
|
||||||
%attr(550,root,root) /root
|
%attr(550,root,root) /root
|
||||||
/run
|
/run
|
||||||
/sbin
|
/sbin
|
||||||
/srv
|
/srv
|
||||||
%attr(555,root,root) /sys
|
%ghost %attr(555,root,root) /sys
|
||||||
%attr(1777,root,root) /tmp
|
%attr(1777,root,root) /tmp
|
||||||
%dir /usr
|
%dir /usr
|
||||||
%attr(555,root,root) /usr/bin
|
%attr(555,root,root) /usr/bin
|
||||||
@ -309,6 +313,10 @@ restorecon /afs 2>/dev/null >/dev/null || :
|
|||||||
/var/yp
|
/var/yp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 07 2020 Pavel Raiskup <praiskup@redhat.com> - 3.14-4
|
||||||
|
- /proc and /sys made %%ghost to allow filesystem package updates in rootless
|
||||||
|
container environments (rhbz#1548403)
|
||||||
|
|
||||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14-3
|
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
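Review bot: The Lua scriptlet lines added in the `@ -158,6 +158,10` hunk ignore the results of `posix.mkdir` and `posix.chmod`, so a failed mkdir or an EPERM from chmod on a host-owned, pre-mounted /proc or /sys (the rootless case the commit describes) passes silently, and on a regular host a /proc or /sys left missing or with the wrong mode is no longer reported by the transaction either, since rpm no longer owns those entries once they are %%ghost. If that best-effort behaviour is intended, state it next to the new lines, e.g. `-- /proc and /sys are %%ghost: created here best-effort; mkdir/chmod may fail on a pre-mounted, host-owned mountpoint and that is acceptable`. Note also that Lua has no octal literals, so `0555` is the decimal number 555; it only yields mode r-xr-xr-x if rpm's posix.chmod stringifies the argument and parses it as octal, which appears to be the case in practice but deserves a comment or an explicit string argument. The enclosing scriptlet (presumably %pretrans) starts outside the hunk.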