Bug#1031222: mounting /proc silently fails and thus systemd-tmpfiles is skipped with unshared mount namespace on privileged docker (like salsaci)
Package: debootstrap
Version: 1.0.128+nmu2
Severity: normal
Tags: patch
Control: affects -1 + mmdebstrap
Hi,
steps to reproduce:
runuser -u debci -- mmdebstrap --variant=custom --mode=unshare --setup-hook='container=lxc debootstrap unstable "$1"' - chroot.tar
Run this inside a privileged docker container (like in a salsaci autopkgtest)
and observe how the following files are missing from chroot.tar:
/etc/mtab
/root/.ssh
/run/lock/subsys
/var/cache/private
/var/lib/private
/var/lib/systemd/coredump
/var/lib/systemd/pstore
/var/log/README
/var/log/private
All of these would be created by systemd-tmpfiles. They are not created because
(after setting SYSTEMD_LOG_LEVEL=debug):
/proc/ is not mounted, but required for successful operation of systemd-tmpfiles. Please mount /proc/. Alternatively, consider using the --root= or --image= switches.
This is because debootstrap runs "mount -t proc proc /proc". This does not work
inside an unshared mount namespace inside privileged docker (like salsaci). See
this other bug for a handy table about how to mount /proc:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030625#16
As shown in that table, this can be resolved by falling back to bind-mounting
/proc if mounting it normally didn't work. I implemented that in this merge request:
https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/91
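The fallback described above, as an added shell example that is not debootstrap's own code nor the merge request's; MOUNT_CMD is a hypothetical hook (defaulting to mount(8)) so the decision logic can be exercised without root:

```shell
#!/bin/sh
# Added example, not debootstrap's own code: mount procfs into a chroot and
# fall back to bind-mounting the host's /proc when a fresh "mount -t proc"
# is refused (as happens in an unshared mount namespace inside privileged
# docker). MOUNT_CMD is a hypothetical hook, defaulting to mount(8), so the
# logic can be exercised without root.
: "${MOUNT_CMD:=mount}"

# Usage: mount_proc_with_fallback CHROOT_DIR
# Prints "proc" (fresh procfs), "bind" (bind mount of host /proc) or "none".
# Returns non-zero only when both attempts fail, so the caller can stop
# loudly instead of silently skipping systemd-tmpfiles.
mount_proc_with_fallback() {
    target="$1/proc"
    mkdir -p "$target" || return 1
    if "$MOUNT_CMD" -t proc proc "$target"; then
        echo proc
        return 0
    fi
    echo "mount -t proc failed, falling back to bind mount of /proc" >&2
    if "$MOUNT_CMD" --bind /proc "$target"; then
        echo bind
        return 0
    fi
    echo none
    return 1
}
```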
Thanks!
cheers, josch