selinux error in lxd/lxc: Could not create dir /var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux. Error: [Errno 30] Read-only file system
Short description of the problem
If I start mock in an lxc or lxd container (rocky9/8, centos8/9), I get the error 'Could not create dir /var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux. Error: [Errno 30] Read-only file system'.
Currently the only way to work around this problem is to install and configure selinux on the host system (which is Debian 12). Then the problem is gone, but I do not want that. Selinux is not working well on Debian; it pollutes all logs and slows down the system.
I found the old issue 258, which is similar but was not inside a container...
Output of rpm -q mock
mock-5.5-1.el9.noarch
Steps to reproduce issue
- Try to build rpm using mock inside lxc or lxd container with CentOS 8/9 or Rocky 8/9 inside Debian 12
mock --rebuild packagename.el9.src.rpm
ERROR: Could not create dir /var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux. Error: [Errno 30] Read-only file system: '/var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux'
Full error message
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/mockbuild/file_util.py", line 20, in mkdirIfAbsent
os.makedirs(dirName)
File "/usr/lib64/python3.9/os.py", line 225, in makedirs
mkdir(name, mode)
OSError: [Errno 30] Read-only file system: '/var/lib/mock/rocky+epel-9-x86_64-bootstrap/root/sys/fs/selinux'
Any additional notes
Output of `mock --debug-config`
You need to have the rights for mounting in the container (typically CAP_SYS_ADMIN); then you can use Mock properly. I don't know how to achieve this using lxc/lxd; we have this doc file and would appreciate your help if you can provide better guidance.
What I typically do is, as a non-root user, podman run --rm -ti --privileged ...
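A small diagnostic for the two conditions raised in this exchange: whether the process actually holds CAP_SYS_ADMIN, and whether any sysfs mount (including the one visible under the bootstrap chroot's sys directory) is read-only, which is what errno 30 points at. This is an added example, not mock's code or anything posted in the thread; the /proc interfaces and the capability bit are standard Linux, the function names are mine.

```python
CAP_SYS_ADMIN = 21  # bit number of CAP_SYS_ADMIN in linux/capability.h


def has_cap_sys_admin(status_text: str) -> bool:
    """Return True if the CapEff mask in /proc/self/status text has CAP_SYS_ADMIN set."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            cap_eff = int(line.split(":", 1)[1].strip(), 16)
            return bool(cap_eff & (1 << CAP_SYS_ADMIN))
    return False


def readonly_sysfs_mounts(mountinfo_text: str) -> list:
    """Return mount points of sysfs mounts that are read-only (per-mount or superblock)."""
    found = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue  # malformed line, skip it
        sep = fields.index("-")
        mount_point, mount_opts = fields[4], fields[5].split(",")
        fstype = fields[sep + 1]
        super_opts = fields[sep + 3].split(",") if len(fields) > sep + 3 else []
        # errno 30 (EROFS) is returned by the VFS for mkdir on a read-only mount,
        # so a sysfs mount carrying 'ro' here is a candidate source of the error above
        if fstype == "sysfs" and ("ro" in mount_opts or "ro" in super_opts):
            found.append(mount_point)
    return found


def diagnose() -> dict:
    """Read the live /proc files and summarise both conditions for this process."""
    with open("/proc/self/status") as f:
        cap_ok = has_cap_sys_admin(f.read())
    with open("/proc/self/mountinfo") as f:
        ro_sysfs = readonly_sysfs_mounts(f.read())
    return {"cap_sys_admin": cap_ok, "readonly_sysfs": ro_sysfs}


if __name__ == "__main__":
    result = diagnose()
    print("CAP_SYS_ADMIN in effective set:", result["cap_sys_admin"])
    print("read-only sysfs mounts:", result["readonly_sysfs"] or "none")
```

Run it inside the container as the user who invokes mock; a bootstrap-root sys path in the read-only list means the chroot inherited a read-only sysfs regardless of whether the capability is present.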
- The problem is not that the container has no right to mount, since I get the same error for both privileged and unprivileged containers. The problem is only gone if I install and configure selinux on the host.
- Why would mock need to mount /sys/fs/selinux in the container at all? That looks completely wrong to me. Can you explain that?