Bug 627374 - sys-apps/portage: native-extensions optimized copyfile failed with EPERM inside docker container with overlay2
Status: UNCONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Duplicates: 645462
Blocks: 635020
Reported: 2017-08-09 07:31 UTC by Harry Lee
Modified: 2019-01-04 01:28 UTC

Attachments
file copy error when emerge in a docker container (file_copy_error.txt,3.68 KB, text/plain)
2017-08-09 07:31 UTC, Harry Lee

Description Harry Lee 2017-08-09 07:31:21 UTC
Created attachment 488378 [details]
file copy error when emerge in a docker container

The optimized copyfile was introduced by [8ab5c88](https://github.com/gentoo/portage/commit/8ab5c8835931fd9ec098dbf4c5f416eb32e4a3a4#diff-477fdccf8e17062916b5e671ab688ed6R297), but it will cause an error when I do emerge in a docker container.

Like below (see the attachment for the full output):

```
!!! copy /usr/portage/packages/net-misc/curl-7.54.1.tbz2.partial -> /usr/portage/packages/net-misc/curl-7.54.1.tbz2 failed.
!!! [Errno 1] Operation not permitted
```
Comment 1 Harry Lee 2017-08-09 07:33:13 UTC
docker version app-emulation/docker-17.04.9,
`--storage-driver=overlay2` enabled for docker daemon.
Comment 2 Zac Medico gentoo-dev 2017-08-09 07:46:34 UTC
We've experienced this EPERM problem at my workplace with docker-1.10.x. Through experimentation, I found that the problem was suppressed by adding --security-opt seccomp:unconfined to the docker run options (--privileged also worked). There's some related documentation available here:

https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

In docker-1.13.x, the default seccomp configuration has been adjusted such that this problem no longer exists, so you won't need any special options to avoid the EPERM error. With docker-1.12.x, you'll want to use --cap-add SYS_PTRACE in order for sandbox to work correctly.
Comment 3 Zac Medico gentoo-dev 2017-08-09 07:50:28 UTC
If you need a workaround for older versions of docker, you can use a package.use setting like this:

sys-apps/portage -native-extensions

And remove these files if the currently installed portage is not working:

rm /usr/lib64/python*/site-packages/portage/util/file_copy/reflink_linux*
Comment 4 Zac Medico gentoo-dev 2017-08-09 07:53:49 UTC
(In reply to Harry Lee from comment #1)
> docker version app-emulation/docker-17.04.9,
> `--storage-driver=overlay2` enabled for docker daemon.

Oh, I assumed you had an older docker. Anyway, does --security-opt seccomp:unconfined help?
Comment 5 Harry Lee 2017-08-09 09:16:56 UTC
(In reply to Zac Medico from comment #4)
> (In reply to Harry Lee from comment #1)
> > docker version app-emulation/docker-17.04.9,
> > `--storage-driver=overlay2` enabled for docker daemon.
> 
> Oh, I assumed you had an older docker. Anyway, does --security-opt
> seccomp:unconfined help?

Yes, adding `--security-opt seccomp:unconfined` helped. But only adding `--cap-add SYS_PTRACE` seems not enough; do you know which capability should also be enabled?

And using -native-extensions seems not good enough, because there are other C extensions like libc tolower/toupper?
Comment 6 Zac Medico gentoo-dev 2018-01-23 18:50:06 UTC
*** Bug 645462 has been marked as a duplicate of this bug. ***
Comment 7 Zac Medico gentoo-dev 2019-01-04 01:28:24 UTC
(In reply to Harry Lee from comment #5)
> (In reply to Zac Medico from comment #4)
> > (In reply to Harry Lee from comment #1)
> > > docker version app-emulation/docker-17.04.9,
> > > `--storage-driver=overlay2` enabled for docker daemon.
> > 
> > Oh, I assumed you had an older docker. Anyway, does --security-opt
> > seccomp:unconfined help?
> 
> Yes, adding `--security-opt seccomp:unconfined` helped. But only adding
> `--cap-add SYS_PTRACE` seems not enough; do you know which capability should
> also be enabled?

`--security-opt seccomp:unconfined` is intended to solve the "operation not permitted" (EPERM) error for copying files.

`--cap-add SYS_PTRACE` is intended to suppress sandbox problems involving ptrace, and if there are no error messages about ptrace then it's working.

If you have an error that still occurs with these settings, what is the specific error?

> And using -native-extensions seems not good enough, because there are other C
> extensions like libc tolower/toupper?

Those extensions are not really essential. There's always a sane fallback with -native-extensions.
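The "sane fallback" pattern this thread relies on, as an added example that is not portage's reflink_linux code: a copy routine that tries a kernel fast path and, when a seccomp profile denies the syscall with EPERM (or the kernel lacks it), redoes the copy with portable read/write calls instead of failing the merge. It assumes `os.copy_file_range` (Python 3.8+, Linux) as a stand-in for the optimized path; the exact syscalls portage's extension uses are not listed on this page.

```python
"""Copy a file via a kernel fast path, falling back to a read/write loop when
the fast path is denied or unavailable.  Example code, not portage's own."""
import errno
import os
import shutil

# Errors after which a plain copy is the right answer.  EPERM is what a seccomp
# profile returns for a blocked syscall (the error in this bug); ENOSYS means an
# old kernel; the rest mean the fast path cannot serve this pair of files.
FALLBACK_ERRNOS = {errno.EPERM, errno.ENOSYS, errno.EXDEV,
                   errno.EINVAL, errno.EOPNOTSUPP}


def _fast_copy(src_fd, dst_fd, size):
    """Kernel-side copy using copy_file_range (stand-in for the optimized path)."""
    if not hasattr(os, "copy_file_range"):
        raise OSError(errno.ENOSYS, "copy_file_range not available")
    remaining = size
    while remaining > 0:
        n = os.copy_file_range(src_fd, dst_fd, remaining)
        if n == 0:
            break  # source shrank under us; the size check below reports it
        remaining -= n


def copy_with_fallback(src, dst, fast_copy=_fast_copy):
    """Copy src to dst; return 'fast' or 'fallback' to show which path ran.

    fast_copy is injectable so the EPERM path can be exercised without
    actually running under a restrictive seccomp profile."""
    with open(src, "rb") as fsrc, open(dst, "wb") as fdst:
        size = os.fstat(fsrc.fileno()).st_size
        try:
            fast_copy(fsrc.fileno(), fdst.fileno(), size)
            method = "fast"
        except OSError as e:
            if e.errno not in FALLBACK_ERRNOS:
                raise  # genuine I/O error: surface it rather than mask it
            # Discard any partial output and redo the copy portably.
            fsrc.seek(0)
            fdst.seek(0)
            fdst.truncate()
            shutil.copyfileobj(fsrc, fdst)
            method = "fallback"
    if os.path.getsize(dst) != size:
        raise IOError("short copy of %s" % src)
    return method
```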