Created attachment 488378: file copy error when emerge in a docker container

The optimized copyfile was introduced by [8ab5c88](https://github.com/gentoo/portage/commit/8ab5c8835931fd9ec098dbf4c5f416eb32e4a3a4#diff-477fdccf8e17062916b5e671ab688ed6R297), but it causes an error when I do emerge in a docker container. Like below (see the attachment for the full output):

```
!!! copy /usr/portage/packages/net-misc/curl-7.54.1.tbz2.partial -> /usr/portage/packages/net-misc/curl-7.54.1.tbz2 failed.
!!! [Errno 1] Operation not permitted
```
docker version app-emulation/docker-17.04.9, `--storage-driver=overlay2` enabled for docker daemon.
We've experienced this EPERM problem at my workplace with docker-1.10.x. Through experimentation, I found that the problem was suppressed by adding --security-opt seccomp:unconfined to the docker run options (--privileged also worked). There's some related documentation available here: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

In docker-1.13.x, the default seccomp configuration has been adjusted such that this problem no longer exists, so you won't need any special options to avoid the EPERM error. With docker-1.12.x, you'll want to use --cap-add SYS_PTRACE in order for sandbox to work correctly.
If you need a workaround for older versions of docker, you can use a package.use setting like this:

sys-apps/portage -native-extensions

And remove these files if the currently installed portage is not working:

rm /usr/lib64/python*/site-packages/portage/util/file_copy/reflink_linux*
(In reply to Harry Lee from comment #1)
> docker version app-emulation/docker-17.04.9,
> `--storage-driver=overlay2` enabled for docker daemon.

Oh, I assumed you had an older docker. Anyway, does --security-opt seccomp:unconfined help?
(In reply to Zac Medico from comment #4)
> (In reply to Harry Lee from comment #1)
> > docker version app-emulation/docker-17.04.9,
> > `--storage-driver=overlay2` enabled for docker daemon.
>
> Oh, I assumed you had an older docker. Anyway, does --security-opt
> seccomp:unconfined help?

Yes, adding `--security-opt seccomp:unconfined` helped. But adding only `--cap-add SYS_PTRACE` seems not to be enough; do you know which capability should also be enabled? And using -native-extensions seems not good enough, because there are other C extensions like libc tolower/toupper?
*** Bug 645462 has been marked as a duplicate of this bug. ***
(In reply to Harry Lee from comment #5)
> (In reply to Zac Medico from comment #4)
> > (In reply to Harry Lee from comment #1)
> > > docker version app-emulation/docker-17.04.9,
> > > `--storage-driver=overlay2` enabled for docker daemon.
> >
> > Oh, I assumed you had an older docker. Anyway, does --security-opt
> > seccomp:unconfined help?
>
> Yes, adding `--security-opt seccomp:unconfined` helped. But adding only
> `--cap-add SYS_PTRACE` seems not to be enough; do you know which capability should
> also be enabled?

`--security-opt seccomp:unconfined` is intended to solve the "operation not permitted" (EPERM) error for copying files. `--cap-add SYS_PTRACE` is intended to suppress sandbox problems involving ptrace, and if there are no error messages about ptrace then it's working. If you have an error that still occurs with these settings, what is the specific error?

> And using -native-extensions seems not good enough, because there are other C
> extensions like libc tolower/toupper?

Those extensions are not really essential. There's always a sane fallback with -native-extensions.
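The "sane fallback" discussed above is what makes a copy survive a seccomp profile that returns EPERM for the fast path. The following is an added Python example, not Portage's own reflink_linux code: it tries a FICLONE reflink, then copy_file_range, then a plain read/write copy, and treats EPERM and the other "not available here" errnos as a reason to fall back rather than as a failure. The FICLONE request number is the Linux one; the file names and payload in selftest() are constructed.

```python
import errno, fcntl, os, shutil, sys, tempfile

FICLONE = 0x40049409  # Linux FICLONE ioctl request, _IOW(0x94, 9, int)
# errno values meaning "fast path unavailable here", not "copy is broken";
# EPERM is what a restrictive seccomp profile returns for a filtered syscall.
FALLBACK_ERRNOS = {errno.EPERM, errno.ENOSYS, errno.EOPNOTSUPP, errno.EXDEV,
                   errno.EINVAL, errno.ENOTTY, errno.EBADF}

def _reflink(src_fd, dst_fd, size):
    if sys.platform != "linux":
        raise OSError(errno.ENOSYS, "FICLONE is Linux-only")
    fcntl.ioctl(dst_fd, FICLONE, src_fd)  # clone where the fs supports it

def _copy_file_range(src_fd, dst_fd, size):
    if not hasattr(os, "copy_file_range"):  # Python < 3.8
        raise OSError(errno.ENOSYS, "os.copy_file_range unavailable")
    remaining = size
    while remaining > 0:
        n = os.copy_file_range(src_fd, dst_fd, remaining)
        if n == 0:  # no progress: treat the fast path as unsupported
            raise OSError(errno.EINVAL, "copy_file_range made no progress")
        remaining -= n

def copyfile_with_fallback(src, dst):
    """Copy src to dst; return the name of the strategy that succeeded."""
    size = os.stat(src).st_size
    with open(src, "rb") as fsrc, open(dst, "wb") as fdst:
        for name, fast in (("reflink", _reflink),
                           ("copy_file_range", _copy_file_range)):
            try:
                fast(fsrc.fileno(), fdst.fileno(), size)
                return name
            except OSError as e:
                if e.errno not in FALLBACK_ERRNOS:
                    raise  # a real I/O failure, not a denied fast path
                fsrc.seek(0); fdst.seek(0); fdst.truncate(0)  # undo partial work
        shutil.copyfileobj(fsrc, fdst)  # plain read/write fallback
        return "generic"

def selftest():
    """Copy a constructed '.partial' file the way the bug report describes."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "curl.tbz2.partial"), os.path.join(d, "curl.tbz2")
    data = os.urandom(70000)  # constructed sample payload, not a real package
    with open(src, "wb") as f:
        f.write(data)
    method = copyfile_with_fallback(src, dst)
    with open(dst, "rb") as f:
        return method, f.read() == data
```

Which strategy wins depends on the kernel, filesystem and seccomp profile the code runs under; inside a container that filters the fast-path syscalls it ends on "generic", which is exactly the behaviour -native-extensions selects.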