On Wed, 27 Oct 2021 at 21:24, Iain Buclaw <ibuc...@mailbox.org> wrote:

> Installing a package that runs sysctl -p in its postinst script fails
> with a non-zero exit status.
>
That is probably what is supposed to happen. However, it looks like
read-only /sys filesystems are a thing. Leaving aside what a container
should or shouldn't do, there are some issues with the patches, mainly that
they don't say what they are actually doing.

https://git.launchpad.net/ubuntu/+source/procps/tree/debian/patches/ignore_eaccess.patch?h=applied/ubuntu/focal-devel

This patch states that it ignores EACCES; however, it also ignores EROFS and
EPERM. Was this the intent of the patch?

https://git.launchpad.net/ubuntu/+source/procps/tree/debian/patches/ignore_erofs.patch?h=applied/ubuntu/focal-devel

This patch states that it ignores EROFS. It actually doesn't do this; it
only changes the error message.

In a case statement, if there is no break then the program falls through to
the next line, so putting ignore_failure after EACCES also means we have
ignore_failure for EROFS and EPERM as well.
I'm not sure why you would change the error message (patch #2).

So, it looks like there was a bit of "just try it until it works" going on,
with the added bonus that sysctl says permission denied for 3 different
error codes. Mixed in with this, the referenced bug #1157643 also mentions
that the issue is EINVAL and not the other two or three error codes we have
already discussed.

It doesn't look like the patches were tested that well beyond fixing the
issue, and completely ignoring the return code of fprocopen would do the
same thing.
I think that the real problem is that LXC has a read-only /sys, fprocopen
returns EROFS, and this is the only one that needs to be bypassed, but I'm
not sure. That would be a much simpler thing to check and ignore.

Running a strace on the sysctl program in an LXC container and finding the
return code of the open (it might be a fopencookie() or an openat()
instead) on the offending key should clear it up pretty quickly.

 - Craig
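The case-label point made above, as an added example that is not code from procps, from the Ubuntu patches, or from the mail's author: a small model of the "permission denied" switch with an ignore flag. The first function places the ignore check under the last of a group of labels, so EPERM and EROFS reach it as well even though only EACCES was named; the second gives EROFS its own case so only a read-only /sys is tolerated. The function names, the outcome struct and the decision to treat only EROFS as ignorable are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not code from procps or from the Ubuntu patches.
 * It models the error-handling switch discussed in the mail: a group
 * of "permission denied" case labels plus an ignore flag. Function
 * names, the outcome struct and the choice to treat only EROFS as
 * ignorable are assumptions made for this illustration.
 */

struct outcome {
    int rc;          /* 0 when successful or ignored, -1 when the failure counts */
    bool ignored;    /* true when the error was deliberately swallowed */
    const char *msg; /* message the tool would print, "" if none */
};

/*
 * Variant 1: the ignore check sits under the last label of a grouped
 * case. EPERM and EROFS have no statements of their own, so control
 * falls through to the same code and the flag applies to all three
 * errnos even though only EACCES was named.
 */
static struct outcome grouped_ignore(int err, bool ignore_flag)
{
    struct outcome o = { 0, false, "" };

    switch (err) {
    case EPERM:
    case EROFS:
    case EACCES:
        if (ignore_flag) {   /* reached for EPERM and EROFS as well */
            o.ignored = true;
            break;
        }
        o.msg = "permission denied";
        o.rc = -1;
        break;
    default:
        o.msg = "unexpected error";
        o.rc = -1;
        break;
    }
    return o;
}

/*
 * Variant 2: EROFS gets its own case so only a read-only /sys is
 * tolerated; EACCES and EPERM keep the original hard failure.
 */
static struct outcome erofs_only_ignore(int err, bool ignore_flag)
{
    struct outcome o = { 0, false, "" };

    switch (err) {
    case EROFS:
        if (ignore_flag) {
            o.ignored = true;
        } else {
            o.msg = "read-only file system";
            o.rc = -1;
        }
        break;
    case EPERM:
    case EACCES:
        o.msg = "permission denied";
        o.rc = -1;
        break;
    default:
        o.msg = "unexpected error";
        o.rc = -1;
        break;
    }
    return o;
}

static void show(const char *label, struct outcome o)
{
    printf("%-8s rc=%2d ignored=%d msg=\"%s\"\n", label, o.rc, o.ignored, o.msg);
}

int main(void)
{
    const int errs[] = { EACCES, EROFS, EPERM };
    const char *names[] = { "EACCES", "EROFS", "EPERM" };

    puts("grouped labels, ignore flag on:");
    for (int i = 0; i < 3; i++)
        show(names[i], grouped_ignore(errs[i], true));

    puts("EROFS-only case, ignore flag on:");
    for (int i = 0; i < 3; i++)
        show(names[i], erofs_only_ignore(errs[i], true));
    return 0;
}
```

Running it with the flag on shows the first variant swallowing all three errnos while the second only swallows EROFS, which is the narrower behaviour the mail suggests checking for.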
