On Wed, 27 Oct 2021 at 21:24, Iain Buclaw <ibuc...@mailbox.org> wrote:
> Installing a package that runs sysctl -p in its postinst script fails
> with a non-zero exit status.

That is probably what is supposed to happen. However, it looks like read-only /sys filesystems are a thing. Leaving aside what a container should or shouldn't do, there are some issues with the patches, mainly that they don't say what they actually are doing.

https://git.launchpad.net/ubuntu/+source/procps/tree/debian/patches/ignore_eaccess.patch?h=applied/ubuntu/focal-devel

This patch states that it ignores EACCES; however, it also ignores EROFS and EPERM as well. Was this the intent of the patch?

https://git.launchpad.net/ubuntu/+source/procps/tree/debian/patches/ignore_erofs.patch?h=applied/ubuntu/focal-devel

This patch states that it ignores EROFS. It actually doesn't do this but changes the error message only. In a case statement, if there is no break then the program falls through to the next line, so putting ignore_failure after EACCES also means we have ignore_failure for EROFS and EPERM as well. I'm not sure why you would change the error message (patch #2).

So, it looks like there was a bit of "just try it until it works" going on, with the added bonus that sysctl says permission denied for 3 different error messages. Mixed in with this, the referenced bug #1157643 also mentions that the issue is EINVAL and not the other two or three error codes we have already discussed.

It doesn't look like the patches were tested that well beyond fixing the issue, and completely ignoring the return code for fprocopen would do the same thing.

I think that the real problem is that LXC has a read-only /sys and fprocopen returns EROFS, and this is the only one that needs to be bypassed, but I'm not sure. That would be a much simpler thing to check and ignore. Running a strace on the sysctl program in an LXC container and finding the return code of the open (it might be a fopencookie() or an openat() instead) on the offending key should clear it up pretty quickly.

- Craig
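The fall-through problem described in the message, shown as an added C illustration; this is not the procps sysctl source nor the patches linked above, but a hypothetical reconstruction of the errno switch so the effect of a missing `break` can be seen and tested. `ignore_open_error_fallthrough` models the patched switch as the message reads it (an EROFS message added without a `break`, falling into the EPERM/EACCES block that sets `ignore_failure`); `ignore_open_error_explicit` gives every errno its own terminated case and ignores only EROFS, the read-only-/sys hypothesis the message raises. `probe_open_errno` reports the errno a write-open of a key path fails with, which is what the suggested strace run would reveal. Function names, messages and the default key path are this example's own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added illustration for the thread above; it is not the procps sysctl
 * source.  Each handler takes the errno from a failed open of a sysctl
 * key file and returns 1 if the failure is ignored (exit status stays
 * zero) or 0 if it counts as a real error. */

/* Variant 1: hypothetical reconstruction of the patched switch.  A
 * dedicated EROFS message was added, but without a `break`, so control
 * runs on into the EPERM/EACCES block, which prints "permission denied"
 * as well and sets ignore_failure.  Net effect: all three errnos are
 * ignored, and an EROFS failure prints two messages. */
int ignore_open_error_fallthrough(int err)
{
    int ignore_failure = 0;

    switch (err) {
    case EROFS:
        fprintf(stderr, "setting key: read-only file system\n");
        /* falls through - the missing break is the bug being illustrated */
    case EPERM:
    case EACCES:
        fprintf(stderr, "setting key: permission denied\n");
        ignore_failure = 1;
        break;
    default:
        fprintf(stderr, "setting key: %s\n", strerror(err));
        break;
    }
    return ignore_failure;
}

/* Variant 2: every errno has its own case ending in `break`, and only
 * EROFS (a read-only /sys) is treated as ignorable.  EACCES and EPERM
 * still fail, so a genuinely refused write is reported through the exit
 * status instead of being masked. */
int ignore_open_error_explicit(int err)
{
    int ignore_failure = 0;

    switch (err) {
    case EROFS:
        fprintf(stderr, "setting key: read-only file system, ignoring\n");
        ignore_failure = 1;
        break;
    case EPERM:
        fprintf(stderr, "setting key: operation not permitted\n");
        break;
    case EACCES:
        fprintf(stderr, "setting key: permission denied\n");
        break;
    default:
        fprintf(stderr, "setting key: %s\n", strerror(err));
        break;
    }
    return ignore_failure;
}

/* Opens `path` for writing, as a sysctl write would, and returns the errno
 * the open fails with (0 on success).  Run inside the container against
 * the offending key to learn which errno actually comes back. */
int probe_open_errno(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default key path is an arbitrary choice for the demonstration. */
    const char *path = argc > 1 ? argv[1] : "/proc/sys/kernel/hostname";
    int err = probe_open_errno(path);

    if (err == 0) {
        printf("%s: open for writing succeeded\n", path);
        return 0;
    }
    printf("%s: open failed with errno %d (%s)\n", path, err, strerror(err));
    printf("fall-through variant ignores it: %s\n",
           ignore_open_error_fallthrough(err) ? "yes" : "no");
    printf("explicit variant ignores it:     %s\n",
           ignore_open_error_explicit(err) ? "yes" : "no");
    return 0;
}
```

Run it with the path of the key that fails in the container (`./probe /proc/sys/<key>`); the errno it prints is the one to decide about, and the two handlers show how much wider the fall-through version's "ignore" net is than the one the patch description claims.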