I start a new user namespace as follows (the special bashrc is just because there are some things in my default one that, expectedly, don't work in the lxc user namespace):

    lxc-usernsexec -m b:0:689824:65536 -- /bin/bash --rcfile ~/.bashrc.lxc

Inside there I mount a squashfs image that includes the normal tools for building packages:

    squashfuse bookworm.amd64.build-deb.sqfs lower

I then mount an overlayfs on top of that:

    fuse-overlayfs -o lowerdir=lower,upperdir=overlay,workdir=work mount

I bind mount /dev/null into there:

    cd mount
    touch dev/null
    mount -o bind /dev/null dev/null

and then I chroot:

    /sbin/chroot .

This all appears to be working perfectly on both bookworm and bullseye hosts. But in bookworm, apt-get update fails in a weird way:

    root@dirac:/# apt-get update
    Get:1 http://aptmirror.home.woodall.me.uk/local bookworm InRelease [18.9 kB]
    Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB]
    Err:1 http://aptmirror.home.woodall.me.uk/local bookworm InRelease
      Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/aptmirror.home.woodall.me.uk_local_dists_bookworm_InRelease
    Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
    Err:2 http://deb.debian.org/debian bookworm InRelease
      Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bookworm_InRelease
    Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
      Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/deb.debian.org_debian-security_dists_bookworm-security_InRelease

Notice that "Couldn't execute /usr/bin/apt-key". Running exactly the same on a bullseye host, this "just works".

Running:

    strace -f apt-get update |& less

    [pid 6619] execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.xWh7oI", "/tmp/apt.data.JpfP2n"], 0x5566c9baafc0 /* 48 vars */) = -1 EOPNOTSUPP (Operation not supported)

This is my problem! If I unpack the squashfs image but otherwise follow the same steps (i.e. lower is a normal directory) then this works.

When I compare other things I see this in the working one:

    [pid 6701] openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)

while I see this in the non-working one:

    [pid 6701] openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EOPNOTSUPP (Operation not supported)

ENOENT is expected as I don't have /proc mounted in the namespace.

execve works for other tasks:

    [pid 6693] execve("/usr/bin/dpkg", ["/usr/bin/dpkg", "--print-foreign-architectures"], 0x7ffe96e5ffa0 /* 42 vars */) = 0

This works on both the bullseye and bookworm hosts; there's something special about apt-key. Weirdly, if I copy dpkg over apt-key I still get this EOPNOTSUPP error. But if I delete it completely I get ENOENT from the execve call.

Does anyone have any ideas what might be wrong here, or what I could try to get this working again?

Tim.