Sbuild in a privileged lxd container

Hey folks, I’m trying to set up sbuild in a privileged lxd container and hitting an issue mounting /proc, resulting in an unmountable filesystem.

Forgive me for being too verbose with my steps, but here are the steps I’ve taken to set up the container and create the sbuild chroot.

  1. Create the container and make it privileged (or else mk-sbuild fails and dmesg is unreadable for troubleshooting)
heather@fenrir:~$ lxc launch ubuntu-daily:mantic/amd64 mantic-pkg-build
heather@fenrir:~$ lxc shell mantic-pkg-build
heather@fenrir:~$ lxc config set mantic-pkg-build security.privileged true
heather@fenrir:~$ lxc stop mantic-pkg-build
heather@fenrir:~$ lxc start mantic-pkg-build
heather@fenrir:~$ lxc shell mantic-pkg-build
root@mantic-pkg-build:~# apt update && apt dist-upgrade
root@mantic-pkg-build:~# apt install debhelper sbuild schroot devscripts ubuntu-dev-tools
root@mantic-pkg-build:~# adduser heather
root@mantic-pkg-build:~# usermod -aG sudo heather
root@mantic-pkg-build:~# usermod -aG sbuild heather
root@mantic-pkg-build:~# reboot
  2. When the system comes back up, reconnect and log in as our new non-root user
heather@fenrir:~$ lxc shell mantic-pkg-build
root@mantic-pkg-build:~# su - heather
  3. Make an .sbuildrc file with the following contents
heather@mantic-pkg-build:~$ cat .sbuildrc
# Name to use as override in .changes files for the Maintainer: field
# (mandatory, no default!).
$maintainer_name='Heather Ellsworth <heather.ellsworth@canonical.com>';
# Default distribution to build.
$distribution = "mantic";
# Build arch-all by default.
$build_arch_all = 1;
# When to purge the build directory afterwards; possible values are "never",
# "successful", and "always". "always" is the default. It can be helpful
# to preserve failing builds for debugging purposes. Switch these comments
# if you want to preserve even successful builds, and then use
# "schroot -e --all-sessions" to clean them up manually.
$purge_build_directory = 'successful';
$purge_session = 'successful';
$purge_build_deps = 'successful';
# $purge_build_directory = 'never';
# $purge_session = 'never';
# $purge_build_deps = 'never';
# Directory for writing build logs to
$log_dir=$ENV{HOME}."/ubuntu/logs";
# don't remove this, Perl needs it:
1;
  4. Create the sbuild chroot
heather@mantic-pkg-build:~$ mk-sbuild mantic
...
I: Extracting zlib1g...
W: Failure trying to run: chroot "/var/lib/schroot/chroots/mantic-amd64" mount -t proc proc /proc
W: See /var/lib/schroot/chroots/mantic-amd64/debootstrap/debootstrap.log for details
W: Failure trying to run: chroot "/var/lib/schroot/chroots/mantic-amd64" mount -t sysfs sysfs /sys
W: See /var/lib/schroot/chroots/mantic-amd64/debootstrap/debootstrap.log for details
I: Installing core packages...
...
I: Configuring libc-bin...
I: Base system installed successfully.
E: 10mount: mount: /run/schroot/mount/mantic-amd64-60b461b4-3a34-4913-9e0b-fda32dbfa47d: cannot mount none read-only.
E: 10mount: dmesg(1) may have more information after failed mount system call.
E: mantic-amd64-60b461b4-3a34-4913-9e0b-fda32dbfa47d: Chroot setup failed: stage=setup-start

Note: /var/lib/schroot/chroots/mantic-amd64/debootstrap/debootstrap.log doesn’t exist, but /var/lib/schroot/chroots/mantic-amd64/var/log/bootstrap.log does and seems to have the actual log info.

From the bootstrap.log, the first problem we see (and many others like this) is:

dpkg: regarding .../login_1%3a4.13+dfsg1-1ubuntu1_amd64.deb containing login, pre-dependency problem:
login pre-depends on libaudit1 (>= 1:2.2.1)
libaudit1:amd64 is unpacked, but has never been configured.

but /var/lib/dpkg/status has libaudit1 showing as “install ok installed”, instead of “install ok unpacked”. In fact there is no mention of unpacked except in one package’s description. dpkg -l | grep libaudit shows it installed too.

sudo dpkg --configure --pending did nothing (didn’t error though). So I reinstalled the login package, removed the chroot, and am trying mk-sbuild again and I still get the same failure.

I tried installing piuparts, removing the chroot, and running mk-sbuild again - still the same failure.
I tried adding this to /etc/schroot/sbuild/fstab:

/home/<username> /home/<username> none rw,bind 0 0

removed the chroot, rebooted (so fstab changes are in effect), and tried mk-sbuild again and still get the same failure.

I added a .mk-sbuild.rc file:

SCHROOT_CONF_SUFFIX="source-root-users=root,sbuild,admin
source-root-groups=root,sbuild,admin
preserve-environment=true"
# you will want to undo the below for stable releases, read `man mk-sbuild` for details
# during the development cycle, these pockets are not used, but will contain important
# updates after each release of Ubuntu
SKIP_UPDATES="1"
SKIP_PROPOSED="1"
# if you have e.g. apt-cacher-ng around
# DEBOOTSTRAP_PROXY=http://127.0.0.1:3142/

and still get the same failure.

Thanks so much for your time and any thoughts and suggestions are welcome!

1 Like

Can you try enabling security.nesting using lxc config set <instance> security.nesting=true and restarting the instance?

Combining security.privileged and security.nesting is a bad idea from a security perspective, but it might allow you to achieve what you’re trying to do.

BTW, what is the reason for needing to use a privileged container?
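Checking for the combination the reply above warns about, as an added example (not code from the thread or from LXD): the script parses the YAML that `lxc config show --expanded <instance>` prints and flags an instance that has both security.privileged and security.nesting set. The config embedded in it is a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit an LXD instance's expanded
# config for the security.privileged + security.nesting combination that
# the reply above calls out. Input is the YAML printed by
# `lxc config show --expanded <instance>`; a constructed sample is
# embedded here so the script runs offline.

# Constructed sample, shaped like `lxc config show --expanded` output.
SAMPLE_CONFIG='architecture: x86_64
config:
  image.os: ubuntu
  security.nesting: "true"
  security.privileged: "true"
  volatile.last_state.power: RUNNING
devices:
  root:
    path: /
    pool: default
    type: disk
'

# config_value CONFIG KEY: print the value of KEY, quotes stripped.
config_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == (key ":") { gsub(/"/, "", $2); print $2; exit }'
}

# risk_level CONFIG: "privileged+nesting", "privileged", "nesting" or "none".
risk_level() {
    priv=$(config_value "$1" security.privileged)
    nest=$(config_value "$1" security.nesting)
    if [ "$priv" = true ] && [ "$nest" = true ]; then echo privileged+nesting
    elif [ "$priv" = true ]; then echo privileged
    elif [ "$nest" = true ]; then echo nesting
    else echo none
    fi
}

# audit CONFIG: one-line finding; exit status 1 only for the combination.
audit() {
    case "$(risk_level "$1")" in
        privileged+nesting)
            echo "FINDING: privileged container with nesting enabled"; return 1 ;;
        none) echo "OK: unprivileged, no nesting" ;;
        *)    echo "NOTE: security.$(risk_level "$1") is set" ;;
    esac
}
# The sample is expected to fail the audit; '|| true' keeps a stand-alone run going.
audit "$SAMPLE_CONFIG" || true
```

To audit a real instance, pipe `lxc config show --expanded <instance>` into a variable and pass it to audit in place of SAMPLE_CONFIG.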

Thank you, yes this was what was needed to get the image mounted after creation!

2 Likes

If I try this in an unprivileged container, then I get the following error:

heather@mantic-pkg-build-unprivileged:~$ mk-sbuild mantic
[sudo] password for heather: 
mknod: /var/lib/schroot/chroots/mantic-amd64/test-dev-null: Operation not permitted
E: Cannot install into target '/var/lib/schroot/chroots/mantic-amd64' mounted with noexec or nodev

After googling around, I found a suggestion that the “mounted with noexec or nodev” error was because of the container restrictions. However, I would rather do all of this in an unprivileged lxd container if there is a way to do so.

If I have to use an unprivileged container, then does the container provide any value (i.e. isolation) at all? Or is it exactly the same as running the sbuild chroot on my host?

1 Like