On 18.11.21 at 15:41, Dario Faggioli wrote:
On Mon, 2021-11-15 at 21:06 +0100, Ignaz Forster wrote:
In transactional-update 3.6 I indeed changed the mount behaviour;
Right.
[...]
I'll have to take a look at what bwrap is trying to do here and see what I can do to fix this.
That would be great. :-)
The problem is that it tries to recursively mount everything from the root file system, and it stumbles over the fact that /tmp/transactional-update-xxx is mounted as "unbindable" (to prevent those recursive mounts). Now one could argue that this is wrong behavior and would fail on other systems, too, but I'm trying to fix this on the transactional-update side due to the next problem you mentioned.
As a further data point, it apparently is not only flatpak:
Error: unable to start container "16271fd6f71b3e0a2e0b392a5eaf2b000faf29656f2e4c3c32aebf0b0f2066ad": container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/tmp" to rootfs at "/tmp" caused: mount through procfd: operation not permitted: OCI permission denied /usr/bin/toolbox: failed to start container 'toolbox-test-user'
It's also toolbox, which basically means this is a problem for podman containers in general.
Yes, Richard also noticed and told me already.
Which in turn means this is no MicroOS _Desktop_ only any longer, I guess, and we probably want to fix it for MicroOS, Kubic, SLE-Micro and whatever. :-)
Tumbleweed. Just Tumbleweed. I've revoked my submissions for SLE* already.
Given this new info, let me know if you prefer me to open a bug, for better tracking, or do anything else.
I'll never complain about a bug report - then I don't have to create it ;-)

Cheers,
Ignaz
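The failure mode Ignaz describes is a mount with "unbindable" propagation sitting under /, which makes any recursive bind mount of the root (what bwrap and the OCI runtime behind podman/toolbox attempt) fail. The following is an added diagnostic, not code from the thread or from transactional-update: it reads /proc/self/mountinfo-format lines and lists the mount points flagged unbindable, so an affected system can be checked before filing or triaging the bug. The sample lines are constructed; the mount ids, device numbers and subvolume paths are made up.

```shell
#!/bin/sh
# List mount points whose propagation is "unbindable" in /proc/self/mountinfo
# format (read from stdin). Such mounts cannot be part of a recursive bind
# mount (mount --rbind /), which is what bwrap and runc/crun do when they
# build a container rootfs, so their presence explains "operation not
# permitted" on the nested /tmp mount seen in the toolbox error above.
unbindable_mounts() {
    awk '{
        # fields 1-6 are fixed (id, parent, major:minor, root, mount point,
        # options); optional fields follow until a lone "-" separator.
        # Field 5 is the mount point.
        for (i = 7; i <= NF && $i != "-"; i++)
            if ($i == "unbindable") { print $5; break }
    }'
}

# Constructed sample (not a dump from a real machine): a btrfs root snapshot,
# a shared tmpfs on /tmp, and a transactional-update working snapshot that
# was mounted with --make-unbindable below /tmp.
SAMPLE='21 1 0:25 /@/.snapshots/1/snapshot / rw,relatime shared:1 - btrfs /dev/vda2 rw,ssd
40 21 0:35 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
88 21 0:25 /@/.snapshots/2/snapshot /tmp/transactional-update-xxx rw,relatime unbindable - btrfs /dev/vda2 rw,ssd'

# Wrapper that returns the result for the constructed sample.
sample_unbindable() {
    printf '%s\n' "$SAMPLE" | unbindable_mounts
}

# Demo on the sample; on a live system use: unbindable_mounts < /proc/self/mountinfo
sample_unbindable
```

On a live host, an empty result means a recursive bind of / will not trip over propagation flags; each path printed is one that bwrap or the OCI runtime will fail on.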