Hi!
I have a systemd-nspawn container in a separate btrfs subvolume mounted on /var/lib/machines/git. I try to upgrade the container from the host via pacman --sysroot, but it fails:
-> [ nspawn ] :: _ btrfs subvolume list / | rg /var/lib
ID 258 gen 12 top level 257 path systems/archlinux-base/var/lib/portables
ID 259 gen 12 top level 257 path systems/archlinux-base/var/lib/machines
-> [ nspawn ] :: mount | rg /var/lib | rg git
/dev/nvme0n1p2 on /var/lib/machines/git type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=411,subvol=/containers/git)
-> [ nspawn ] :: _ pacman -Syyuu --sysroot /var/lib/machines/git
:: Synchronizing package databases...
error: could not open file /var/lib/machines/git/var/lib/pacman/sync/download-RS1k27/core.db.part: Permission denied
error: failed to setup a download payload for core.db
error: failed to synchronize all databases (failed to retrieve some files)
-> [ nspawn ] :: _ \ls -l /var/lib/machines/git/var/lib/pacman
[sudo] password for gaspar:
total 0
drwxr-xr-x 1 root root 5148 Sep 4 14:35 local
drwxr-xr-x 1 root root 30 Sep 6 14:37 sync
-> [ nspawn ] :: _ \ls -l /var/lib/machines/git/var/lib/pacman/sync
total 8172
-rw-r--r-- 1 root root 125056 Sep 2 17:46 core.db
-rw-r--r-- 1 root root 8239555 Sep 4 14:02 extra.db
-> [ nspawn ] :: _ machinectl shell git
Connected to machine git. Press ^] three times within 1s to exit session.
[root@git ~]# ls -l /var/lib/pacman/
total 0
drwxr-xr-x 1 root root 5148 Sep 4 14:35 local
drwxr-xr-x 1 root root 30 Sep 6 14:37 sync
[root@git ~]# ls -l /var/lib/pacman/sync/
total 8172
-rw-r--r-- 1 root root 125056 Sep 2 17:46 core.db
-rw-r--r-- 1 root root 8239555 Sep 4 14:02 extra.db
[root@git ~]# pacman -Syyuu
:: Synchronizing package databases...
core 122.4 KiB 140 KiB/s 00:01 [#########################################] 100%
extra 7.9 MiB 2.23 MiB/s 00:04 [#########################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (5) hwdata-0.399-1 libnghttp2-1.67.0-1 systemd-257.9-1 systemd-libs-257.9-1 systemd-sysvcompat-257.9-1
Total Download Size: 11.78 MiB
Total Installed Size: 46.97 MiB
Net Upgrade Size: 0.02 MiB
:: Proceed with installation? [Y/n] ^C
Interrupt signal received
[root@git ~]#
What am I doing wrong? I have a lot of containers and I'm trying to upgrade them all with one simple script, without "chrooting" and using the same package cache.
I'm not using namespacing for this container.
Last edited by GasparVardanyan (Yesterday 12:40:47)
Try
systemd-nspawn -D /var/lib/machines/git /usr/bin/pacman -Syu
EDIT: untested (I don't use systemd).
Last edited by Head_on_a_Stick (2025-09-06 11:32:40)
Jin, Jîyan, Azadî
Thanks for the clue, sorry for replying late.
This worked:
machinectl shell machine /usr/bin/pacman -Syu
But this way I use the containers' pacman and the container's cache, and I have 7 containers + host, so it'll be better to use the host's pacman and the host's cache to download common packages once. Idk, probably mounting the host's cache is a security risk? I don't think it'll work on unprivileged containers.
Idk, probably mounting host's cache is a security risk?
I don't think it should be. The sync db files are kept separate from /var/cache/pacman/pkg/ and pacman verifies the signatures of packages when it installs them.
I don't know how secure it is, but I use this in /etc/systemd/nspawn/*.nspawn:
[Files]
Bind=/var/cache/pacman/pkg:/var/cache/pacman/pkg:idmap
Clean chroots for building packages (like those used by devtools/pkgctl) also use the local package cache for updates.
https://wiki.archlinux.org/title/Package_Proxy_Cache lists alternative methods.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
Clean chroot building not flexible enough?
Try clean chroot manager by graysky
My main problem was that I didn't want to give the containers write access to the shared cache directory, yet upgrade all containers and the host without downloading the same common package multiple times.
Seems I've found a solution. Something like this:
(pacman -Q; pacman -Q --sysroot /var/lib/machines/work; pacman -Q --sysroot /var/lib/machines/git; pacman -Q --sysroot=....; ...) | cut -f 1 -d ' ' | sort | uniq | paste -s -d ' '
My bad. This was simple, but when you think it should be complex because it seems to be a big deal, you don't see the simplest solutions.
This way I can get the list of all packages needed to download to upgrade all containers and host.
Then I can download them all with pacman -Sw, read-only mount the cache directory to all containers and upgrade them all, then host.
But I prefer to find a better solution here: https://wiki.archlinux.org/title/Package_proxy_cache , or maybe I can combine some methods used there with my approach.
Thanks a lot.
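As an added example (not code posted by anyone in this thread), the following script puts together the two ideas above: the read-only variant of the `[Files]` bind from the earlier reply, and the "collect package names from host and every sysroot, download once, then upgrade with a shared cache" procedure from the last post. It assumes one sysroot per directory under /var/lib/machines, an Arch host with pacman and systemd-nspawn, and a container-local overflow cache directory at /var/cache/pacman/pkg-local (the path is an assumption; any writable directory inside the container works). The constructed `pacman -Qn` output in `demo_union` is sample data, not from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: one sysroot per
# directory under /var/lib/machines, an Arch host with pacman/systemd-nspawn,
# and a container-local overflow cache at /var/cache/pacman/pkg-local.
set -eu

MACHINES_DIR=/var/lib/machines   # assumed layout: /var/lib/machines/<name>/
CACHE=/var/cache/pacman/pkg      # host package cache, shared read-only

# union_pkgs FILE...: each FILE holds `pacman -Qn` output ("name version" per
# line). Prints the sorted, de-duplicated package names on one line.
union_pkgs() {
    cat "$@" | cut -d ' ' -f 1 | sort -u | paste -s -d ' '
}

# nspawn_cache_stanza: [Files] section for /etc/systemd/nspawn/<name>.nspawn.
# BindReadOnly= rather than Bind=: the container can read cached packages but
# cannot add or replace files the host will later install from.
nspawn_cache_stanza() {
    printf '[Files]\nBindReadOnly=%s\n' "$CACHE"
}

# pacman_cachedir_lines: CacheDir entries for the container's pacman.conf.
# pacman tries CacheDirs in order and downloads into the first writable one, so
# a dependency absent from the read-only host cache lands in the overflow dir
# instead of failing on the read-only mount.
pacman_cachedir_lines() {
    printf 'CacheDir = %s/\nCacheDir = /var/cache/pacman/pkg-local/\n' "$CACHE"
}

# demo_union: union_pkgs over constructed `pacman -Qn` output (not real hosts).
demo_union() {
    d=$(mktemp -d)
    printf 'bash 1.0-1\nglibc 1.0-1\nsystemd 1.1-1\n' > "$d/host"
    printf 'glibc 1.0-1\ngitea 1.0-1\nsystemd 1.0-1\n' > "$d/git"
    printf 'glibc 0.9-1\npython 1.0-1\n' > "$d/work"
    union_pkgs "$d/host" "$d/git" "$d/work"
    rm -rf "$d"
}

if [ "${1:-}" = run ]; then
    # Real run (root required): invoked as `./upgrade-all.sh run`.
    d=$(mktemp -d)
    # -Qn lists native packages only; a foreign (AUR) name would make -Sw fail
    # with "target not found" and abort the whole run under set -e.
    pacman -Qn > "$d/host"
    for m in "$MACHINES_DIR"/*/; do
        m=${m%/}
        pacman -Qn --sysroot "$m" > "$d/${m##*/}"
    done
    # -Syw: refresh the host sync dbs, then download (not install) every name.
    # shellcheck disable=SC2046  (word splitting of the name list is intended)
    pacman -Syw --noconfirm $(union_pkgs "$d"/*)
    # Upgrade each container with the host cache mounted read-only, then the host.
    for m in "$MACHINES_DIR"/*/; do
        systemd-nspawn -q -D "${m%/}" --bind-ro="$CACHE" \
            /usr/bin/pacman -Syu --noconfirm
    done
    pacman -Syu
    rm -rf "$d"
else
    # No argument: show the config fragments and the constructed demo only.
    nspawn_cache_stanza
    pacman_cachedir_lines
    demo_union
fi
```

Two caveats for a real run: `--bind-ro=` on the `systemd-nspawn -D` command line only applies to containers that are not already running under machinectl (for those, put the `[Files]` stanza into the machine's .nspawn file and use `machinectl shell` as earlier in the thread), and the union of currently installed names does not include dependencies that an upgrade introduces for the first time, which is why the container's pacman.conf gets a second, writable `CacheDir` to fall back on.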
Maybe you can combine some solution from this:
machinectl bind, copy-to, copy-from, clone --read-only, --mkdir, etc. ... details: man machinectl
Last edited by xerxes_ (Yesterday 20:50:26)
Yes, thanks a lot ))