You are not logged in.
Hello,
After updating pacman to 7.0.0.r3.g7736133-1 I get an error message when trying to update.
# pacman -Sy
:: Synchronizing package databases...
core 117.7 KiB 1471 KiB/s 00:00 [#######################################################] 100%
extra 7.4 MiB 11.3 MiB/s 00:01 [#######################################################] 100%
error: restricting filesystem access failed because landlock is not supported by the kernel!
After downgrading to previous version pacman-6.1.0-3 this error goes away.
What is landlock and why is it not supported by my kernel?
--
Br / David
Last edited by mr-andersson (2024-09-14 17:46:05)
Offline
What is your kernel? Pacman 7 added a sandbox for the downloaduser, read the current news item, or pass --disable-sandbox or configure the DisableSandbox option if you really need to use a kernel without landlock.
See https://gitlab.archlinux.org/pacman/pac … type=heads as well
Last edited by V1del (2024-09-14 16:59:54)
Offline
Ah, I'm running arch in a container under Proxmox. That's why it was missing landlock in my kernel.
Running pacman with --disable-sandbox mitigated the issue. Thanks!
The work around solution, while not having recompile your kernel with landlock support.
If you want to continue to run pacman without the above switch each time, you can just uncomment line 39: DisableSandbox in /etc/pacman.conf like so
Last edited by mr-andersson (2024-09-22 14:03:10)
Offline
Where are packages temporarily downloaded in this sandbox? I hope it is not /tmp dir or RAM, because I have to many packages.
Offline
In the same location as before (/var/cache/pacman/pkg by default) ?
From what I understand of the MRs that added this, the sandbox uses a dedicated user to restrict downloads to the designated areas.
Until pacman 7 downloads where done with root rights so could potentially overwrite stuff anywhere on the system.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Yeah, I've faced the same problem and I am here, in proxmox containers where you are running everything with root user it's safe to disable this option either way.
Offline
I got the same message as the OP because I am running kernel 6.1 from AUR.
I have the setting:
DownloadUser = alpm
If I do:
ls -l /var/cache/pacman/pkg
I was expecting recently downloaded packages to be owned by alpm but that is not the case, all are owned by root.
Any ideas?
Offline
If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.
Online
If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.
Thanks, I think I will have to read up on landlock.
Running the command below it seems that landlock is on in the kernel I am using.
zcat /proc/config.gz | grep -i landlock
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
However according to the landlock man page, LANDLOCK_ACCESS_FS_TRUNCATE is only available with landlock ABI v3 in linux version 6.2 even if the 6.1 kernel has a bunch of other landlock features. Perhaps DownloadUser uses the only feature not present in 6.1 (LANDLOCK_ACCESS_FS_TRUNCATE).
https://man.archlinux.org/man/landlock.7
I commented out "DownloadUser = alpm" in /etc/pacman.conf even if most likely doing so is redundant in my case.
Thanks again for your help. I think I will stop here.
Last edited by archdub (2024-10-26 22:10:23)
Offline
If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.
Are you sure?
Offline
Scimmia wrote:If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.
Are you sure?
That is a question that I asked myself earlier.
Quite clearly the feature does not work with the 6.1 kernel, that is the kernel that I am using, also came across a post in the Manjaro forum in which someone said that he had the problem with 6.1 and when upgraded to 6.6 the problem disappeared.
I took a 30 seconds look at the gitlab review where this feature in pacman v. 7 is discussed. It was not immediately obvious to me that LANDLOCK_ACCESS_FS_TRUNCATE is used or needed to implement the new feature. It would take me much longer to understand how it works.
As an aside, in hindsight the news item could have mentioned old kernels from the AUR. I read the news item even before it was published in the dev-public mailing list but because it mentioned only local repos it did not occur to me that I would have a problem with an AUR kernel. This was a lesson learned for me, my PC having AUR packages is a local repo even if it is not what I normally understood by the term!
Note: I have already changed this post several times to correct errors!
Last edited by archdub (2024-10-27 08:54:33)
Offline
Ah, I'm running arch in a container under Proxmox. That's why it was missing landlock in my kernel.
Running pacman with --disable-sandbox mitigated the issue. Thanks!
The work around solution, while not having recompile your kernel with landlock support.
If you want to continue to run pacman without the above switch each time, you can just uncomment line 39: DisableSandbox in /etc/pacman.conf like so
what terminal is this ? (sorry
Offline