Description
Stumbled upon this multiple times: `10-shadow.sh` will run `cp -Lpr "${ENROOT_ROOTFS}${skel}/." "${ENROOT_ROOTFS}${home}"`.

To reproduce:

```
# enroot import -o debian-12.6-slim.squashfs docker://debian:12.6-slim
# sudo -u elelay enroot start ./debian-12.6-slim.squashfs
(stuck forever)
```
`ps faux`:

```
root 2028977 0.0 0.0 30756 588 pts/1 Ss+ 12:05 0:00 | \_ sudo -u elelay enroot start ./debian-12.6-slim.squashfs
elelay 2028978 0.5 0.0 7984 3620 pts/1 S 12:05 0:00 | \_ /usr/bin/bash --norc -o braceexpand -o errexit -o hashall -o interactive-comments -o nounset -o pipefail -O checkwinsize -O cmdhist -O complete_fullquote -O extquote -O force_fignore -O globasciiranges -O globskipdots -O hostc
elelay 2029014 0.0 0.0 17428 3328 pts/1 T 12:05 0:00 | \_ fuse-shim
elelay 2029017 0.6 0.0 5828 2448 pts/1 S 12:05 0:00 | | \_ squashfuse -f -o uid=10099,gid=10001 /tmp/debian-12.6-slim.squashfs /run/enroot/elelay/overlay/lower
elelay 2029023 0.9 0.0 5396 2040 pts/1 S 12:05 0:00 | | \_ fuse-overlayfs -f -o lowerdir=/run/enroot/elelay/overlay/lower,upperdir=/run/enroot/elelay/overlay/upper,workdir=/run/enroot/elelay/overlay/work /run/enroot/elelay/overlay
elelay 2029036 0.0 0.0 7468 2244 pts/1 S 12:05 0:00 | \_ /usr/bin/bash --norc -o braceexpand -o errexit -o hashall -o interactive-comments -o nounset -o pipefail -O checkwinsize -O cmdhist -O complete_fullquote -O extquote -O force_fignore -O globasciiranges -O globskipdots -O h
elelay 2029075 0.0 0.0 7072 2756 pts/1 S 12:05 0:00 | \_ bash /etc/enroot/hooks.d/10-shadow.sh
elelay 2029110 0.0 0.0 6456 1628 pts/1 S 12:05 0:00 | \_ cp -Lpr /run/enroot/elelay/overlay/etc/skel/. /run/enroot/elelay/overlay/home/elelay
```
I have to kill the `bash /etc/enroot/hooks.d/10-shadow.sh` to stop the container.

Inserting a `find $skel -exec ls -alnd '{}' ';' 1>&2` just before the `cp -Lpr "${ENROOT_ROOTFS}${skel}/." "${ENROOT_ROOTFS}${home}"` in `10-shadow.sh`:

```
drwxr-xr-x 2 65534 65534 5 Aug 21 16:47 /etc/skel
-rw-r--r-- 1 65534 65534 220 Apr 19 00:47 /etc/skel/.bash_logout
-rw-r--r-- 1 65534 65534 75 Aug 21 16:47 /etc/skel/.bashrc
-rw-r--r-- 1 65534 65534 807 Apr 19 00:47 /etc/skel/.profile
```
Is it something specific to my config?
```
ENROOT_GZIP_PROGRAM pigz
# See https://github.com/NVIDIA/pyxis/wiki/Setup for following options
ENROOT_SQUASH_OPTIONS -noI -noD -noF -noX -no-duplicates
ENROOT_RESTRICT_DEV y
ENROOT_ROOTFS_WRITABLE y
```
I guess this can be disabled by tweaking the image: have `CREATE_HOME no` in `/etc/login.defs` or `/etc/default/useradd`, or remove `/etc/skel`, but it requires modifying every image to be run by enroot.

I've succeeded in mounting `/home` early (needs the `-1` pass to be mounted before hooks), adding `/etc/enroot/mounts.d/30-home.fstab`:

```
/home /home none x-create=dir,rbind,rw,nosuid,nodev 0 -1
```
But it is not necessarily what I want because it mounts ALL user homes in the container (or a predefined one if I use `/home/myuser` instead).
Is there a better workaround? When does the script make sense?