Authority problem when chroot to a file system in docker

changev · August 24, 2016, 9:22am

Env:

 Docker version 1.12.0, build 8eab29e
 Host: ubuntu14.04
 Image:based on ubuntu14.04
 part of docker-compose.yml:
       net: "host"
       security_opt:
           - apparmor:unconfined
       privileged: true
 ```
**Background:**
 I'm trying to build a "overlay" in docker.
 *1. create a minimal os using debootstrap tools, store it in /tmp folder.
 *2. create overlay folder upper lower ...... and mount the minimal os folder to overlay lower layer
 *3. mount -t overlay -o rw,upperdir={{ overlayfs_upper_dir }},lowerdir={{ overlayfs_lower_dir }},workdir={{ overlayfs_work_dir }} overlay {{ overlayfs_build_root }} to build a overlay file system.
 *4. chroot to the os and install some package.

**And then error occurs:**
"ndpkg: error: error removing old backup file '/var/lib/dpkg/available-old': Operation not permitted”
I entered the minimal os folder, and checked this file permission and user group, it’s “-rw-r--r-- 1 root root” same with a usual Ubuntu OS.

But this doesn’t happen when we do that in VMs or physical PC.

**Solution:**
  I mapping a host folder to docker using docker volume, and store the minimal os in this folder.
 Then issue fixed.

**Question:**
 I don't understand why a docker root user can't delete or edit a “-rw-r--r-- 1 root root”  file.
 So who can help me to answer this question ?

Thanks!

dmaze · August 24, 2016, 11:30am

changev:

I'm trying to build a "overlay" in docker.
*1. create a minimal os using debootstrap tools, store it in /tmp folder.
*2. create overlay folder upper lower ...... and mount the minimal os folder to overlay lower layer
*3. mount -t overlay -o rw,upperdir={{ overlayfs_upper_dir }},lowerdir={{ overlayfs_lower_dir }},workdir={{ overlayfs_work_dir }} overlay {{ overlayfs_build_root }} to build a overlay file system.
*4. chroot to the os and install some package.

I feel like I’m missing something important about your use case. Almost everything you describe here are things Docker does on its own, as part of its very basic container setup. If I wanted a bare Ubuntu image, with one additional package installed, in an overlayfs-type environment, I’d just run

host$ sudo docker run --rm -it ubuntu:16.04 bash
container# apt-get install python2.7

In particular I’d never chroot(2) inside a container: since a container is so much like a chroot environment anyways, if it seemed like I needed something chrootish, I’d build a new image.

What are you trying to accomplish with this sequence?

changev · August 25, 2016, 1:44am

I want to build a common “overlay”.
In step *3 base lower layer is a minimal ubuntu os, in overlay all the changes is on the upper layer, so when the package install and other operation finished, I archive the upper layer to a package, and then I can apply this package to another similar ubuntu os with “mount -t overlay…”. I don’t want a new image, I just want a upper layer of overlay file systems.

And I want to do this in docker.

Then I met the Authority problem and I even can’t image how it happens.