Bug 218159 - ports-mgmt/pkg: pkg -r fails to run post install script.
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-pkg (Nobody)
Reported: 2017-03-27 08:55 UTC by Josef Karthauser
Modified: 2020-05-11 19:44 UTC
Description Josef Karthauser 2017-03-27 08:55:13 UTC
The pkg command has a --chroot flag enabling it to chroot to a directory before installing a package.

We are seeing a failure to run a post install script in this context, suggesting that the chroot isn't being used in all contexts:

root@:/usr/home/joe/true-services/ansible-plays # iocage list
JID   UUID                                  BOOT  STATE  TAG                   IP
3     befbcff3-1123-11e7-8380-080027ca2b91  on    up     smtp-relay   192.168.1.30
5     beffa259-1123-11e7-8380-080027ca2b91  on    up     influxdb   192.168.1.30
4     bf04a45c-1123-11e7-8380-080027ca2b91  on    up     smtp-relay2   192.168.1.31
root@:/usr/home/joe/true-services/ansible-plays # pkg -r /iocage/jails/beffa259-1123-11e7-8380-080027ca2b91/root/ install influxdb
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB   5.9MB/s    00:01    
Processing entries: 100%
FreeBSD repository update completed. 25859 packages processed.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	influxdb: 1.1.0

Number of packages to be installed: 1

The process will require 40 MiB more space.
8 MiB to be downloaded.

Proceed with this action? [y/N]: y
Fetching influxdb-1.1.0.txz: 100%    8 MiB   8.8MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing influxdb-1.1.0...
===> Creating groups.
Creating group 'influxd' with gid '907'.
===> Creating users
Creating user 'influxd' with uid '907'.
[1/1] Extracting influxdb-1.1.0: 100%
cp: /usr/local/etc/influxd.conf.sample: No such file or directory
pkg: POST-INSTALL script failed
root@:/usr/home/joe/true-services/ansible-plays #
Comment 1 Baptiste Daroussin freebsd_committer 2017-03-28 14:17:25 UTC
You state --chroot but actually use -r, which is not a chroot but a rootdir.

BTW, do you know there is -j?
Comment 2 Josef Karthauser 2017-03-28 21:02:59 UTC
Sorry - you are right, I wrongly reported it was a chroot option problem. Mea culpa. I was trying lots of things and it was late when I raised the bug.

However, the install still fails with rootdir which is what I was reporting (although I thought it was a chroot issue):

   [1/1] Extracting influxdb-1.1.0: 100%
   cp: /usr/local/etc/influxd.conf.sample: No such file or directory
   pkg: POST-INSTALL script failed

It looks like the POST-INSTALL script isn't being run in the context of the rootdir, which looks like an issue to me.

(P.S. the reason I can't run -j is that the jail doesn't have network connectivity to the outside world - it's a vimage jail. Similarly, running chrooted doesn't work because it switches to using the resolv.conf within the chrooted environment, which isn't configured for the public network.)
Comment 3 lumiwa 2017-03-30 00:02:56 UTC
I have a problem with pkg on FreeBSD 11-RELEASE too. I am using Synth and I update 745 ports, and when it started updating it stopped at:
Installing sndio-1.2.0_2...
===> Creating groups.
Using existing group '_sndio'.
===> Creating users
Creating user '_sndio' with uid '702'.
pw: user '_sndio' disappeared during update
pkg: PRE-INSTALL script failed
Unfortunately, the system upgrade failed.

It happened today March 29th.
Comment 4 Jeff Kletsky 2020-05-11 18:04:15 UTC
Confirming that -r / --rotdir does not appear to run the package scripts in a "sae" manner, resulting in failures and potentially corruption of the system, in general.

Expected behavior:

* Running `pkg -r /path/to/jail/root` would only impact files under /path/to/jail/root
* With the possible exception of the pkg cache on the host file system

Observed behavior:

* Package scripts attempt to modify files relative to the host file system that are outside of the specified root

Impact:

* Host file system can be put into an inconsistent state

Steps to replicate at the end of this comment.

---

Observed that, as a repeatable example, `php74-xmlwriter-7.4.5` results in

/bin/sh: cannot create /usr/local/include/php/ext/php_config.h: No such file or directory
pkg: POST-INSTALL script failed

This appears to be due to the post-install script using absolute path names. From `+MANIFEST`

"scripts":{"post-install":"echo \\#include \\\"ext/xmlwriter/config.h\\\" >> /usr/local/include/php/ext/php_config.h","pre-deinstall":"cp /usr/local/include/php/ext/php_config.h /usr/local/include/php/ext/php_config.h.orig\ngrep -v ext/xmlwriter/config.h /usr/local/include/php/ext/php_config.h.orig > /usr/local/include/php/ext/php_config.h || true\n/bin/rm -f /usr/local/include/php/ext/php_config.h.orig"}

Thankfully, my host system does not have /usr/local/include/php/ or I suspect the script would have corrupted the host system.

While one can argue that this is also an error in the packages, installing a package to a target filesystem shouldn't overwrite the host system's data (with the potential exception of the package caches).

There does not seem to be a workaround that I can find as the application is installing ports on jail filesystems for jails that intentionally do not have general network access.

`pkg -j` is not an option as the jail needs to be running and the jail does not have access to the repos over the network. Running `pkg` from within the jail with `jexec` has the same issues.

`pkg -c` first fails due to lack of `/etc/resolv.conf`. While `/etc/resolv.conf` could be overwritten, this would then allow a running jail access to DNS records that it ordinarily would not have (the jails also have no DNS access or restricted DNS views). Even adding an "unrestricted" `/etc/resolv.conf` still results in problems, with a lack of `/dev/null` being the next problem.


TO REPLICATE
============

# create an empty file system, extract the base system

sudo zfs create zroot-js-front-2020-05/var/jail/pkg-r
cd /var/jail/pkg-r/
sudo tar xvf ~/FreeBSD/12.1/base.txz 

# Update it to current

sudo freebsd-update -b /var/jail/pkg-c fetch
sudo freebsd-update -b /var/jail/pkg-c install

# Update the package data

sudo pkg -r /var/jail/pkg-r update

# Install a package that brings in some php modules

sudo pkg -r /var/jail/pkg-r install nextcloud-php74  # It looks like php74 alone would work

# Observe that the POST-INSTALL scripts are trying to access paths outside of the specified root
# and that, had the directories and files been present on the host,
# would have resulted in the "wrong" files being copied, as well as changing the host's configuration

[14/55] Extracting php74-7.4.5: 100%
cp: /usr/local/etc/php-fpm.conf.default: No such file or directory
cp: /usr/local/etc/php-fpm.d/www.conf.default: No such file or directory
touch: /usr/local/include/php/ext/php_config.h: No such file or directory
pkg: POST-INSTALL script failed
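
Added example (not part of the bug report and not pkg's own code): a pre-install check for the behaviour comment 4 describes, listing the absolute paths in a package's `scripts` entries and whether each would resolve on the host when the package is installed with `pkg -r`. The sample manifest is an abridged copy of the fragment quoted in comment 4; `absolute_paths`, `audit` and `host_root` are names chosen for this example.

```python
import json
import os
import re

# Sample input: abridged copy of the "scripts" fragment quoted in comment 4
# (php74-xmlwriter-7.4.5), wrapped in braces so it parses as JSON.
SAMPLE_MANIFEST = (
    r'{"scripts":{"post-install":"echo \\#include \\\"ext/xmlwriter/config.h\\\"'
    r' >> /usr/local/include/php/ext/php_config.h",'
    r'"pre-deinstall":"cp /usr/local/include/php/ext/php_config.h'
    r' /usr/local/include/php/ext/php_config.h.orig\n'
    r'/bin/rm -f /usr/local/include/php/ext/php_config.h.orig"}}'
)

# An absolute path: starts with "/" and is not the tail of a relative path,
# a variable expansion or a URL (hence the lookbehind).
ABS_PATH = re.compile(r'(?<![\w./$}:-])(?:/[\w.+-]+)+')


def absolute_paths(script):
    """Return the absolute paths in a script body, in order, without repeats."""
    seen = []
    for match in ABS_PATH.finditer(script):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def audit(manifest_json, rootdir, host_root="/"):
    """One finding per (script phase, absolute path) in the manifest."""
    scripts = json.loads(manifest_json).get("scripts", {})
    findings = []
    for phase, body in sorted(scripts.items()):
        for path in absolute_paths(body):
            host_path = os.path.join(host_root, path.lstrip("/"))
            findings.append({
                "phase": phase,
                "path": path,
                # Where the file would have to be for the install to stay in rootdir
                "intended": os.path.join(rootdir, path.lstrip("/")),
                # Parent directory present on the host: the script can succeed there
                "host_reachable": os.path.isdir(os.path.dirname(host_path)),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST, "/var/jail/pkg-r"):
        flag = "HOST PATH EXISTS" if f["host_reachable"] else "absent on host"
        print(f'{f["phase"]:14} {f["path"]}  [{flag}]')
```

A finding with `host_reachable` set is the case comment 4 warns about: the script would not fail with "No such file or directory" but would act on the host's copy of the file.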
Comment 5 Jeff Kletsky 2020-05-11 18:12:27 UTC
(In reply to Jeff Kletsky from comment #4)

A few typos in the previous comment

* `-r` was used, `--rotdir` is a typo

* In TO REPLICATE, it is a typo that `freebsd-update` is shown for `/var/jail/pkg-c` rather than for `/var/jail/pkg-r`

The tests were self-consistent, with `-c` being consistently tested in `/var/jail/pkg-c` and `-r` being consistently tested in `/var/jail/pkg-r`.
Comment 6 Jeff Kletsky 2020-05-11 19:44:42 UTC
(In reply to Jeff Kletsky from comment #4)

WORK AROUND
===========

sudo zfs create zroot-js-front-2020-05/var/jail/pkg-c

cd /var/jail/pkg-c/
sudo tar xf ~/FreeBSD/12.1/base.txz

sudo freebsd-update -b /var/jail/pkg-c/ fetch
sudo freebsd-update -b /var/jail/pkg-c/ install
env ROOT=/var/jail/pkg-c /var/jail/pkg-c/bin/freebsd-version

# If devfs is not already mounted in the chroot

sudo mount -t devfs devfs /var/jail/pkg-c/dev/

# pkg [-C <configuration file>] [-R <repository configuration directory>]
# may be helpful if the jail's pkg/repo configuration is different than the host's

sudo env NAMESERVER=<nameserver IP> pkg -c /var/jail/pkg-c update
sudo env NAMESERVER=<nameserver IP> pkg -c /var/jail/pkg-c install php74

sudo umount /var/jail/pkg-c/dev