Bug#966621: Make /tmp/ a tmpfs and cleanup /var/tmp/ on a timer by default [was: Re: systemd: tmpfiles.d not cleaning /var/tmp by default]

Simon McVittie smcv at debian.org
Thu May 30 15:39:14 BST 2024


On Thu, 30 May 2024 at 15:41:50 +0200, Johannes Schauer Marin Rodrigues wrote:
> I also found another issue with this change in systemd. After the upload to
> unstable, 76 out of 264 mmdebstrap tests on jenkins.debian.net started to fail:
> 
> https://jenkins.debian.net/job/mmdebstrap-jenkins-worker/692/consoleText
> 
> The problem is that debootstrap wants to mknod, which will not work on a tmpfs
> mounted with nodev:
> 
> + debootstrap --no-merged-usr --variant=buildd oldstable /tmp/tmp.nWmx8YeAh3 http://127.0.0.1/debian
> /usr/sbin/debootstrap: 1840: cannot create /tmp/tmp.nWmx8YeAh3/test-dev-null: Permission denied
> E: Cannot install into target '/tmp/tmp.nWmx8YeAh3' mounted with noexec or nodev
> 
> Maybe this affects more CI scripts and test setups which attempt to create a
> temporary chroot with debootstrap in /tmp.

I believe this arrangement would also fail if a separate on-disk /tmp
was mounted nodev (which is somewhat common security hardening advice,
although I don't know whether d-i sets this up if asked for a separate
/tmp).

In principle, even the root filesystem could probably be mounted nodev
these days, since /dev is typically a devtmpfs; but I've never tried it,
and I don't know whether anyone really does that.

> The fix which is documented in systemd NEWS makes everything work again:
> 
>     --customize-hook='touch "$1/etc/systemd/system/tmp.mount"'

Alternatively, you could consider using somewhere like /var/tmp or
/var/cache/mmdebstrap that is less likely to be mounted nodev?

(As a bonus, those locations are normally on-disk and therefore less
likely to run out of space for chroots/filesystem images/etc. than /tmp.)

    smcv
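Added example, not part of the thread above: a small POSIX sh helper that checks whether a candidate directory sits on a filesystem mounted nodev or noexec before a chroot is built there, and picks the first usable location from /tmp, /var/tmp and /var/cache/mmdebstrap. The mount-option check relies on `findmnt` from util-linux (an assumption); the optional device-node probe is modelled on the `test-dev-null` check visible in the quoted debootstrap log and needs CAP_MKNOD, so it is skipped for unprivileged users. Function names and the candidate list are this example's own.

```sh
#!/bin/sh
# Hypothetical helper: decide whether a directory is a safe target for
# debootstrap/mmdebstrap given nodev/noexec mount options.

# mount_opts_for DIR: print the mount options of the filesystem holding DIR.
# Assumes findmnt(8) from util-linux is installed.
mount_opts_for() {
    findmnt -n -o OPTIONS --target "$1"
}

# has_opt OPTS NAME: succeed if the comma-separated list OPTS contains NAME
# as a whole option (so "nodev" does not match "nodevfoo").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mknod_probe DIR: create a char device (1,3 = /dev/null) and try to write
# to it, as debootstrap does with test-dev-null. On a nodev mount the node
# may be created but cannot be opened. Requires CAP_MKNOD, so callers
# should only use this when running as root.
mknod_probe() {
    node="$1/test-dev-null.$$"
    rm -f "$node"
    if ! mknod "$node" c 1 3 2>/dev/null; then
        rm -f "$node"
        return 1
    fi
    if ! echo test > "$node" 2>/dev/null; then
        rm -f "$node"
        return 1
    fi
    rm -f "$node"
    return 0
}

# target_ok DIR: succeed if DIR is usable as a chroot target.
target_ok() {
    opts=$(mount_opts_for "$1") || return 1
    if has_opt "$opts" nodev; then
        echo "$1: mounted nodev, device nodes will not work" >&2
        return 1
    fi
    if has_opt "$opts" noexec; then
        echo "$1: mounted noexec" >&2
        return 1
    fi
    # Only root can run the real probe; for others the option check is final.
    if [ "$(id -u)" = 0 ] && ! mknod_probe "$1"; then
        echo "$1: device node probe failed" >&2
        return 1
    fi
    return 0
}

# pick_workdir: print the first candidate directory that passes target_ok.
pick_workdir() {
    for d in "${TMPDIR:-/tmp}" /var/tmp /var/cache/mmdebstrap; do
        [ -d "$d" ] || continue
        if target_ok "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    echo "no suitable chroot target found" >&2
    return 1
}
```

In a CI wrapper, `dir=$(pick_workdir) || exit 1` before calling debootstrap or mmdebstrap gives a clear message instead of the late "mounted with noexec or nodev" failure, and prefers on-disk locations over a nodev /tmp.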