--user installs broken on tmpfs $HOME due to missing xattr support

[probonopd]

Trying to follow the instructions from https://wiki.gnome.org/Projects/SandboxedApps/NightlyBuilds on Fedora 23, I get:

xdg-app install-runtime --user gnome org.gnome.Platform 3.18
...
error: While pulling runtime/org.gnome.Platform/x86_64/3.18 from remote gnome: Operation not supported

[alexlarsson]

What distro are you on, and where did you get your build of xdg-app?

[alexlarsson]

Oh, f23. So are you using the xdg-app distro package? Do you use that standard F23 kernel?

[probonopd]

I am using Fedora-Live-Workstation-x86_64-23-10.iso (slightly changed to use overlayfs rather than device-mapper) loop-mounted with GRUB2 with its stock kernel. I followed ste steps from https://wiki.gnome.org/Projects/SandboxedApps/NightlyBuilds for getting xdg-app.

[alexlarsson]

Can you do something like:

strace -o log -f xdg-app install-runtime --user gnome org.gnome.Platform 3.18

And attach "log" here?

[probonopd]

Lots of EBADF (Bad file descriptor), might be related?
log.txt

[alexlarsson]

Here is the failure:
3248 fsetxattr(14, "user.ostreemeta", "\0\0\0\0\0\0\0\0\0\0\201\244", 12, 0) = -1 EOPNOTSUPP (Operation not supported)

I guess overlayfs does not support xattrs?

[alexlarsson]

(The EBADF are just from trying to close all possible fds before execing a child process).

[alexlarsson]

If you just want to test this, you can try to install without the --user. Then you need to run it as root and it will install stuff in /var/xdg-app/, but it will not use xattrs.

[probonopd]

All I could find on https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt is "On a file opened with O_RDONLY fchmod(2), fchown(2), futimesat(2) and fsetxattr(2) will fail with EROFS.".

I do not know how to test setxattr, but

[root@host me]# touch test
[root@host me]# strace -f setfattr -n foo -v bar test 2>&1 | grep attrexecve("/bin/setfattr", ["setfattr", "-n", "foo", "-v", "bar", "test"], [/* 35 vars */]) = 0
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
setxattr("test", "foo", "bar", 3, 0)    = -1 EOPNOTSUPP (Operation not supported)
write(2, "setfattr: test: Operation not su"..., 40setfattr: test: Operation not supported

These are my relevant mounts:

/dev/sdb1 /run/initramfs/isoscan vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro 0 0
/dev/loop0 /run/initramfs/live iso9660 ro,relatime 0 0
/dev/loop6 /run/initramfs/squashfs squashfs ro,relatime 0 0
/dev/loop7 /run/sysroot ext4 ro,relatime,data=ordered 0 0
overlay / overlay rw,noatime,lowerdir=/run/sysroot,upperdir=/run/upper,workdir=/run/work 0 0

[probonopd]

Thanks, testing without --user nor now, no longer getting the error, but needing no root rights is key for me.

[alexlarsson]

What is /run/upper on?
Also, could you not mount (e.g. a bind mount) ~/.local/share/xdg-app (or even ~/) directly to a ext4 directory somewhere. I.e. there is no need for the user homedir to be overlayed, no?

[probonopd]

run is a tmpfs.

Yes, that would be doable if I wanted a persistent system (which is not my use case though).

[alexlarsson]

Yeah, tmpfs has no xattrs support unfortunately

[probonopd]

That probably means that this solution is not going to work for Fedora live systems out-of-the-box then.

[alexlarsson]

Yeah, i'll think some about it.

[probonopd]

@alexlarsson do you still consider making this usable for Live systems?

[alexlarsson]

It would be nice to have, but i can't really think of a good solution. Maybe one could create an ostree repo mode similar to bare-user that doesn't use xattrs, or one could look at adding xattrs to tmpfs.

[hamr]

Unfortunately, I have the same problem with nfs $HOME. Do you recommend the bind mounting workaround for people in that situation as well?

[alexlarsson]

Symlink should work too. Or, install the apps in the system repo (/var/lib/xdg-app), althought that requires you to be root to install them. The later is the long-term plan for most xdg-app installs actually. I want to add a polkit enabled helper that lets users update/install signed apps from trusted remotes.

[hamr]

Cool, thanks! That sounds like a good plan.

[alexlarsson]

This issue was moved to flatpak/flatpak#17