[GH-ISSUE #5230] /etc is unwritable on --chroot on debootstrap system #2928

Closed
opened 2026-05-05 09:35:27 -06:00 by gitea-mirror · 8 comments

Originally created by @rayment on GitHub (Jul 4, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5230

Description

Following the documentation at https://firejail.wordpress.com/documentation-2/basic-usage/ concerning the usage of firejail for creating an isolated debootstrap system, I am unable to create a user account, and installing packages via apt results in errors when attempting to write to /etc.

Steps to Reproduce

(as root)

  1. emerge -qv firejail
  2. echo "force-nonewprivs yes" >> /etc/firejail/firejail.config
  3. mkdir /jail
  4. debootstrap --arch=amd64 stable /jail
  5. LC_ALL=C TERM=xterm-color firejail --noprofile --chroot=/jail --shell=/bin/bash (note this already deviates from the documentation as the provided command will actually fail without setting --shell)
  6. adduser foo

Expected behavior

$ adduser foo
Adding user `foo' ...
Adding new group `foo' (1000) ...
etc. etc.

Actual behavior

$ adduser foo
Adding user `foo' ...
Adding new group `foo' (1000) ...
groupadd: failure while writing changes to /etc/group
adduser: `/sbin/groupadd -g 1000 foo' returned error code 10. Exiting.

Additional context

I'm not sure if this is really a bug or merely a configuration error or a lack of concise documentation, but this occurs using the default firejail v0.9.68 as it comes on Gentoo with the only change in configuration being force-nonewprivs yes as suggested by the documentation.

Similar commands such as useradd or unrelated commands like calling apt are also failing:

$ useradd foo
useradd: failure while writing changes to /etc/passwd
$ apt install htop
...
ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: Device or resource busy
dpkg: error processing package libc-bin (--configure):
  installed libc-bin package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
  libc-bin
E: Sub-process /usr/bin/dpkg returned an error code (1)

Environment

  • Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
Linux home 5.15.41-gentoo-x86_64 #1 SMP Thu Jun 30 20:08:43 UTC 2022 x86_64 AMD Ryzen 7 PRO 5850U with Radeon Graphics AuthenticAMD GNU/Linux
  • Gentoo USE flags
X chroot dbusproxy file-transfer globalcfg network private-home userns -apparmor -contrib -test
  • Firejail version (firejail --version).
firejail version 0.9.68

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
    • Yes, a regular chroot lets me interact with my Debian installation as normal, but that defeats the purpose.
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
    • --noprofile as per the docs.
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail --debug /path/to/program

$ LC_ALL=C TERM=xterm-color firejail --noprofile --chroot=/jail --shell=/bin/bash --debug
Command name #/bin/bash#
Enabling IPC namespace
Using the local network stack
Command name #/bin/bash#
Enabling IPC namespace
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /dev on chroot /dev
Updating chroot /etc/resolv.conf
Chrooting into /jail
Mounting /proc filesystem representing the PID namespace
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /boot
Disable /dev/port
Disable /mnt
Disable /media
Disable /run/mount
Disable /sys/fs
Disable /sys/module
rebuilding /etc directory
Creating empty /run/firejail/mnt/dns-etc/rc2.d directory
Creating empty /run/firejail/mnt/dns-etc/xattr.conf file
Creating empty /run/firejail/mnt/dns-etc/selinux directory
Creating empty /run/firejail/mnt/dns-etc/fstab file
Creating empty /run/firejail/mnt/dns-etc/group- file
Creating empty /run/firejail/mnt/dns-etc/apt directory
Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf file
Creating empty /run/firejail/mnt/dns-etc/resolv.conf file
Creating empty /run/firejail/mnt/dns-etc/rcS.d directory
Creating empty /run/firejail/mnt/dns-etc/kernel directory
Creating empty /run/firejail/mnt/dns-etc/timezone file
Creating empty /run/firejail/mnt/dns-etc/passwd file
Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf file
Creating empty /run/firejail/mnt/dns-etc/rc0.d directory
Creating empty /run/firejail/mnt/dns-etc/host.conf file
Creating empty /run/firejail/mnt/dns-etc/gshadow file
Creating empty /run/firejail/mnt/dns-etc/adduser.conf file
Creating empty /run/firejail/mnt/dns-etc/systemd directory
Creating empty /run/firejail/mnt/dns-etc/nsswitch.conf file
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/debian_version file
Creating empty /run/firejail/mnt/dns-etc/subgid file
Creating empty /run/firejail/mnt/dns-etc/cron.d directory
Creating empty /run/firejail/mnt/dns-etc/rc6.d directory
Creating empty /run/firejail/mnt/dns-etc/mke2fs.conf file
Creating empty /run/firejail/mnt/dns-etc/default directory
Creating empty /run/firejail/mnt/dns-etc/deluser.conf file
Creating empty /run/firejail/mnt/dns-etc/dpkg directory
Creating empty /run/firejail/mnt/dns-etc/pam.d directory
Creating empty /run/firejail/mnt/dns-etc/subuid file
Creating empty /run/firejail/mnt/dns-etc/rc3.d directory
Creating empty /run/firejail/mnt/dns-etc/issue.net file
Creating empty /run/firejail/mnt/dns-etc/bash.bashrc file
Creating empty /run/firejail/mnt/dns-etc/profile.d directory
Creating empty /run/firejail/mnt/dns-etc/netconfig file
Creating empty /run/firejail/mnt/dns-etc/rc5.d directory
Creating empty /run/firejail/mnt/dns-etc/shells file
Creating empty /run/firejail/mnt/dns-etc/ca-certificates directory
Creating empty /run/firejail/mnt/dns-etc/.pwd.lock file
Creating empty /run/firejail/mnt/dns-etc/update-motd.d directory
Creating empty /run/firejail/mnt/dns-etc/shadow- file
Creating empty /run/firejail/mnt/dns-etc/hostname file
Creating empty /run/firejail/mnt/dns-etc/debconf.conf file
Creating empty /run/firejail/mnt/dns-etc/passwd- file
Creating empty /run/firejail/mnt/dns-etc/environment file
Creating empty /run/firejail/mnt/dns-etc/logrotate.d directory
Creating empty /run/firejail/mnt/dns-etc/e2scrub.conf file
Creating empty /run/firejail/mnt/dns-etc/opt directory
Creating empty /run/firejail/mnt/dns-etc/rc1.d directory
Creating empty /run/firejail/mnt/dns-etc/libaudit.conf file
Creating empty /run/firejail/mnt/dns-etc/ssl directory
Creating empty /run/firejail/mnt/dns-etc/gai.conf file
Creating empty /run/firejail/mnt/dns-etc/bindresvport.blacklist file
Creating empty /run/firejail/mnt/dns-etc/cron.daily directory
Creating empty /run/firejail/mnt/dns-etc/gss directory
Creating empty /run/firejail/mnt/dns-etc/profile file
Creating empty /run/firejail/mnt/dns-etc/motd file
Creating empty /run/firejail/mnt/dns-etc/shadow file
Creating empty /run/firejail/mnt/dns-etc/skel directory
Creating empty /run/firejail/mnt/dns-etc/pam.conf file
Creating empty /run/firejail/mnt/dns-etc/group file
Creating empty /run/firejail/mnt/dns-etc/terminfo directory
Creating empty /run/firejail/mnt/dns-etc/issue file
Creating empty /run/firejail/mnt/dns-etc/security directory
Creating empty /run/firejail/mnt/dns-etc/login.defs file
Creating empty /run/firejail/mnt/dns-etc/init.d directory
Creating empty /run/firejail/mnt/dns-etc/rc4.d directory
Creating empty /run/firejail/mnt/dns-etc/alternatives directory
Mount-bind /run/firejail/mnt/dns-etc on top of /etc
Current directory: /root
Mounting read-only /run/firejail/mnt/seccomp
279 109 0:50 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=279 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             180 ..
-rw-r--r-- root     root             568 seccomp
-rw-r--r-- root     root             432 seccomp.32
-rw-r--r-- root     root               0 seccomp.postexec
-rw-r--r-- root     root               0 seccomp.postexec32
No active seccomp files
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 0, gid 0, force_nogroups 0
No supplementary groups
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Starting /bin/bash shell
execvp argument 0: /bin/bash
The new log directory is /proc/14520/root/var/log

gitea-mirror 2026-05-05 09:35:27 -06:00 closed this issue and added the bug label

@rusty-snake commented on GitHub (Jul 4, 2022):

Can you try with --writable-etc.

> note this already deviates from the documentation as the provided command will actually fail without setting --shell)

There were recent changes to --shell but it should be investigated what --chroot changes on it.


@rayment commented on GitHub (Jul 4, 2022):

> Can you try with --writable-etc.

Unfortunately it seems to change nothing, that is, exact same errors.


@smitsohu commented on GitHub (Jul 12, 2022):

The reason is probably that nowadays Firejail creates lots of mount points in /etc, and kernel doesn't allow us to rename a mount point.

@rayment Just for me to clarify, do you use any of --dns or --ip=dhcp or --ip6=dhcp?

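The mechanism described in the comment above, as an added example that is not part of the thread and not Firejail's own code: shadow-utils (groupadd, useradd) and ldconfig all write a temporary file next to the target and then rename(2) it into place, and the kernel refuses a rename whose target is itself a mount point with EBUSY, whatever the mount's rw/ro flags. The script below parses the same /proc/self/mountinfo the sandboxed process sees and lists every mount point under /etc, which is exactly the set of files those tools cannot replace. The mountinfo excerpt embedded in it is constructed to mirror the "Mount-bind /run/firejail/mnt/dns-etc on top of /etc" step of the --debug log; the mount IDs, device numbers and bind-mounted file names are assumptions, not captured output.

```python
"""List the mount points under /etc that make write-then-rename fail
inside the sandbox, and show the rename pattern that hits them.

Added example for this issue; not Firejail's code. The mountinfo text below
is constructed to mirror the --debug log in the report, not captured.
"""
import errno
import os
import tempfile

# Constructed excerpt: a tmpfs on /etc with individual files bind-mounted on
# top of it. IDs, devices and the set of files are assumptions.
SAMPLE_MOUNTINFO = """\
270 109 0:50 /dns-etc /etc rw,nosuid - tmpfs tmpfs rw,mode=755,inode64
271 270 8:2 /jail/etc/passwd /etc/passwd rw,relatime - ext4 /dev/sda2 rw
272 270 8:2 /jail/etc/group /etc/group rw,relatime - ext4 /dev/sda2 rw
273 270 8:2 /jail/etc/ld.so.cache /etc/ld.so.cache rw,relatime - ext4 /dev/sda2 rw
274 270 8:2 /jail/etc/apt /etc/apt rw,relatime - ext4 /dev/sda2 rw
279 109 0:50 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
"""


def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes mountinfo uses for space, tab, newline, backslash."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text: str) -> dict:
    """Map mount point -> (fstype, source). Fields before ' - ' are six fixed
    fields plus optional tagged ones; the mount point is field 5 (index 4)."""
    mounts = {}
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed line
        mounts[_unescape(pre_fields[4])] = (post_fields[0], _unescape(post_fields[1]))
    return mounts


def mount_points_under(text: str, prefix: str) -> list:
    """Mount points at or below prefix. rename(2) onto any of them returns
    EBUSY regardless of whether the mount is rw or ro."""
    prefix = os.path.normpath(prefix)
    return sorted(mp for mp in parse_mountinfo(text)
                  if mp == prefix or mp.startswith(prefix.rstrip("/") + "/"))


def would_rename_fail(text: str, path: str) -> bool:
    """True when path is itself a mount point in the given mountinfo."""
    return os.path.normpath(path) in parse_mountinfo(text)


def replace_atomically(path: str, data: bytes) -> str:
    """The write-to-temp-then-rename pattern shadow-utils and ldconfig use.
    Returns 'ok', or the errno name the kernel answered with ('EBUSY' when
    path is a mount point)."""
    tmp = path + "+"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    try:
        os.rename(tmp, path)
        return "ok"
    except OSError as exc:
        os.unlink(tmp)
        return errno.errorcode.get(exc.errno, str(exc.errno))


def demo_replace_in_tempdir() -> tuple:
    """Same pattern on a plain file that is not a mount point: succeeds."""
    path = os.path.join(tempfile.mkdtemp(), "group")
    with open(path, "wb") as f:
        f.write(b"root:x:0:\n")
    status = replace_atomically(path, b"root:x:0:\nfoo:x:1000:\n")
    with open(path, "rb") as f:
        return status, f.read()


if __name__ == "__main__":
    # Inside the sandbox read the live table; elsewhere fall back to the sample.
    try:
        with open("/proc/self/mountinfo") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_MOUNTINFO
    for mp in mount_points_under(table, "/etc"):
        print("mount point under /etc (rename onto it -> EBUSY):", mp)
    print(demo_replace_in_tempdir())
```

Run it from a shell inside the sandbox (firejail --noprofile --chroot=/jail --shell=/bin/bash, then python3 on the script) to see the live list; `findmnt -R /etc` gives the same answer without Python. Because the failure is about the target being a mount point rather than about permissions, --writable-etc or --read-write on /etc/passwd cannot change the result, which matches what was tried later in this thread.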

@rusty-snake commented on GitHub (Jul 12, 2022):

> The reason is probably that nowadays Firejail creates lots of mount points in /etc,

https://github.com/netblue30/firejail/issues/5010#issuecomment-1098700858


@rayment commented on GitHub (Jul 13, 2022):

> The reason is probably that nowadays Firejail creates lots of mount points in /etc, and kernel doesn't allow us to rename a mount point.
>
> @rayment Just for me to clarify, do you use any of --dns or --ip=dhcp or --ip6=dhcp?

No I wasn't - only as shown in the bug report.

$ LC_ALL=C TERM=xterm-color firejail --noprofile --ip=dhcp --chroot=/jail --shell=/bin/bash
Error: No network device configured

$ LC_ALL=C TERM=xterm-color firejail --noprofile --ip6=dhcp --chroot=/jail --shell=/bin/bash
Error: No network device configured

$ LC_ALL=C TERM=xterm-color firejail --noprofile --dns=8.8.8.8 --chroot=/jail --shell=/bin/bash
&c &c

DNS server 8.8.8.8

&c &c
Child process initialized in 5.45 ms
# useradd foo
useradd: failed while writing changes to /etc/passwd

@rayment commented on GitHub (Jul 13, 2022):

For what it's worth, I've tried the --writable-etc flag with --read-write on a combination of files and folders including /etc and /etc/passwd with no success.


@smitsohu commented on GitHub (Jul 17, 2022):

If the conclusion from #5010 is to revert the offending commit, then that would obviously solve this issue as well.

Otherwise, would it make sense to add a hotfix in master?

chroot-hotfix.patch.txt (https://github.com/netblue30/firejail/files/9128748/chroot-hotfix.patch.txt)


@rayment commented on GitHub (Jul 18, 2022):

> If the conclusion from #5010 is to revert the offending commit, then that would obviously solve this issue as well.
>
> Otherwise, would it make sense to add a hotfix in master?
>
> chroot-hotfix.patch.txt (https://github.com/netblue30/firejail/files/9128748/chroot-hotfix.patch.txt)

I can confirm that this completely fixes my issue by using a custom ebuild on Gentoo with this patch compiled with 0.9.70.

While I wait for an update I'll use this solution, thank you very much.

Reference: github-starred/firejail#2928