In the past I used python scripts to fix up partially-shifted containers (below). This mostly worked, but I found the permissions for systemd journal files still needed fixing up manually, as they use ACLs. I think this could be the same problem you’re seeing.
Check using:
getfacl -Rsp /mnt/var/log/journal
(replace /mnt as appropriate)
For me, the issue was around group ‘adm’ which needed changing from 1000004 to 4. I used a hairy script (don’t copy this blindly, use at your own risk!!)
getfacl -Rsp /mnt/var/log/journal | grep '^# file:' |
while read a b f; do getfacl "$f" | sed 's/:1000004:/:4:/g' | setfacl --set-file=- "$f"; done
HTH,
Brian.
Here are the scripts I recorded in my notes. I used one for shifting upwards:
#!/usr/bin/python3
import os
for root, dirnames, filenames in os.walk('/var/lib/incus/storage-pools/default/containers/nfsen/rootfs'):
for name in dirnames + filenames:
fullpath = os.path.join(root, name)
st = os.lstat(fullpath)
uid = st.st_uid
uid = (1000000 + uid) if (uid >= 0 and uid <= 65535) else -1
gid = st.st_gid
gid = (1000000 + gid) if (gid >= 0 and gid <= 65535) else -1
if uid != -1 or gid != -1:
os.chown(fullpath, uid, gid, follow_symlinks=False)
And one for shifting downward, although in this one I can’t remember how or why I mounted the container filesystem onto /mnt, or why I had to skip sys/proc/dev.
#!/usr/bin/python3
import os
for root, dirnames, filenames in os.walk('/mnt'):
if root[0:9] == '/mnt/sys/':
continue
if root[0:10] == '/mnt/proc/':
continue
if root in ['/mnt/dev', '/mnt/sys', '/mnt/proc']:
continue
for name in dirnames + filenames:
fullpath = os.path.join(root, name)
st = os.lstat(fullpath)
uid = st.st_uid
uid = (uid - 1000000) if (uid >= 1000000 and uid <= 1065535) else -1
gid = st.st_gid
gid = (gid - 1000000) if (gid >= 1000000 and gid <= 1065535) else -1
if uid != -1 or gid != -1:
os.chown(fullpath, uid, gid, follow_symlinks=False)
More detail here: Incus Container Wont stop or allow itself to be deleted - #10 by candlerb