Pacstrap inside unprivileged container

I’d like to run pacstrap*, which is Arch linux’s offline installation wrapper around their package manager. One of the steps it takes is to setup a new root before chrooting and installing packages. This step is failing with an error while mounting. I understand that the root inside the container is just a regular unprivileged user on the host, but lxc has exposed a portion of /dev to the container so shouldn’t the container’s root user at least be able to remount the part of /dev that is visible to it?

$ sudo mkarchiso -v -w work/ -o out/ /usr/share/archiso/configs/releng/
...
[mkarchiso] INFO: Installing packages to '/home/ansible/archiso/work/x86_64/airootfs/'...
==> Creating install root at /home/ansible/archiso/work/x86_64/airootfs
mount: /home/ansible/archiso/work/x86_64/airootfs/dev: permission denied.
==> ERROR: failed to setup chroot /home/ansible/archiso/work/x86_64/airootfs
$ sudo bash -x pacstrap -C /home/ansible/archiso/work/pacman.conf -c -G -M -- /home/ansible/archiso/work/x86_64/airootfs ....
...
+ chroot_add_mount udev /home/ansible/archiso/work/x86_64/airootfs/dev -t devtmpfs -o mode=0755,nosuid
+ mount udev /home/ansible/archiso/work/x86_64/airootfs/dev -t devtmpfs -o mode=0755,nosuid
mount: /home/ansible/archiso/work/x86_64/airootfs/dev: permission denied.
+ die 'failed to setup chroot %s' /home/ansible/archiso/work/x86_64/airootfs

* (actually mkarchiso, but it transitively calls pacstrap)

devtmpfs cannot be mounted in unprivileged containers.

1 Like