Can't install on fedora silverblue

[JeremiahSecrist]

Pre-Submit Checklist:

• Check applicable sources for existing issues:
  • [x] Windows Known Issues
  • [x] Linux Known Issues
  • [x] Github Issues
  • [x] New issue

What happened: Program failed to install. After install the prerequisites needed for protmaster and rebooted I downloaded the rpm and run rpm-ostree install /path/to/rpm During the installation it failed giving the following error. I understand silver-blue is more edge case scenario. That being said I'm willing to help test an any way possible.

What did you expect to happen?: The program to install properly.

How did you reproduce it?: Simply by downloading and installing into fedora silver-blue

Debug Information: error: Running %post for portmaster: bwrap(/bin/sh): Child process killed by signal 1; run journalctl -t 'rpm-ostree(portmaster.post)' for more information

Portmaster.log

[dhaavi]

Hey @arouzing, thanks for reporting this.

I think the problem is this line: chcon: failed to change context of '/opt/safing/portmaster/portmaster-start'

I believe this is similar, possibly a duplicate of https://github.com/safing/portmaster/issues/465.

We will look into this. Internall tracked with CC#2168.

[JeremiahSecrist]

Thanks! Silverblue works a bit differently then normal fedora. it may require slightly different packaging in order to get it to work. If you would like I could link you to the information and limitation of packaging for fedora Silverblue.

[dhaavi]

I see. Yes, a couple references would definitely be nice.

[JeremiahSecrist]

https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/ Here in the FAQ is a section mentioning issues when installing into opt or local. It points to here If you need a tester for installing onto silverblue I'd be happy to test packages. As I would love to use postmaster on this machine!

[JeremiahSecrist]

As silver blue is mostly immutable certain most areas can not have dynamic data stored in them. The areas where mutable information is stored is located here

[dhaavi]

Thanks for the pointers!

silver blue is mostly immutable

Ah, yes. That would be a problem. But /opt seems to linked to /var/opt now, so maybe this isn't a problem after all.

[JeremiahSecrist]

chcon: failed to change context of '/opt/safing/portmaster/portmaster-start'

Does port-master make changes to /opt over time (I think you answered this before)? Do you think it would be possible to have the package detect silverblue and change directories? The github issue I linked before only works for chrome currently.

[dhaavi]

Does port-master make changes to /opt over time

Yes. All data is there: config, databases, updates, logs.

Do you think it would be possible to have the package detect silverblue and change directories?

Maybe. Does silverblue have a special system for this in place? Eg. to query if silverblue is there and ways to interact?

But if /opt is really linked to /var/opt, then this shouldn't be a problem, should it?

[JeremiahSecrist]

Yes. All data is there: config, databases, updates, logs. I'll have to look around more and see how different project accomplish this on fedora and still work with silverblue

But if /opt is really linked to /var/opt, then this shouldn't be a problem, should it? It should with the current workaround in place but something seams off with the current configuration that the patch cant handle. I did some testing on my system and found some packages that accomplished patching into /var/opt with no issue.

I am asking around for some guidelines to see if I can help further! I do have some packages that I have used that store in opt and work, let me link them here: Tabby vagrant

other information: https://www.pathname.com/fhs/pub/fhs-2.3.pdf

Thanks so much for taking the time to read all this I know you guys are busy!

[dhaavi]

I've looked into Tabby and Vagrant a bit and it seems they don't do automatic updates, which I think is causing the trouble here.

Another app I know does automatic updates and installs to /opt, is Google Chrome. Don't know if they have support for Silverblue.

https://www.pathname.com/fhs/pub/fhs-2.3.pdf

This is interesting. I haven't yet encountered such a detailed description yet.

I can say that we do not fully follow the definitions laid out here. Well, except if Silverblue really just links /opt to /var/opt - then we should be ok.

Can you find out how exactly Silverblue handles /opt and /var/opt?

Thanks so much for taking the time to read all this I know you guys are busy!

Thanks for the appreciation. It's always nice when someone understands.

[JeremiahSecrist]

I think I found a Potential fix to the issue. It might be worth trying on a fedora silverblue vm. change the paths and install the compiled rpm with rpm-ostree install custom-package.rpm

The solution may not even apply in this situation. Maybe I'll see if I can find someone working on the silverblue team to take a look at this project and give some guidance?

I noticed they have a community section where you could reach out: https://discussion.fedoraproject.org/tag/silverblue

[JayDoubleu]

This issue is caused by https://github.com/safing/portmaster-packaging/blob/0284b11d5f68efca0a108d689d934d88391e2b6d/linux/templates/snippets/post-install.sh#L18..L20

chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported

Removing lines mentioned above makes it install with rpm-ostree just fine.

I'm not sure if chcon should be in postinstall. Perhaps you could try something like below instead:

if command -V getenforce >/dev/null 2>&1; then
    semanage fcontext -a -t bin_t /opt/safing/portmaster/portmaster-start
    restorecon -v /opt/safing/portmaster/portmaster-start
fi

[cjao]

Thanks for the pointers!

silver blue is mostly immutable

Ah, yes. That would be a problem. But /opt seems to linked to /var/opt now, so maybe this isn't a problem after all.

While /opt is ordinarily linked to /var/opt, rpm-ostree install actually redirects files in /opt to /usr/lib/opt. This is because rpm-ostree expects all system code tracked by rpm to live under /usr and reserves /opt strictly for programs with custom (non-rpm) installers.

[JeremiahSecrist]

This issue is caused by https://github.com/safing/portmaster-packaging/blob/0284b11d5f68efca0a108d689d934d88391e2b6d/linux/templates/snippets/post-install.sh#L18..L20

chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported

Removing lines mentioned above makes it install with rpm-ostree just fine.

I'm not sure if chcon should be in postinstall. Perhaps you could try something like below instead:

if command -V getenforce >/dev/null 2>&1; then
    semanage fcontext -a -t bin_t /opt/safing/portmaster/portmaster-start
    restorecon -v /opt/safing/portmaster/portmaster-start
fi

Would it be alright if I ask how you modified the rpm? Did you recompile or just modify the rpm? If the latter, how did you go about that. Thanks in advance!

[JayDoubleu]

This issue is caused by https://github.com/safing/portmaster-packaging/blob/0284b11d5f68efca0a108d689d934d88391e2b6d/linux/templates/snippets/post-install.sh#L18..L20 chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported Removing lines mentioned above makes it install with rpm-ostree just fine. I'm not sure if chcon should be in postinstall. Perhaps you could try something like below instead:

if command -V getenforce >/dev/null 2>&1; then
    semanage fcontext -a -t bin_t /opt/safing/portmaster/portmaster-start
    restorecon -v /opt/safing/portmaster/portmaster-start
fi

Would it be alright if I ask how you modified the rpm? Did you recompile or just modify the rpm? If the latter, how did you go about that. Thanks in advance!

@arouzing I cloned this repo, modified the mentioned lines and ran make rpm command. Before that would work I had to install bunch of weird golang deps as it looks like this RPM is being built by some lazy do it all magical go app.

FROM fedora:35
RUN dnf -y install '@Development tools'

RUN mkdir /tmp/build
RUN git clone https://github.com/JayDoubleu/portmaster-packaging.git /tmp/build

WORKDIR /tmp/build/linux

RUN dnf -y install ImageMagick

ADD https://github.com/hairyhenderson/gomplate/releases/download/v3.10.0/gomplate_linux-amd64 /usr/bin/gomplate
RUN chmod +x /usr/bin/gomplate

RUN echo [goreleaser] > /etc/yum.repos.d/goreleaser.repo
RUN echo name=GoReleaser >> /etc/yum.repos.d/goreleaser.repo
RUN echo baseurl=https://repo.goreleaser.com/yum/ >> /etc/yum.repos.d/goreleaser.repo 
RUN echo enabled=1 >> /etc/yum.repos.d/goreleaser.repo 
RUN echo gpgcheck=0 >> /etc/yum.repos.d/goreleaser.repo 

RUN dnf -y install nfpm

RUN make rpm

Add above to Containerfile

then run podman build -t portmaster . It will build you an rpm. Then you can extract it from container with : podman run -it -v $(pwd):/tmp/pwd:Z portmaster cp dist/portmaster-0.7.0~2.x86_64.rpm /tmp/pwd

You will end up with portmaster-0.7.0~2.x86_64.rpm in your current working directory. Then just simply install it with rpm-ostree install portmaster-0.7.0~2.x86_64.rpm

[JeremiahSecrist]

@JayDoubleu thankyou very much!

[JeremiahSecrist]

After a successful install and a reboot, it is however unable to startup. The desktop file is misconfigured, since it is trying to write data on startup. /opt/safing/portmaster/portmaster-start app --data=/opt/safing/portmaster (is the default command for portmaster.desktop) changing it to /var/opt does not seam to be the solution either. Error log

[JayDoubleu]

After a successful install and a reboot, it is however unable to startup. The desktop file is misconfigured, since it is trying to write data on startup. /opt/safing/portmaster/portmaster-start app --data=/opt/safing/portmaster (is the default command for portmaster.desktop) changing it to /var/opt does not seam to be the solution either. Error log

I would try getting fedora workstation in gnome boxes and see if it works at all in fedora.

Perks of being an early adopter for alpha software ;)

[JeremiahSecrist]

Perks of being an early adopter for alpha software ;) It certainly is. I came across this project and really want to see it work on silver blue. A worthy price to pay.

I have a vm up and running, let me give it a shot. edit: I know un-modded portmaster works just fine on fedora workstation.

[JayDoubleu]

I also noticed this :

Feb 06 00:27:26  rpm-ostree(portmaster.post)[12328]: portmaster: Failed to download modules
Feb 06 00:27:26  rpm-ostree(portmaster.post)[12328]: portmaster: Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n

So you could try running sudo /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update

[JeremiahSecrist]

That was attempted:

220205 19:29:58.159 ▶ BOF
220205 19:29:58.310 r/updating:099 ▶ WARN 001 updates: failed to save updated index stable.json: open /opt/safing/portmaster/updates/stable.json: permission denied
220205 19:29:58.310 r/updating:102 ▶ INFO 003 updates: updated index stable.json
220205 19:29:58.456 r/updating:092 ▶ WARN 004 updates: failed to ensure directory for updated index all/intel/intel.json: could not create dir /opt/safing/portmaster/updates/all: mkdir /opt/safing/portmaster/updates/all: permission denied
220205 19:29:58.456 r/updating:099 ▶ WARN 006 updates: failed to save updated index all/intel/intel.json: open /opt/safing/portmaster/updates/all/intel/intel.json: no such file or directory
220205 19:29:58.456 r/updating:102 ▶ INFO 008 updates: updated index all/intel/intel.json
220205 19:29:58.456 r/updating:144 ▶ INFO 009 updates: starting to download 12 updates
220205 19:30:03.457 r/updating:155 ▶ WARN 010 updates: failed to download all/ui/modules/assets.zip version 0.2.4: could not create updates folder: /opt/safing/portmaster/updates/all/ui/modules

[JayDoubleu]

Did you run it with sudo ?

[JeremiahSecrist]

I forgot sudo !! (I feel a bit stupid ) That being said, it does seam to hang at this phase, I'll let it set for a bit.

[JeremiahSecrist]

Currently hanging here:

220205 19:32:23.319 ▶ BOF
220205 19:32:23.448 r/updating:102 ▶ INFO 001 updates: updated index stable.json
220205 19:32:23.582 r/updating:102 ▶ INFO 002 updates: updated index all/intel/intel.json
220205 19:32:23.582 r/updating:144 ▶ INFO 003 updates: starting to download 12 updates

[JeremiahSecrist]

Update: workstation vm behaves almost the same way. Seems it may have been broken during compile or I / we are using the unstable branch during compile time? did you fork from master or https://github.com/safing/portmaster-packaging/releases/tag/v0.7.0 ?

[JayDoubleu]

Looks like it installs into read only part of system safing -> /usr/lib/opt/safing

[JayDoubleu]

Update: workstation vm behaves almost the same way. Seems it may have been broken during compile or I / we are using the unstable branch during compile time? did you fork from master or https://github.com/safing/portmaster-packaging/releases/tag/v0.7.0 ?

master

[JeremiahSecrist]

Would it be possible to revert your fork back to that release? Or shall I make a new fork from that release?

[JayDoubleu]

I've just rebased it to 0.7.0

[JeremiahSecrist]

Awesome, I'll recompile and see how it goes.