
I pulled a NixOS container and now want to remove it.

I enter:

```
sudo machinectl remove nixos-21-tar
```

But the return message is:

```
Could not remove image: Access denied
```

If I list the images I get:

```
$ machinectl list-images
  NAME         TYPE      RO USAGE CREATED MODIFIED
  debian       directory no   n/a n/a     n/a
  nixos-21-tar directory no   n/a n/a     n/a
```

EDIT:

I think the image has been corrupted and the owner/group is wrong:

```
sudo tree /var/lib/machines/nixos-21-tar/
/var/lib/machines/nixos-21-tar/
└── var
    └── empty

sudo ls -alR /var/lib/machines/nixos-21-tar/
/var/lib/machines/nixos-21-tar:
total 12
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 .
drwxrwxrwx 4 root      root      4096 Apr 21 17:23 ..
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 var

/var/lib/machines/nixos-21-tar/var:
total 12
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 .
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 ..
dr-xr-xr-x 2 root      root      4096 Mar 11 17:29 empty

/var/lib/machines/nixos-21-tar/var/empty:
total 8
dr-xr-xr-x 2 root      root      4096 Mar 11 17:29 .
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 ..
```
potong
  • The big numeric owner/group is not corrupt. By default (at least under certain conditions? check the docs) `systemd-nspawn` containers will use user/group namespacing; this is a kernel feature that translates the UIDs/GIDs seen by the host into different UIDs/GIDs inside the container. `699334656` is probably the container's `root`. It *is* weird that there's a directory owned by the "real" `root` in there. – HTNW Apr 21 '22 at 22:47
  • @HTNW thanks, I've just tried `sudo chown 699334656 /var/lib/machines/nixos-21-tar/var/empty/` `chown: changing ownership of '/var/lib/machines/nixos-21-tar/var/empty/': Operation not permitted` but as you see no luck. – potong Apr 21 '22 at 23:08
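
HTNW's reading of the numeric owner can be checked against the listing in the question. The following is an added example, not code from the post or from systemd; it assumes the `--private-users=pick` allocation documented for `systemd-nspawn` (a base UID that is a multiple of 65536 in the range 524288 to 1878982656), and the function names are hypothetical.

```python
import re

# Assumption: allocation range and alignment as documented for
# systemd-nspawn --private-users=pick.
PICK_MIN, PICK_MAX, BLOCK = 524288, 1878982656, 65536

# Rows taken from the `ls -alR` output in the question (shortened).
LISTING = """\
/var/lib/machines/nixos-21-tar:
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 .
drwxrwxrwx 3 699334656 699334656 4096 Apr 18 18:38 var

/var/lib/machines/nixos-21-tar/var:
dr-xr-xr-x 2 root      root      4096 Mar 11 17:29 empty
"""

ROW = re.compile(
    r"^[dl-][rwxsStT-]{9}\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$")

def classify(owner):
    """Map an ls owner column to (kind, container_uid, base)."""
    if not owner.isdigit():
        return ("host-name", None, None)  # resolved by the host, e.g. root
    uid = int(owner)
    base = uid - uid % BLOCK              # start of the 64K block
    if PICK_MIN <= base <= PICK_MAX:
        return ("nspawn-shifted", uid - base, base)
    return ("host-numeric", None, None)

def audit(listing):
    """Return (path, kind, container_uid, base) for every listed entry."""
    rows, cwd = [], ""
    for line in (raw.rstrip() for raw in listing.splitlines()):
        if line.endswith(":"):            # directory header of ls -R
            cwd = line[:-1]
            continue
        m = ROW.match(line)
        if m and m.group(2) not in (".", ".."):
            rows.append((f"{cwd}/{m.group(2)}", *classify(m.group(1))))
    return rows

def unshifted(listing):
    """Entries in a shifted tree that still belong to a host account."""
    rows = audit(listing)
    if not any(kind == "nspawn-shifted" for _, kind, _, _ in rows):
        return []
    return [path for path, kind, _, _ in rows if kind != "nspawn-shifted"]

if __name__ == "__main__":
    for row in audit(LISTING):
        print(row)
    print("not shifted:", unshifted(LISTING))
```

On the question's listing this reports `var` as container UID 0 at base 699334656 and `var/empty` as the only entry still owned by the host's `root`.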

1 Answer


In my Fedora 38 environment with SELinux enabled, I also get the same message.

I temporarily disabled SELinux, and then I could successfully remove the container.

```
[user@fedora-workstation ~]$ machinectl remove f38
Could not remove image: Access denied
[user@fedora-workstation ~]$ sudo machinectl remove f38
Could not remove image: Access denied
[user@fedora-workstation ~]$ sudo setenforce 0
[user@fedora-workstation ~]$ sudo machinectl remove f38
[user@fedora-workstation ~]$ sudo setenforce 1
[user@fedora-workstation ~]$
```
C.C. Hsu
  • Thank you C.C. Hsu for following up on this. I will now have an inkling how to resolve the matter. – potong Apr 30 '23 at 13:40