unable to make backup link of `./usr/sbin/uuidd' before installing new version: Operation not permitted

That is a very strange error. What if you try this:

sudo -s
cd /usr/sbin
ln uuidd uuidd.bak
rm uuidd.bak

chris@devel:~⟫ sudo -s
root@devel:~# cd /usr/sbin
root@devel:/usr/sbin# ln uuidd uuidd.bak
ln: failed to create hard link ‘uuidd.bak’ => ‘uuidd’: Operation not permitted

Is there maybe already a /usr/sbin/uuidd.bak with read-only permissions? Or a non-writable /usr/sbin? Please show the output of

  ls -ld /usr/sbin/
  ls -l /usr/sbin/uuidd*

root@devel:~# ls -ld /usr/sbin/
drwxr-xr-x 2 root root 4096 Sep 24 18:11 /usr/sbin/
root@devel:~# ls -l /usr/sbin/uuidd*
-rwsr-sr-x 1 libuuid libuuid 18904 Aug 5 02:20 /usr/sbin/uuidd

That sounds a bit like fs corruption then. Can you please do

  cd /usr/bin; sudo strace -fvvs1024 -o /tmp/trace ln uuidd uuidd.bak

and attach /tmp/trace? I guess it really fails in link(2) with EPERM ("old name is a directory") or EACCESS ("new path directory is not writable"), but let's make double-sure. Can you please also run an fsck?

Yes, seems to be a broken filesystem. What type of filesystem is this? Check dmesg/syslog for errors. Also can you touch somenewfile in that directory?

Unless... do you have SELinux enabled or something?

I've seen this pretty consistently too across a few hundred containers. My guess so far was that it had to do with filesystem capabilities or something similar.

So things are set properly when the image is unpacked by real root on the host, but the extended attribute then can't be modified from within the container, leading to the failure. It's just a guess though.

Marking confirmed based on stgraber's comment.

It's the setuid and setgid bits with user namespace.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1498162

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

You can work around this by doing

echo 0 | sudo tee -a /proc/sys/fs/protected_hardlinks

on the host.

I have a fix, but I will want to run it by upstream before we apply it to be sure we aren't opening up any security issues. In the meantime I've put up a test build, please give it a try and verify that the uuid-runtime upgrade can be successfully installed.

http://people.canonical.com/~sforshee/lp1498162/

Seth, is this for the host or the container? Either way, I'm not running 4.2..

It should be installed in the host, the container is using the same kernel as the host. I'll kick off a build for trusty.

Okay, debs for trusty are now posted to the same location.

3.19.0-31.35+lp1498162v201510291055 worked. I was able to update the uuid-runtime package.

Patch sent to the kernel-team list.

This bug was fixed in the package linux - 4.2.0-19.23

---------------
linux (4.2.0-19.23) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1515157

  [ Andy Whitcroft ]

  * [Config] re-enable OSS support and blacklist
    - LP: #1434842

  [ dann frazier ]

  * Revert "[Config] CONFIG_ARM64_ERRATUM_843419=n"
    - LP: #1502946

  [ Paolo Pisati ]

  * [SRU] [Config] armhf: LEDS_TRIGGER_HEARTBEAT=y
    - LP: #1510165

  [ Tim Gardner ]

  * [Config] Add iscsi_ibft and iscsi_boot_sysfs to generic inclusion list
    - LP: #1511006
  * [Config] CONFIG_AUFS_EXPORT=y
    - LP: #1121699

  [ Upstream Kernel Changes ]

  * Revert "KVM: x86: apply guest MTRR virtualization on host reserved
    pages"
    - LP: #1509886
  * Revert "KVM: SVM: use NPT page attributes"
    - LP: #1509886
  * Revert "KVM: SVM: Sync g_pat with guest-written PAT value"
    - LP: #1509886
  * Revert "cgroup: simplify threadgroup locking"
    - LP: #1509886
  * Revert "sched, cgroup: replace signal_struct->group_rwsem with a global
    percpu_rwsem"
    - LP: #1509886
  * Revert "ARM64: unwind: Fix PC calculation"
    - LP: #1514889
  * Revert "serial: 8250_dma: don't bother DMA with small transfers"
    - LP: #1514889
  * Revert "md: allow a partially recovered device to be hot-added to an
    array."
    - LP: #1514889
  * arm64: Change memcpy in kernel to use the copy template file
    - LP: #1508471
  * arm64: copy_to-from-in_user optimization using copy template
    - LP: #1508471
  * Input: elan_i2c - enable ELAN0600 acpi panels
    - LP: #1439111
  * e1000e: Fix tight loop implementation of systime read algorithm
  * arm: KVM: Fix incorrect device to IPA mapping
    - LP: #1509886
  * KVM: vmx: fix VPID is 0000H in non-root operation
    - LP: #1509886
  * kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd
    - LP: #1509886
  * kvm: fix zero length mmio searching
    - LP: #1509886
  * kvm: factor out core eventfd assign/deassign logic
    - LP: #1509886
  * kvm: fix double free for fast mmio eventfd
    - LP: #1509886
  * arm: KVM: Disable virtual timer even if the guest is not using it
    - LP: #1509886
  * kvm: svm: reset mmu on VCPU reset
    - LP: #1509886
  * KVM: x86: trap AMD MSRs for the TSeg base and mask
    - LP: #1509886
  * KVM: PPC: Book3S: Take the kvm->srcu lock in
    kvmppc_h_logical_ci_load/store()
    - LP: #1509886
  * KVM: PPC: Book3S HV: Pass the correct trap argument to
    kvmhv_commence_exit
    - LP: #1509886
  * time: Fix timekeeping_freqadjust()'s incorrect use of abs() instead of
    abs64()
    - LP: #1509886
  * target/iscsi: Fix np_ip bracket issue by removing np_ip
    - LP: #1509886
  * scsi: fix scsi_error_handler vs. scsi_host_dev_release race
    - LP: #1509886
  * target: Attach EXTENDED_COPY local I/O descriptors to xcopy_pt_sess
    - LP: #1509886
  * target: Fix PR registration + APTPL RCU conversion regression
    - LP: #1509886
  * iser-target: remove command with state ISTATE_REMOVE
    - LP: #1509886
  * iser-target: Put the reference on commands waiting for unsol data
    - LP: #1509886
  * toshiba_acpi: Fix hotkeys registration on some toshiba models
    - LP: #1509886
  *...

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug was fixed in the package linux - 3.19.0-37.42

---------------
linux (3.19.0-37.42) vivid; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1518406

  [ K. Y. Srinivasan ]

  * SAUCE: Drivers: hv: vmbus: Fix a Host signaling bug
    - LP: #1508706

 -- Kamal Mostafa <email address hidden> Fri, 20 Nov 2015 09:49:10 -0800

This bug was fixed in the package linux - 4.2.0-19.23

---------------
linux (4.2.0-19.23) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1515157

  [ Andy Whitcroft ]

  * [Config] re-enable OSS support and blacklist
    - LP: #1434842

  [ dann frazier ]

  * Revert "[Config] CONFIG_ARM64_ERRATUM_843419=n"
    - LP: #1502946

  [ Paolo Pisati ]

  * [SRU] [Config] armhf: LEDS_TRIGGER_HEARTBEAT=y
    - LP: #1510165

  [ Tim Gardner ]

  * [Config] Add iscsi_ibft and iscsi_boot_sysfs to generic inclusion list
    - LP: #1511006
  * [Config] CONFIG_AUFS_EXPORT=y
    - LP: #1121699

  [ Upstream Kernel Changes ]

  * Revert "KVM: x86: apply guest MTRR virtualization on host reserved
    pages"
    - LP: #1509886
  * Revert "KVM: SVM: use NPT page attributes"
    - LP: #1509886
  * Revert "KVM: SVM: Sync g_pat with guest-written PAT value"
    - LP: #1509886
  * Revert "cgroup: simplify threadgroup locking"
    - LP: #1509886
  * Revert "sched, cgroup: replace signal_struct->group_rwsem with a global
    percpu_rwsem"
    - LP: #1509886
  * Revert "ARM64: unwind: Fix PC calculation"
    - LP: #1514889
  * Revert "serial: 8250_dma: don't bother DMA with small transfers"
    - LP: #1514889
  * Revert "md: allow a partially recovered device to be hot-added to an
    array."
    - LP: #1514889
  * arm64: Change memcpy in kernel to use the copy template file
    - LP: #1508471
  * arm64: copy_to-from-in_user optimization using copy template
    - LP: #1508471
  * Input: elan_i2c - enable ELAN0600 acpi panels
    - LP: #1439111
  * e1000e: Fix tight loop implementation of systime read algorithm
  * arm: KVM: Fix incorrect device to IPA mapping
    - LP: #1509886
  * KVM: vmx: fix VPID is 0000H in non-root operation
    - LP: #1509886
  * kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd
    - LP: #1509886
  * kvm: fix zero length mmio searching
    - LP: #1509886
  * kvm: factor out core eventfd assign/deassign logic
    - LP: #1509886
  * kvm: fix double free for fast mmio eventfd
    - LP: #1509886
  * arm: KVM: Disable virtual timer even if the guest is not using it
    - LP: #1509886
  * kvm: svm: reset mmu on VCPU reset
    - LP: #1509886
  * KVM: x86: trap AMD MSRs for the TSeg base and mask
    - LP: #1509886
  * KVM: PPC: Book3S: Take the kvm->srcu lock in
    kvmppc_h_logical_ci_load/store()
    - LP: #1509886
  * KVM: PPC: Book3S HV: Pass the correct trap argument to
    kvmhv_commence_exit
    - LP: #1509886
  * time: Fix timekeeping_freqadjust()'s incorrect use of abs() instead of
    abs64()
    - LP: #1509886
  * target/iscsi: Fix np_ip bracket issue by removing np_ip
    - LP: #1509886
  * scsi: fix scsi_error_handler vs. scsi_host_dev_release race
    - LP: #1509886
  * target: Attach EXTENDED_COPY local I/O descriptors to xcopy_pt_sess
    - LP: #1509886
  * target: Fix PR registration + APTPL RCU conversion regression
    - LP: #1509886
  * iser-target: remove command with state ISTATE_REMOVE
    - LP: #1509886
  * iser-target: Put the reference on commands waiting for unsol data
    - LP: #1509886
  * toshiba_acpi: Fix hotkeys registration on some toshiba models
    - LP: #1509886
  *...

This bug was fixed in the package linux - 3.13.0-70.113

---------------
linux (3.13.0-70.113) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1516733

  [ Upstream Kernel Changes ]

  * arm64: errata: use KBUILD_CFLAGS_MODULE for erratum #843419
    - LP: #1516682

linux (3.13.0-69.112) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1514858

  [ Joseph Salisbury ]

  * SAUCE: storvsc: use small sg_tablesize on x86
    - LP: #1495983

  [ Luis Henriques ]

  * [Config] updateconfigs after 3.13.11-ckt28 and 3.13.11-ckt29 stable
    updates

  [ Upstream Kernel Changes ]

  * ext4: fix indirect punch hole corruption
    - LP: #1292234
  * x86/hyperv: Mark the Hyper-V TSC as unstable
    - LP: #1498206
  * namei: permit linking with CAP_FOWNER in userns
    - LP: #1498162
  * iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series
    - LP: #1510616
  * Drivers: hv: vmbus: Increase the limit on the number of pfns we can
    handle
    - LP: #1495983
  * sctp: fix race on protocol/netns initialization
    - LP: #1514832
  * [media] v4l: omap3isp: Fix sub-device power management code
    - LP: #1514832
  * [media] rc-core: fix remove uevent generation
    - LP: #1514832
  * xtensa: fix threadptr reload on return to userspace
    - LP: #1514832
  * ARM: OMAP2+: DRA7: clockdomain: change l4per2_7xx_clkdm to SW_WKUP
    - LP: #1514832
  * mac80211: enable assoc check for mesh interfaces
    - LP: #1514832
  * PCI: Add dev_flags bit to access VPD through function 0
    - LP: #1514832
  * PCI: Add VPD function 0 quirk for Intel Ethernet devices
    - LP: #1514832
  * usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512
    bytes
    - LP: #1514832
  * serial: 8250_pci: Add support for Pericom PI7C9X795[1248]
    - LP: #1514832
  * KVM: MMU: fix validation of mmio page fault
    - LP: #1514832
  * auxdisplay: ks0108: fix refcount
    - LP: #1514832
  * devres: fix devres_get()
    - LP: #1514832
  * iio: adis16400: Fix adis16448 gyroscope scale
    - LP: #1514832
  * iio: Add inverse unit conversion macros
    - LP: #1514832
  * iio: adis16480: Fix scale factors
    - LP: #1514832
  * iio: industrialio-buffer: Fix iio_buffer_poll return value
    - LP: #1514832
  * iio: event: Remove negative error code from iio_event_poll
    - LP: #1514832
  * NFSv4: don't set SETATTR for O_RDONLY|O_EXCL
    - LP: #1514832
  * unshare: Unsharing a thread does not require unsharing a vm
    - LP: #1514832
  * ASoC: adav80x: Remove .read_flag_mask setting from
    adav80x_regmap_config
    - LP: #1514832
  * drivers: usb :fsl: Implement Workaround for USB Erratum A007792
    - LP: #1514832
  * drivers: usb: fsl: Workaround for USB erratum-A005275
    - LP: #1514832
  * serial: 8250: don't bind to SMSC IrCC IR port
    - LP: #1514832
  * staging: comedi: adl_pci7x3x: fix digital output on PCI-7230
    - LP: #1514832
  * blk-mq: fix buffer overflow when reading sysfs file of 'pending'
    - LP: #1514832
  * xtensa: fix kernel register spilling
    - LP: #1514832
  * NFS: nfs_set_pgio_error sometimes misses errors
    - LP: #1514832
  * NFS: Fix a NULL pointer dereference of migration...