jails pkg: Fail to chflags /libexec/ld-elf32.so.1:Operation not permitted

maxwell79 · 2025-12-12T01:00:56+0000

I have a fresh install of FreeBSD 15.0-RELEASE (with pkgbase). I've created a jail via
bsdinstall as a ZFS file system:

Code:

zroot/jails/myjail      618M  1.08T   618M  /jails/myjail

When I go to install anything e.g. Nginx I get:

Code:

pkg Fail to chflags /libexec/ld-elf32.so.1:Operation not permitted

Code:

New packages to be INSTALLED:
        FreeBSD-clibs-lib32: 15.0 [FreeBSD-base]
        nginx: 1.28.0_3,3 [FreeBSD-ports]
        pcre2: 10.46 [FreeBSD-ports]

Number of packages to be installed: 3

The process will require 13 MiB more space.

Proceed with this action? [y/N]: y
[jail.myjail] [1/3] Installing FreeBSD-clibs-lib32-15.0...
[jail.myjail] [1/3] Extracting FreeBSD-clibs-lib32-15.0: 100%
pkg: Fail to chflags /libexec/ld-elf32.so.1:Operation not permitted
root@jail:~ #

Here is my jail.conf file.

Code:

allow.nomount;
mount.devfs;
path ="/jails/$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

host.hostname = "jail.$name";
ip4 = inherit;
ip6 = inherit;

myjail {
  allow.sysvipc = true;
  ip4.addr="192.168.0.2";
}

What have I missed?

skhal · 2025-12-13T03:39:28+0000

Same here but with FreeBSD-clang-15.0 in a jail that is based on FreeBSD-set-minimal-jail.

Code:

% pkg prime-list | grep FreeBSD-set
FreeBSD-set-minimal-jail

% doas pkg install FreeBSD-clang-15.0
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
Updating FreeBSD-base repository catalogue...
FreeBSD-base repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        FreeBSD-clang: 15.0 [FreeBSD-base]
        FreeBSD-clibs-lib32: 15.0 [FreeBSD-base]
        FreeBSD-libcompiler_rt-dev: 15.0 [FreeBSD-base]
        FreeBSD-lld: 15.0 [FreeBSD-base]

Number of packages to be installed: 4

The process will require 156 MiB more space.

Proceed with this action? [y/N]: y
[dev.lab.net] [1/4] Installing FreeBSD-clibs-lib32-15.0...
[dev.lab.net] [1/4] Extracting FreeBSD-clibs-lib32-15.0: 100%
pkg: Fail to chflags /libexec/ld-elf32.so.1:Operation not permitted

T-Aoki · 2025-12-13T04:53:15+0000

Just wild predictions, but possibilities I can imgine for now are:

The file (library) is somehow write locked.
doas already timed out for keeping root priviledge when attempt to chflags.

If the former, runnig in single user mode would be wanted.
If the latter, su instead of doas / sudo would be wanted.

atax1a · 2025-12-13T04:59:59+0000

look at the flags with ls -lo /libexec/ld-elf32.so.1

T-Aoki · 2025-12-13T05:24:56+0000

I thought the chflags is to drop schg for overwriting.
But if the operation is other than that, it would fail if there's schg flag.

FYI: In my case (on stable/15), the result is as follows.

Code:

% ls -lo /libexec/ld-elf32.so.1                                                                     
-r-xr-xr-x  1 root wheel schg,uarch 108088 12月  9 18:52 /libexec/ld-elf32.so.1

skhal · 2025-12-13T13:05:37+0000

It look like only uarch is set. Install as root does not help either:

Code:

op@nuc:~ % doas jexec dev su -

root@dev:~ # ls -lo /libexec/ld-elf32.so.1
-r-xr-xr-x  1 root wheel uarch 104792 Nov 27 18:00 /libexec/ld-elf32.so.1

root@dev:~ # pkg install FreeBSD-clang-15.0
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
Updating FreeBSD-base repository catalogue...
FreeBSD-base repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    FreeBSD-clang: 15.0 [FreeBSD-base]
    FreeBSD-clibs-lib32: 15.0 [FreeBSD-base]
    FreeBSD-libcompiler_rt-dev: 15.0 [FreeBSD-base]
    FreeBSD-lld: 15.0 [FreeBSD-base]

Number of packages to be installed: 4

The process will require 156 MiB more space.

Proceed with this action? [y/N]: y
[dev.lab.net] [1/4] Installing FreeBSD-clibs-lib32-15.0...
[dev.lab.net] [1/4] Extracting FreeBSD-clibs-lib32-15.0: 100%
pkg: Fail to chflags /libexec/ld-elf32.so.1:Operation not permitted

skhal · 2025-12-13T15:13:29+0000

Apparently, pkg install did work when run from the hosting environment, outside of jail:

Code:

root@nuc:~ # pkg -r /jail/container/dev install FreeBSD-clang-15.0
...

root@nuc:~ # pkg -r /jail/container/dev prime-list | grep FreeBSD-clang
FreeBSD-clang

FYI, I created the jail following the instructions at:

Thread 'Minimal pkgbase jails / chroots (Docker\OCI-like)'

Oct 7, 2025

Hello everyone! After some time around playing with pkgbase, I've found a
way for making minimal OCI\Podman\Docker-like chroot environments where theres
only an app (could be many of them, though) and its dependencies inside a
chroot environment. No need for managing 500+MB bases or having custom minimal
builds of FreeBSD (although with some nullfs magic having a shared base
could actually sometimes be a better choice

).

I believe this is the first real full tutorial how to make this work, and
if someone has more experience and knowledge about stuff in this post -- I
would really...

that can be summarized as:

Create a ZFS container
Copy PKG keys
Install FreeBSD-set-minimal-jail with pkg -r /jail/container/dev

maxwell79 · 2025-12-13T21:25:07+0000

I modified /etc/jail.conf to include allow.chflags = 1;

For example:

Code:

myjail { 
  allow.chflags = 1;
  ip4.addr="192.168.0.2";
}

And pkg install works for me. This is seemingly new to FreeBSD 15 as my jail setup has been stable for several years now.