The problem might be caused by inappropriate permissions on some of the APT key files.
Do the errors only affect OSMC packages or also Debian packages? Should we checked the permissions of /etc/apt/trusted.gpg.d?
The user might be squashing some of these permissions.
Sam
What should I do now? I haven’t done any changes to NFS root since forever. Once it was set up using wiki and forums it was working. Till now. Are you thinking about something or that’s it? If there’s anything you would like to check just let me know.
Probably worth seeing the permissions of the APT key files so we can compare them on non-NFS installations.
Unfortunately I don’t know what the issue is at this time. Someone needs to test that NFS installation functionality still works as expected.
In addition to what Sam has requested, please show the output from the following commands:
mount
sudo apt-get -o Debug::Acquire::Transaction=true update 2>&1 | paste-log
sudo apt-get -o Debug::Acquire::http=true update 2>&1 | paste-log
sudo apt-get -o Debug::Acquire::gpgv=true update 2>&1 | paste-logWhere should I look for those APT keys? I’m not very familiar with terminal. I know few things but nothing fancy.
The APT keys are in /etc/apt and /etc/apt/trusted.gpg.d
Use ls -la for both directories.
osmc@salon:~$ ls -la /etc/apt
total 32
drwxr-xr-x 6 root root 4096 Jan 10 22:46 .
drwxr-xr-x 76 root root 4096 Feb 12 19:47 …
drwxr-xr-x 2 root root 4096 Jan 10 23:01 apt.conf.d
drwxr-xr-x 2 root root 4096 Jan 10 22:58 preferences.d
-rw-r–r-- 1 root root 289 Jan 10 22:46 sources.list
drwxr-xr-x 2 root root 4096 Dec 11 2016 sources.list.d
-rw-r–r-- 1 root root 1197 Jan 28 2017 trusted.gpg
drwxr-xr-x 2 root root 4096 Feb 11 12:52 trusted.gpg.d
-rw-r–r-- 1 root root 0 Jan 28 2017 trusted.gpg~
osmc@salon:~$ ls -la /etc/apt/trusted.gpg.d/
total 56
drwxr-xr-x 2 root root 4096 Feb 11 12:52 .
drwxr-xr-x 6 root root 4096 Jan 10 22:46 …
-rw-r–r-- 1 root root 5138 Nov 30 2014 debian-archive-jessie-automatic.gpg
-rw-r–r-- 1 root root 5147 Nov 30 2014 debian-archive-jessie-security-automatic.gpg
-rw-r–r-- 1 root root 2775 Nov 30 2014 debian-archive-jessie-stable.gpg
-rw-r–r-- 1 root root 7483 Jun 18 2017 debian-archive-stretch-automatic.gpg
-rw-r–r-- 1 root root 7492 Jun 18 2017 debian-archive-stretch-security-automatic.gpg
-rw-r–r-- 1 root root 2275 Jun 18 2017 debian-archive-stretch-stable.gpg
-rw-r–r-- 1 root root 3780 Nov 30 2014 debian-archive-wheezy-automatic.gpg
-rw-r–r-- 1 root root 2851 Nov 30 2014 debian-archive-wheezy-stable.gpg
osmc@salon:~$ mount
devtmpfs on /dev type devtmpfs (rw,relatime,size=377804k,nr_inodes=94451,mode=755)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /run type tmpfs (rw,relatime)
192.168.1.2:/volume1/osmc on / type nfs (rw,noatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.2,mountvers=3,mountproto=tcp,local_lock=all,addr=192.168.1.2)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
systemd-1 on /boot type autofs (rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
sunrpc on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=35,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/mmcblk0p1 on /boot type vfat (rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=76584k,mode=700,uid=1000,gid=1000)
osmc@salon:~$ sudo apt-get -o Debug::Acquire::Transaction=true update 2>&1 | paste-log
https://paste.osmc.tv/inixigotuk
rm: cannot remove ‘/tmp/tmp.U9BldHK3K0’: Operation not permitted
osmc@salon:~$ sudo apt-get -o Debug::Acquire::http=true update 2>&1 | paste-log
https://paste.osmc.tv/exibiravit
rm: cannot remove ‘/tmp/tmp.KmbTni1LLG’: Operation not permitted
osmc@salon:~$ sudo apt-get -o Debug::Acquire::gpgv=true update 2>&1 | paste-log
https://paste.osmc.tv/ekazewivek
rm: cannot remove ‘/tmp/tmp.G7LTIWX7Mv’: Operation not permitted
That’s strange. What’s the output from ls -la /tmp ?
osmc@salon:~$ ls -la /tmp
total 708
drwxrwxrwt 19 root root 16384 Feb 12 19:51 .
drwxrwxrwx 23 root root 4096 Jan 10 22:46 …
drwxrwxrwt 2 root root 4096 Feb 12 19:47 .ICE-unix
drwxrwxrwt 2 root root 4096 Feb 12 19:47 .Test-unix
drwxrwxrwt 2 root root 4096 Feb 12 19:47 .X11-unix
drwxrwxrwt 2 root root 4096 Feb 12 19:47 .XIM-unix
drwxrwxrwt 2 root root 4096 Feb 12 19:47 .font-unix
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.EniUStfNsj
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.FFenNFtM6w
drwx------ 2 root root 4096 Feb 12 19:50 apt-key-gpghome.GkCFRCmqG0
drwx------ 2 root root 4096 Feb 12 19:50 apt-key-gpghome.HcJI3Q5nqU
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.JX8DgaF3QE
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.Sge4xkw5xZ
drwx------ 2 root root 4096 Feb 12 19:50 apt-key-gpghome.dkcomt7erH
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.n1rrRfZ7He
drwx------ 2 root root 4096 Feb 12 19:50 apt-key-gpghome.nOkAllOqX3
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.sghDbWneKR
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.v3PICLivHo
drwx------ 2 root root 4096 Feb 12 19:51 apt-key-gpghome.zM9onnGnXk
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.0tbeQU
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.84zjSA
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.EtRmFC
-rw------- 1 root root 7682 Feb 12 19:50 apt.conf.PKLQaZ
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.X2gpnl
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.bqwSQb
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.ebyuqQ
-rw------- 1 root root 7682 Feb 12 19:50 apt.conf.klaR18
-rw------- 1 root root 7682 Feb 12 19:50 apt.conf.l9eKoe
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.leXnFf
-rw------- 1 root root 7682 Feb 12 19:50 apt.conf.ueiyfX
-rw------- 1 root root 7668 Feb 12 19:51 apt.conf.xOh5Eo
-rw------- 1 root root 61308 Feb 12 19:51 apt.data.6hR0Ir
-rw------- 1 root root 4144 Feb 12 19:50 apt.data.JEDD7s
-rw------- 1 root root 61308 Feb 12 19:51 apt.data.KGmBaz
-rw------- 1 root root 89377 Feb 12 19:51 apt.data.VaAXBE
-rw------- 1 root root 61308 Feb 12 19:50 apt.data.Xbw1Tz
-rw------- 1 root root 4144 Feb 12 19:51 apt.data.aRd6Xm
-rw------- 1 root root 4144 Feb 12 19:51 apt.data.dueeGg
-rw------- 1 root root 89377 Feb 12 19:51 apt.data.j2L40S
-rw------- 1 root root 89377 Feb 12 19:50 apt.data.mCol35
-rw------- 1 root root 473 Feb 12 19:51 apt.sig.48V1RD
-rw------- 1 root root 1601 Feb 12 19:51 apt.sig.4nSTND
-rw------- 1 root root 1601 Feb 12 19:51 apt.sig.8WnzS5
-rw------- 1 root root 1601 Feb 12 19:51 apt.sig.Wl2tXu
-rw------- 1 root root 473 Feb 12 19:51 apt.sig.a9Hlee
-rw------- 1 root root 473 Feb 12 19:50 apt.sig.ijxeJl
-rw------- 1 root root 1601 Feb 12 19:50 apt.sig.qK4eF7
-rw------- 1 root root 1601 Feb 12 19:50 apt.sig.uhBdFM
-rw------- 1 root root 1601 Feb 12 19:51 apt.sig.yKELf1
-rw------- 1 root root 2686 Feb 12 19:51 tmp.G7LTIWX7Mv
-rw------- 1 root root 7029 Feb 12 19:51 tmp.KmbTni1LLG
-rw------- 1 root root 3088 Feb 12 19:50 tmp.U9BldHK3K0
Those three files were created by the paste-log command and should be owned by user osmc, not by root. What happens if you run:
touch /tmp/zzztest
ls -l /tmp/zzztest
Looking at the third command:
sudo apt-get -o Debug::Acquire::gpgv=true updatei
we can see that it runs various /usr/bin/apt-key commands, which all fail with a return code of 1. So let’s try a few ourselves:
/usr/bin/apt-key --readonly verify /tmp/apt.sig.8WnzS5 /tmp/apt.data.KGmBaz
/usr/bin/apt-key --readonly verify /var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release
I’ve removed the “–status-fd 3” part because it causes an error for me and doesn’t even appear in the man page for apt-key!
osmc@salon:~$ touch /tmp/zzztest
osmc@salon:~$ ls -l /tmp/zzztest
-rw-r–r-- 1 root root 0 Feb 12 21:52 /tmp/zzztest
osmc@salon:~$ /usr/bin/apt-key --readonly verify /tmp/apt.sig.8WnzS5 /tmp/apt.data.KGmBaz
cp: preserving permissions for ‘/tmp/apt-key-gpghome.xZvlXRIp7w/pubring.orig.gpg’: Operation not permitted
rm: cannot remove ‘/tmp/apt-key-gpghome.xZvlXRIp7w’: Operation not permitted
osmc@salon:~$ /usr/bin/apt-key --readonly verify /var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release
cp: preserving permissions for ‘/tmp/apt-key-gpghome.t9mDvo4uTs/pubring.orig.gpg’: Operation not permitted
rm: cannot remove ‘/tmp/apt-key-gpghome.t9mDvo4uTs’: Operation not permitted
Looks like we have an issue with /tmp. 
Please run those two apt-key commands using sudo.
I hope it’s those you wanted
osmc@salon:~$ sudo /usr/bin/apt-key --readonly verify /tmp/apt.sig.8WnzS5 /tmp/apt.data.KGmBaz
gpgv: Signature made Mon Feb 12 12:43:58 2018 CET
gpgv: using RSA key D21169141CECD440F2EB8DDA9D6D8F6BC857C906
gpgv: Good signature from “Debian Security Archive Automatic Signing Key (8/jessie) ftpmaster@debian.org”
gpgv: Signature made Mon Feb 12 12:43:58 2018 CET
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Good signature from “Debian Archive Automatic Signing Key (7.0/wheezy) ftpmaster@debian.org”
osmc@salon:~$ sudo /usr/bin/apt-key --readonly verify /var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release
gpgv: can’t open signed data ‘/var/lib/apt/lists/partial/ftp.debian.org_debian_dists_stretch_Release’
gpgv: can’t hash datafile: No such file or directory
I wasn’t sure if anything would be in the “partial” directories - and it looks like the files weren’t there. No problem, since the other command worked.
Let’s try a few things more:
rm /tmp/zzztest
and if that doesn’t work:
sudo rm /tmp/zzztest
If you could run exportfs -v on the Synology box that would be useful.
removing from /tmp required sudo.
exportfs looks like this
admin@DS:~$ sudo exportfs -v
Password:
/volume4/Anime (rw,async,insecure,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=sys,rw,no_root_squash,no_all_squash)
/volume1/Filmy (rw,async,insecure,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=sys,rw,no_root_squash,no_all_squash)
/volume4/Filmy2
(rw,async,insecure,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=sys,rw,no_root_squash,no_all_squash)
/volume3/MP3 (rw,async,insecure,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=sys,rw,no_root_squash,no_all_squash)
/volume2/Seriale
(rw,async,insecure,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=sys,rw,no_root_squash,no_all_squash)
/volume1/osmc (rw,async,crossmnt,insecure,root_squash,all_squash,no_subtree_check,anonuid=0,anongid=0,sec=sys,rw,root_squash,all_squash)
/volume1/osmc2 (rw,async,crossmnt,insecure,root_squash,all_squash,no_subtree_check,anonuid=0,anongid=0,sec=sys,rw,root_squash,all_squash)
NFS root from Pi’s are osmc and osmc2.
This isn’t a good way to do things:
root_squash,all_squash,anonuid=0,anongid=0
maps everything to root, even when it shouldn’t be, eg user osmc’s files should be owned by uid 1000, not by uid 0.
I’m not really sure how it affects your updates but I’d recommend that you change it simply to no_root_squash and re-export the share using exportfs -r.
This aplies to osmc and osmc2. Try one first and see if it makes a difference.
Squashing root has never been supported by OSMC. This has probably been working out of sheer luck in the past.
We have some guidance on a suitable exportfs somewhere IIRC. In Raspbmc we used to tell the user what was acceptable via the installer. Maybe we should start doing this again in the future
In Stretch, certain apt operations are sandboxed by an _apt user. I suspect the lack of proper ownership here is causing the update problems
I reckon that’ll be the cause.
I will try that today when I get back home. Is there any chance that the install might broke after that? I don’t want to be forced to reinstall everything. In fact maybe I will create new share with new settings and try it? I’d like to have it like it should be. Maybe you could write how export should looks like for NFS root?
Edit:
I’ve tried to install in a new directory. After first part, installer downloaded and placed files in NFS root on Synology. After the restart it did some more but next I saw sad face. And from now on, there’s a loop of sad face and restart of Pi.
Edit2:
When I create new NFS share these are default options:
/volume1/test <world>(rw,async,crossmnt,insecure,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=sys,rw,no_root_squash,no_all_squash) Maybe it’ll help somehow.
Edit3:
I did chmod 555 to my test share and OSMC installed properly. Also as I choose to install 2017-12-1 I’m now able to update to 2018. I hope as it’s happening right now. I have found exact export here [Resolved] Impossible to do a NFS installation - #4 by DBMandrake and I will try to change and see what will happen with my existing osmc shares.
There’s no need for insecure or anonuid=1025,anongid=100. All UIDs must come from the OSMC installation, so there’s no reason for having anonuid or anongid in your /etc/expoorts line.