Occasionally, RPMs will set the xattr immutable flag on important libraries as a safety mechanism to try to prevent core OS breakage. Unfortunately, this will cause package upgrade failures with vague error messages. Eg.:
[root@archive ~]# yum update -y nss Loaded plugins: fastestmirror, priorities, security, upgrade-helper Loading mirror speeds from cached hostfile * epel: mirrors.sdm.noao.edu Skipping security plugin, no data Setting up Update Process Resolving Dependencies Skipping security plugin, no data --> Running transaction check ---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Updating: nss i386 3.13.6-3.el5_9 updates 1.1 M Transaction Summary ================================================================================ Install 0 Package(s) Upgrade 1 Package(s) Total download size: 1.1 M Downloading Packages: nss-3.13.6-3.el5_9.i386.rpm | 1.1 MB 00:00 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Updating : nss 1/2 Error unpacking rpm package nss-3.13.6-3.el5_9.i386 error: unpacking of archive failed on file /usr/lib/libfreebl3.so: cpio: rename Failed: nss.i386 0:3.13.6-3.el5_9 Complete!
RPM uses cpio as it’s archive format, which is why we’re seeing a cpio error when trying to replace the file /usr/lib/libfreebl3.so.
Lets investigate that file.
[root@archive ~]# ls -la /usr/lib/libfreebl3.so -rwxr-xr-x 1 root root 240612 Apr 8 2007 /usr/lib/libfreebl3.so [root@archive ~]# lsattr /usr/lib/libfreebl3.so ----i-------- /usr/lib/libfreebl3.so
The “immutable” flag has been set which means that file can not be modified or unlinked reguardless of it’s standard POSIX permissions. We need to remove that flag in order for the package upgrade to complete.
[root@archive ~]# chattr -i /usr/lib/libfreebl3.so [root@archive ~]# lsattr /usr/lib/libfreebl3.so ------------- /usr/lib/libfreebl3.so
Now we can try to update the nss package again…
[root@archive ~]# yum update -y nss Loaded plugins: fastestmirror, priorities, security, upgrade-helper Loading mirror speeds from cached hostfile * epel: mirrors.sdm.noao.edu Skipping security plugin, no data Setting up Update Process Resolving Dependencies Skipping security plugin, no data --> Running transaction check ---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Updating: nss i386 3.13.6-3.el5_9 updates 1.1 M Transaction Summary ================================================================================ Install 0 Package(s) Upgrade 1 Package(s) Total download size: 1.1 M Downloading Packages: nss-3.13.6-3.el5_9.i386.rpm | 1.1 MB 00:00 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Updating : nss 1/2 Error unpacking rpm package nss-3.13.6-3.el5_9.i386 error: unpacking of archive failed on file /usr/lib/libsoftokn3.so: cpio: rename Failed: nss.i386 0:3.13.6-3.el5_9 Complete!
Looks like we found another file with xattrs set…
[root@archive ~]# ls -la /usr/lib/libsoftokn3.so -rwxr-xr-x 1 root root 348040 Apr 8 2007 /usr/lib/libsoftokn3.so [root@archive ~]# lsattr /usr/lib/libsoftokn3.so ----i-------- /usr/lib/libsoftokn3.so [root@archive ~]# chattr -i /usr/lib/libsoftokn3.so [root@archive ~]# lsattr /usr/lib/libsoftokn3.so ------------- /usr/lib/libsoftokn3.so
Let try that update yet again…
[root@archive ~]# yum update -y nss Loaded plugins: fastestmirror, priorities, security, upgrade-helper Loading mirror speeds from cached hostfile * epel: mirrors.sdm.noao.edu Skipping security plugin, no data Setting up Update Process Resolving Dependencies Skipping security plugin, no data --> Running transaction check ---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Updating: nss i386 3.13.6-3.el5_9 updates 1.1 M Transaction Summary ================================================================================ Install 0 Package(s) Upgrade 1 Package(s) Total download size: 1.1 M Downloading Packages: nss-3.13.6-3.el5_9.i386.rpm | 1.1 MB 00:00 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Updating : nss 1/2 /sbin/ldconfig: /usr/lib/libsoftokn3.so is not a symbolic link /sbin/ldconfig: /usr/lib/libfreebl3.so is not a symbolic link Cleanup : nss 2/2 Updated: nss.i386 0:3.13.6-3.el5_9 Complete!
Success!
2014-05-01 at 15:51
Good write up. You’ll get identical cpio errors if a directory is changed to a symlink and you try to upgrade. You can change regular files to symlinks, though, so one work-around is to convert the contents of the directory symlinks and leave the original directory in place.
2014-05-01 at 16:01
That behavior sounds wrong both ways to me. IMHO – the more intutive behavior would be to either pendanticly check that the dirent struct matches the expected file type or to ignore it and cleanup to the extent possible.
2014-07-03 at 15:26
Thanks! That saved me a bunch of time.
2014-07-03 at 17:19
I’m glad it helped. It took me a lot of head/wall intersections to discover that the immutable flag was being set.
2015-01-20 at 12:13
Thanks a lot. I was kind of blocked for one whole day. 🙂