Arch Linux Pacstrap Issues in VirtualBox

Published on July 28, 2023 at 6:23 am by LEW

Introduction

While doing Arch installs on Virtual Machines (VM) under VirtualBox (Vbox) I have on occasion noted a specific issue when installing software. Specifically, pacstrap does not install software and packages, and reports “error: keyring is not writable”.

I found it somewhat frustrating, because in some cases I would create a new VM and there would be no issue. The error just seemed to go away. After some research I think I know what is causing the error, and have a workaround, even though I have not yet figured out how to avoid it in the current Arch installer (JUL 2023).

So I thought I would type out a short post on my workaround.

The Cause of the Issue

From what I can tell there are three main causes: how the Arch installer uses the keyring to validate packages, the way the Arch installer uses systemd, and the fact that the installer in RAM has limited space for modification.

Actually, it is not that they are problems. Rather, they all seem to work together against you. Let me explain.

The keyring is a security measure to protect against malicious packages. Official packages are signed with a public key that must be verified by your system before installation can take place. I am not going to get into how public/private keys work here, but will just say that checking the date is part of the validation process.

To validate the key date, you need a validated time source, like Network Time Protocol (NTP), to validate your system clock time. Right now I am not clear on the specifics of how this actually works, other than you need it. Which brings us to systemd, or more specifically the timedatectl and systemd-timesyncd parts of systemd.

Running timedatectl from the command line will give you the status of your system time. The specific part I am interested in is the System clock synchronized entry. If this is set to no, you will never be able to get pacstrap to install packages, and it will keep reporting the keyring not writable error.

Normally I would want to fix this by installing an actual NTP client, rather than relying on systemd. And this works on an installed system. However, when I try to do it on the installer image in RAM, I encounter available space issues.

The Workaround

What I have found poking around the installer image is that when I use a bridge network in a Vbox VM, systemd-timesyncd is trying to use my router's gateway address as its NTP server, or SNTP server more specifically.

Most consumer grade router software does not provide any type of time service. In some cases you can get around this if your router can load other software, like pfSense for example. Or you can use a computer as a router running third party software, again like pfSense.

The other way to do this is to set your VM network protocol to NAT. It seems the Vbox virtual NAT network has virtual time services available. As soon as I switched to NAT, timedatectl started reporting the System clock synchronized entry as yes, and pacstrap started working properly.
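
The check described above, as an added example that is not part of the original post: a POSIX shell wrapper that reads the System clock synchronized entry from timedatectl output and refuses to start pacstrap until it says yes, so package signature checking stays enabled. The function names and the sample timedatectl output are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight gate for pacstrap: do not start until the clock is synchronized.

# Constructed sample of `timedatectl` output from an unsynchronized live ISO.
SAMPLE_UNSYNCED='               Local time: Fri 2023-07-28 06:23:11 UTC
           Universal time: Fri 2023-07-28 06:23:11 UTC
                 RTC time: Fri 2023-07-28 06:23:11
                Time zone: UTC (UTC, +0000)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no'

# The same constructed sample with the clock reported as synchronized.
SAMPLE_SYNCED=$(printf '%s\n' "$SAMPLE_UNSYNCED" | sed 's/synchronized: no/synchronized: yes/')

# Print the value of one "Label: value" entry. $1 = status text, $2 = label.
td_field() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '
        { label = $1; sub(/^[ \t]+/, "", label) }
        label == key { print $2; exit }'
}

# Return 0 when the clock is synchronized; otherwise explain and return 1.
clock_ready() {
    synced=$(td_field "$1" "System clock synchronized")
    ntp=$(td_field "$1" "NTP service")
    if [ "$synced" = "yes" ]; then
        return 0
    fi
    echo "clock not synchronized (NTP service: ${ntp:-unknown})" >&2
    echo "check the VM network mode and 'timedatectl timesync-status'" >&2
    return 1
}

# Run pacstrap only when the live system reports a synchronized clock.
guarded_pacstrap() {
    clock_ready "$(timedatectl)" || return 1
    pacstrap "$@"
}
```

On the live ISO, source the file and call guarded_pacstrap with the usual pacstrap arguments.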

Conclusion

Okay, I am still mucking around in the Arch Linux installer image looking for a fix. I have come up with a few nuclear options, like disabling the time sync requirement, which I don’t recommend anyone do. Or if you do, remember to fix it once the install is done.

I am also still working to better understand how the systemd time services work, as I should be able to make it point to an actual time server (sort of like an actual ntp client).

Systemd does violate a primary UNIX philosophy, do one thing well. Systemd tries to do too many things and ends up being mediocre at most. But as it was accepted for most major Linux distros, we are sort of stuck with it for now.

So if you are using VirtualBox, and changed the network settings in the VM, try setting them back to NAT, at least to get you through the install.
