[Bug 1916485] Re: test -x fails inside shell scripts in containers
Florian Weimer
1916485 at bugs.launchpad.net
Sat Feb 27 07:51:36 UTC 2021
To paper over the faccessat2 issue, a libseccomp update is enough *if*
the container runtime already knows about the faccessat2 system call and
mentions it in its profiles. But with the current design, every new
system call will need similar updates to several components (not just
libseccomp) just to produce the ENOSYS error, which is not a sustainable
development model. Hence the runc pull request mentioned in comment 8.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1916485
Title:
test -x fails inside shell scripts in containers
Status in glibc package in Ubuntu:
Triaged
Status in libseccomp package in Ubuntu:
Fix Committed
Status in glibc source package in Hirsute:
Triaged
Status in libseccomp source package in Hirsute:
Fix Committed
Bug description:
glibc regression causes test -x to fail inside scripts inside
docker/podman, dash and bash are broken, mksh and zsh are fine:
root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/#
root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
The -f flag works, as does /usr/bin/test:
# bash -c "test -f /usr/bin/gpg || echo Fail"
# bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
#
[Original bug report]
root@84b750e443f8:/# lsb_release -rd
Description: Ubuntu Hirsute Hippo (development branch)
Release: 21.04
root@84b750e443f8:/# dpkg -l gnupg apt
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===============-============-==========================================
ii apt 2.1.20 amd64 commandline package manager
ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement
Hi,
For 3 days our CI pipelines to recreate Docker images have been failing for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
The build fails with:
0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
them is required for this operation
The simple Dockerfile to reproduce the error - "docker build -t foo ."
FROM amd64/ubuntu:hirsute
MAINTAINER Florian Lohoff <f at zz.de>
USER root
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
&& curl https://syncthing.net/release-key.txt | apt-key add -
Breaking it down, this seems to be an issue that there is new
functionality in apt/apt-key, e.g. security hardening, that docker
prohibits in its containers. Running this manually works only in a
--privileged container.
So adding keys in an unprivileged container or possibly kubernetes will
not work anymore.
Flo
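
The failure mode discussed in this report, as an added example (not code from the bug report, glibc, libseccomp or runc): a seccomp filter that answers faccessat2 with EPERM defeats a libc that falls back to faccessat only on ENOSYS, while an ENOSYS answer lets the executable check succeed. The function names, the /bin/sh test path and the simplified fallback logic are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* missing from older headers; same number on all arches */
#endif

/* Simplified model of a faccessat2-first libc (an assumption of this example). */
static int access_with_fallback(const char *path, int mode) {
    long r = syscall(SYS_faccessat2, AT_FDCWD, path, mode, 0);
    if (r != 0 && errno == ENOSYS) /* the only error that triggers the fallback */
        r = syscall(SYS_faccessat, AT_FDCWD, path, mode);
    return r == 0 ? 0 : errno;     /* EPERM from a seccomp profile is returned as-is */
}
/* In a child, answer faccessat2 with deny_errno via seccomp, then check X_OK on
   /bin/sh. Returns 0 if executable, the errno if not, -1 if no filter (no arch check). */
int probe(int deny_errno) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_faccessat2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (deny_errno & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
            _exit(255);            /* seccomp unavailable in this environment */
        _exit(access_with_fallback("/bin/sh", X_OK));
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}
int main(void) {
    printf("EPERM filter -> %d, ENOSYS filter -> %d\n", probe(EPERM), probe(ENOSYS));
    return 0;
}
```

A result of -1 means the environment did not allow a seccomp filter to be installed, so nothing was measured.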