[Bug 1916485] Re: test -x fails inside shell scripts in containers
Matt Thalman
1916485 at bugs.launchpad.net
Tue Sep 21 15:22:59 UTC 2021
According to https://stackoverflow.com/questions/66319610/gpg-error-in-ubuntu-21-04-after-second-apt-get-update-during-docker-build, this bug
fix is supposed to fix the issue of getting the following error when
running "apt-get update" in an Ubuntu 21.04 container: "W: GPG error:
http://ports.ubuntu.com/ubuntu-ports hirsute InRelease: gpgv, gpgv2 or
gpgv1 required for verification, but neither seems installed".
I was running into this error when attempting to build my Dockerfiles
based on arm64v8/ubuntu:21.04 and arm32v7/ubuntu:21.04. After upgrading
my runc version to 1.0.1, the error went away but only for
arm64v8/ubuntu:21.04. The Dockerfile based on arm32v7/ubuntu:21.04 still
encountered the error. In both cases, I am running the build on an
AArch64 device, so it's using emulation for the arm32v7/ubuntu:21.04
scenario. It would appear that it's still broken for that scenario?
The repro is very simple, just run the following command on an AArch64
device: "docker run --rm arm32v7/ubuntu:21.04 apt-get update". It will
output the following:
Unable to find image 'arm32v7/ubuntu:21.04' locally
21.04: Pulling from arm32v7/ubuntu
48989deb32eb: Pulling fs layer
48989deb32eb: Verifying Checksum
48989deb32eb: Download complete
48989deb32eb: Pull complete
Digest: sha256:b61c1421a092dd4ffc0b14a6b683513d775d5daa275598c74cd34090a0424a19
Status: Downloaded newer image for arm32v7/ubuntu:21.04
WARNING: The requested image's platform (linux/arm/v7) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.
Get:1 http://ports.ubuntu.com/ubuntu-ports hirsute InRelease [269 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease [115 kB]
Err:1 http://ports.ubuntu.com/ubuntu-ports hirsute InRelease
gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Get:3 http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease [101 kB]
Err:2 http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease
gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Get:4 http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease [110 kB]
Err:3 http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease
gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Err:4 http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease
gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Reading package lists...
W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease' is not signed.
Here's the docker version info for the host machine:
Client:
Version: 20.10.7
API version: 1.41
Go version: go1.16.4
Git commit: f0df35096d5f5e6b559b42c7fde6c65a2909f7c5
Built: Sat Sep 11 15:09:09 2021
OS/Arch: linux/arm64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.8
API version: 1.41 (minimum version 1.12)
Go version: go1.16.6
Git commit: 75249d8
Built: Fri Jul 30 19:53:13 2021
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.4.9
GitCommit: e25210fe30a0a703442421b0f60afac609f950a3
runc:
Version: 1.0.1
GitCommit: v1.0.1-0-g4144b63
docker-init:
Version: 0.19.0
GitCommit: de40ad0
--
https://bugs.launchpad.net/bugs/1916485
Title:
test -x fails inside shell scripts in containers
Status in Ubuntu on IBM z Systems:
New
Status in docker.io package in Ubuntu:
Invalid
Status in glibc package in Ubuntu:
Opinion
Status in libseccomp package in Ubuntu:
Fix Committed
Status in runc package in Ubuntu:
Fix Released
Status in systemd package in Ubuntu:
Fix Released
Status in docker.io source package in Xenial:
New
Status in libseccomp source package in Xenial:
New
Status in runc source package in Xenial:
New
Status in systemd source package in Xenial:
Invalid
Status in docker.io source package in Bionic:
New
Status in libseccomp source package in Bionic:
New
Status in runc source package in Bionic:
Fix Released
Status in systemd source package in Bionic:
Fix Released
Status in docker.io source package in Focal:
New
Status in libseccomp source package in Focal:
New
Status in runc source package in Focal:
Fix Released
Status in systemd source package in Focal:
Fix Released
Status in docker.io source package in Groovy:
Won't Fix
Status in libseccomp source package in Groovy:
Won't Fix
Status in runc source package in Groovy:
Fix Released
Status in systemd source package in Groovy:
Fix Released
Status in docker.io source package in Hirsute:
New
Status in libseccomp source package in Hirsute:
Fix Committed
Status in runc source package in Hirsute:
Fix Released
Status in systemd source package in Hirsute:
Fix Released
Status in systemd package in Debian:
Fix Released
Bug description:
(SRU template for systemd)
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
$ mkdir h
$ cd h
$ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
$ sudo systemd-nspawn
Then from a bash shell, verify if test -x works:
root@h:~# ls -l /usr/bin/gpg
-rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
root@h:~# test -x /usr/bin/gpg || echo "fail"
fail
[regression potential]
any regression would likely occur during a syscall, most likely
faccessat2(), or during other syscalls.
[scope]
this is needed for b/f
this is fixed upstream by commit
bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so
this is fixed in h
this was pulled into Debian at version 246.2 in commit
e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g
in x, the entire systemd seccomp code is completely different and the
patch doesn't apply, nor does it appear to be needed, as the problem
doesn't reproduce in a h container under x.
[other info]
this needs fixing in libseccomp as well
[original description]
glibc regression causes test -x to fail inside scripts inside
docker/podman, dash and bash are broken, mksh and zsh are fine:
root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/#
root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
The -f flag works, as does /usr/bin/test:
# bash -c "test -f /usr/bin/gpg || echo Fail"
# bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
#
[Original bug report]
root@84b750e443f8:/# lsb_release -rd
Description: Ubuntu Hirsute Hippo (development branch)
Release: 21.04
root@84b750e443f8:/# dpkg -l gnupg apt
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===============-============-==========================================
ii apt 2.1.20 amd64 commandline package manager
ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement
Hi,
For 3 days our CI pipelines to recreate Docker images have been failing for the Hirsute images. From comparison, this seems to be caused by apt 2.1.20.
The build fails with:
0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
them is required for this operation
The simple Dockerfile to reproduce the error - "docker build -t foo ."
FROM amd64/ubuntu:hirsute
MAINTAINER Florian Lohoff <f at zz.de>
USER root
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
&& curl https://syncthing.net/release-key.txt | apt-key add -
Breaking it down, this seems to be an issue that there is new
functionality in apt/apt-key, e.g. security hardening, that docker
prohibits in its containers. Running this manually works only in a
--privileged container.
So adding keys in an unprivileged container or possibly kubernetes will
not work anymore.
Flo
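The bug description above names faccessat2() as the syscall involved. The following C program is an added example, not code from this bug report or from any of the affected packages: it probes how the current environment answers a raw faccessat2() call and models a caller that retries the older access check only on ENOSYS. The fallback-on-ENOSYS behaviour, the fallback number 439 for old headers and the default target /bin/sh are assumptions of the example.

```c
/* Added example (not from the bug report): how a sandbox's answer to
 * faccessat2() decides whether a shell's "test -x" succeeds. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* assumption for old headers: Linux 5.8+ number */
#endif

enum verdict { V_ALLOWED, V_FALLBACK, V_FILTERED, V_OTHER };

/* Classify the raw result of faccessat2() on a file known to be executable. */
enum verdict classify(long ret, int err)
{
    if (ret == 0)      return V_ALLOWED;  /* syscall implemented and permitted */
    if (err == ENOSYS) return V_FALLBACK; /* caller may retry the older call */
    if (err == EPERM)  return V_FILTERED; /* reads as "access denied" */
    return V_OTHER;
}

/* Model of a caller that retries only on ENOSYS (assumed libc behaviour).
 * legacy_ok is what the older access check would report. Returns 1 when
 * the file is reported executable. */
int reported_executable(long ret, int err, int legacy_ok)
{
    switch (classify(ret, err)) {
    case V_ALLOWED:  return 1;
    case V_FALLBACK: return legacy_ok;
    default:         return 0; /* EPERM is final: the failure on this page */
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/sh"; /* sample target */
    errno = 0;
    long ret = syscall(SYS_faccessat2, AT_FDCWD, path, X_OK, AT_EACCESS);
    int err = errno;
    int legacy_ok = access(path, X_OK) == 0;
    printf("%s: faccessat2=%ld (%s), access() says %s, reported %s\n", path,
           ret, ret ? strerror(err) : "ok", legacy_ok ? "x" : "not x",
           reported_executable(ret, err, legacy_ok) ? "executable" : "FAIL");
    return 0;
}
```

Run inside the container, a line ending in FAIL while access() says "x" means the sandbox answers faccessat2() with something other than success or ENOSYS.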