[Bug 2029523] Re: docker export is missing ownership information

Artem Leshchev 2029523 at bugs.launchpad.net
Fri Aug 4 16:58:37 UTC 2023


I've updated the bug description, I hope this is enough.

I'm not quite sure what I should do next, like changing status,
assignee, making pull requests or uploading deb packages. I could use
some pointers to speed up the process if anything else is needed from my
side.

** Tags added: regression-update

** Description changed:

- Tar archive created by docker export command is missing ownership
- information (all files are owned by root) after upgrading docker.io to
- 20.10.25-0ubuntu1~20.04.1. Previous version 20.10.21-0ubuntu1~20.04.2
- works as intended.
+ [ Impact ]
+ Tar archive created by docker export command is missing ownership information (all files are owned by root).
  
- You can reproduce this issue by running next commands:
+ [ Test Plan ]
+ Run next commands:
  
-     docker run --name ubuntu ubuntu:20.04 ls -l /etc/shadow
-     docker export ubuntu | tar tv etc/shadow
+     docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
+     docker export lp_2029523 | tar tv etc/shadow
  
  First command will show that file is owned by root:shadow, while second
- will show that it is owned by UID/GID 0/0.
+ will show that it is owned by UID/GID 0/0. Here you can downgrade or
+ apply the fix to see that second command starts to show UID/GID 0/42.
+ 
+ [ Where problems could occur ]
+ Upstream builds this Docker version with Go 1.19. While Go is usually pretty good in maintaining backward compatibility, there were some subtle changes in Go 1.20, like handling of TLS handshake failure and some other error handling. So there could be changes in behavior when error arrises.
+ 
+ [ Other Info ]
+ Bug introduced in 20.10.25-0ubuntu1~20.04.1. Previous version 20.10.21-0ubuntu1~20.04.2 works as intended. Jammy is also affected.
  
  I've managed to find out that the issue is caused by this change: https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
- Go 1.19 introduced unix build tag that is used by upstream now, making source code silently skipped when built with older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS.
+ Go 1.19 introduced unix build tag that is used by upstream now, making source code silently skipped when built with older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS, but building package with newer Go version is even better.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: docker.io 20.10.25-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug  3 20:27:42 2023
  InstallationDate: Installed on 2023-05-19 (76 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  SourcePackage: docker.io-app
  UpgradeStatus: No upgrade log present (probably fresh install)
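Review bot: the new [ Where problems could occur ] paragraph names Go 1.19 as upstream's toolchain and then warns about Go 1.20 behaviour changes, but nothing in the description says which Go version the fixed package will be built with. State it explicitly, because [ Other Info ] offers two fixes (appending the unix tag to DOCKER_BUILDTAGS, or building with a newer Go) and the risk described applies only to the second.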

** Description changed:

  [ Impact ]
- Tar archive created by docker export command is missing ownership information (all files are owned by root).
+ Tar archive created by docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate filesystem for unprivileged processes (like via docker import or just unpacking it and chrooting), they can fail with permission denied error or in some other way.
  
  [ Test Plan ]
  Run next commands:
  
      docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
      docker export lp_2029523 | tar tv etc/shadow
  
  First command will show that file is owned by root:shadow, while second
  will show that it is owned by UID/GID 0/0. Here you can downgrade or
  apply the fix to see that second command starts to show UID/GID 0/42.
  
  [ Where problems could occur ]
  Upstream builds this Docker version with Go 1.19. While Go is usually pretty good in maintaining backward compatibility, there were some subtle changes in Go 1.20, like handling of TLS handshake failure and some other error handling. So there could be changes in behavior when error arrises.
  
  [ Other Info ]
  Bug introduced in 20.10.25-0ubuntu1~20.04.1. Previous version 20.10.21-0ubuntu1~20.04.2 works as intended. Jammy is also affected.
  
  I've managed to find out that the issue is caused by this change: https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
  Go 1.19 introduced unix build tag that is used by upstream now, making source code silently skipped when built with older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS, but building package with newer Go version is even better.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: docker.io 20.10.25-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug  3 20:27:42 2023
  InstallationDate: Installed on 2023-05-19 (76 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  SourcePackage: docker.io-app
  UpgradeStatus: No upgrade log present (probably fresh install)

** Description changed:

  [ Impact ]
  Tar archive created by docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate filesystem for unprivileged processes (like via docker import or just unpacking it and chrooting), they can fail with permission denied error or in some other way.
  
  [ Test Plan ]
  Run next commands:
  
      docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
      docker export lp_2029523 | tar tv etc/shadow
  
  First command will show that file is owned by root:shadow, while second
  will show that it is owned by UID/GID 0/0. Here you can downgrade or
- apply the fix to see that second command starts to show UID/GID 0/42.
+ apply the fix to see that second command starts to show UID/GID 0/42
+ that is correct.
  
  [ Where problems could occur ]
  Upstream builds this Docker version with Go 1.19. While Go is usually pretty good in maintaining backward compatibility, there were some subtle changes in Go 1.20, like handling of TLS handshake failure and some other error handling. So there could be changes in behavior when error arrises.
  
  [ Other Info ]
  Bug introduced in 20.10.25-0ubuntu1~20.04.1. Previous version 20.10.21-0ubuntu1~20.04.2 works as intended. Jammy is also affected.
  
  I've managed to find out that the issue is caused by this change: https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
  Go 1.19 introduced unix build tag that is used by upstream now, making source code silently skipped when built with older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS, but building package with newer Go version is even better.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: docker.io 20.10.25-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug  3 20:27:42 2023
  InstallationDate: Installed on 2023-05-19 (76 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  SourcePackage: docker.io-app
  UpgradeStatus: No upgrade log present (probably fresh install)

** Description changed:

  [ Impact ]
  Tar archive created by docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate filesystem for unprivileged processes (like via docker import or just unpacking it and chrooting), they can fail with permission denied error or in some other way.
  
  [ Test Plan ]
- Run next commands:
+ Run next commands (under user with docker group or under root):
  
      docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
      docker export lp_2029523 | tar tv etc/shadow
  
  First command will show that file is owned by root:shadow, while second
  will show that it is owned by UID/GID 0/0. Here you can downgrade or
  apply the fix to see that second command starts to show UID/GID 0/42
  that is correct.
  
  [ Where problems could occur ]
  Upstream builds this Docker version with Go 1.19. While Go is usually pretty good in maintaining backward compatibility, there were some subtle changes in Go 1.20, like handling of TLS handshake failure and some other error handling. So there could be changes in behavior when error arrises.
  
  [ Other Info ]
  Bug introduced in 20.10.25-0ubuntu1~20.04.1. Previous version 20.10.21-0ubuntu1~20.04.2 works as intended. Jammy is also affected.
  
  I've managed to find out that the issue is caused by this change: https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
  Go 1.19 introduced unix build tag that is used by upstream now, making source code silently skipped when built with older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS, but building package with newer Go version is even better.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: docker.io 20.10.25-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug  3 20:27:42 2023
  InstallationDate: Installed on 2023-05-19 (76 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  SourcePackage: docker.io-app
  UpgradeStatus: No upgrade log present (probably fresh install)
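Review bot: the Test Plan creates a named container with `docker run --name lp_2029523` and never removes it, so running the plan a second time on the same host fails on the name conflict. Add a final cleanup step such as `docker rm lp_2029523` after the export check.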

** Description changed:

  [ Impact ]
  Tar archive created by docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate filesystem for unprivileged processes (like via docker import or just unpacking it and chrooting), they can fail with permission denied error or in some other way.
  
  [ Test Plan ]
  Run next commands (under user with docker group or under root):
  
      docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
      docker export lp_2029523 | tar tv etc/shadow
  
  First command will show that file is owned by root:shadow, while second
  will show that it is owned by UID/GID 0/0. Here you can downgrade or
  apply the fix to see that second command starts to show UID/GID 0/42
  that is correct.
  
  [ Where problems could occur ]
- Upstream builds this Docker version with Go 1.19. While Go is usually pretty good in maintaining backward compatibility, there were some subtle changes in Go 1.20, like handling of TLS handshake failure and some other error handling. So there could be changes in behavior when error arrises.
+ Upstream builds this Docker version with Go 1.19. While Go is usually pretty good at maintaining backward compatibility, there were some subtle changes in Go 1.20, like handling of TLS handshake failure and some other error handling. So there could be changes in behavior when error arrises.
  
  [ Other Info ]
  Bug introduced in 20.10.25-0ubuntu1~20.04.1. Previous version 20.10.21-0ubuntu1~20.04.2 works as intended. Jammy is also affected.
  
  I've managed to find out that the issue is caused by this change: https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
  Go 1.19 introduced unix build tag that is used by upstream now, making source code silently skipped when built with older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS, but building package with newer Go version is even better.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: docker.io 20.10.25-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug  3 20:27:42 2023
  InstallationDate: Installed on 2023-05-19 (76 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  SourcePackage: docker.io-app
  UpgradeStatus: No upgrade log present (probably fresh install)

https://bugs.launchpad.net/bugs/2029523

Title:
  docker export is missing ownership information

Status in docker.io-app package in Ubuntu:
  New
Status in docker.io-app source package in Focal:
  New
Status in docker.io-app source package in Jammy:
  New

Bug description:
  [ Impact ]
  The tar archive created by the docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate a filesystem for unprivileged processes (for example via docker import, or by just unpacking it and chrooting), they can fail with a permission denied error or in some other way.

  [ Test Plan ]
  Run the following commands (as a user in the docker group or as root):

      docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
      docker export lp_2029523 | tar tv etc/shadow

  The first command will show that the file is owned by root:shadow,
  while the second will show that it is owned by UID/GID 0/0. Here you
  can downgrade or apply the fix to see that the second command starts
  to show UID/GID 0/42, which is correct.

  [ Where problems could occur ]
  Upstream builds this Docker version with Go 1.19. While Go is usually pretty good at maintaining backward compatibility, there were some subtle changes in Go 1.20, like the handling of TLS handshake failures and some other error handling. So there could be changes in behavior when an error arises.

  [ Other Info ]
  The bug was introduced in 20.10.25-0ubuntu1~20.04.1. The previous version, 20.10.21-0ubuntu1~20.04.2, works as intended. Jammy is also affected.

  I've managed to find out that the issue is caused by this change: https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
  Go 1.19 introduced the unix build tag, which upstream now uses, so the source code is silently skipped when built with an older Go version. It can be fixed by appending this tag to DOCKER_BUILDTAGS, but building the package with a newer Go version is even better.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: docker.io 20.10.25-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug  3 20:27:42 2023
  InstallationDate: Installed on 2023-05-19 (76 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  SourcePackage: docker.io-app
  UpgradeStatus: No upgrade log present (probably fresh install)
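
A regression check for the test plan above, written as an added Go example that is not part of the original bug report or of the docker.io package: it reads a tar stream such as `docker export` output and reports every expected path that is missing or whose numeric UID/GID differs. `Expect`, `CheckOwnership` and `sampleExport` are hypothetical names, and the in-memory archive is constructed sample data standing in for a real export.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// Expect names a path and the numeric owner it must carry in the archive.
type Expect struct{ Path string; UID, GID int }

// CheckOwnership returns one message per expected path that is absent from
// the tar stream or is stored with a different UID/GID.
func CheckOwnership(r io.Reader, want []Expect) ([]string, error) {
	got := map[string][2]int{} // path -> {uid, gid} as recorded in the archive
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		got[h.Name] = [2]int{h.Uid, h.Gid}
	}
	var problems []string
	for _, w := range want {
		if g, ok := got[w.Path]; !ok {
			// A missing path must not pass silently as "ownership fine".
			problems = append(problems, w.Path+": not in archive")
		} else if g[0] != w.UID || g[1] != w.GID {
			problems = append(problems, fmt.Sprintf("%s: got %d/%d, want %d/%d", w.Path, g[0], g[1], w.UID, w.GID))
		}
	}
	return problems, nil
}

// sampleExport builds a constructed one-file archive in place of real
// `docker export` output: gid 0 models the regression, gid 42 the fixed build.
func sampleExport(gid int) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "etc/shadow", Mode: 0640, Gid: gid})
	tw.Close()
	return &buf
}

func main() {
	want := []Expect{{"etc/shadow", 0, 42}} // root:shadow, as in the test plan
	fmt.Println(CheckOwnership(sampleExport(0), want))  // regression: one problem
	fmt.Println(CheckOwnership(sampleExport(42), want)) // fixed: no problems
}
```

To check a real container, pass `os.Stdin` to `CheckOwnership` and pipe `docker export lp_2029523` into the program.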
