test -x fails inside shell scripts in containers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libseccomp (Ubuntu) | Fix Released | Critical | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Hirsute | Fix Released | Critical | Unassigned |
runc (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Won't Fix | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Hirsute | Fix Released | Undecided | Unassigned |
systemd (Debian) | Fix Released | Unknown | |
systemd (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Won't Fix | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Hirsute | Fix Released | Undecided | Unassigned |
Bug Description
(SRU template for systemd)
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget https:/
$ mkdir h
$ cd h
$ sudo tar xvf ../hirsute-
$ sudo systemd-nspawn
Then from a bash shell, verify if test -x works:
root@h:~# ls -l /usr/bin/gpg
-rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
root@h:~# test -x /usr/bin/gpg || echo "fail"
fail
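An added diagnostic for the test case above (example code, not from the bug report, systemd, libseccomp or runc): it issues the faccessat2() syscall mentioned in the regression-potential note directly, bypassing the glibc wrapper, and classifies the kernel's answer. Newer glibc tries faccessat2() first and only falls back to the older access check when the kernel answers ENOSYS; a seccomp filter that rejects the unknown syscall with EPERM instead, which is what container runtime profiles predating faccessat2 did, leaves the shell builtin `test -x` reporting failure on a file whose x bit is set, exactly the symptom shown above. The default probe path /bin/sh, the syscall-number fallback and the output wording are assumptions of this example.

```c
/* Added example: probe how faccessat2() is answered inside a container.
 * Not code from the bug report or from any of the affected packages. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
/* faccessat2 has syscall number 439 on every Linux architecture; headers
 * older than kernel 5.8 / glibc 2.32 lack the constant (assumed fallback). */
#define SYS_faccessat2 439
#endif

enum probe_result {
    PROBE_OK,        /* syscall ran, file is executable for this process */
    PROBE_DENIED,    /* syscall ran, file is not executable (EACCES)      */
    PROBE_FALLBACK,  /* ENOSYS: kernel lacks faccessat2, glibc falls back */
    PROBE_BLOCKED,   /* EPERM: a seccomp filter rejects the syscall, so
                        glibc does NOT fall back and test -x fails        */
    PROBE_OTHER      /* anything else, e.g. ENOENT for a missing path      */
};

/* Map the raw syscall outcome to a result class. Kept separate from the
 * syscall itself so the mapping can be checked without a kernel. */
enum probe_result classify(int rc, int err)
{
    if (rc == 0)
        return PROBE_OK;
    switch (err) {
    case EACCES: return PROBE_DENIED;
    case ENOSYS: return PROBE_FALLBACK;
    case EPERM:  return PROBE_BLOCKED;
    default:     return PROBE_OTHER;
    }
}

const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:       return "ok: file is executable";
    case PROBE_DENIED:   return "EACCES: file is not executable";
    case PROBE_FALLBACK: return "ENOSYS: no faccessat2 in kernel, glibc falls back cleanly";
    case PROBE_BLOCKED:  return "EPERM: seccomp blocks faccessat2, builtin test -x will fail";
    default:             return "other error";
    }
}

/* Issue faccessat2(AT_FDCWD, path, X_OK, AT_EACCESS) as a raw syscall.
 * AT_EACCESS asks for the effective-uid check that shells use for -x. */
enum probe_result probe_faccessat2(const char *path)
{
    errno = 0;
    long rc = syscall(SYS_faccessat2, AT_FDCWD, path, X_OK, AT_EACCESS);
    return classify(rc == -1 ? -1 : 0, errno);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/sh"; /* assumed default */
    enum probe_result r = probe_faccessat2(path);
    printf("faccessat2(%s, X_OK): %s\n", path, probe_name(r));
    /* Non-zero exit only when the syscall is being blocked, so the probe
     * can gate a CI job on the container runtime's seccomp profile. */
    return r == PROBE_BLOCKED;
}
```

Run the binary inside the container under test (for instance the nspawn container from the test case, or the Docker image from the original report); a PROBE_FALLBACK answer is harmless because glibc handles it, while PROBE_BLOCKED points at the runtime's seccomp configuration rather than at the shell or the file.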
[regression potential]
any regression would most likely appear in the handling of syscalls, in particular faccessat2().
[scope]
this is needed for b/f (Bionic and Focal)
this is fixed upstream by commit bcf08acbffdee0d
this was pulled into Debian at version 246.2 in commit e80c5e5371ab777
in x (Xenial), the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h (Hirsute) container under x.
[other info]
this needs fixing in libseccomp as well
[original description]
glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine:
root@0df2ce5d7a
root@0df2ce5d7a
Fail
root@0df2ce5d7a
Fail
root@0df2ce5d7a
root@0df2ce5d7a
root@0df2ce5d7a
root@0df2ce5d7a
root@0df2ce5d7a
root@0df2ce5d7a
Fail
root@0df2ce5d7a
Fail
The -f flag works, as does /usr/bin/test:
# bash -c "test -f /usr/bin/gpg || echo Fail"
# bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
#
[Original bug report]
root@84b750e443
Description: Ubuntu Hirsute Hippo (development branch)
Release: 21.04
root@84b750e443
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-==========================================
ii  apt            2.1.20           amd64        commandline package manager
ii  gnupg          2.2.20-1ubuntu2  all          GNU privacy guard - a free PGP replacement
Hi,
for 3 days our CI pipelines to recreate Docker images have been failing for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
The build fails with:
0E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
The simple Dockerfile to reproduce the error - "docker build -t foo ."
FROM amd64/ubuntu:
MAINTAINER Florian Lohoff <email address hidden>
USER root
RUN apt-get update \
&& DEBIAN_
&& curl https:/
Breaking it down, this seems to be an issue where there is new functionality in apt/apt-key, e.g. security hardening, that docker prohibits in its containers. Running this manually works only in a --privileged container.
So adding keys in an unprivileged container, or possibly kubernetes, will not work anymore.
Flo
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: | added: fr-1159 |
tags: | removed: rls-hh-incoming |
Changed in docker.io (Ubuntu Hirsute): | |
importance: | Undecided → Critical |
Changed in glibc (Ubuntu Hirsute): | |
status: | Triaged → Opinion |
tags: | added: server-next |
description: | updated |
description: | updated |
Changed in systemd (Ubuntu Groovy): | |
status: | New → Fix Released |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in glibc (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in glibc (Ubuntu Bionic): | |
status: | New → Invalid |
Changed in glibc (Ubuntu Focal): | |
status: | New → Invalid |
Changed in glibc (Ubuntu Groovy): | |
status: | New → Invalid |
no longer affects: | glibc (Ubuntu Hirsute) |
no longer affects: | glibc (Ubuntu Groovy) |
no longer affects: | glibc (Ubuntu Focal) |
no longer affects: | glibc (Ubuntu Bionic) |
no longer affects: | glibc (Ubuntu Xenial) |
no longer affects: | glibc (Ubuntu) |
Changed in glibc (Ubuntu): | |
status: | New → Opinion |
no longer affects: | docker.io (Debian) |
Changed in systemd (Debian): | |
status: | Unknown → Fix Released |
tags: |
added: architecture-s39064 bugnameltc-192453 severity-high targetmilestone-inin2104 removed: verification-done verification-done-bionic verification-done-focal verification-done-groovy |
tags: | added: reverse-proxy-bugzilla |
description: | updated |
Changed in docker.io (Ubuntu): | |
status: | New → Invalid |
tags: | removed: server-next |
Changed in docker.io (Ubuntu Xenial): | |
status: | New → Won't Fix |
Changed in runc (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in docker.io (Ubuntu Bionic): | |
status: | New → Fix Released |
Changed in docker.io (Ubuntu Focal): | |
status: | New → Fix Released |
Changed in docker.io (Ubuntu Hirsute): | |
status: | New → Fix Released |
Changed in docker.io (Ubuntu Bionic): | |
status: | Fix Released → Invalid |
Changed in docker.io (Ubuntu Xenial): | |
status: | Won't Fix → Invalid |
Changed in docker.io (Ubuntu Focal): | |
status: | Fix Released → Invalid |
Changed in docker.io (Ubuntu Hirsute): | |
status: | Fix Released → Invalid |
Changed in libseccomp (Ubuntu Xenial): | |
status: | New → Fix Released |
Changed in libseccomp (Ubuntu Bionic): | |
status: | New → Fix Released |
Changed in libseccomp (Ubuntu Focal): | |
status: | New → Fix Released |
no longer affects: | docker.io (Ubuntu) |
no longer affects: | docker.io (Ubuntu Xenial) |
no longer affects: | docker.io (Ubuntu Bionic) |
no longer affects: | docker.io (Ubuntu Focal) |
no longer affects: | docker.io (Ubuntu Groovy) |
no longer affects: | docker.io (Ubuntu Hirsute) |
affects: | ubuntu-z-systems → ubuntu-translations |
no longer affects: | ubuntu-translations |
no longer affects: | glibc (Ubuntu) |
Changed in systemd (Ubuntu Xenial): | |
status: | Invalid → Won't Fix |
Changed in runc (Ubuntu Xenial): | |
status: | Invalid → Won't Fix |
Bug also applies to apt 2.2.0
root@72aa01291622:/# dpkg -l apt gnupg
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-==========================================
ii  apt            2.2.0            amd64        commandline package manager
ii  gnupg          2.2.20-1ubuntu2  all          GNU privacy guard - a free PGP replacement
root@72aa01291622:/# curl https://syncthing.net/release-key.txt | apt-key add -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  2462  100  2462    0     0   1969      0  0:00:01  0:00:01 --:--:--  1969