| 2024-03-28 23:30:10 |
Logan Bussell |
bug |
|
|
added bug |
| 2024-03-29 00:34:08 |
Logan Bussell |
description |
When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set.
Here's a concise repro. The error occurs in when building the Dockerfile. I can only get this to work on Azure VMs, but can't find out why.
```Dockerfile
FROM ubuntu.azurecr.io/ubuntu:noble
# Create the problematic archive
RUN mkdir /test \
&& chmod 775 /test \
&& cd /test \
&& mkdir 775 \
&& chmod 775 775 \
&& touch 775/test.txt \
&& chmod 644 775/test.txt \
&& tar -czvf /test.tar.gz .
# Extracting it gives an error
RUN mkdir -p /test2 \
&& tar -tzvf /test.tar.gz \
&& tar -oxzf /test.tar.gz -C /test2
```
What I expected to happen: The test.tar.gz archive should be successfully extracted to the /test2 directory.
What happened instead: Tar throws the following error:
```
tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```
The Ubuntu container is running as root so there shouldn't be any permission errors.
Since this is running in a container, I observed this happening on the following kernel:
`Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024`.
I was not able to reproduce it using Ubuntu 22.04 Jammy (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above.
Additionally I was not able to reproduce this on the kernel `Linux cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on my work machine, using Docker qemu emulation for the arm32 image (I do not have access to an arm32 native machine).
Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble)
tar version: `1.35+dfsg-3` |
When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set.
Here's a concise repro. The error occurs in when building the Dockerfile. I can only get this to work on Azure VMs, but can't find out why.
```Dockerfile
FROM ubuntu.azurecr.io/ubuntu:noble
# Create the problematic archive
RUN mkdir /test \
&& chmod 775 /test \
&& cd /test \
&& mkdir 775 \
&& chmod 775 775 \
&& touch 775/test.txt \
&& chmod 644 775/test.txt \
&& tar -czvf /test.tar.gz .
# Extracting it gives an error
RUN mkdir -p /test2 \
&& tar -tzvf /test.tar.gz \
&& tar -oxzf /test.tar.gz -C /test2
```
What I expected to happen: The test.tar.gz archive should be successfully extracted to the /test2 directory.
What happened instead: Tar throws the following error:
```
tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```
The Ubuntu container is running as root so there shouldn't be any permission errors.
Since this is running in a container, I observed this happening on the following kernel:
`Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024`
As well as
`Linux <hostname> 6.5.0-1017-azure #17~22.04.1-Ubuntu SMP Sat Mar 9 10:04:07 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux`
I was not able to reproduce it using Ubuntu 22.04 Jammy (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above.
Additionally I was not able to reproduce this on the kernel `Linux cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on my work machine, using Docker qemu emulation for the arm32 image.
Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble)
tar version: `1.35+dfsg-3` |
|
| 2024-04-03 14:27:19 |
Cristovao Cordeiro |
bug |
|
|
added subscriber Cristovao Cordeiro |
| 2024-04-03 14:51:39 |
Launchpad Janitor |
tar (Ubuntu): status |
New |
Confirmed |
|
| 2024-04-03 14:52:43 |
Matt Thalman |
bug |
|
|
added subscriber Matt Thalman |
| 2024-04-03 14:58:02 |
Michael Simons |
bug |
|
|
added subscriber Michael Simons |
| 2024-04-18 22:28:14 |
nattofriends |
bug |
|
|
added subscriber nattofriends |
| 2024-05-02 10:44:41 |
Mark Elvers |
bug |
|
|
added subscriber Mark Elvers |
| 2024-05-31 10:15:29 |
Mark Elvers |
bug watch added |
|
https://github.com/ocaml/infrastructure/issues/121 |
|
| 2024-06-07 13:28:13 |
Ghadi Rahme |
tar (Ubuntu): assignee |
|
Ghadi Rahme (ghadi-rahme) |
|
| 2024-06-07 13:28:17 |
Ghadi Rahme |
tar (Ubuntu): importance |
Undecided |
High |
|
| 2024-06-07 13:28:25 |
Ghadi Rahme |
nominated for series |
|
Ubuntu Jammy |
|
| 2024-06-07 13:28:25 |
Ghadi Rahme |
bug task added |
|
tar (Ubuntu Jammy) |
|
| 2024-06-07 13:28:30 |
Ghadi Rahme |
tar (Ubuntu Jammy): importance |
Undecided |
High |
|
| 2024-06-07 14:10:32 |
Ghadi Rahme |
tar (Ubuntu): assignee |
Ghadi Rahme (ghadi-rahme) |
|
|
| 2024-06-07 14:23:50 |
Ghadi Rahme |
description |
When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set.
Here's a concise repro. The error occurs in when building the Dockerfile. I can only get this to work on Azure VMs, but can't find out why.
```Dockerfile
FROM ubuntu.azurecr.io/ubuntu:noble
# Create the problematic archive
RUN mkdir /test \
&& chmod 775 /test \
&& cd /test \
&& mkdir 775 \
&& chmod 775 775 \
&& touch 775/test.txt \
&& chmod 644 775/test.txt \
&& tar -czvf /test.tar.gz .
# Extracting it gives an error
RUN mkdir -p /test2 \
&& tar -tzvf /test.tar.gz \
&& tar -oxzf /test.tar.gz -C /test2
```
What I expected to happen: The test.tar.gz archive should be successfully extracted to the /test2 directory.
What happened instead: Tar throws the following error:
```
tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```
The Ubuntu container is running as root so there shouldn't be any permission errors.
Since this is running in a container, I observed this happening on the following kernel:
`Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024`
As well as
`Linux <hostname> 6.5.0-1017-azure #17~22.04.1-Ubuntu SMP Sat Mar 9 10:04:07 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux`
I was not able to reproduce it using Ubuntu 22.04 Jammy (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above.
Additionally I was not able to reproduce this on the kernel `Linux cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on my work machine, using Docker qemu emulation for the arm32 image.
Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble)
tar version: `1.35+dfsg-3` |
Thank you @loganbussell-msft for the bug report!
[Impact]
Currently running containers using modern versions of glibc such as the one available in noble on older hosts causes permissions issues inside the container. This is due to newer versions of glibc expecting the fchmodat2 syscall to be available and to return ENOSYS in case it is not. However docker seccomp profile defaults to returning EPERM for all non defined syscalls and writing an entry for fchmodat2 in the docker seccomp profile to return ENOSYS does not work on systems where libseccomp does not have support for fchmodat2.
Running armhf noble docker containers on arm64 jammy hosts has been seen to exhibit this behavior and a patch to libseccomp for jammy is required to fix the issue.
Other architectures may also be affected by this issue that such as ppc64le as reported by @mark-elvers.
I have backported a fix from upstream that adds the missing syscalls to libseccomp and verified it on an ampere arm machine as well as on a raspberry pi 4
[Test Plan]
1- On an ARM 64 machine install the latest version of docker on a jammy host by following the official docker documentation. [https://docs.docker.com/engine/install/ubuntu/]
2- Create an armhf noble docker container:
$ docker run --rm -it --platform linux/arm/v7 --entrypoint bash ubuntu.azurecr.io/ubuntu:noble
3- inside the docker container execute the following commands to create a new tar file and then extract it:
mkdir /test \
&& chmod 775 /test \
&& cd /test \
&& mkdir 775 \
&& chmod 775 775 \
&& touch 775/test.txt \
&& chmod 644 775/test.txt \
&& tar -czvf /test.tar.gz .
mkdir -p /test2 \
&& tar -tzvf /test.tar.gz \
&& tar -oxzf /test.tar.gz -C /test2
4- you will see the following errors:
tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
5- When libseccomp is patched the command will run with no permission issues
[Where problems could occur]
* the issue might still occur on other platforms
* if using an older version of docker the issue will still occur
[Original Description]
When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set.
Here's a concise repro. The error occurs in when building the Dockerfile. I can only get this to work on Azure VMs, but can't find out why.
```Dockerfile
FROM ubuntu.azurecr.io/ubuntu:noble
# Create the problematic archive
RUN mkdir /test \
&& chmod 775 /test \
&& cd /test \
&& mkdir 775 \
&& chmod 775 775 \
&& touch 775/test.txt \
&& chmod 644 775/test.txt \
&& tar -czvf /test.tar.gz .
# Extracting it gives an error
RUN mkdir -p /test2 \
&& tar -tzvf /test.tar.gz \
&& tar -oxzf /test.tar.gz -C /test2
```
What I expected to happen: The test.tar.gz archive should be successfully extracted to the /test2 directory.
What happened instead: Tar throws the following error:
```
tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```
The Ubuntu container is running as root so there shouldn't be any permission errors.
Since this is running in a container, I observed this happening on the following kernel:
`Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024`
As well as
`Linux <hostname> 6.5.0-1017-azure #17~22.04.1-Ubuntu SMP Sat Mar 9 10:04:07 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux`
I was not able to reproduce it using Ubuntu 22.04 Jammy (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above.
Additionally I was not able to reproduce this on the kernel `Linux cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on my work machine, using Docker qemu emulation for the arm32 image.
Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble)
tar version: `1.35+dfsg-3` |
|
| 2024-06-07 14:24:16 |
Ghadi Rahme |
bug task added |
|
libseccomp (Ubuntu) |
|
| 2024-06-07 14:24:24 |
Ghadi Rahme |
libseccomp (Ubuntu): assignee |
|
Ghadi Rahme (ghadi-rahme) |
|
| 2024-06-07 14:24:27 |
Ghadi Rahme |
libseccomp (Ubuntu Jammy): assignee |
|
Ghadi Rahme (ghadi-rahme) |
|
| 2024-06-07 14:24:49 |
Ghadi Rahme |
tar (Ubuntu): status |
Confirmed |
Invalid |
|
| 2024-06-07 14:24:53 |
Ghadi Rahme |
tar (Ubuntu Jammy): status |
New |
Invalid |
|
| 2024-06-07 14:25:00 |
Ghadi Rahme |
bug task deleted |
tar (Ubuntu Jammy) |
|
|
| 2024-06-07 14:25:22 |
Ghadi Rahme |
libseccomp (Ubuntu): status |
New |
Confirmed |
|
| 2024-06-07 14:25:24 |
Ghadi Rahme |
libseccomp (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2024-06-07 14:25:32 |
Ghadi Rahme |
tar (Ubuntu): status |
Invalid |
Confirmed |
|
| 2024-06-07 14:27:54 |
Ghadi Rahme |
attachment added |
|
jammy.debdiff https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+attachment/5787198/+files/jammy.debdiff |
|
| 2024-06-07 14:28:07 |
Ghadi Rahme |
libseccomp (Ubuntu): importance |
Undecided |
High |
|
| 2024-06-07 14:28:09 |
Ghadi Rahme |
libseccomp (Ubuntu Jammy): importance |
Undecided |
High |
|
| 2024-06-07 14:28:18 |
Ghadi Rahme |
bug |
|
|
added subscriber Ubuntu Sponsors |
| 2024-06-11 15:32:21 |
Paride Legovini |
tar (Ubuntu): status |
Confirmed |
Invalid |
|
| 2024-06-11 15:33:06 |
Paride Legovini |
libseccomp (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2024-06-11 15:33:15 |
Paride Legovini |
libseccomp (Ubuntu Jammy): status |
Confirmed |
In Progress |
|
| 2024-06-11 15:33:21 |
Paride Legovini |
removed subscriber Ubuntu Sponsors |
|
|
|
| 2024-06-19 13:04:24 |
Robie Basak |
libseccomp (Ubuntu Jammy): status |
In Progress |
Incomplete |
|
| 2024-06-19 13:09:24 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
| 2024-06-19 13:42:38 |
Robie Basak |
libseccomp (Ubuntu): status |
Fix Released |
New |
|
| 2024-06-19 13:42:46 |
Robie Basak |
nominated for series |
|
Ubuntu Noble |
|
| 2024-06-19 13:42:46 |
Robie Basak |
bug task added |
|
tar (Ubuntu Noble) |
|
| 2024-06-19 13:42:46 |
Robie Basak |
bug task added |
|
libseccomp (Ubuntu Noble) |
|
| 2024-06-19 14:21:08 |
Robie Basak |
nominated for series |
|
Ubuntu Mantic |
|
| 2024-06-19 14:21:08 |
Robie Basak |
bug task added |
|
tar (Ubuntu Mantic) |
|
| 2024-06-19 14:21:08 |
Robie Basak |
bug task added |
|
libseccomp (Ubuntu Mantic) |
|
