group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #39312
[Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package systemd - 237-3ubuntu10.46
---------------
systemd (237-3ubuntu10.46) bionic; urgency=medium
* d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
Add support for faccessat2 (LP: #1916485)
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b5f11a9baecf0cefb503632e938d473234172128
* d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
Stop attempting to restrict address families on ppc archs
(LP: #1918696)
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4569a047ece8b1b300ef63e49b5aea8aba35c500
* d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
Add openat2() syscall to seccomp filter list
(LP: #1891810)
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ddfbfa79af4f22b7adf946c4299433fd74a4f17
-- Dan Streetman <ddstreet@xxxxxxxxxxxxx> Wed, 17 Mar 2021 17:38:05
-0400
** Changed in: systemd (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1916485
Title:
test -x fails inside shell scripts in containers
Status in docker.io package in Ubuntu:
New
Status in glibc package in Ubuntu:
Opinion
Status in libseccomp package in Ubuntu:
Fix Committed
Status in runc package in Ubuntu:
Fix Released
Status in systemd package in Ubuntu:
Fix Released
Status in docker.io source package in Xenial:
New
Status in libseccomp source package in Xenial:
New
Status in runc source package in Xenial:
New
Status in systemd source package in Xenial:
Invalid
Status in docker.io source package in Bionic:
New
Status in libseccomp source package in Bionic:
New
Status in runc source package in Bionic:
Fix Committed
Status in systemd source package in Bionic:
Fix Released
Status in docker.io source package in Focal:
New
Status in libseccomp source package in Focal:
New
Status in runc source package in Focal:
Fix Committed
Status in systemd source package in Focal:
Fix Released
Status in docker.io source package in Groovy:
New
Status in libseccomp source package in Groovy:
New
Status in runc source package in Groovy:
Fix Committed
Status in systemd source package in Groovy:
Fix Released
Status in docker.io source package in Hirsute:
New
Status in libseccomp source package in Hirsute:
Fix Committed
Status in runc source package in Hirsute:
Fix Released
Status in systemd source package in Hirsute:
Fix Released
Status in systemd package in Debian:
Fix Released
Bug description:
(SRU template for systemd)
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
$ mkdir h
$ cd h
$ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
$ sudo systemd-nspawn
Then from a bash shell, verify if test -x works:
root@h:~# ls -l /usr/bin/gpg
-rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
root@h:~# test -x /usr/bin/gpg || echo "fail"
fail
[regression potential]
any regression would likely occur during a syscall, most likely
faccessat2(), or during other syscalls.
[scope]
this is needed for b/f
this is fixed upstream by commit
bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so
this is fixed in h
this was pulled into Debian at version 246.2 in commit
e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g
in x, the entire systemd seccomp code is completely different and the
patch doesn't apply, nor does it appear to be needed, as the problem
doesn't reproduce in a h container under x.
[other info]
this needs fixing in libseccomp as well
[original description]
glibc regression causes test -x to fail inside scripts inside
docker/podman, dash and bash are broken, mksh and zsh are fine:
root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/#
root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
The -f flag works, as does /usr/bin/test:
# bash -c "test -f /usr/bin/gpg || echo Fail"
# bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
#
[Original bug report]
root@84b750e443f8:/# lsb_release -rd
Description: Ubuntu Hirsute Hippo (development branch)
Release: 21.04
root@84b750e443f8:/# dpkg -l gnupg apt
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===============-============-==========================================
ii apt 2.1.20 amd64 commandline package manager
ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement
Hi,
for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
The build fails with:
0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
them is required for this operation
The simple Dockerfile to reproduce the error - "docker build -t foo ."
FROM amd64/ubuntu:hirsute
MAINTAINER Florian Lohoff <f@xxxxx>
USER root
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
&& curl https://syncthing.net/release-key.txt | apt-key add -
Breaking it down it this seems to be an issue that there is new
functionality in apt/apt-key e.g. security hardening that docker
prohibits in its containers. Running this manually works only in an
--privileged container.
So adding keys in unpriviledged container or possibly kubernetes will
not work anymore.
Flo
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1916485/+subscriptions