[Bug 1916485] Re: test -x fails inside shell scripts in containers

Sergio Durigan Junior 1916485 at bugs.launchpad.net
Mon Apr 19 21:28:25 UTC 2021 

Before I change the status of this bug, I would like to report my
findings here.

I am testing things on a Bionic s390x machine with everything up-to-
date:

# apt policy systemd
systemd:
  Installed: 237-3ubuntu10.46
...
# apt policy containerd
containerd:
  Installed: 1.4.4-0ubuntu1~18.04.2
...
# apt policy docker.io
docker.io:
  Installed: 20.10.2-0ubuntu1~18.04.2
...
# apt policy runc
runc:
  Installed: 1.0.0~rc93-0ubuntu1~18.04.1
...

Following the reproduction steps listed in the Description section still
fail for me:

# systemd-nspawn 
Spawning container h on /root/h.
Press ^] three times within 1s to kill container.
# bash -c 'test -x /usr/bin/gpg || echo Fail'
Fail

When I'm in a hirsute Docker container, it also fails:

$ docker run -it --rm ubuntu:hirsute
root at 78506947b11f:/# bash -c 'test -x /usr/bin/gpg || echo Fail'
Fail

This is impacting the build of the 21.04 OCI images on s390x (amd64,
arm64 and ppc64el succeed).

I'm still not sure what's causing this, nor why this is happening only
on s390x.  I will post more details when I have them.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1916485

Title:
  test -x fails inside shell scripts in containers

Status in docker.io package in Ubuntu:
  New
Status in glibc package in Ubuntu:
  Opinion
Status in libseccomp package in Ubuntu:
  Fix Committed
Status in runc package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in docker.io source package in Xenial:
  New
Status in libseccomp source package in Xenial:
  New
Status in runc source package in Xenial:
  New
Status in systemd source package in Xenial:
  Invalid
Status in docker.io source package in Bionic:
  New
Status in libseccomp source package in Bionic:
  New
Status in runc source package in Bionic:
  Fix Released
Status in systemd source package in Bionic:
  Fix Released
Status in docker.io source package in Focal:
  New
Status in libseccomp source package in Focal:
  New
Status in runc source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in docker.io source package in Groovy:
  New
Status in libseccomp source package in Groovy:
  New
Status in runc source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in docker.io source package in Hirsute:
  New
Status in libseccomp source package in Hirsute:
  Fix Committed
Status in runc source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released
Status in systemd package in Debian:
  Fix Released

Bug description:
  (SRU template for systemd)

  [impact]

  bash (and some other shells) builtin test command -x operation fails

  [test case]

  on any affected host system, start nspawn container, e.g.:

  $ sudo apt install systemd-container
  $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
  $ mkdir h
  $ cd h
  $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
  $ sudo systemd-nspawn

  Then from a bash shell, verify if test -x works:

  root at h:~# ls -l /usr/bin/gpg
  -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
  root at h:~# test -x /usr/bin/gpg || echo "fail"
  fail

  [regression potential]

  any regression would likely occur during a syscall, most likely
  faccessat2(), or during other syscalls.

  [scope]

  this is needed for b/f

  this is fixed upstream by commit
  bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so
  this is fixed in h

  this was pulled into Debian at version 246.2 in commit
  e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g

  in x, the entire systemd seccomp code is completely different and the
  patch doesn't apply, nor does it appear to be needed, as the problem
  doesn't reproduce in a h container under x.

  [other info]

  this needs fixing in libseccomp as well

  [original description]

  glibc regression causes test -x to fail inside scripts inside
  docker/podman, dash and bash are broken, mksh and zsh are fine:

  root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root at 0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/#

  root at 0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root at 0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root at 0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail

  The -f flag works, as does /usr/bin/test:
  # bash -c "test -f /usr/bin/gpg  || echo Fail"
  # bash -c "/usr/bin/test -x /usr/bin/gpg  || echo Fail"
  #

  [Original bug report]
  root at 84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root at 84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement

  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.

  The build fails with:

  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation

  The simple Dockerfile to reproduce the error - "docker build -t foo ."

  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>

  USER root

  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -

  Breaking it down it this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.

  So adding keys in unpriviledged container or possibly kubernetes will
  not work anymore.

  Flo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1916485/+subscriptions

More information about the foundations-bugs mailing list