[Bug 1916485] Re: test -x fails inside shell scripts in containers

Julian Andres Klode 1916485 at bugs.launchpad.net
Mon Feb 22 15:25:17 UTC 2021


Broken bash:

faccessat2(AT_FDCWD, "/usr/bin/gpg", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)

Good bash w/ old glibc:

faccessat(AT_FDCWD, "/usr/bin/gpg", X_OK) = 0


Good mksh:

newfstatat(AT_FDCWD, "/usr/bin/gpg", {st_mode=S_IFREG|0755, st_size=1083472, ...}, 0) = 0


** Description changed:

  glibc regression causes test -x to fail inside scripts inside
  docker/podman:
  
- root at 0df2ce5d7a46:/# echo 'test -x /usr/bin/gpg || echo Fail' > a                                                                                                                                                    
- root at 0df2ce5d7a46:/# sh a                                                                                                                                                                                            
- Fail                                                                                                                                                                                                                 
- root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail                                                     
- root at 0df2ce5d7a46:/# 
- 
+ root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
+ root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
+ Fail
  
  [Original bug report]
  root at 84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root at 84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement
  
  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
  
  The build fails with:
  
  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation
  
  The simple Dockerfile to reproduce the error - "docker build -t foo ."
  
  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>
  
  USER root
  
  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -
  
  Breaking it down it this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.
  
  So adding keys in unpriviledged container or possibly kubernetes will
  not work anymore.
  
  Flo
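
Review bot: the unchanged summary line still says test -x fails "inside scripts", but the replacement reproducer no longer runs a script: the removed lines wrote the test to file `a` and ran `sh a`, while the added lines use `bash -c`. Either keep the `sh a` case next to the new one or reword the summary so it matches what the commands show, and say which shell the first `test -x` prompt, the one that prints nothing, is running.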

** Description changed:

  glibc regression causes test -x to fail inside scripts inside
- docker/podman:
+ docker/podman, dash and bash are broken, mksh is fine:
  
  root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
+ root at 0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
+ Fail
  root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
+ root at 0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
+ root at 0df2ce5d7a46:/#
  
  [Original bug report]
  root at 84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root at 84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement
  
  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
  
  The build fails with:
  
  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation
  
  The simple Dockerfile to reproduce the error - "docker build -t foo ."
  
  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>
  
  USER root
  
  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -
  
  Breaking it down it this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.
  
  So adding keys in unpriviledged container or possibly kubernetes will
  not work anymore.
  
  Flo

** Description changed:

  glibc regression causes test -x to fail inside scripts inside
- docker/podman, dash and bash are broken, mksh is fine:
+ docker/podman, dash and bash are broken, mksh and zsh are fine:
  
  root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root at 0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
+ root at 0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/#
  
  [Original bug report]
  root at 84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root at 84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement
  
  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
  
  The build fails with:
  
  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation
  
  The simple Dockerfile to reproduce the error - "docker build -t foo ."
  
  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>
  
  USER root
  
  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -
  
  Breaking it down it this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.
  
  So adding keys in unpriviledged container or possibly kubernetes will
  not work anymore.
  
  Flo

** Description changed:

  glibc regression causes test -x to fail inside scripts inside
  docker/podman, dash and bash are broken, mksh and zsh are fine:
  
  root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root at 0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/#
+ 
+ root at 0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
+ root at 0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
+ root at 0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
+ Fail
+ root at 0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
+ Fail
+ 
  
  [Original bug report]
  root at 84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root at 84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement
  
  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
  
  The build fails with:
  
  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation
  
  The simple Dockerfile to reproduce the error - "docker build -t foo ."
  
  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>
  
  USER root
  
  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -
  
  Breaking it down it this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.
  
  So adding keys in unpriviledged container or possibly kubernetes will
  not work anymore.
  
  Flo

** Description changed:

  glibc regression causes test -x to fail inside scripts inside
  docker/podman, dash and bash are broken, mksh and zsh are fine:
  
  root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root at 0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root at 0df2ce5d7a46:/#
  
  root at 0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root at 0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root at 0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root at 0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  
+ The -f flag works, as does /usr/bin/test:
+ # bash -c "test -f /usr/bin/gpg  || echo Fail"
+ # bash -c "/usr/bin/test -x /usr/bin/gpg  || echo Fail"
+ #
  
  [Original bug report]
  root at 84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root at 84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement
  
  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
  
  The build fails with:
  
  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation
  
  The simple Dockerfile to reproduce the error - "docker build -t foo ."
  
  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>
  
  USER root
  
  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -
  
  Breaking it down it this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.
  
  So adding keys in unpriviledged container or possibly kubernetes will
  not work anymore.
  
  Flo
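
Review bot: the added line "The -f flag works, as does /usr/bin/test:" states the result without the evidence behind it, and the two commands under it use a bare `#` prompt where every other line uses the `root at 0df2ce5d7a46:/#` prompt. Use the same prompt so it is clear they ran in the same container, and consider adding the strace lines from the comment (faccessat2 with AT_EACCESS returning EPERM in the broken bash, faccessat returning 0 with old glibc) so the description carries the syscall-level difference.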

https://bugs.launchpad.net/bugs/1916485

Title:
  test -x fails inside shell scripts in containers

Status in glibc package in Ubuntu:
  Triaged

Bug description:
  glibc regression causes test -x to fail inside scripts inside
  docker/podman, dash and bash are broken, mksh and zsh are fine:

  root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/#

  root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail

  The -f flag works, as does /usr/bin/test:
  # bash -c "test -f /usr/bin/gpg  || echo Fail"
  # bash -c "/usr/bin/test -x /usr/bin/gpg  || echo Fail"
  #

  [Original bug report]
  root@84b750e443f8:/# lsb_release -rd
  Description:	Ubuntu Hirsute Hippo (development branch)
  Release:	21.04
  root@84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version         Architecture Description
  +++-==============-===============-============-==========================================
  ii  apt            2.1.20          amd64        commandline package manager
  ii  gnupg          2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement

  Hi,
  for 3 days our CI pipelines to recreate Docker images have been failing for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.

  The build fails with:

  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation

  The simple Dockerfile to reproduce the error - "docker build -t foo ."

  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff <f at zz.de>

  USER root

  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -

  Breaking it down, this seems to be an issue that there is new
  functionality in apt/apt-key, e.g. security hardening, that docker
  prohibits in its containers. Running this manually works only in a
  --privileged container.

  So adding keys in an unprivileged container or possibly Kubernetes will
  not work anymore.

  Flo
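
A small diagnostic for the strace results quoted in the comment at the top of this message, added here as an example and not code from the bug report, glibc, or any of the shells: it issues faccessat2 with the same arguments as the "Broken bash" trace and reads the result against the file's mode bits. The verdict names and the reading of EPERM on a file with execute bits as a filtered syscall are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AT_EACCESS
#define AT_EACCESS 0x200   /* Linux value, used only if the headers hide it */
#endif

enum verdict { V_EXECUTABLE, V_NOT_EXECUTABLE, V_FILTERED, V_NO_SYSCALL, V_OTHER };

/* Classify one access-check result (rc, errno) against the file's mode bits.
 * Reading EPERM on a file that has execute bits as "filtered" is this
 * example's inference; it matches the "Broken bash" trace. */
enum verdict classify(int rc, int err, mode_t mode)
{
    int has_x = (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (rc == 0)               return V_EXECUTABLE;
    if (err == ENOSYS)         return V_NO_SYSCALL;     /* kernel lacks faccessat2 */
    if (err == EPERM && has_x) return V_FILTERED;       /* not a normal X_OK error */
    if (err == EACCES)         return V_NOT_EXECUTABLE; /* ordinary permission denial */
    return V_OTHER;
}

/* Issue faccessat2 directly with the arguments shown in the trace. */
enum verdict probe_faccessat2(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return V_OTHER;
#ifdef SYS_faccessat2
    errno = 0;
    long rc = syscall(SYS_faccessat2, AT_FDCWD, path, X_OK, AT_EACCESS);
    return classify(rc == 0 ? 0 : -1, errno, st.st_mode);
#else
    return V_NO_SYSCALL;   /* build headers predate the syscall number */
#endif
}

int main(int argc, char **argv)
{
    static const char *names[] = { "executable", "not executable",
        "faccessat2 filtered (EPERM)", "faccessat2 unavailable (ENOSYS)", "other error" };
    const char *path = argc > 1 ? argv[1] : "/usr/bin/gpg";
    printf("%s: %s\n", path, names[probe_faccessat2(path)]);
    return 0;
}
```

Run inside the affected container and again with --privileged: the two verdicts show whether the difference lies in the syscall being refused or in the file's permissions.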
