[Bug 1916485] Re: test -x fails inside shell scripts in containers
Alex Murray
1916485 at bugs.launchpad.net
Mon Mar 1 00:03:05 UTC 2021
As I understand it I don't see there is any issue here with libseccomp
in Ubuntu as it currently stands - whilst the aforementioned runc
workaround commit description specifies a number of shortcomings with
libseccomp and the inability to easily handle and distinguish newly
added syscalls between it and glibc etc, until there is some more
generic mechanism for either libseccomp policy authors, or libseccomp
itself, to easily identify what syscalls are supported by a given system
and therefore whether the generated policy is sufficient to enumerate
these, there is no obvious "fix" for libseccomp itself.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1916485
Title:
test -x fails inside shell scripts in containers
Status in glibc package in Ubuntu:
Triaged
Status in libseccomp package in Ubuntu:
Fix Committed
Status in glibc source package in Hirsute:
Triaged
Status in libseccomp source package in Hirsute:
Fix Committed
Bug description:
glibc regression causes test -x to fail inside scripts inside
docker/podman, dash and bash are broken, mksh and zsh are fine:
root at 0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
root at 0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root at 0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root at 0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
root at 0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
root at 0df2ce5d7a46:/#
root at 0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
root at 0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
root at 0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
root at 0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
Fail
The -f flag works, as does /usr/bin/test:
# bash -c "test -f /usr/bin/gpg || echo Fail"
# bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
#
[Original bug report]
root at 84b750e443f8:/# lsb_release -rd
Description: Ubuntu Hirsute Hippo (development branch)
Release: 21.04
root at 84b750e443f8:/# dpkg -l gnupg apt
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===============-============-==========================================
ii apt 2.1.20 amd64 commandline package manager
ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement
Hi,
for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20.
The build fails with:
0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
them is required for this operation
The simple Dockerfile to reproduce the error - "docker build -t foo ."
FROM amd64/ubuntu:hirsute
MAINTAINER Florian Lohoff <f at zz.de>
USER root
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
&& curl https://syncthing.net/release-key.txt | apt-key add -
Breaking it down it this seems to be an issue that there is new
functionality in apt/apt-key e.g. security hardening that docker
prohibits in its containers. Running this manually works only in an
--privileged container.
So adding keys in unpriviledged container or possibly kubernetes will
not work anymore.
Flo
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions
More information about the foundations-bugs
mailing list