Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Shengjing Zhu]

Control: reassign -1 runc


Since it's trivial to fix in runc, I reassign this to runc now.

It'll be fixed later, which is approved by release team, along with
another improvement in runc.

-- 
Shengjing Zhu

Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Arnaud Rebillout]

On 3/6/19 4:55 PM, Dmitry Smirnov wrote:
> This is not such a small and definitely undesirable overhead. Its purpose is 
> unclear, it requires manual step and sure enough it will be forgotten.
> Moreover it aims at the problem in another package.
> It is not runc's job to meet Docker expectations. 
> Also commit ID is probably useless anyway since we should attempt to always 
> shipped a tagged (pre-)release. Plus we have patches that make commit ID even 
> more irrelevant.
>
> Docker problem should be fixed in Docker.
> And clearly it is a Docker's problem to expect a very particular (bundled) 
> runc (for no good reason), and forever whine into logs about not having 
> that...


I think applying the patch to runc build as suggested by Shengjing is a
good solution for everyone, much better that what I initially proposed.

It doesn't involve any git commit, which wouldn't make sense as both of
you pointed out, and doesn't add any overhead.

The new output for `runc --version` after this patch looks like that:

  $ /usr/sbin/runc --version
  runc version 1.0.0~rc6+dfsg1
  commit: 1.0.0~rc6+dfsg1-3
  spec: 1.0.1

It's a bit hacky to display the debian version on the commit line, but
why not. I think it doesn't hurt either.

It also prevents to add any patch to docker, as after testing I can
confirm that docker doesn't complain anymore, at least for my use-case.
Docker is happy enough to have a line such as `commit:
1.0.0~rc6+dfsg1-3` in the output of `runc --version`. Apparently the
content of the line doesn't matter, as long as the line is there.

Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Arnaud Rebillout]

On 3/6/19 10:03 AM, Shengjing Zhu wrote:
> I think the runc should be fixed.
>
> But I don't like the patch you suggested. It's confused to user. If
> you set the git commit to the upstream one, like
> ccb5efd37fb7c86364786e9137e22948751de7ed for 1.0.0-rc6, the user would
> think it's 1.0.0-rc6 indeed, but apparently it's not, it's 1.0.0-rc6
> with CVE-2019-5736 patch.


Indeed, you're right.


> So I would suggest to use the debian package version in the commit
> field. More specifically:
>
> diff --git a/debian/rules b/debian/rules
> index 81df53b..0087b6b 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -5,7 +5,11 @@
>
> export DH_GOPKG := github.com/opencontainers/runc
> export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures
> +
> +include /usr/share/dpkg/pkg-info.mk
> +
> TAGS=apparmor seccomp selinux ambient
> +LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X
> main.gitCommit=$(DEB_VERSION)
>
> %:
>dh $@ --buildsystem=golang --with=golang --builddirectory=_build
> @@ -33,7 +37,7 @@ override_dh_auto_configure:
> #  ln -svrf vendor/github.com/opencontainers/specs
> _build/src/github.com/opencontainers/
>
> override_dh_auto_build:
> -   dh_auto_build -- -tags "$(TAGS)"
> +   dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
>
> override_dh_auto_test:
>DH_GOLANG_EXCLUDES="libcontainer/integration" \


Thanks for the patch, I applied it and force-pushed it to wip/909644.
Feel free to merge if you like it.


> And we're late to fix this before hard freeze. If we want this fix
> included in buster, we should ask release team to unblock.


Ok, I will do that if you upload the package then.

Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Dmitry Smirnov]

On Wednesday, 6 March 2019 12:50:54 PM AEDT Arnaud Rebillout wrote:

> **Solution 1**
> [...]
> One is to patch docker, and fix their code so that it can handle various
> runc version outputs.

I prefer this solution.


> **Solution 2**
> 
> The other way is to modify the runc build so that we include the git
> commit. I've pushed such a change on a branch at:
> 
> https://salsa.debian.org/go-team/packages/runc/commit/033a60b549b0935861c92
> bf4e5118d03ef443a8f
> 
> It's actually not that bad, no patch involved, it's really just adding
> ldflags. The only downside I see is that there's an additional step when
> a maintainer wants to release a new upstream version: he has to look for
> the corresponding commit and add it to the file
> `debian/upstream-version-gitcommits`. I provided a helper script to do
> that, so it's really a small overhead.

This is not such a small and definitely undesirable overhead. Its purpose is 
unclear, it requires manual step and sure enough it will be forgotten.
Moreover it aims at the problem in another package.
It is not runc's job to meet Docker expectations. 
Also commit ID is probably useless anyway since we should attempt to always 
shipped a tagged (pre-)release. Plus we have patches that make commit ID even 
more irrelevant.

Docker problem should be fixed in Docker.
And clearly it is a Docker's problem to expect a very particular (bundled) 
runc (for no good reason), and forever whine into logs about not having 
that...

-- 
All the best,
 Dmitry Smirnov.

---

If liberty means anything at all, it means the right to tell people what
they do not want to hear.
-- George Orwell



signature.asc
Description: This is a digitally signed message part.

Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Shengjing Zhu]

Hi Arnaud,

Thanks for the summary.

On Wed, Mar 6, 2019 at 9:51 AM Arnaud Rebillout
 wrote:
>
>   Dear Go team,
>
> So let met sum up this bug now to avoid you reading the backlog:
>
> In short, docker doesn't recognize the output of `runc --version`, and
> then it misbehaves and flood the log forever. To be more accurate,
> docker is not happy because it wants to know the git commit that was
> used to build runc. This information may or may not be part of the
> output of `runc --version`: it depends on how runc was built. Actually,
> there are two fields, `version` and `gitcommit`, that can be passed
> optionally to runc during the build (as ldflags). Therefore the output
> of `runc --version` varies accordingly.
>
> So there's two ways out of that:
>
> **Solution 1**
>
> One is to patch docker, and fix their code so that it can handle various
> runc version outputs. This is the way chosen by buildroot for example:
>
> https://github.com/buildroot/buildroot/blob/master/package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch
>
> Note that this patch is not the definitive solution: it just allows
> docker to handle the output of runc *as built in buildroot*, and not in
> every case. If we go this way, we'll do something similar, supporting
> "debian's runc" output, and end up with a patch that has no chance to
> make it upstream.
>
> Maybe the core of the issue is that the `runc --version` output is
> difficult to parse properly, and that's why docker upstream don't want
> to bother fixing their code...
>
>
> **Solution 2**
>
> The other way is to modify the runc build so that we include the git
> commit. I've pushed such a change on a branch at:
>
> https://salsa.debian.org/go-team/packages/runc/commit/033a60b549b0935861c92bf4e5118d03ef443a8f
>
> It's actually not that bad, no patch involved, it's really just adding
> ldflags. The only downside I see is that there's an additional step when
> a maintainer wants to release a new upstream version: he has to look for
> the corresponding commit and add it to the file
> `debian/upstream-version-gitcommits`. I provided a helper script to do
> that, so it's really a small overhead.

I think the runc should be fixed.

But I don't like the patch you suggested. It's confused to user. If
you set the git commit to the upstream one, like
ccb5efd37fb7c86364786e9137e22948751de7ed for 1.0.0-rc6, the user would
think it's 1.0.0-rc6 indeed, but apparently it's not, it's 1.0.0-rc6
with CVE-2019-5736 patch.

So I would suggest to use the debian package version in the commit
field. More specifically:

diff --git a/debian/rules b/debian/rules
index 81df53b..0087b6b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,7 +5,11 @@

export DH_GOPKG := github.com/opencontainers/runc
export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures
+
+include /usr/share/dpkg/pkg-info.mk
+
TAGS=apparmor seccomp selinux ambient
+LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X
main.gitCommit=$(DEB_VERSION)

%:
   dh $@ --buildsystem=golang --with=golang --builddirectory=_build
@@ -33,7 +37,7 @@ override_dh_auto_configure:
#  ln -svrf vendor/github.com/opencontainers/specs
_build/src/github.com/opencontainers/

override_dh_auto_build:
-   dh_auto_build -- -tags "$(TAGS)"
+   dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"

override_dh_auto_test:
   DH_GOLANG_EXCLUDES="libcontainer/integration" \


>
>
> **What do you think?**
>
> I'm in favor of solution 2, it seems the path of least trouble, and is
> also a correct thing to do IMHO. I'd like to have this fixed for buster,
> as this issue has been opened for a long while.
>
> If you agree with solution 2 I'll need some DD to upload a new version
> of runc with this change (sorry to bother you...). Also this bug should
> be re-assigned to runc if we solve it in the runc package.
>
> For more details you can also look at upstream discussion:
> https://github.com/moby/moby/issues/38709
>
>

And we're late to fix this before hard freeze. If we want this fix
included in buster, we should ask release team to unblock.

-- 
Shengjing Zhu

Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Stephen Gelman]

> On Mar 5, 2019, at 7:50 PM, Arnaud Rebillout  
> wrote:
> 
>   Dear Go team,
> 
> So let met sum up this bug now to avoid you reading the backlog:
> 
> In short, docker doesn't recognize the output of `runc --version`, and
> then it misbehaves and flood the log forever. To be more accurate,
> docker is not happy because it wants to know the git commit that was
> used to build runc. This information may or may not be part of the
> output of `runc --version`: it depends on how runc was built. Actually,
> there are two fields, `version` and `gitcommit`, that can be passed
> optionally to runc during the build (as ldflags). Therefore the output
> of `runc --version` varies accordingly.
> 
> So there's two ways out of that:
> 
> **Solution 1**
> 
> One is to patch docker, and fix their code so that it can handle various
> runc version outputs. This is the way chosen by buildroot for example:
> 
> https://github.com/buildroot/buildroot/blob/master/package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch
> 
> Note that this patch is not the definitive solution: it just allows
> docker to handle the output of runc *as built in buildroot*, and not in
> every case. If we go this way, we'll do something similar, supporting
> "debian's runc" output, and end up with a patch that has no chance to
> make it upstream.
> 
> Maybe the core of the issue is that the `runc --version` output is
> difficult to parse properly, and that's why docker upstream don't want
> to bother fixing their code...
> 
> 
> **Solution 2**
> 
> The other way is to modify the runc build so that we include the git
> commit. I've pushed such a change on a branch at:
> 
> https://salsa.debian.org/go-team/packages/runc/commit/033a60b549b0935861c92bf4e5118d03ef443a8f
> 
> It's actually not that bad, no patch involved, it's really just adding
> ldflags. The only downside I see is that there's an additional step when
> a maintainer wants to release a new upstream version: he has to look for
> the corresponding commit and add it to the file
> `debian/upstream-version-gitcommits`. I provided a helper script to do
> that, so it's really a small overhead.
> 
> 
> **What do you think?**
> 
> I'm in favor of solution 2, it seems the path of least trouble, and is
> also a correct thing to do IMHO. I'd like to have this fixed for buster,
> as this issue has been opened for a long while.
> 
> If you agree with solution 2 I'll need some DD to upload a new version
> of runc with this change (sorry to bother you...). Also this bug should
> be re-assigned to runc if we solve it in the runc package.
> 
> For more details you can also look at upstream discussion:
> https://github.com/moby/moby/issues/38709
> 
> 
> All the best,
> 
>   Arnaud

Based on the upstream bug linked it sounds like solution 2 is what they prefer, 
and also makes runc consistent with upstream releases.  If there’s consensus I 
am happy to sponsor an upload of runc for you.  Unfortunately, since we’re so 
close to the freeze it will not make it into buster unless there is an 
exception made.

Stephen

Bug#909644: Bug #909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Arnaud Rebillout]

  Dear Go team,

So let met sum up this bug now to avoid you reading the backlog:

In short, docker doesn't recognize the output of `runc --version`, and
then it misbehaves and flood the log forever. To be more accurate,
docker is not happy because it wants to know the git commit that was
used to build runc. This information may or may not be part of the
output of `runc --version`: it depends on how runc was built. Actually,
there are two fields, `version` and `gitcommit`, that can be passed
optionally to runc during the build (as ldflags). Therefore the output
of `runc --version` varies accordingly.

So there's two ways out of that:

**Solution 1**

One is to patch docker, and fix their code so that it can handle various
runc version outputs. This is the way chosen by buildroot for example:

https://github.com/buildroot/buildroot/blob/master/package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch

Note that this patch is not the definitive solution: it just allows
docker to handle the output of runc *as built in buildroot*, and not in
every case. If we go this way, we'll do something similar, supporting
"debian's runc" output, and end up with a patch that has no chance to
make it upstream.

Maybe the core of the issue is that the `runc --version` output is
difficult to parse properly, and that's why docker upstream don't want
to bother fixing their code...


**Solution 2**

The other way is to modify the runc build so that we include the git
commit. I've pushed such a change on a branch at:

https://salsa.debian.org/go-team/packages/runc/commit/033a60b549b0935861c92bf4e5118d03ef443a8f

It's actually not that bad, no patch involved, it's really just adding
ldflags. The only downside I see is that there's an additional step when
a maintainer wants to release a new upstream version: he has to look for
the corresponding commit and add it to the file
`debian/upstream-version-gitcommits`. I provided a helper script to do
that, so it's really a small overhead.


**What do you think?**

I'm in favor of solution 2, it seems the path of least trouble, and is
also a correct thing to do IMHO. I'd like to have this fixed for buster,
as this issue has been opened for a long while.

If you agree with solution 2 I'll need some DD to upload a new version
of runc with this change (sorry to bother you...). Also this bug should
be re-assigned to runc if we solve it in the runc package.

For more details you can also look at upstream discussion:
https://github.com/moby/moby/issues/38709


All the best,

  Arnaud

Bug#909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Arnaud Rebillout]

On Fri, 25 Jan 2019 08:20:03 +0700 Arnaud Rebillout
 wrote:
> On Thu, 24 Jan 2019 18:43:18 +0100 Marcel Partap  wrote:
>
> > reassign runc
> >
> > OK coreos fixed this by building runc with a commit hash:
> >
>
https://github.com/coreos/coreos-overlay/pull/2428/commits/a0294fbf2caf5f1a04651a22bb67357969f5831f
> >
> > Isn't this is quite a reasonable fix?
> >
>

Hmm, and on the other hand, the commit you refer to is not really about
patching runc, it's just about making the commit id available at compile
time. It's also something reasonable. But I still believe it's easier to
just patch docker.

Bug#909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Arnaud Rebillout]

On Thu, 24 Jan 2019 18:43:18 +0100 Marcel Partap  wrote:

> reassign runc
>
> OK coreos fixed this by building runc with a commit hash:
>
https://github.com/coreos/coreos-overlay/pull/2428/commits/a0294fbf2caf5f1a04651a22bb67357969f5831f
>
> Isn't this is quite a reasonable fix?
>

Runc is doing the right thing, it's free to report its version the way
it wants. There's no reason to patch it because one particular program
expects a different output. Maybe there are other programs out there
parsing the runc version string, and maybe you break them by patching
runc this way.

On the other end, patching docker is trivial, it's just one line to comment.

Bug#909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Dmitry Smirnov]

On Wednesday, 26 September 2018 6:40:14 PM AEST Marcel Partap wrote:
> Why would these two programs shipped in the same package not be compatible
> with one another I wonder?

They are compatible, but "runc" is not shipped by the docker.io package...

Problem is that fork-obsessed Docker expects a particular version of runc and 
fails to recognise the available one and/or to parse its version output.


> How can it be fixed?

Someone needs to produce a patch for Docker to fix version parsing from the 
output of `/usr/sbin/runc -v`, I think.

-- 
Regards,
 Dmitry Smirnov.

---

You have enemies? Good. That means you've stood up for something,
sometime in your life.
-- Victor Hugo, "Villemain", 1845
   (often misattributed to Winston Churchill)


signature.asc
Description: This is a digitally signed message part.

Bug#909644: docker.io: dockerd warning: failed to retrieve docker-runc version: unknown output format: runc version spec: 1.0.1

[Marcel Partap]

Package: docker.io
Version: 18.06.1+dfsg1-2
Severity: normal

docker.io 18.06.1+dfsg1-2: the sys log is being spammed with these messages:

> Sep 26 10:02:34 base dockerd[1329]:
time="2018-09-26T10:02:34.612458096+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:02:54 base dockerd[1329]:
time="2018-09-26T10:02:54.608852757+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:03:14 base dockerd[1329]:
time="2018-09-26T10:03:14.608428914+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:03:34 base dockerd[1329]:
time="2018-09-26T10:03:34.608336092+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:03:54 base dockerd[1329]:
time="2018-09-26T10:03:54.608367304+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:04:14 base dockerd[1329]:
time="2018-09-26T10:04:14.608181868+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:04:34 base dockerd[1329]:
time="2018-09-26T10:04:34.608692071+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"
> Sep 26 10:04:54 base dockerd[1329]:
time="2018-09-26T10:04:54.608829153+02:00" level=warning msg="failed to
retrieve docker-runc version: unknown output format: runc version spec:
1.0.1\n"

Why would these two programs shipped in the same package not be compatible with
one another I wonder? How can it be fixed?



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (510, 'unstable'), (510, 'testing'), (509, 'experimental'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), 
LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages docker.io depends on:
ii  adduser 3.118
ii  iptables1.6.2-1.1
ii  libc6   2.27-6
ii  libdevmapper1.02.1  2:1.02.145-4.1
ii  libltdl72.4.6-4
ii  libnspr42:4.20-1
ii  libnss3 2:3.39-1
ii  libseccomp2 2.3.3-3
ii  libsystemd0 239-9
ii  lsb-base9.20170808
ii  runc1.0.0~rc5+dfsg1-3
ii  tini0.18.0-1

Versions of packages docker.io recommends:
ii  ca-certificates  20180409
ii  cgroupfs-mount   1.4
ii  git  1:2.19.0-1
ii  needrestart  3.3-1
ii  xz-utils 5.2.2-1.3

Versions of packages docker.io suggests:
pn  aufs-tools   
ii  btrfs-progs  4.17-1
ii  debootstrap  1.0.109
pn  docker-doc   
ii  e2fsprogs1.44.4-2
pn  rinse
ii  xfsprogs 4.15.1-1
pn  zfs-fuse | zfsutils  

-- no debconf information