[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Fixed in Hirsute, Focal, Groovy, Bionic, and Xenial with libseccomp 2.5.1-1ubuntu1 ** Changed in: systemd (Ubuntu Xenial) Status: Invalid => Won't Fix ** Changed in: runc (Ubuntu Xenial) Status: Invalid => Won't Fix ** Bug watch removed: Red Hat Bugzilla #1900021 https://bugzilla.redhat.com/show_bug.cgi?id=1900021 ** Changed in: libseccomp (Ubuntu Groovy) Status: Won't Fix => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in libseccomp package in Ubuntu: Fix Released Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Won't Fix Status in systemd source package in Xenial: Won't Fix Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in libseccomp source package in Groovy: Fix Released Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in libseccomp source package in Hirsute: Fix Released Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** No longer affects: glibc (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in libseccomp package in Ubuntu: Fix Released Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in libseccomp source package in Hirsute: Fix Released Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** No longer affects: docker.io (Ubuntu) ** No longer affects: docker.io (Ubuntu Xenial) ** No longer affects: docker.io (Ubuntu Bionic) ** No longer affects: docker.io (Ubuntu Focal) ** No longer affects: docker.io (Ubuntu Groovy) ** No longer affects: docker.io (Ubuntu Hirsute) ** Project changed: ubuntu-z-systems => ubuntu-translations ** No longer affects: ubuntu-translations -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Released Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in libseccomp source package in Hirsute: Fix Released Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
I took the liberty to clean up this bug and mark things as Invalid/Fix Released as needed. Hopefully I got everything right, but feel free to reopen/re-classify a task if there's something wrong. Thanks. ** Changed in: libseccomp (Ubuntu Hirsute) Status: Fix Committed => Fix Released ** Changed in: libseccomp (Ubuntu) Status: Fix Committed => Fix Released ** Changed in: ubuntu-z-systems Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: Invalid Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Released Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: Invalid Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: Invalid Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: Invalid Status in libseccomp source package in Hirsute: Fix Released Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: docker.io (Ubuntu Bionic) Status: New => Fix Released ** Changed in: docker.io (Ubuntu Focal) Status: New => Fix Released ** Changed in: docker.io (Ubuntu Hirsute) Status: New => Fix Released ** Changed in: docker.io (Ubuntu Bionic) Status: Fix Released => Invalid ** Changed in: docker.io (Ubuntu Xenial) Status: Won't Fix => Invalid ** Changed in: docker.io (Ubuntu Focal) Status: Fix Released => Invalid ** Changed in: docker.io (Ubuntu Hirsute) Status: Fix Released => Invalid ** Changed in: libseccomp (Ubuntu Xenial) Status: New => Fix Released ** Changed in: libseccomp (Ubuntu Bionic) Status: New => Fix Released ** Changed in: libseccomp (Ubuntu Focal) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: Invalid Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: Invalid Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: Invalid Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: docker.io (Ubuntu Xenial) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: Invalid Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: Invalid Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: Invalid Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: runc (Ubuntu Xenial) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: Invalid Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: Invalid Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: Invalid Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not
Re: [Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
On Tuesday, September 21 2021, Matt Thalman wrote: > Client: > Version: 20.10.7 > API version: 1.41 > Go version:go1.16.4 > Git commit:f0df35096d5f5e6b559b42c7fde6c65a2909f7c5 > Built: Sat Sep 11 15:09:09 2021 > OS/Arch: linux/arm64 > Context: default > Experimental: true > > Server: Docker Engine - Community > Engine: > Version: 20.10.8 > API version: 1.41 (minimum version 1.12) > Go version: go1.16.6 > Git commit: 75249d8 > Built:Fri Jul 30 19:53:13 2021 > OS/Arch: linux/arm64 > Experimental: false > containerd: > Version: 1.4.9 > GitCommit:e25210fe30a0a703442421b0f60afac609f950a3 > runc: > Version: 1.0.1 > GitCommit:v1.0.1-0-g4144b63 > docker-init: > Version: 0.19.0 > GitCommit:de40ad0 I don't have time to try to reproduce right now, but as mwhudson said it doesn't look like you're using the Ubuntu docker.io package. The first thing that caught my attention is the Go version used to build the package: we use Go 1.13, whereas you used Go 1.16. The other suspicious thing is the GitCommit field, which should contain our tags (for example "20.10.7-0ubuntu1~20.04.1" on Focal). Are you using Ubuntu on the host? Perhaps your comment was made because you're experiencing this error with the Ubuntu docker image, but bear in mind that this bug is about the docker.io/runc/containerd packages that run on the Ubuntu host. Thanks, -- Sergio GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg ||
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Are using the docker packages from the Ubuntu archive? It doesn't quite look like it but I'm not completely sure how to tell. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
According to https://stackoverflow.com/questions/66319610/gpg-error-in- ubuntu-21-04-after-second-apt-get-update-during-docker-build, this bug fix is supposed to fix the issue of getting the following error when running "apt-get update" in an Ubuntu 21.04 container: "W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed". I was running into this error when attempting to build my Dockerfiles based on arm64v8/ubuntu:21.04 and arm32v7/ubuntu:21.04. After upgrading my runc version to 1.0.1, the error went away but only for arm64v8/ubuntu:21.04. The Dockerfile based on arm32v7/ubuntu:21.04 still encountered the error. In both cases, I am running the build on an AArch64 device, so it's using emulation for the arm32v7/ubuntu:21.04 scenario. It would appear that it's still broken for that scenario? The repro is very simple, just run the following command on an AArch64 device: "docker run --rm arm32v7/ubuntu:21.04 apt-get update". It will output the following: Unable to find image 'arm32v7/ubuntu:21.04' locally 21.04: Pulling from arm32v7/ubuntu 48989deb32eb: Pulling fs layer 48989deb32eb: Verifying Checksum 48989deb32eb: Download complete 48989deb32eb: Pull complete Digest: sha256:b61c1421a092dd4ffc0b14a6b683513d775d5daa275598c74cd34090a0424a19 Status: Downloaded newer image for arm32v7/ubuntu:21.04 WARNING: The requested image's platform (linux/arm/v7) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested WARNING: apt does not have a stable CLI interface. Use with caution in scripts. Get:1 http://ports.ubuntu.com/ubuntu-ports hirsute InRelease [269 kB] Get:2 http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease [115 kB] Err:1 http://ports.ubuntu.com/ubuntu-ports hirsute InRelease gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed Get:3 http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease [101 kB] Err:2 http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed Get:4 http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease [110 kB] Err:3 http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed Err:4 http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed Reading package lists... W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute InRelease' is not signed. W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute-updates InRelease' is not signed. W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute-backports InRelease' is not signed. W: GPG error: http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed E: The repository 'http://ports.ubuntu.com/ubuntu-ports hirsute-security InRelease' is not signed. Here's the docker version info for the host machine: Client: Version: 20.10.7 API version: 1.41 Go version:go1.16.4 Git commit:f0df35096d5f5e6b559b42c7fde6c65a2909f7c5 Built: Sat Sep 11 15:09:09 2021 OS/Arch: linux/arm64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.8 API version: 1.41 (minimum version 1.12) Go version: go1.16.6 Git commit: 75249d8 Built:Fri Jul 30 19:53:13 2021 OS/Arch: linux/arm64 Experimental: false containerd: Version: 1.4.9 GitCommit:e25210fe30a0a703442421b0f60afac609f950a3 runc: Version: 1.0.1 GitCommit:v1.0.1-0-g4144b63 docker-init: Version: 0.19.0 GitCommit:de40ad0 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: docker.io (Ubuntu) Status: New => Invalid ** Tags removed: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release ** Changed in: libseccomp (Ubuntu Groovy) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release ** Changed in: docker.io (Ubuntu Groovy) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Description changed: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h - $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz + $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Hello! The kernel team has applied the fix to their pre-release branch. They have a 5-week release cycle, so we should be seeing a new Bionic Linux kernel with the fix in the following 3-4 weeks. Thanks. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Dan, let me know if you need help driving the Linux kernel SRU forward. Thanks! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Thanks for the investigation, Dan. I tested the Linux package from your PPA on a s390x machine and can confirm that it does solve the issue. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
https://launchpad.net/~ddstreet/+archive/ubuntu/lp1916485 in case anyone wants to test with the patched kernel -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed,
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
It seems the s390x failure on bionic is fixed by the patch(es) for bug 1895132. I'm not 100% sure why it is returning the normal ENOSYS for invalid syscalls except while running under systemd-nspawn, but it might be due to the different syscall entry path taken when _TIF_TRACE is set, and that does get set if _TIF_SECCOMP is set. In any case, I'll send the kernel patches to the ML. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Interestingly, faccessat2() does correctly return ENOSYS when using a simple chroot instead of systemd-nspawn: ubuntu@test-s390x:~/h$ sudo systemd-nspawn Spawning container h on /home/ubuntu/h. Press ^] three times within 1s to kill container. root@h:~# test -x /bin/bash || echo "fail" fail root@h:~# exit logout Container h exited successfully. ubuntu@test-s390x:~/h$ sudo chroot . root@test-s390x:/# test -x /bin/bash || echo "fail" root@test-s390x:/# and to verify, stracing bash: faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented) faccessat(AT_FDCWD, "/bin/bash", X_OK) = 0 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Also affects: ubuntu-z-systems Importance: Undecided Status: New ** Tags added: reverse-proxy-bugzilla -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Problem seems to be on s390x with the 4.15 kernel, faccessat2() still returns EPERM: faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted) while on amd64 it now returns ENOSYS which is correctly handled with fallback to faccessat() faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented) faccessat(AT_FDCWD, "/bin/bash", X_OK) = 0 (note both traces were of bash running 'test -x /bin/bash') -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Tags removed: verification-done verification-done-bionic verification-done-focal verification-done-groovy ** Tags added: architecture-s39064 bugnameltc-192453 severity-high targetmilestone-inin2104 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E:
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Guest is Hirsute to have libc6:s390x2.33-0ubuntu5 s390x The following (not optimized for speed but readability) gives us a simple environment-matrix for comparisons: for r in xenial bionic focal groovy hirsute; do uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=s390x label=daily release=${r}; uvt-kvm create --host-passthrough --password=ubuntu ${r}-test-nspawn release=${r} arch=s390x label=daily; uvt-kvm wait ${r}-test-nspawn uvt-kvm ssh ${r}-test-nspawn "sudo apt update" uvt-kvm ssh ${r}-test-nspawn "sudo apt upgrade -y" uvt-kvm ssh ${r}-test-nspawn "wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-s390x-root.tar.xz; uvt-kvm ssh ${r}-test-nspawn "mkdir h" uvt-kvm ssh ${r}-test-nspawn "sudo tar -xzf hirsute-server-cloudimg-s390x-root.tar.xz -C h"; uvt-kvm ssh ${r}-test-nspawn "sudo apt install -y systemd-container" uvt-kvm ssh ${r}-test-nspawn "sudo reboot"; sleep 5s uvt-kvm wait ${r}-test-nspawn done Test (as before) is: $ cd h $ sudo systemd-nspawn $ bash -c 'test -x /usr/bin/gpg || echo Fail' Out of that I can confirm (and further limit releases to just bionic) that on s390x we have: Xenial - 4.4.0-210/229-4ubuntu21.31 - works Bionic - 4.15.0-142/237-3ubuntu10.46 - fails Focal - 5.4.0-72/245.4-4ubuntu3.6 - works Groovy - 5.8.0-50/246.6-1ubuntu1.3 - works Hirsute - 5.11.0-16/247.3-3ubuntu3 - works Next I split the Bionic case to for a few usual suspects (kernel/systemd/glibc): Already on step #1 Kernel I found something: Bionic - 4.15.0-142/237-3ubuntu10.46 - fails Bionic - 5.4.0-72/237-3ubuntu10.46 - works Ok so the new kernel fixes it (whatever it is) so what about things in proposed already: There is a new 4.15 kernel and a new systemd Bionic - 4.15.0-143/237-3ubuntu10.47 - fails So none of the builds in proposed has the fix, but something between 4.15 and 5.4 kernels fixes it. That might also be the reason why the other releases are fine - the kernel levels are either >=5.4 (fixed) or <4.15 (not having the issue). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x.
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Before I change the status of this bug, I would like to report my findings here. I am testing things on a Bionic s390x machine with everything up-to- date: # apt policy systemd systemd: Installed: 237-3ubuntu10.46 ... # apt policy containerd containerd: Installed: 1.4.4-0ubuntu1~18.04.2 ... # apt policy docker.io docker.io: Installed: 20.10.2-0ubuntu1~18.04.2 ... # apt policy runc runc: Installed: 1.0.0~rc93-0ubuntu1~18.04.1 ... Following the reproduction steps listed in the Description section still fail for me: # systemd-nspawn Spawning container h on /root/h. Press ^] three times within 1s to kill container. # bash -c 'test -x /usr/bin/gpg || echo Fail' Fail When I'm in a hirsute Docker container, it also fails: $ docker run -it --rm ubuntu:hirsute root@78506947b11f:/# bash -c 'test -x /usr/bin/gpg || echo Fail' Fail This is impacting the build of the 21.04 OCI images on s390x (amd64, arm64 and ppc64el succeed). I'm still not sure what's causing this, nor why this is happening only on s390x. I will post more details when I have them. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1~18.04.1 --- runc (1.0.0~rc93-0ubuntu1~18.04.1) bionic; urgency=medium * Backport version 1.0.0~rc93-0ubuntu1 from Hirsute (LP: #1919322, LP: #1916485). - Use Go 1.13 to build it, with the default Go 1.10 it FTBFS. + d/control: b-d on golang-1.13-go instead of golang-any, + d/rules: add Go 1.13 to the $PATH. - d/rules: set GOCACHE to a temporary directory. dh-golang sets it to "off" which is not accepted by Go >= 1.12. - d/rules: set GO111MODULE to "off" to avoid getting modules info online. -- Lucas Kanashiro Tue, 16 Mar 2021 15:47:19 -0300 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1~20.04.1 --- runc (1.0.0~rc93-0ubuntu1~20.04.1) focal; urgency=medium * Backport version 1.0.0~rc93-0ubuntu1 from Hirsute (LP: #1919322, LP: #1916485). -- Lucas Kanashiro Tue, 16 Mar 2021 15:34:35 -0300 ** Changed in: runc (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1~20.10.1 --- runc (1.0.0~rc93-0ubuntu1~20.10.1) groovy; urgency=medium * Backport version 1.0.0~rc93-0ubuntu1 from Hirsute (LP: #1919322, LP: #1916485). -- Lucas Kanashiro Tue, 16 Mar 2021 15:23:05 -0300 ** Changed in: runc (Ubuntu Groovy) Status: Fix Committed => Fix Released ** Changed in: runc (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package systemd - 237-3ubuntu10.46 --- systemd (237-3ubuntu10.46) bionic; urgency=medium * d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch: Add support for faccessat2 (LP: #1916485) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b5f11a9baecf0cefb503632e938d473234172128 * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch: Stop attempting to restrict address families on ppc archs (LP: #1918696) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4569a047ece8b1b300ef63e49b5aea8aba35c500 * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch: Add openat2() syscall to seccomp filter list (LP: #1891810) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ddfbfa79af4f22b7adf946c4299433fd74a4f17 -- Dan Streetman Wed, 17 Mar 2021 17:38:05 -0400 ** Changed in: systemd (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Sorry, I forgot to update the tags. Nothing is missing in the runc verification, we can release it. ** Tags removed: verification-needed verification-needed-groovy ** Tags added: verification-done verification-done-groovy -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
I see verification of runc in comment #37 for all series - but groovy isn't marked as verified. Is there anything missing in the verification? Or can we release runc for groovy safely? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package systemd - 245.4-4ubuntu3.6 --- systemd (245.4-4ubuntu3.6) focal; urgency=medium * debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch: Add support for faccessat2 (LP: #1916485) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=affb2c6507dccfeed02820a2267639648e2a2260 * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch: Stop attempting to restrict address families on ppc archs (LP: #1918696) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=daff4b6604362fcb5d305682216d5ca15a4c5738 * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch: Add openat2() syscall to seccomp filter list (LP: #1891810) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69c8a684e2513b2f6530e5a5cf15c83abfb7bc74 * d/p/lp1915887-Downgrade-a-couple-of-warnings-to-debug.patch: Downgrade some log messages so they stop spamming logs (LP: #1915887) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3c2c4731b90ed430ca1790270e69cd125643b94b * d/p/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch: Use src name, not dst name, of symlinked unit files (LP: #1887744) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=03770601097cfdc09adeadf5593083da69345409 -- Dan Streetman Wed, 17 Mar 2021 17:36:08 -0400 ** Changed in: systemd (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
To verify runc I am launching a docker container and calling "test -x" like was done for systemd. Groovy == ubuntu@docker-groovy:~$ cat /etc/os-release NAME="Ubuntu" VERSION="20.10 (Groovy Gorilla)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.10" VERSION_ID="20.10" HOME_URL="https://www.ubuntu.com/; SUPPORT_URL="https://help.ubuntu.com/; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy; VERSION_CODENAME=groovy UBUNTU_CODENAME=groovy ubuntu@docker-groovy:~$ dpkg -l | grep runc ii runc 1.0.0~rc93-0ubuntu1~20.10.1 amd64Open Container Project - runtime ubuntu@docker-groovy:~$ docker run -it ubuntu:focal /bin/bash Unable to find image 'ubuntu:focal' locally focal: Pulling from library/ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f Status: Downloaded newer image for ubuntu:focal root@7fa381c4877b:/# which ls /usr/bin/ls root@7fa381c4877b:/# ls -l /usr/bin/ls -rwxr-xr-x 1 root root 142144 Sep 5 2019 /usr/bin/ls root@7fa381c4877b:/# test -x /usr/bin/ls || echo "fail" root@7fa381c4877b:/# Focal = ubuntu@docker-focal:~$ cat /etc/os-release NAME="Ubuntu" VERSION="20.04.2 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.2 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/; SUPPORT_URL="https://help.ubuntu.com/; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy; VERSION_CODENAME=focal UBUNTU_CODENAME=focal ubuntu@docker-focal:~$ dpkg -l | grep runc ii runc 1.0.0~rc93-0ubuntu1~20.04.1 amd64 Open Container Project - runtime ubuntu@docker-focal:~$ sudo docker run -it ubuntu:focal /bin/bash Unable to find image 'ubuntu:focal' locally focal: Pulling from library/ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f Status: Downloaded newer image for ubuntu:focal root@bf6b6e1534e5:/# which ls /usr/bin/ls root@bf6b6e1534e5:/# test -x /usr/bin/ls || echo "fail" root@bf6b6e1534e5:/# Bionic == ubuntu@docker-bionic:~$ cat /etc/os-release NAME="Ubuntu" VERSION="18.04.5 LTS (Bionic Beaver)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 18.04.5 LTS" VERSION_ID="18.04" HOME_URL="https://www.ubuntu.com/; SUPPORT_URL="https://help.ubuntu.com/; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy; VERSION_CODENAME=bionic UBUNTU_CODENAME=bionic ubuntu@docker-bionic:~$ dpkg -l | grep runc ii runc 1.0.0~rc93-0ubuntu1~18.04.1 amd64Open Container Project - runtime ubuntu@docker-bionic:~$ sudo docker run -it ubuntu:focal /bin/bash Unable to find image 'ubuntu:focal' locally focal: Pulling from library/ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f Status: Downloaded newer image for ubuntu:focal root@1979a3f523dc:/# which ls /usr/bin/ls root@1979a3f523dc:/# test -x /usr/bin/ls || echo "fail" root@1979a3f523dc:/# -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
@kanashiro I believe you uploaded runc, can you perform verification for it ** Changed in: systemd (Ubuntu Xenial) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed,
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
marking verification-done-bionic for systemd (I don't see any verification steps listed for runc) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
root@lp1916485-b:~# wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz ... root@lp1916485-b:~# mkdir h root@lp1916485-b:~# cd h root@lp1916485-b:~/h# tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz ... root@lp1916485-b:~/h# dpkg -l systemd|grep systemd ii systemd237-3ubuntu10.45 amd64system and service manager root@lp1916485-b:~/h# dpkg -l libseccomp2|grep seccomp ii libseccomp2:amd64 2.4.3-1ubuntu3.18.04.3 amd64high level interface to Linux seccomp filter root@lp1916485-b:~/h# systemd-nspawn Spawning container h on /root/h. Press ^] three times within 1s to kill container. root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 root root 1083472 Feb 22 09:33 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail root@lp1916485-b:~/h# dpkg -l systemd|grep systemd ii systemd237-3ubuntu10.46 amd64system and service manager root@lp1916485-b:~/h# dpkg -l libseccomp2|grep seccomp ii libseccomp2:amd64 2.5.1-1ubuntu1~18.04.1 amd64high level interface to Linux seccomp filter root@lp1916485-b:~/h# systemd-nspawn Spawning container h on /root/h. Press ^] three times within 1s to kill container. root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 root root 1083472 Feb 22 09:33 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" root@h:~# ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
marking verification-done-focal for systemd (I don't see any verification steps listed for runc) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
root@lp1916485-f:~# dpkg -l systemd|grep systemd ii systemd245.4-4ubuntu3.5 amd64system and service manager root@lp1916485-f:~# wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz ... root@lp1916485-f:~# mkdir h root@lp1916485-f:~# cd h root@lp1916485-f:~/h# tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz ... root@lp1916485-f:~/h# systemd-nspawn Spawning container h on /root/h. Press ^] three times within 1s to kill container. root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 root root 1083472 Feb 22 09:33 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail root@lp1916485-f:~/h# dpkg -l libseccomp2|grep libseccomp ii libseccomp2:amd64 2.5.1-1ubuntu1~20.04.1 amd64high level interface to Linux seccomp filter root@lp1916485-f:~/h# dpkg -l systemd|grep systemd ii systemd245.4-4ubuntu3.6 amd64system and service manager root@lp1916485-f:~/h# systemd-nspawn Spawning container h on /root/h. Press ^] three times within 1s to kill container. root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 root root 1083472 Feb 22 09:33 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" root@h:~# ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: systemd (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Bug watch added: Debian Bug tracker #984573 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984573 ** Also affects: docker.io (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984573 Importance: Unknown Status: Unknown ** No longer affects: docker.io (Debian) ** Also affects: systemd (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984573 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Unknown Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Hello Florian, or anyone else affected, Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.46 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: systemd (Ubuntu Bionic) Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Hello Florian, or anyone else affected, Accepted systemd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.6 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: systemd (Ubuntu Focal) Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Will this be fixed in the 21.04 tag docker image as well? I am having the problem there also. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ."
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Also affects: glibc (Ubuntu) Importance: Undecided Status: New ** Changed in: glibc (Ubuntu) Status: New => Opinion -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** No longer affects: glibc (Ubuntu Hirsute) ** No longer affects: glibc (Ubuntu Groovy) ** No longer affects: glibc (Ubuntu Focal) ** No longer affects: glibc (Ubuntu Bionic) ** No longer affects: glibc (Ubuntu Xenial) ** No longer affects: glibc (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Hello Florian, or anyone else affected, Accepted runc into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc93-0ubuntu1~20.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-groovy. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: runc (Ubuntu Groovy) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-groovy ** Changed in: runc (Ubuntu Focal) Status: New => Fix Committed ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: Invalid Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: Invalid Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: Invalid Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: Invalid Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1 --- runc (1.0.0~rc93-0ubuntu1) hirsute; urgency=medium * New upstream release (LP: #1919182). - runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc (LP: #1916485). * Remove patch addressing a bug fixed by upstream: - debian/patches/test--fix_TestGetAdditionalGroups.patch * Refresh patch: - debian/patches/test--skip-fs-related-cgroups-test.patch * Backport upstream patch to fix patchpbf test on armhf: - debian/patches/fix-patchpbf-test-on-32-bit.patch -- Lucas Kanashiro Tue, 10 Mar 2021 09:30:36 -0300 ** Changed in: runc (Ubuntu Hirsute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: Invalid Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: Invalid Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: Invalid Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: Invalid Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
@oded-geek - yes, the libseccomp SRU to backport 2.5.1 to these releases is being handled in https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: Invalid Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: Invalid Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: Invalid Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: Invalid Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Seems to still be an issue with docker on groovy/focal/[...]. Any plans to backport the new seccomp to those? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: Invalid Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: Invalid Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: Invalid Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: Invalid Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: glibc (Ubuntu Xenial) Status: New => Invalid ** Changed in: glibc (Ubuntu Bionic) Status: New => Invalid ** Changed in: glibc (Ubuntu Focal) Status: New => Invalid ** Changed in: glibc (Ubuntu Groovy) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: Invalid Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: Invalid Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: Invalid Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: Invalid Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Status in systemd source package in Hirsute: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Description changed: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. + + [other info] + + this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Description changed: + (SRU template for systemd) + [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail + alternately using docker, this Dockerfile can be used with 'docker build + -t foo .' (taken from example in original description) - alternately using docker, this Dockerfile can be used with 'docker build -t foo .' (taken from example in original description) - - $ cat Dockerfile + $ cat Dockerfile FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN bash -c "test -x /bin/bash && echo ok || echo fail" [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo ** Description changed: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Description changed: [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail + + alternately using docker, this Dockerfile can be used with 'docker build -t foo .' (taken from example in original description) + + $ cat Dockerfile + FROM amd64/ubuntu:hirsute + MAINTAINER Florian Lohoff + + USER root + + RUN bash -c "test -x /bin/bash && echo ok || echo fail" + [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] - this is needed for x/b/f + this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g + + in x, the entire systemd seccomp code is completely different and the + patch doesn't apply, nor does it appear to be needed, as the problem + doesn't reproduce in a h container under x. [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Description changed: + [impact] + + bash (and some other shells) builtin test command -x operation fails + + [test case] + + on any affected host system, start nspawn container, e.g.: + + $ sudo apt install systemd-container + $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz + $ mkdir h + $ cd h + $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz + $ sudo systemd-nspawn + + Then from a bash shell, verify if test -x works: + + root@h:~# ls -l /usr/bin/gpg + -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg + root@h:~# test -x /usr/bin/gpg || echo "fail" + fail + + [regression potential] + + any regression would likely occur during a syscall, most likely + faccessat2(), or during other syscalls. + + [scope] + + this is needed for x/b/f/g + + this is fixed upstream by commit + bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so + this is fixed in h + + [original description] + glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo ** Description changed: [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] - this is needed for x/b/f/g + this is needed for x/b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h + + this was pulled into Debian at version 246.2 in commit + e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Running "test -x ..." also fails in systemd-nspawn for systemd < 247, I think only the following patch needs to be SRU-d to earlier systemd versions: https://github.com/systemd/systemd/commit/bcf08acbffdee0d6360d3c31d268e73d0623e5dc ** Also affects: systemd (Ubuntu) Importance: Undecided Status: New ** Changed in: systemd (Ubuntu Hirsute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in systemd source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in systemd source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in systemd source package in Groovy: New Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Status in systemd source package in Hirsute: Fix Released Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: docker.io (Ubuntu Hirsute) Importance: Undecided => Critical ** Changed in: glibc (Ubuntu Hirsute) Status: Triaged => Opinion -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Opinion Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Also affects: glibc (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: libseccomp (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: docker.io (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: runc (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: glibc (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: libseccomp (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: docker.io (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: runc (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: glibc (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: libseccomp (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: docker.io (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: runc (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: glibc (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: libseccomp (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: docker.io (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: runc (Ubuntu Focal) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in docker.io source package in Xenial: New Status in glibc source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in docker.io source package in Bionic: New Status in glibc source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: New Status in docker.io source package in Focal: New Status in glibc source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: New Status in docker.io source package in Groovy: New Status in glibc source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: New Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Following all the discussions fixing the container runtimes seems to be the way out of this. For runc https://github.com/opencontainers/runc/pull/2750 should be SRUd to all releases. ** Also affects: docker.io (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in docker.io source package in Hirsute: New Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Also affects: runc (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: New Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: New Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
As I understand it I don't see there is any issue here with libseccomp in Ubuntu as it currently stands - whilst the aforementioned runc workaround commit description specifies a number of shortcomings with libseccomp and the inability to easily handle and distinguish newly added syscalls between it and glibc etc, until there is some more generic mechanism for either libseccomp policy authors, or libseccomp itself, to easily identify what syscalls are supported by a given system and therefore whether the generated policy is sufficient to enumerate these, there is no obvious "fix" for libseccomp itself. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
To paper over the faccessat2 issue, a libseccomp update is enough *if* the container runtime already knows about the faccessat2 system call and mentions it in its profiles. But with the current design, every new system call will need similar updates to several components (not just libseccomp) just to produce the ENOSYS error, which is not a sustainable development model. Hence the runc pull request mentioned in comment 8. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
I've been scratching my head over this regression [1] for a while now, in the context of running a hirsute container on a 20.04 host (in particular, a GitHub workflow machine) In my case, the symptom is that after upgrading glibc, `which` is broken; that of course also uses faccessat(), similar to test -x. I tried all sorts of the "usual" workarounds, as seccomp has been giving trouble for a while now [2]. But this failure is robust against fuse- overlayfs vs. vfs (inefficient full copies of the file system), root vs. user podman, podman vs. docker, and, relevant for this bug, it *also happens* with --security-opt=seccomp=unconfined and/org --privileged, both of which should disable seccomp. Hence I believe this bug can't at least only be in libseccomp. [1] https://github.com/martinpitt/umockdev/runs/1984769591?check_suite_focus=true#step:3:1019 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1900021 ** Bug watch added: Red Hat Bugzilla #1900021 https://bugzilla.redhat.com/show_bug.cgi?id=1900021 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Julian said in comment #9 that 2.5.1 would be good. But then Florians comment #11 does not make me feel so sure. In any case we now have: libseccomp | 2.5.1-1ubuntu1 | hirsute| source Does that mean we are good now? Subscribing Alex who did the 2.5.1 upload ... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Also affects: glibc (Ubuntu Hirsute) Importance: Critical Status: Triaged ** Also affects: libseccomp (Ubuntu Hirsute) Importance: Critical Status: Fix Committed ** Tags removed: rls-hh-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Tags added: fr-1159 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Patches have been proposed for that, but were rejected: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround https://lore.kernel.org/linux-api/87lfer2c0b@oldenburg2.str.redhat.com/ [RFC PATCH] Linux: Add seccomp probing to faccessat2 https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html We *really* need to clean this up properly, so that we are prepared if we need to add a new system call as part of a security fix. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
The other question is whether the change in glibc should be rolled back such that it works when invoked in older container hosts. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Fixed in libseccomp2 2.5.1 ** Also affects: libseccomp (Ubuntu) Importance: Undecided Status: New ** Changed in: libseccomp (Ubuntu) Status: New => Fix Committed ** Changed in: libseccomp (Ubuntu) Importance: Undecided => Critical -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp