Package: podman-toolbox
Version: 0.0.99.3-1
Followup-For: Bug #1014463
X-Debbugs-Cc: s...@robots.org.uk

I think the log messages are a red herring and the underlying issue is
that the toolbox binary is not able to run inside the container.

Toolbox appears to work by bind-mounting /usr/bin/toolbox into the
container. 'toolbox init-container' is set as the entry point, and it's
_this_ command that's failing to start; but the output isn't shown by
toolbox and you get the generic 'invalid entry point PID of container'
error message instead.

    $ toolbox create -i quay.io/centos/centos:stream8
    Created container: centos-stream8
    Enter with: toolbox enter centos-stream8

    $ podman inspect centos-stream8 | jq '.[].ImageName'
    "quay.io/centos/centos:stream8"

    $ podman inspect centos-stream8 | jq '.[].Config.Cmd' -c
    ["toolbox","--log-level","debug","init-container","--gid","876099160","--home","/home/sam","--shell","/bin/bash","--uid","1423121","--user","sam","--monitor-host"]

    $ podman start --attach centos-stream8
    toolbox: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by toolbox)

    $ podman unshare

        # podman mount centos-stream8
        /home/sam/.local/share/containers/storage/overlay/02976304f367a933a73eb3590c79acea57dc62e47f2642df560237190ea669b5/merged

        # grep ^NAME= /home/sam/.local/share/containers/storage/overlay/02976304f367a933a73eb3590c79acea57dc62e47f2642df560237190ea669b5/merged/etc/os-release
        NAME="CentOS Stream"

        # ldd /home/sam/.local/share/containers/storage/overlay/02976304f367a933a73eb3590c79acea57dc62e47f2642df560237190ea669b5/merged/lib64/libc.so.6
        [...]
        Version definitions:
        [...]
        28 0x00 0x06969187 GLIBC_2.27
                GLIBC_2.26 
        29 0x00 0x06969188 GLIBC_2.28
                GLIBC_2.27 
        30 0x00 0x0963cf85 GLIBC_PRIVATE
                GLIBC_2.28 
        [...]        
        
        # exit
        exit

I'm not seeing an easy way to fix this... if toolbox is built against
unstable then it's often going to pull in glibc symbols that are newer
than the container images that it tries to run.

In this case it's only a single symbol that is used from GLIBC_2.32.

    $ objdump -T /usr/bin/toolbox | fgrep GLIBC_2.32
    0000000000000000      DF *UND*      0000000000000000 (GLIBC_2.32) pthread_sigmask

    
According to
<https://github.com/containers/toolbox/issues/529#issuecomment-678003552>
this is fixed by <https://github.com/containers/toolbox/pull/534>, which
was closed a year ago. Maybe the libc-wrappers.a static library that
provides this symbol isn't being built by Debian for some reason...

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (570, 'stable-updates'), (570, 'stable-security'), (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages podman-toolbox depends on:
ii  flatpak  1.10.7-0+deb11u1
ii  libc6    2.36-4
ii  podman   4.2.0+ds1-3
ii  uidmap   1:4.8.1-1

Versions of packages podman-toolbox recommends:
ii  bash-completion  1:2.11-2

podman-toolbox suggests no packages.

-- no debconf information
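
The manual comparison in the report above (symbol versions the host-built binary needs against the versions the container's libc defines) can be scripted. This is an added example, not part of the original report or of toolbox; the function names and the sample input are constructed for illustration, and `check_binary` assumes binutils' `objdump` is installed.

```shell
#!/bin/sh
# Added example (not from the original report): list the GLIBC symbol
# versions a binary needs that a given libc does not define.

# Unique GLIBC_x.y[.z] tokens on stdin; GLIBC_PRIVATE has no digits and is skipped.
glibc_versions() {
    grep -oE 'GLIBC_[0-9]+(\.[0-9]+)+' | sort -u
}

# Keep only the "Version definitions:" part of `objdump -p` output, so
# versions that libc itself merely references are not counted as provided.
version_definitions() {
    awk '/Version definitions:/ {keep=1; next}
         /Version References:/  {keep=0}
         keep'
}

# missing_versions DYNSYM_TEXT PRIVATE_HEADERS_TEXT
#   $1: output of `objdump -T <binary>`, $2: output of `objdump -p <libc>`
# Prints one missing version per line; prints nothing when compatible.
missing_versions() {
    provided=$(printf '%s\n' "$2" | version_definitions | glibc_versions)
    printf '%s\n' "$1" | glibc_versions | while read -r v; do
        printf '%s\n' "$provided" | grep -qxF "$v" || printf '%s\n' "$v"
    done
}

# Real use (hypothetical wrapper): check_binary /usr/bin/toolbox <merged>/lib64/libc.so.6
check_binary() {
    missing_versions "$(objdump -T "$1")" "$(objdump -p "$2")"
}

# Constructed sample input, modelled on the output quoted in the report.
SAMPLE_DYNSYM='0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) abort
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.32) pthread_sigmask'
SAMPLE_HEADERS='Version definitions:
2 0x00 0x09691a75 GLIBC_2.2.5
29 0x00 0x06969188 GLIBC_2.28
        GLIBC_2.27
30 0x00 0x0963cf85 GLIBC_PRIVATE
        GLIBC_2.28

Version References:
  required from ld-linux-x86-64.so.2:
    0x0d696913 0x00 33 GLIBC_2.3'

missing_versions "$SAMPLE_DYNSYM" "$SAMPLE_HEADERS"   # prints GLIBC_2.32
```

An empty result means every versioned glibc symbol the binary imports is defined by that libc; it does not cover other bind-mounted library dependencies.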
