Fixed in Hirsute, Focal, Groovy, Bionic, and Xenial with libseccomp
2.5.1-1ubuntu1
** Changed in: systemd (Ubuntu Xenial)
Status: Invalid => Won't Fix
** Changed in: runc (Ubuntu Xenial)
Status: Invalid => Won't Fix
** Bug watch removed: Red Hat Bugzilla #1900021
https://bugzill
** No longer affects: glibc (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1916485
Title:
test -x fails inside shell scripts in containers
To manage notifications about this bug go to:
http
** No longer affects: docker.io (Ubuntu)
** No longer affects: docker.io (Ubuntu Xenial)
** No longer affects: docker.io (Ubuntu Bionic)
** No longer affects: docker.io (Ubuntu Focal)
** No longer affects: docker.io (Ubuntu Groovy)
** No longer affects: docker.io (Ubuntu Hirsute)
** Project c
I took the liberty to clean up this bug and mark things as Invalid/Fix
Released as needed. Hopefully I got everything right, but feel free to
reopen/re-classify a task if there's something wrong.
Thanks.
** Changed in: libseccomp (Ubuntu Hirsute)
Status: Fix Committed => Fix Released
**
** Changed in: docker.io (Ubuntu Bionic)
Status: New => Fix Released
** Changed in: docker.io (Ubuntu Focal)
Status: New => Fix Released
** Changed in: docker.io (Ubuntu Hirsute)
Status: New => Fix Released
** Changed in: docker.io (Ubuntu Bionic)
Status: Fix Released
** Changed in: runc (Ubuntu Xenial)
Status: New => Invalid
** Changed in: docker.io (Ubuntu Xenial)
Status: New => Won't Fix
On Tuesday, September 21 2021, Matt Thalman wrote:
> Client:
> Version: 20.10.7
> API version: 1.41
> Go version: go1.16.4
> Git commit: f0df35096d5f5e6b559b42c7fde6c65a2909f7c5
> Built: Sat Sep 11 15:09:09 2021
> OS/Arch: linux/arm64
> Co
Are you using the docker packages from the Ubuntu archive? It doesn't quite
look like it but I'm not completely sure how to tell.
According to https://stackoverflow.com/questions/66319610/gpg-error-in-
ubuntu-21-04-after-second-apt-get-update-during-docker-build, this bug
fix is supposed to fix the issue of getting the following error when
running "apt-get update" in an Ubuntu 21.04 container: "W: GPG error:
http://ports.ubun
** Changed in: docker.io (Ubuntu)
Status: New => Invalid
** Tags removed: server-next
The Groovy Gorilla has reached end of life, so this bug will not be
fixed for that release
** Changed in: libseccomp (Ubuntu Groovy)
Status: New => Won't Fix
The Groovy Gorilla has reached end of life, so this bug will not be
fixed for that release
** Changed in: docker.io (Ubuntu Groovy)
Status: New => Won't Fix
** Description changed:
(SRU template for systemd)
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget
https://cloud-images.ubu
Hello! The kernel team has applied the fix to their pre-release branch.
They have a 5-week release cycle, so we should be seeing a new Bionic
Linux kernel with the fix in the following 3-4 weeks. Thanks.
Dan, let me know if you need help driving the Linux kernel SRU forward.
Thanks!
Thanks for the investigation, Dan. I tested the Linux package from your
PPA on a s390x machine and can confirm that it does solve the issue.
https://launchpad.net/~ddstreet/+archive/ubuntu/lp1916485
in case anyone wants to test with the patched kernel
It seems the s390x failure on bionic is fixed by the patch(es) for bug
1895132. I'm not 100% sure why it is returning the normal ENOSYS for
invalid syscalls except while running under systemd-nspawn, but it might
be due to the different syscall entry path taken when _TIF_TRACE is set,
and that does
Interestingly, faccessat2() does correctly return ENOSYS when using a
simple chroot instead of systemd-nspawn:
ubuntu@test-s390x:~/h$ sudo systemd-nspawn
Spawning container h on /home/ubuntu/h.
Press ^] three times within 1s to kill container.
root@h:~# test -x /bin/bash || echo "fail"
fail
root@
** Also affects: ubuntu-z-systems
Importance: Undecided
Status: New
** Tags added: reverse-proxy-bugzilla
Problem seems to be on s390x with the 4.15 kernel, faccessat2() still
returns EPERM:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 EPERM
(Operation not permitted)
while on amd64 it now returns ENOSYS which is correctly handled with
fallback to faccessat()
faccessat2(AT_FDCWD, "/bin/ba
** Tags removed: verification-done verification-done-bionic
verification-done-focal verification-done-groovy
** Tags added: architecture-s39064 bugnameltc-192453 severity-high
targetmilestone-inin2104
Guest is Hirsute to have
libc6:s390x 2.33-0ubuntu5 s390x
The following (not optimized for speed but readability) gives us a
simple environment-matrix for comparisons:
for r in xenial bionic focal groovy hirsute; do
uvt-simplestreams-libvirt --verbose sync --source
http://cloud-images.ub
Before I change the status of this bug, I would like to report my
findings here.
I am testing things on a Bionic s390x machine with everything up-to-
date:
# apt policy systemd
systemd:
Installed: 237-3ubuntu10.46
...
# apt policy containerd
containerd:
Installed: 1.4.4-0ubuntu1~18.04.2
...
#
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1~18.04.1
---
runc (1.0.0~rc93-0ubuntu1~18.04.1) bionic; urgency=medium
* Backport version 1.0.0~rc93-0ubuntu1 from Hirsute (LP: #1919322,
LP: #1916485).
- Use Go 1.13 to build it, with the default Go 1.10 it FTBFS.
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1~20.04.1
---
runc (1.0.0~rc93-0ubuntu1~20.04.1) focal; urgency=medium
* Backport version 1.0.0~rc93-0ubuntu1 from Hirsute (LP: #1919322,
LP: #1916485).
-- Lucas Kanashiro Tue, 16 Mar 2021 15:34:35
-0300
** Changed
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1~20.10.1
---
runc (1.0.0~rc93-0ubuntu1~20.10.1) groovy; urgency=medium
* Backport version 1.0.0~rc93-0ubuntu1 from Hirsute (LP: #1919322,
LP: #1916485).
-- Lucas Kanashiro Tue, 16 Mar 2021 15:23:05
-0300
** Changed
This bug was fixed in the package systemd - 237-3ubuntu10.46
---
systemd (237-3ubuntu10.46) bionic; urgency=medium
* d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
Add support for faccessat2 (LP: #1916485)
https://git.launchpad.net/~ubuntu-core-dev/u
Sorry, I forgot to update the tags. Nothing is missing in the runc
verification, we can release it.
** Tags removed: verification-needed verification-needed-groovy
** Tags added: verification-done verification-done-groovy
I see verification of runc in comment #37 for all series - but groovy
isn't marked as verified. Is there anything missing in the verification?
Or can we release runc for groovy safely?
This bug was fixed in the package systemd - 245.4-4ubuntu3.6
---
systemd (245.4-4ubuntu3.6) focal; urgency=medium
*
debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
Add support for faccessat2 (LP: #1916485)
https://git.launchpad.net/~ubuntu
To verify runc I am launching a docker container and calling "test -x"
like was done for systemd.
Groovy
==
ubuntu@docker-groovy:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.10 (Groovy Gorilla)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.10"
VERSION_ID="20.10"
HOME_URL="https://www.
@kanashiro I believe you uploaded runc, can you perform verification for
it
** Changed in: systemd (Ubuntu Xenial)
Status: New => Invalid
marking verification-done-bionic for systemd (I don't see any
verification steps listed for runc)
root@lp1916485-b:~# wget
https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
...
root@lp1916485-b:~# mkdir h
root@lp1916485-b:~# cd h
root@lp1916485-b:~/h# tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
...
root@lp1916485-b:~/h# dpkg -l systemd|grep sy
marking verification-done-focal for systemd (I don't see any
verification steps listed for runc)
root@lp1916485-f:~# dpkg -l systemd|grep systemd
ii systemd 245.4-4ubuntu3.5 amd64 system and service manager
root@lp1916485-f:~# wget
https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
...
root@lp1916485-f:~# mkdir h
root@lp1916485-f:~# cd h
** Changed in: systemd (Debian)
Status: Unknown => Fix Released
** Bug watch added: Debian Bug tracker #984573
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984573
** Also affects: docker.io (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984573
Importance: Unknown
Status: Unknown
** No longer affects: docker.io (Debian)
**
Hello Florian, or anyone else affected,
Accepted systemd into bionic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.46 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:
Hello Florian, or anyone else affected,
Accepted systemd into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.6 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:/
Will this be fixed in the 21.04 tag docker image as well? I am having
the problem there also.
** Also affects: glibc (Ubuntu)
Importance: Undecided
Status: New
** Changed in: glibc (Ubuntu)
Status: New => Opinion
** No longer affects: glibc (Ubuntu Hirsute)
** No longer affects: glibc (Ubuntu Groovy)
** No longer affects: glibc (Ubuntu Focal)
** No longer affects: glibc (Ubuntu Bionic)
** No longer affects: glibc (Ubuntu Xenial)
** No longer affects: glibc (Ubuntu)
Hello Florian, or anyone else affected,
Accepted runc into groovy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/runc/1.0.0~rc93-0ubuntu1~20.10.1 in
a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
h
This bug was fixed in the package runc - 1.0.0~rc93-0ubuntu1
---
runc (1.0.0~rc93-0ubuntu1) hirsute; urgency=medium
* New upstream release (LP: #1919182).
- runc now has special handling for seccomp profiles to avoid making new
syscalls unusable for glibc (LP: #1916485).
@oded-geek - yes, the libseccomp SRU to backport 2.5.1 to these releases
is being handled in
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810
Seems to still be an issue with docker on groovy/focal/[...]. Any plans
to backport the new seccomp to those?
** Changed in: glibc (Ubuntu Xenial)
Status: New => Invalid
** Changed in: glibc (Ubuntu Bionic)
Status: New => Invalid
** Changed in: glibc (Ubuntu Focal)
Status: New => Invalid
** Changed in: glibc (Ubuntu Groovy)
Status: New => Invalid
** Description changed:
+ (SRU template for systemd)
+
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget
https://cloud-images.ubu
** Description changed:
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget
https://cloud-images.ubuntu.com/hirsute/current/hirsute-
** Description changed:
+ [impact]
+
+ bash (and some other shells) builtin test command -x operation fails
+
+ [test case]
+
+ on any affected host system, start nspawn container, e.g.:
+
+ $ sudo apt install systemd-container
+ $ wget
https://cloud-images.ubuntu.com/hirsute/current/hirsute-
Running "test -x ..." also fails in systemd-nspawn for systemd < 247, I think
only the following patch needs to be SRU-d to earlier systemd versions:
https://github.com/systemd/systemd/commit/bcf08acbffdee0d6360d3c31d268e73d0623e5dc
** Also affects: systemd (Ubuntu)
Importance: Undecided
** Tags added: server-next
** Changed in: docker.io (Ubuntu Hirsute)
Importance: Undecided => Critical
** Changed in: glibc (Ubuntu Hirsute)
Status: Triaged => Opinion
** Also affects: glibc (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: libseccomp (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: docker.io (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: runc (Ubuntu Groovy)
Following all the discussions fixing the container runtimes seems to be the way
out of this.
For runc https://github.com/opencontainers/runc/pull/2750 should be SRUd to all
releases.
** Also affects: docker.io (Ubuntu)
Importance: Undecided
Status: New
** Also affects: runc (Ubuntu)
Importance: Undecided
Status: New
As I understand it I don't see there is any issue here with libseccomp
in Ubuntu as it currently stands - whilst the aforementioned runc
workaround commit description specifies a number of shortcomings with
libseccomp and the inability to easily handle and distinguish newly
added syscalls between i
To paper over the faccessat2 issue, a libseccomp update is enough *if*
the container runtime already knows about the faccessat2 system call and
mentions it in its profiles. But with the current design, every new
system call will need similar updates to several components (not just
libseccomp) just
I've been scratching my head over this regression [1] for a while now,
in the context of running a hirsute container on a 20.04 host (in
particular, a GitHub workflow machine). In my case, the symptom is that
after upgrading glibc, `which` is broken; that of course also uses
faccessat(), similar to
Julian said in comment #9 that 2.5.1 would be good.
But then Florian's comment #11 does not make me feel so sure.
In any case we now have:
libseccomp | 2.5.1-1ubuntu1 | hirsute | source
Does that mean we are good now?
Subscribing Alex who did the 2.5.1 upload ...
** Also affects: glibc (Ubuntu Hirsute)
Importance: Critical
Status: Triaged
** Also affects: libseccomp (Ubuntu Hirsute)
Importance: Critical
Status: Fix Committed
** Tags removed: rls-hh-incoming
** Tags added: fr-1159
Patches have been proposed for that, but were rejected:
[PATCH] syscalls: Document OCI seccomp filter interactions & workaround
https://lore.kernel.org/linux-api/87lfer2c0b@oldenburg2.str.redhat.com/
[RFC PATCH] Linux: Add seccomp probing to faccessat2
https://sourceware.org/pipermail/libc-al
The other question is whether the change in glibc should be rolled back
such that it works when invoked in older container hosts.
Fixed in libseccomp2 2.5.1
** Also affects: libseccomp (Ubuntu)
Importance: Undecided
Status: New
** Changed in: libseccomp (Ubuntu)
Status: New => Fix Committed
** Changed in: libseccomp (Ubuntu)
Importance: Undecided => Critical
Yes, it's a seccomp issue that needs to be fixed on the container host.
There's a generic kludge here:
https://github.com/opencontainers/runc/pull/2750
Recent docker/podman version be okay as well, but the fix (logically,
not explicitly) depends on other package updates too (e.g., libseccomp).
M
Potentially a seccomp confinement issue in podman and docker?
Broken bash:
faccessat2(AT_FDCWD, "/usr/bin/gpg", X_OK, AT_EACCESS) = -1 EPERM
(Operation not permitted)
Good bash w/ old glibc:
faccessat(AT_FDCWD, "/usr/bin/gpg", X_OK) = 0
Good mksh:
newfstatat(AT_FDCWD, "/usr/bin/gpg", {st_mode=S_IFREG|0755,
st_size=1083472, ...}, 0) = 0
** Description