As I understand it I don't see there is any issue here with libseccomp in Ubuntu as it currently stands - whilst the aforementioned runc workaround commit description specifies a number of shortcomings with libseccomp and the inability to easily handle and distinguish newly added syscalls between it and glibc etc, until there is some more generic mechanism for either libseccomp policy authors, or libseccomp itself, to easily identify what syscalls are supported by a given system and therefore whether the generated policy is sufficient to enumerate these, there is no obvious "fix" for libseccomp itself.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in glibc package in Ubuntu: Triaged Status in libseccomp package in Ubuntu: Fix Committed Status in glibc source package in Hirsute: Triaged Status in libseccomp source package in Hirsute: Fix Committed Bug description: glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==============-===============-============-========================================== ii apt 2.1.20 amd64 commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation The simple Dockerfile to reproduce the error - "docker build -t foo ." FROM amd64/ubuntu:hirsute MAINTAINER Florian Lohoff <f...@zz.de> USER root RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \ && curl https://syncthing.net/release-key.txt | apt-key add - Breaking it down it this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container. So adding keys in unpriviledged container or possibly kubernetes will not work anymore. Flo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
