
Re: [atomic] official centos-7 docker image are wrong



I'm willing to bet one week's pay that RH didn't silently release the
same version twice with different code...

Wasn't there a problem that one of the base image build systems somehow
didn't support file caps and so the caps were being silently lost?
Maybe something about squashfs not understanding filecaps and rpm not
considering that a permanent failure... Very very hazy...

I know I remember this bug in the back of my head...

In any case if you look in the centos base image (after installing
attr)

# getfattr -n security.capability /usr/bin/ping
/usr/bin/ping: security.capability: No such attribute

# rpm -V iputils
........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff

So while the right version/rpm was installed the actual bits in the
base image aren't what the rpm says they should be! The bug is in how
the base image is created...  I don't know where, but just building it
again will likely just keep doing the wrong thing...

I know this will trigger someone's mind who was looking into this months
and months ago...

-Eric

On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
> hi,
> according to this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1142311
> rh silently replaced iputils with the same version with fixed
> capabilities.
> unfortunately official base centos-7 (ie. latest 7.2) docker images
> are built with the wrong version, so these images should have to be
> rebuilt with the proper version.
> currently in the official centos7 docker images:
> -------------------------------------
> # rpm -qi iputils
> Name        : iputils
> Version     : 20121221
> Release     : 7.el7
> Architecture: x86_64
> Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
> Group       : System Environment/Daemons
> Size        : 368577
> License     : BSD and GPLv2+
> Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID
> 24c6a8a7f4a80eb5
> Source RPM  : iputils-20121221-7.el7.src.rpm
> Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
> Build Host  : worker1.bsys.centos.org
> Relocations : (not relocatable)
> Packager    : CentOS BuildSystem <http://bugs.centos.org>
> Vendor      : CentOS
> URL         : http://www.skbuff.net/iputils
> Summary     : Network monitoring tools including ping
> Description :
> The iputils package contains basic utilities for monitoring a
> network,
> including ping. The ping command sends a series of ICMP protocol
> ECHO_REQUEST packets to a specified network host to discover whether
> the target machine is alive and receiving network traffic.
> -------------------------------------
> 
> while in the centos repo:
> -------------------------------------
> # rpm -qi iputils
> Name        : iputils
> Version     : 20121221
> Release     : 7.el7
> Architecture: x86_64
> Install Date: Tue 15 Dec 2015 03:15:22 PM CET
> Group       : System Environment/Daemons
> Size        : 368577
> License     : BSD and GPLv2+
> Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID
> 24c6a8a7f4a80eb5
> Source RPM  : iputils-20121221-7.el7.src.rpm
> Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
> Build Host  : worker1.bsys.centos.org
> Relocations : (not relocatable)
> Packager    : CentOS BuildSystem <http://bugs.centos.org>
> Vendor      : CentOS
> URL         : http://www.skbuff.net/iputils
> Summary     : Network monitoring tools including ping
> Description :
> The iputils package contains basic utilities for monitoring a
> network,
> including ping. The ping command sends a series of ICMP protocol
> ECHO_REQUEST packets to a specified network host to discover whether
> the target machine is alive and receiving network traffic.
> -------------------------------------
> imho it's a bug! without it ping is not working from any docker
> container based on centos7.
> 
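Added example, not part of the original messages: the reply above spots the problem from the `P` (capabilities differ) flag in `rpm -V` output, and the sketch below turns that check into a filter and a pass/fail gate that could run against an image root after it is built. The function names and `SAMPLE_VERIFY` are made up here, and the sample input is constructed (its first four lines repeat the iputils result quoted in the reply).

```shell
#!/bin/sh
# Added example: flag files whose capabilities differ from the RPM database.
# caps_mismatch, caps_gate and SAMPLE_VERIFY are names made up for this sketch.

# Constructed sample of `rpm -V` output. The first four lines repeat the
# iputils result quoted in the message; the last three are invented contrast.
SAMPLE_VERIFY='........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
S.5....T.  c /etc/example.conf
missing     /usr/share/doc/example/README
.M......P  g /usr/bin/example-tool'

# Read `rpm -V` output on stdin; print each path whose 9th verify flag is "P"
# (capabilities differ from what the package recorded).
caps_mismatch() {
    awk '
        length($1) != 9 { next }        # skips "missing ..." and stray lines
        substr($1, 9, 1) == "P" {
            # Path starts at the first "/", so the optional file-type marker
            # (c, d, g, ...) is dropped and spaces inside the path survive.
            print substr($0, index($0, "/"))
        }'
}

# Build gate: succeed only when stdin holds no capability mismatch.
caps_gate() {
    bad=$(caps_mismatch)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/capability mismatch: /' >&2
    return 1
}

# Demo on the constructed sample. On a real system or image root, feed it
# live output instead:  rpm -Va | caps_gate
#                       rpm --root /path/to/rootfs -Va | caps_gate
printf '%s\n' "$SAMPLE_VERIFY" | caps_mismatch
```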

