[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]
Re: [atomic] (no subject)

From: Jim Perrin <jperrin redhat com>
To: Jeremy Eder <jeder redhat com>
Cc: atomic projectatomic io, CentOS devel <centos-devel centos org>
Subject: Re: [atomic] (no subject)
Date: Thu, 11 Feb 2016 08:16:07 -0600
Yeah, I'm seeing that now. This is interesting though, as the images
have all been made the same way. I'm using livemedia-creator to generate
a disk image, and virt-tar-out to package it up. This is how we've done
the centos-6 and 7 containers for a while now, but your rpm commands
give me a bit more to go on. I'll poke at it a few different ways to see
what's going on.

On 02/11/2016 05:49 AM, Jeremy Eder wrote:
> Hey Jim --
> 
> Eric's right.  Something's up with the attributes on the iputils files that
> are in the base centos image.   I found that the "centos tools image" does
> not exhibit this behavior.
> 
> [root dhcp23-177 ~]# docker run -it centos rpm -V iputils
> ........P    /usr/bin/ping
> ........P    /usr/bin/ping6
> ........P    /usr/sbin/arping
> ........P    /usr/sbin/clockdiff
> 
> Those were the 4 files touched by the patch that fixed the issue in the
> original bugzilla.
> 
> [root dhcp23-177 ~]# docker run -it centos/tools rpm -V iputils
> [root dhcp23-177 ~]#
> 
> And Levente's reproducer looks better when using the tools image.
> 
> root dhcp23-177 ~]# docker run -it centos/tools bash
> [root af28656bfae7 /]# adduser test
> [root af28656bfae7 /]# su - test
> [test af28656bfae7 ~]$ ping google.com
> PING google.com (216.58.217.142) 56(84) bytes of data.
> 64 bytes from iad23s43-in-f14.1e100.net (216.58.217.142): icmp_seq=1 ttl=52
> time=12.2 ms
> ^C
> --- google.com ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> Note that as root in the base centos container, ping works fine.  It's only
> when you adduser and run ping as non-root that the issue shows up.
> 
> 
> 
> On Wed, Feb 10, 2016 at 11:48 PM, Eric Paris <eparis redhat com> wrote:
> 
>> On Wed, 2016-02-10 at 21:40 -0500, Jason Brooks wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Eric Paris" <eparis redhat com>
>>>> To: "Farkas Levente" <lfarkas lfarkas org>, "CentOS devel" <centos-
>>>> devel centos org>, atomic projectatomic io
>>>> Sent: Wednesday, February 10, 2016 5:00:31 PM
>>>> Subject: Re: [atomic] official centos-7 docker image are wrong
>>>>
>>>> I'm willing to bet one week's pay that RH didn't silently release
>>>> the
>>>> same version twice with different code...
>>>>
>>>> Wasn't there a problem that one of the base image build systems
>>>> somehow
>>>> didn't support file caps and so the caps were being silently lost?
>>>> Maybe something about squashfs not understanding filecaps and rpm
>>>> not
>>>> considering that a permanent failure... Very very hazy...
>>>
>>> There was this:
>>>
>>> http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-
>>> containers-on-atomic-hosts/
>>
>> Yeah, I (sorta) remember those issues too, but don't think that is it
>> either.  ping in the centos images doesn't have any file caps...   In
>> that case the problem was it had CAP_EFFECTIVE set and shouldn't have.
>>
>> My money would be on the environment where the iputils binary was
>> installed which differs between Centos and RHEL... (but a much much
>> smaller amount of money)
>>
>> -Eric
>>
>>>>
>>>> I know I remember this bug in the back of my head...
>>>>
>>>> In any case if you look in the centos base image (after installing
>>>> attr)
>>>>
>>>> # getfattr -n security.capability /usr/bin/ping
>>>> /usr/bin/ping: security.capability: No such attribute
>>>>
>>>> # rpm -V iputils
>>>> ........P    /usr/bin/ping
>>>> ........P    /usr/bin/ping6
>>>> ........P    /usr/sbin/arping
>>>> ........P    /usr/sbin/clockdiff
>>>>
>>>> So while the right version/rpm was installed the actual bits in the
>>>> base image aren't what the rpm says they should be! The bug is in
>>>> how
>>>> the base image is created...  I don't know where, but just building
>>>> it
>>>> again will likely just keep doing the wrong thing...
>>>>
>>>> I know this will trigger someone's mind who looking into this
>>>> months
>>>> and months ago...
>>>>
>>>> -Eric
>>>>
>>>> On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
>>>>> hi,
>>>>> according to this bug
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1142311
>>>>> rh silently replace iputils with the same version with a fixed
>>>>> capabilities.
>>>>> unfortunately official base centos-7 (ie. latest 7.2) docker
>>>>> images
>>>>> are
>>>>> build with the wrong version, so these images should have to be
>>>>> rebuild
>>>>> with the proper version.
>>>>> currently in the official centos7 docker images:
>>>>> -------------------------------------
>>>>> # rpm -qi iputils
>>>>> Name        : iputils
>>>>> Version     : 20121221
>>>>> Release     : 7.el7
>>>>> Architecture: x86_64
>>>>> Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
>>>>> Group       : System Environment/Daemons
>>>>> Size        : 368577
>>>>> License     : BSD and GPLv2+
>>>>> Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID
>>>>> 24c6a8a7f4a80eb5
>>>>> Source RPM  : iputils-20121221-7.el7.src.rpm
>>>>> Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
>>>>> Build Host  : worker1.bsys.centos.org
>>>>> Relocations : (not relocatable)
>>>>> Packager    : CentOS BuildSystem <http://bugs.centos.org>
>>>>> Vendor      : CentOS
>>>>> URL         : http://www.skbuff.net/iputils
>>>>> Summary     : Network monitoring tools including ping
>>>>> Description :
>>>>> The iputils package contains basic utilities for monitoring a
>>>>> network,
>>>>> including ping. The ping command sends a series of ICMP protocol
>>>>> ECHO_REQUEST packets to a specified network host to discover
>>>>> whether
>>>>> the target machine is alive and receiving network traffic.
>>>>> -------------------------------------
>>>>>
>>>>> while in the centos repo:
>>>>> -------------------------------------
>>>>> # rpm -qi iputils
>>>>> Name        : iputils
>>>>> Version     : 20121221
>>>>> Release     : 7.el7
>>>>> Architecture: x86_64
>>>>> Install Date: Tue 15 Dec 2015 03:15:22 PM CET
>>>>> Group       : System Environment/Daemons
>>>>> Size        : 368577
>>>>> License     : BSD and GPLv2+
>>>>> Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID
>>>>> 24c6a8a7f4a80eb5
>>>>> Source RPM  : iputils-20121221-7.el7.src.rpm
>>>>> Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
>>>>> Build Host  : worker1.bsys.centos.org
>>>>> Relocations : (not relocatable)
>>>>> Packager    : CentOS BuildSystem <http://bugs.centos.org>
>>>>> Vendor      : CentOS
>>>>> URL         : http://www.skbuff.net/iputils
>>>>> Summary     : Network monitoring tools including ping
>>>>> Description :
>>>>> The iputils package contains basic utilities for monitoring a
>>>>> network,
>>>>> including ping. The ping command sends a series of ICMP protocol
>>>>> ECHO_REQUEST packets to a specified network host to discover
>>>>> whether
>>>>> the target machine is alive and receiving network traffic.
>>>>> -------------------------------------
>>>>> imho it's a bug! without it ping not working from any docker
>>>>> container
>>>>> based on centos7.
>>>>>
>>>>
>>>>
>>>
>>
>>
> 
> 

-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
References:
- [atomic] (no subject)
  - From: Jeremy Eder
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]