
Comments (16)

errietta avatar errietta commented on July 23, 2024 6

We can reproduce this. Neither 21.10 nor 20.04 has this issue, but the latest and 22.04 tags do.
This fails on CI (Buddy CI, no idea what version of Docker they use on the host) AND my local MacBook: Docker version 20.10.8, build 3967b7d.

from docker-brew-ubuntu-core.

errietta avatar errietta commented on July 23, 2024 3

@woky
1:

errykostala in ~  > docker run -it ubuntu:jammy apt-get update
Unable to find image 'ubuntu:jammy' locally
jammy: Pulling from library/ubuntu
Digest: sha256:2a7dffab37165e8b4f206f61cfd984f8bb279843b070217f6ad310c9c31c9c7c
Status: Downloaded newer image for ubuntu:jammy
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:6 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [621 B]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [693 B]
Fetched 20.2 MB in 3s (7590 kB/s)               
Reading package lists... Done
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code

(doesn't work)

2:

errykostala in ~  > docker run -it --security-opt seccomp=unconfined ubuntu:jammy apt-get update

Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:6 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [693 B]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [621 B]
Fetched 20.2 MB in 3s (7716 kB/s)                        
Reading package lists... Done

(seems to work)

3:

errykostala in ~  > docker run -it --privileged ubuntu:jammy apt-get update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:8 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [621 B]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [693 B]
Fetched 20.2 MB in 3s (7406 kB/s)                        
Reading package lists... Done

(also works)

That's not really an acceptable fix though, because running with --privileged is a great backdoor into escaping the container and privescing into the host.


mwhudson avatar mwhudson commented on July 23, 2024 2

@srepollock I don't know what problem you're seeing there, but it's not the same as the ones the other people are discussing, which is a problem with the clone3 syscall, which is only used in jammy and kinetic images -- if you're seeing the issue with focal, it's 100% something else so please file a new bug!

from docker-brew-ubuntu-core.
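A small probe for the clone3 behaviour named in the comment above, added here as an example (not code from the thread or the project): it issues a deliberately invalid clone3() call, which cannot create a process, and classifies the errno so the filter's answer can be compared with and without the default seccomp profile. The verdict names and the fallback syscall number are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* assumption: x86-64/arm64 number, for older headers */
#endif

/* Verdict names are hypothetical, chosen for this example. */
enum clone3_verdict { CLONE3_REACHES_KERNEL, CLONE3_ENOSYS, CLONE3_EPERM, CLONE3_OTHER };

/* Map the errno of an invalid clone3() call to what it says about filtering. */
enum clone3_verdict classify_clone3_errno(int err)
{
    switch (err) {
    case EINVAL: /* kernel saw the call and rejected the undersized struct */
    case EFAULT:
        return CLONE3_REACHES_KERNEL;
    case ENOSYS: /* no clone3 in this kernel, or a filter answering ENOSYS;
                    glibc treats this as "fall back to clone()" */
        return CLONE3_ENOSYS;
    case EPERM:  /* filter denies outright; glibc does not fall back on this */
        return CLONE3_EPERM;
    default:
        return CLONE3_OTHER;
    }
}

/* NULL args with size 0 fail the kernel's size check before any process is created. */
int probe_clone3_errno(void)
{
    errno = 0;
    long rc = syscall(SYS_clone3, NULL, (size_t)0);
    return rc == -1 ? errno : 0;
}

int main(void)
{
    static const char *names[] = {
        "reaches kernel (not filtered)", "ENOSYS (glibc falls back to clone)",
        "EPERM (denied by filter, no fallback)", "other"
    };
    int err = probe_clone3_errno();
    printf("clone3 probe: errno=%d -> %s\n", err, names[classify_clone3_errno(err)]);
    return classify_clone3_errno(err) == CLONE3_EPERM;
}
```

Built statically and run inside the affected image, an EPERM verdict under the default profile points at the host's seccomp handling rather than at the image.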

tianon avatar tianon commented on July 23, 2024 1


tianon avatar tianon commented on July 23, 2024 1


woky avatar woky commented on July 23, 2024 1

@tnir It seems you're running a focal host with the docker-ce package from https://docs.docker.com/engine/install/ubuntu/, not docker.io from the Ubuntu archive, but you're not using the latest version. Your docker-ce is at 5:20.10.12~3-0~ubuntu-focal but the Docker archive already contains 5:20.10.14~3-0~ubuntu-focal.

Anyway, I've tried to replicate your setup with

V='5:20.10.12~3-0~ubuntu-focal'
apt-get install docker-ce=$V docker-ce-cli=$V docker-ce-rootless-extras=$V containerd.io

so my versions are

root@localhost:~# dpkg -l docker-ce libseccomp2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version                     Architecture Description
+++-=================-===========================-============-====================================================
ii  docker-ce         5:20.10.12~3-0~ubuntu-focal amd64        Docker: the open-source application container engine
ii  libseccomp2:amd64 2.5.1-1ubuntu1~20.04.2      amd64        high level interface to Linux seccomp filter
root@localhost:~# docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:33 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:43:42 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
root@localhost:~# 

And I still can't reproduce your bug:

root@localhost:~# docker run ubuntu:jammy apt-get update
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [693 B]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [621 B]
Fetched 20.2 MB in 1s (15.8 MB/s)
Reading package lists...
root@localhost:~# 

Any suggestions to reproduce this?


woky avatar woky commented on July 23, 2024

@tnir, it looks like you hit this issue: https://bugs.launchpad.net/cloud-images/+bug/1943049. It should be fixed in the latest docker.io package in the archives. Can you try to update?


tnir avatar tnir commented on July 23, 2024

@woky Thanks. Nothing is changed even with https://hub.docker.com/layers/ubuntu/library/ubuntu/latest/images/sha256-c27987afd3fd8234bcf7a81e46cf86c2c4c10ef06e80f0869c22c6ff22b29f9d?context=explore (linux/amd64) 🤔 :

$ docker run --rm ubuntu@sha256:c27987afd3fd8234bcf7a81e46cf86c2c4c10ef06e80f0869c22c6ff22b29f9d apt update

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Fetched 20.2 MB in 3s (5897 kB/s)
Reading package lists...
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code


andrewcorrigan avatar andrewcorrigan commented on July 23, 2024

What versions are required of Docker and libseccomp? I'm hitting similar issues to the above using:

Docker version 20.10.14, build a224086
libseccomp-2.3.1-4.el7.x86_64


tnir avatar tnir commented on July 23, 2024

Even with libseccomp 2.5.1-1ubuntu1~20.04.2, it does not work for me:

$ docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:33 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:43:42 2021
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.4.13
  GitCommit:        9cc61520f4cd876b86e77edfeb88fbcd536d1f9d
 gitpod:
  Version:          1.1.0
  GitCommit:        v1.1.0-0-g067aaf85
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
$ dpkg -l libseccomp2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version                Architecture Description
+++-=================-======================-============-============================================
ii  libseccomp2:amd64 2.5.1-1ubuntu1~20.04.2 amd64        high level interface to Linux seccomp filter


woky avatar woky commented on July 23, 2024

Can you try to run the following commands and post all the output?

  1. docker run -it ubuntu:jammy apt-get update
  2. docker run -it --security-opt seccomp=unconfined ubuntu:jammy apt-get update
  3. docker run -it --privileged ubuntu:jammy apt-get update


tnir avatar tnir commented on July 23, 2024

--security-opt seccomp=unconfined is required to reproduce the problem for me as well.


errietta avatar errietta commented on July 23, 2024

@tnir it works fine with, doesn't work without, unless that's what you meant


woky avatar woky commented on July 23, 2024

@tnir Can you run the following on your host and attach the resulting strace.log here?

docker run -it woky/jammy-strace strace -f apt update &> strace.log

Also, please post the output of the following from your host:

  • cat /etc/os-release
  • uname -a

TIA

EDIT: Please also attach output of docker info.


srepollock avatar srepollock commented on July 23, 2024

I am running into this issue on:
macOS: 11.3.1 (20E241)
docker desktop: 4.8.1 (78998)
docker engine: 20.10.14

Trying to build with: ubuntu:latest in the Dockerfile

Running in console: docker build -t [name] -f Dockerfile .
as soon as I hit RUN apt update --fix-missing && apt upgrade -y the build then fails out with:

 => ERROR [ 2/21] RUN apt update --fix-missing     && apt upgrade -y    1.5s
------
 > [ 2/21] RUN apt update --fix-missing     && apt upgrade -y:
#6 1.135 Segmentation fault
------
executor failed running [/bin/sh -c apt update --fix-missing     && apt upgrade -y]: exit code: 139
make: *** [build-main_server] Error 1

I am unable to build and therefore cannot run with --security-opt seccomp=unconfined

Please note: I have built on both:
Windows (latest):
I don't have access to the machine at the time of writing as I'm away from it, but docker was up to date and using the same Dockerfile

AWS EC2 Ubuntu

  • Ubuntu 22.04
  • Docker 20.10.16

I've tried the following Ubuntu images with similar errors (in no particular order):
latest
focal
impish
devel

The following seems to work:
bionic
trusty

Edit*:

$ docker version

Client:
 Cloud integration: v1.0.24
 Version:           20.10.14
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 24 01:49:20 2022
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.8.1 (78998)
 Engine:
  Version:          20.10.14
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       87a90dc
  Built:            Thu Mar 24 01:46:14 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0


tianon avatar tianon commented on July 23, 2024

This repository is no longer canonical; see #248 for more details.
