hi,
according to this bug https://bugzilla.redhat.com/show_bug.cgi?id=1142311 rh silently replaced iputils with the same version with fixed capabilities. unfortunately the official base centos-7 (ie. latest 7.2) docker images are built with the wrong version, so these images should have to be rebuilt with the proper version.
currently in the official centos7 docker images:
-------------------------------------
# rpm -qi iputils
Name        : iputils
Version     : 20121221
Release     : 7.el7
Architecture: x86_64
Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
Group       : System Environment/Daemons
Size        : 368577
License     : BSD and GPLv2+
Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID 24c6a8a7f4a80eb5
Source RPM  : iputils-20121221-7.el7.src.rpm
Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem http://bugs.centos.org
Vendor      : CentOS
URL         : http://www.skbuff.net/iputils
Summary     : Network monitoring tools including ping
Description :
The iputils package contains basic utilities for monitoring a network,
including ping. The ping command sends a series of ICMP protocol
ECHO_REQUEST packets to a specified network host to discover whether
the target machine is alive and receiving network traffic.
-------------------------------------
while in the centos repo:
-------------------------------------
# rpm -qi iputils
Name        : iputils
Version     : 20121221
Release     : 7.el7
Architecture: x86_64
Install Date: Tue 15 Dec 2015 03:15:22 PM CET
Group       : System Environment/Daemons
Size        : 368577
License     : BSD and GPLv2+
Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : iputils-20121221-7.el7.src.rpm
Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem http://bugs.centos.org
Vendor      : CentOS
URL         : http://www.skbuff.net/iputils
Summary     : Network monitoring tools including ping
Description :
The iputils package contains basic utilities for monitoring a network,
including ping. The ping command sends a series of ICMP protocol
ECHO_REQUEST packets to a specified network host to discover whether
the target machine is alive and receiving network traffic.
-------------------------------------
imho it's a bug! without it ping is not working from any docker container based on centos7.
I've not yet finished my first cup of coffee, but these appear to be the exact same package. The only difference I see in the output is the timezone used. Can you elaborate a bit more here?
On 10 Feb 09:06, Jim Perrin wrote:
I've not yet finished my first cup of coffee, but these appear to be the exact same package. The only difference I see in the output is the timezone used. Can you elaborate a bit more here?
On 02/10/2016 04:15 AM, Farkas Levente wrote:
hi, according to this bug https://bugzilla.redhat.com/show_bug.cgi?id=1142311
It looks like you did not read comment #14:
" yum reinstall iputils fixes the files. "
Your comment in bz does exactly that. It is not another package with the same version, it is just the fact that you reinstall it that fixes that.
gr,
On 02/10/2016 04:13 PM, Julien Pivotto wrote:
On 10 Feb 09:06, Jim Perrin wrote:
I've not yet finished my first cup of coffee, but these appear to be the exact same package. The only difference I see in the output is the timezone used. Can you elaborate a bit more here?
On 02/10/2016 04:15 AM, Farkas Levente wrote:
hi, according to this bug https://bugzilla.redhat.com/show_bug.cgi?id=1142311
It looks like you did not read comment #14:
" yum reinstall iputils fixes the files. "
Your comment in bz does exactly that. It is not another package with the same version, it is just the fact that you reinstall it that fixes that.
then why not fix the official base centos image to contain the right iputils or do whatever the reinstall did. anyway what the hell happened during reinstall since there is nothing like that in iputils pre/post install scripts!???
imho if the official base centos image is not working properly then it's a bug!
or write an official centos docker image howto as: Start each Dockerfile with: RUN rpm -e iputils && yum install iputils
so imho the subject of this email is still valid!
On 02/10/2016 04:18 PM, Farkas Levente wrote:
then why not fix the official base centos image to contain the right iputils or do whatever the reinstall did. anyway what the hell happened during reinstall since there is nothing like that in iputils pre/post install scripts!???
I actually got around to testing this today, and it appears to work fine without modification. I've tested this on both a centos and fedora host per the same instructions in the bz:
+[jperrin@ferrata ~]$ docker run -it centos ping -c 5 google.com
Unable to find image 'centos:latest' locally
Trying to pull repository docker.io/library/centos ...
latest: Pulling from library/centos
Digest: sha256:8072bc7c66c3d5b633c3fddfc2bf12d5b4c2623f7004d9eed6aae70e0e99fbd7
Status: Downloaded newer image for docker.io/centos:latest

PING google.com (216.58.218.206) 56(84) bytes of data.
64 bytes from dfw06s47-in-f14.1e100.net (216.58.218.206): icmp_seq=1 ttl=53 time=15.8 ms
64 bytes from dfw06s47-in-f206.1e100.net (216.58.218.206): icmp_seq=2 ttl=53 time=14.9 ms
64 bytes from dfw06s47-in-f206.1e100.net (216.58.218.206): icmp_seq=3 ttl=53 time=14.8 ms
64 bytes from dfw06s47-in-f206.1e100.net (216.58.218.206): icmp_seq=4 ttl=53 time=15.3 ms
imho if the official base centos image is not working properly then it's a bug!
It's working fine.
or write an official centos docker image howto as: Start each Dockerfile with: RUN rpm -e iputils && yum install iputils
No. That's an absurd workaround, not a fix. The fix (were it not working) would be to remove the package from the base container.
so imho the subject of this email is still valid!
It doesn't appear so.
On 02/11/2016 12:41 AM, Jim Perrin wrote:
On 02/10/2016 04:18 PM, Farkas Levente wrote:
then why not fix the official base centos image to contain the right iputils or do whatever the reinstall did. anyway what the hell happened during reinstall since there is nothing like that in iputils pre/post install scripts!???
I actually got around to testing this today, and it appears to work fine without modification. I've tested this on both a centos and fedora host per the same instructions in the bz:
+[jperrin@ferrata ~]$ docker run -it centos ping -c 5 google.com
because this is the wrong way to test!!! please follow my description! in the above way you run ping as root, but you should have to run as a non-root user!
imho if the official base centos image is not working properly then it's a bug!
It's working fine.
no it's not!
so imho the subject of this email is still valid!
It doesn't appear so.
so it is!
On 02/11/2016 01:29 AM, Farkas Levente wrote:
+[jperrin@ferrata ~]$ docker run -it centos ping -c 5 google.com
because this is the wrong way to test!!! please follow my description! in the above way you run ping as root, but you should have to run as a non-root user!
Okay, so here's the issue after yesterday's digging. It appears that virt-tar-out strips file capabilities, which results in a container with ping not working as you found. I can work around this by using tar directly, and passing --xattrs to preserve the capabilities data. This works if I import the tarball directly into docker, however this results in an archive that docker's ADD command does not recognize as a local tar archive for unpacking. Since the ADD command is crucial for the base container build process, this is a bit of a blocker.
This appears to be a bug in docker, and I'll be filing it upstream. However this leads us back to one of the two original fixes.
Until this is resolved upstream, I can either remove the package, or leave it in a partly broken state. Which would you prefer?
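An added example, not from the thread or from the CentOS build tooling: a check of a rootfs tarball for the `security.capability` extended attribute that `tar --xattrs` is meant to carry, which is the part `rpm -qi` cannot show. It assumes GNU tar's PAX key `SCHILY.xattr.security.capability`; the sample archive, the `usr/bin/ping` path and the capability blob are constructed, and the function names are hypothetical.

```python
import io
import struct
import tarfile

XATTR_KEY = "SCHILY.xattr.security.capability"  # PAX key assumed (GNU tar --xattrs)
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset of linux/capability.h

def decode_vfs_cap(raw: bytes) -> dict:
    """Decode a revision-2 vfs_cap_data blob (the security.capability xattr)."""
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack("<5I", raw[:20])
    if magic & 0xFF000000 != 0x02000000:
        raise ValueError("unsupported vfs_cap_data revision")
    permitted = p_lo | (p_hi << 32)
    names = sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1)
    return {"permitted": names, "effective": bool(magic & 1)}

def file_caps_in_tar(fileobj) -> dict:
    """Map member path -> decoded capabilities for members that carry the xattr."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            if value is not None:
                raw = value.encode("utf-8", "surrogateescape")
                found[member.name] = decode_vfs_cap(raw)
    return found

def build_sample_rootfs(with_xattrs: bool) -> io.BytesIO:
    """Constructed stand-in for a rootfs tarball; not a real CentOS image."""
    # Constructed blob: revision 2, cap_net_admin + cap_net_raw in the permitted set.
    blob = struct.pack("<5I", 0x02000000, (1 << 12) | (1 << 13), 0, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("usr/bin/ping")
        info.mode = 0o755
        if with_xattrs:
            info.pax_headers = {XATTR_KEY: blob.decode("latin-1")}
        tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return buf

def missing_caps(fileobj, expected_paths) -> list:
    """Paths that should carry file capabilities but do not in this archive."""
    present = file_caps_in_tar(fileobj)
    return [p for p in expected_paths if p not in present]
```

Running `missing_caps` over the tarball before it is imported flags an archive whose capabilities were stripped, even though the package metadata inside it is unchanged.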
On 02/12/2016 03:07 PM, Jim Perrin wrote:
On 02/11/2016 01:29 AM, Farkas Levente wrote:
+[jperrin@ferrata ~]$ docker run -it centos ping -c 5 google.com
because this is the wrong way to test!!! please follow my description! in the above way you run ping as root, but you should have to run as a non-root user!
Okay, so here's the issue after yesterday's digging. It appears that virt-tar-out strips file capabilities, which results in a container with ping not working as you found. I can work around this by using tar directly, and passing --xattrs to preserve the capabilities data. This works if I import the tarball directly into docker, however this results in an archive that docker's ADD command does not recognize as a local tar archive for unpacking. Since the ADD command is crucial for the base container build process, this is a bit of a blocker.
This appears to be a bug in docker, and I'll be filing it upstream. However this leads us back to one of the two original fixes.
Until this is resolved upstream, I can either remove the package, or leave it in a partly broken state. Which would you prefer?
imho ping is not essential in the base image, so removing it and letting everybody who needs it install it is a better solution than keeping a well-known broken image.
but that's just my 2c.
So, the easy fix for this (and one that aligns with a previous rh bugzilla ticket) is to remove iputils from the base container.
With this package removed, installing it will allow the package to function as expected. The problem is one of socializing the removal of the package from the base container. This has traditionally bitten us whenever we've pruned things from the container.