----- Original Message -----
From: "Eric Paris" eparis@redhat.com
To: "Farkas Levente" lfarkas@lfarkas.org, "CentOS devel" centos-devel@centos.org, atomic@projectatomic.io
Sent: Wednesday, February 10, 2016 5:00:31 PM
Subject: Re: [atomic] official centos-7 docker image are wrong
I'm willing to bet one week's pay that RH didn't silently release the same version twice with different code...
Wasn't there a problem that one of the base image build systems somehow didn't support file caps and so the caps were being silently lost? Maybe something about squashfs not understanding filecaps and rpm not considering that a permanent failure... Very very hazy...
There was this:
http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-containers-on...
I know I remember this bug in the back of my head...
In any case if you look in the centos base image (after installing attr)
# getfattr -n security.capability /usr/bin/ping
/usr/bin/ping: security.capability: No such attribute

# rpm -V iputils
........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
So while the right version/rpm was installed the actual bits in the base image aren't what the rpm says they should be! The bug is in how the base image is created... I don't know where, but just building it again will likely just keep doing the wrong thing...
I know this will trigger someone's mind who was looking into this months and months ago...
-Eric
On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
hi, according to this bug https://bugzilla.redhat.com/show_bug.cgi?id=1142311 rh silently replaced iputils with the same version with fixed capabilities. unfortunately the official base centos-7 (i.e. latest 7.2) docker images are built with the wrong version, so these images should be rebuilt with the proper version. currently in the official centos7 docker images:
# rpm -qi iputils
Name        : iputils
Version     : 20121221
Release     : 7.el7
Architecture: x86_64
Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
Group       : System Environment/Daemons
Size        : 368577
License     : BSD and GPLv2+
Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID 24c6a8a7f4a80eb5
Source RPM  : iputils-20121221-7.el7.src.rpm
Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem http://bugs.centos.org
Vendor      : CentOS
URL         : http://www.skbuff.net/iputils
Summary     : Network monitoring tools including ping
Description :
The iputils package contains basic utilities for monitoring a network,
including ping. The ping command sends a series of ICMP protocol
ECHO_REQUEST packets to a specified network host to discover whether
the target machine is alive and receiving network traffic.
while in the centos repo:
# rpm -qi iputils
Name        : iputils
Version     : 20121221
Release     : 7.el7
Architecture: x86_64
Install Date: Tue 15 Dec 2015 03:15:22 PM CET
Group       : System Environment/Daemons
Size        : 368577
License     : BSD and GPLv2+
Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : iputils-20121221-7.el7.src.rpm
Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem http://bugs.centos.org
Vendor      : CentOS
URL         : http://www.skbuff.net/iputils
Summary     : Network monitoring tools including ping
Description :
The iputils package contains basic utilities for monitoring a network,
including ping. The ping command sends a series of ICMP protocol
ECHO_REQUEST packets to a specified network host to discover whether
the target machine is alive and receiving network traffic.
imho it's a bug! without it ping is not working from any docker container based on centos7.
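
A check an image build could run to catch the condition shown in this thread, where `rpm -V` reports `P` (capabilities differ) for files whose package metadata is otherwise identical. This is an added example, not part of the original messages; the function names and the non-iputils sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Detects files whose capabilities differ
# from what the RPM database records, using the flag column of `rpm -V` output.

# Constructed sample: the four iputils lines quoted above, plus constructed
# lines of other kinds that the check must ignore.
sample_verify_output() {
    cat <<'EOF'
........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
S.5....T.  c /etc/example.conf
missing     /usr/share/doc/example/README
.M.......    /var/lib/example dir
EOF
}

# cap_mismatches: read `rpm -V` output on stdin and print the path of every
# file whose 9th verify flag is "P" (capabilities differ).
cap_mismatches() {
    awk '
        length($1) == 9 && $1 ~ /^[.?SM5DLUGTP]+$/ && substr($1, 9, 1) == "P" {
            line = $0
            sub(/^[^ \t]+[ \t]+/, "", line)   # drop the 9-character flag field
            sub(/^[cdglr][ \t]+/, "", line)   # drop the optional file-type marker
            print line
        }'
}

# audit_caps: same input; print a report and return 1 on any mismatch so an
# image build or CI job can fail on it.
audit_caps() {
    found=$(cap_mismatches)
    if [ -z "$found" ]; then
        echo "file capabilities match the RPM database"
        return 0
    fi
    printf '%s\n' "$found" | sed 's/^/capability mismatch: /'
    return 1
}

# Demo on the constructed sample; in an image build use: rpm -Va | audit_caps
if ! sample_verify_output | audit_caps; then
    echo "image differs from its packages: fail the build here"
fi
```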