[CentOS-devel] [atomic] official centos-7 docker image are wrong

Jason Brooks

jbrooks at redhat.com
Thu Feb 11 02:40:56 UTC 2016



----- Original Message -----
> From: "Eric Paris" <eparis at redhat.com>
> To: "Farkas Levente" <lfarkas at lfarkas.org>, "CentOS devel" <centos-devel at centos.org>, atomic at projectatomic.io
> Sent: Wednesday, February 10, 2016 5:00:31 PM
> Subject: Re: [atomic] official centos-7 docker image are wrong
> 
> I'm willing to bet one week's pay that RH didn't silently release the
> same version twice with different code...
> 
> Wasn't there a problem that one of the base image build systems somehow
> didn't support file caps and so the caps were being silently lost?
> Maybe something about squashfs not understanding filecaps and rpm not
> considering that a permanent failure... Very very hazy...

There was this:

http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-containers-on-atomic-hosts/

> 
> I know I remember this bug in the back of my head...
> 
> In any case if you look in the centos base image (after installing
> attr)
> 
> # getfattr -n security.capability /usr/bin/ping
> /usr/bin/ping: security.capability: No such attribute
> 
> # rpm -V iputils
> ........P    /usr/bin/ping
> ........P    /usr/bin/ping6
> ........P    /usr/sbin/arping
> ........P    /usr/sbin/clockdiff
> 
> So while the right version/rpm was installed the actual bits in the
> base image aren't what the rpm says they should be! The bug is in how
> the base image is created...  I don't know where, but just building it
> again will likely just keep doing the wrong thing...
> 
> I know this will trigger someone's mind who was looking into this months
> and months ago...
> 
> -Eric
> 
> On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
> > hi,
> > according to this bug
> > https://bugzilla.redhat.com/show_bug.cgi?id=1142311
> > rh silently replaced iputils with the same version with fixed
> > capabilities.
> > unfortunately the official base centos-7 (i.e. latest 7.2) docker images
> > are built with the wrong version, so these images should have to be
> > rebuilt with the proper version.
> > currently in the official centos7 docker images:
> > -------------------------------------
> > # rpm -qi iputils
> > Name        : iputils
> > Version     : 20121221
> > Release     : 7.el7
> > Architecture: x86_64
> > Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
> > Group       : System Environment/Daemons
> > Size        : 368577
> > License     : BSD and GPLv2+
> > Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID
> > 24c6a8a7f4a80eb5
> > Source RPM  : iputils-20121221-7.el7.src.rpm
> > Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
> > Build Host  : worker1.bsys.centos.org
> > Relocations : (not relocatable)
> > Packager    : CentOS BuildSystem <http://bugs.centos.org>
> > Vendor      : CentOS
> > URL         : http://www.skbuff.net/iputils
> > Summary     : Network monitoring tools including ping
> > Description :
> > The iputils package contains basic utilities for monitoring a
> > network,
> > including ping. The ping command sends a series of ICMP protocol
> > ECHO_REQUEST packets to a specified network host to discover whether
> > the target machine is alive and receiving network traffic.
> > -------------------------------------
> > 
> > while in the centos repo:
> > -------------------------------------
> > # rpm -qi iputils
> > Name        : iputils
> > Version     : 20121221
> > Release     : 7.el7
> > Architecture: x86_64
> > Install Date: Tue 15 Dec 2015 03:15:22 PM CET
> > Group       : System Environment/Daemons
> > Size        : 368577
> > License     : BSD and GPLv2+
> > Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID
> > 24c6a8a7f4a80eb5
> > Source RPM  : iputils-20121221-7.el7.src.rpm
> > Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
> > Build Host  : worker1.bsys.centos.org
> > Relocations : (not relocatable)
> > Packager    : CentOS BuildSystem <http://bugs.centos.org>
> > Vendor      : CentOS
> > URL         : http://www.skbuff.net/iputils
> > Summary     : Network monitoring tools including ping
> > Description :
> > The iputils package contains basic utilities for monitoring a
> > network,
> > including ping. The ping command sends a series of ICMP protocol
> > ECHO_REQUEST packets to a specified network host to discover whether
> > the target machine is alive and receiving network traffic.
> > -------------------------------------
> > imho it's a bug! without it ping is not working from any docker
> > container based on centos7.
> > 
> 
>
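
Added example (not part of the original thread or of any CentOS tooling): a small shell filter that turns the `rpm -V` check quoted above into a build gate for image creation, reporting files whose capabilities differ from the RPM database. The function names `caps_mismatch` and `caps_gate` and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find files whose capabilities no longer match the RPM database.
# Each `rpm -V` line starts with a 9-character flag string (SM5DLUGTP);
# the 9th character is 'P' when the file's capabilities differ.

# Constructed sample: three lines as shown in the thread, plus two constructed
# lines (a changed config file and a missing file) that must not be reported.
SAMPLE='........P    /usr/bin/ping
........P    /usr/bin/ping6
S.5....T.  c /etc/hosts
missing     /usr/share/doc/example/README
........P    /usr/sbin/arping'

# caps_mismatch: read `rpm -V` output on stdin and print the path of every
# file with the P flag set. The path is taken from the first "/" onward so an
# optional file-type marker (c, d, g, l, r) or spaces in the name do not matter.
caps_mismatch() {
    awk '
        $1 == "missing" { next }
        length($1) == 9 && substr($1, 9, 1) == "P" {
            print substr($0, index($0, "/"))
        }
    '
}

# caps_gate: same input, but usable as a build gate. Returns 1 and lists the
# affected files on stderr if any capability mismatch is present.
caps_gate() {
    bad=$(caps_mismatch)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf 'file capabilities differ from the RPM database:\n%s\n' "$bad" >&2
    return 1
}

# Demo on the sample; inside an image one would run: rpm -Va | caps_gate
printf '%s\n' "$SAMPLE" | caps_mismatch
```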


