----- Original Message -----
> From: "Eric Paris" <eparis at redhat.com>
> To: "Farkas Levente" <lfarkas at lfarkas.org>, "CentOS devel" <centos-devel at centos.org>, atomic at projectatomic.io
> Sent: Wednesday, February 10, 2016 5:00:31 PM
> Subject: Re: [atomic] official centos-7 docker image are wrong
>
> I'm willing to bet one week's pay that RH didn't silently release the
> same version twice with different code...
>
> Wasn't there a problem that one of the base image build systems somehow
> didn't support file caps and so the caps were being silently lost?
> Maybe something about squashfs not understanding filecaps and rpm not
> considering that a permanent failure... Very very hazy...

There was this:

http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-containers-on-atomic-hosts/

>
> I know I remember this bug in the back of my head...
>
> In any case if you look in the centos base image (after installing
> attr)
>
> # getfattr -n security.capability /usr/bin/ping
> /usr/bin/ping: security.capability: No such attribute
>
> # rpm -V iputils
> ........P /usr/bin/ping
> ........P /usr/bin/ping6
> ........P /usr/sbin/arping
> ........P /usr/sbin/clockdiff
>
> So while the right version/rpm was installed the actual bits in the
> base image aren't what the rpm says they should be! The bug is in how
> the base image is created... I don't know where, but just building it
> again will likely just keep doing the wrong thing...
>
> I know this will trigger someone's mind who was looking into this months
> and months ago...
>
> -Eric
>
> On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
> > hi,
> > according to this bug
> > https://bugzilla.redhat.com/show_bug.cgi?id=1142311
> > rh silently replaced iputils with the same version with fixed
> > capabilities.
> > unfortunately official base centos-7 (ie. latest 7.2) docker images
> > are
> > built with the wrong version, so these images should have to be
> > rebuilt
> > with the proper version.
> > currently in the official centos7 docker images:
> > -------------------------------------
> > # rpm -qi iputils
> > Name : iputils
> > Version : 20121221
> > Release : 7.el7
> > Architecture: x86_64
> > Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
> > Group : System Environment/Daemons
> > Size : 368577
> > License : BSD and GPLv2+
> > Signature : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID
> > 24c6a8a7f4a80eb5
> > Source RPM : iputils-20121221-7.el7.src.rpm
> > Build Date : Fri 20 Nov 2015 07:12:19 PM UTC
> > Build Host : worker1.bsys.centos.org
> > Relocations : (not relocatable)
> > Packager : CentOS BuildSystem <http://bugs.centos.org>
> > Vendor : CentOS
> > URL : http://www.skbuff.net/iputils
> > Summary : Network monitoring tools including ping
> > Description :
> > The iputils package contains basic utilities for monitoring a
> > network,
> > including ping. The ping command sends a series of ICMP protocol
> > ECHO_REQUEST packets to a specified network host to discover whether
> > the target machine is alive and receiving network traffic.
> > -------------------------------------
> >
> > while in the centos repo:
> > -------------------------------------
> > # rpm -qi iputils
> > Name : iputils
> > Version : 20121221
> > Release : 7.el7
> > Architecture: x86_64
> > Install Date: Tue 15 Dec 2015 03:15:22 PM CET
> > Group : System Environment/Daemons
> > Size : 368577
> > License : BSD and GPLv2+
> > Signature : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID
> > 24c6a8a7f4a80eb5
> > Source RPM : iputils-20121221-7.el7.src.rpm
> > Build Date : Fri 20 Nov 2015 08:12:19 PM CET
> > Build Host : worker1.bsys.centos.org
> > Relocations : (not relocatable)
> > Packager : CentOS BuildSystem <http://bugs.centos.org>
> > Vendor : CentOS
> > URL : http://www.skbuff.net/iputils
> > Summary : Network monitoring tools including ping
> > Description :
> > The iputils package contains basic utilities for monitoring a
> > network,
> > including ping. The ping command sends a series of ICMP protocol
> > ECHO_REQUEST packets to a specified network host to discover whether
> > the target machine is alive and receiving network traffic.
> > -------------------------------------
> > imho it's a bug! without it ping is not working from any docker
> > container
> > based on centos7.
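
Added example, not part of the original thread or of any project's tooling: a small filter that reads `rpm -V` output like the listing quoted above and reports every file whose capability flag (`P`, the ninth verify flag) is set, which is how the stripped file capabilities show up in an image. The function names and the three extra sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find files whose on-disk capabilities
# differ from the RPM database, using the `rpm -V` flag column.
# Flag order is S M 5 D L U G T P; position 9 ("P") means caPabilities differ.

# Reads `rpm -V` / `rpm -Va` output on stdin, prints each path flagged "P".
caps_mismatch() {
    awk '
        # Only lines starting with a 9-character flag field; this skips
        # "missing   /path" lines and dependency messages.
        length($1) == 9 && substr($1, 9, 1) == "P" {
            path = $0
            sub(/^[^ \t]+[ \t]+/, "", path)    # drop the flag field
            sub(/^[a-z][ \t]+/, "", path)      # drop attribute marker (c, d, g, l, r)
            print path
        }'
}

# Sample input: the four iputils lines are from the message above;
# the last three lines are constructed to exercise the other branches.
sample_rpm_verify() {
    cat <<'EOF'
........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
S.5....T.  c /etc/example.conf
.M......P  c /etc/example-caps.conf
missing      /usr/share/doc/example/README
EOF
}

# On a real image, replace the sample with: rpm -Va 2>/dev/null | caps_mismatch
sample_rpm_verify | caps_mismatch
```

Running the filter over `rpm -Va` in an image build pipeline catches this class of problem for every package, not just iputils.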