[CentOS-devel] official centos-7 docker image are wrong

Fri Feb 12 14:07:14 UTC 2016
Jim Perrin <jperrin at centos.org>


On 02/11/2016 01:29 AM, Farkas Levente wrote:

>>
>> +[jperrin at ferrata ~]$ docker run -it centos ping -c 5 google.com
> 
> because this is the wrong way to test!!!
> please follow my description!
> in the above way you run ping as root, but you should have to run as a
> non-root user!

Okay, so here's the issue after yesterday's digging. It appears that
virt-tar-out strips file capabilities, which results in a container with
ping not working as you found. I can work around this by using tar
directly, and passing --xattrs to preserve the capabilities data. This
works if I import the tarball directly into docker, however this
results in an archive that docker's ADD command does not recognize as a
local tar archive for unpacking. Since the ADD command is crucial for
the base container build process, this is a bit of a blocker.

This appears to be a bug in docker, and I'll be filing it upstream.
However this leads us back to one of the two original fixes.

Until this is resolved upstream, I can either remove the package, or
leave it in a partly broken state. Which would you prefer?



-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
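
Added example, not part of the original message or of any CentOS or docker tooling: a Python check that a rootfs tarball still carries the file capabilities discussed above before it is imported. It relies on GNU tar --xattrs storing them as `SCHILY.xattr.security.capability` pax headers; the sample archive, the `usr/bin/ping` path and the expected capability set (cap_net_admin, cap_net_raw) are constructed assumptions.

```python
import io
import struct
import tarfile

# pax header key under which GNU tar --xattrs stores security.capability
CAP_XATTR = "SCHILY.xattr.security.capability"
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset; others print as cap_<n>
# Constructed sample value: revision 2, permitted = cap_net_admin | cap_net_raw
PING_CAPS = struct.pack("<5I", 0x02000000, (1 << 12) | (1 << 13), 0, 0, 0)
# Assumption: the capabilities the image is expected to keep on ping
EXPECTED = {"usr/bin/ping": {"cap_net_admin", "cap_net_raw"}}

def decode_caps(raw: bytes) -> list:
    """Return the permitted capabilities in a v2/v3 security.capability value."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    if (magic & 0xFF000000) not in (0x02000000, 0x03000000):
        raise ValueError("unsupported capability revision")
    p_lo, _i_lo, p_hi, _i_hi = struct.unpack_from("<4I", raw, 4)
    permitted = p_lo | (p_hi << 32)
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (permitted >> b) & 1]

def make_rootfs(keep_xattrs: bool) -> bytes:
    """Build a constructed one-file rootfs tarball, with or without the xattr."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo("usr/bin/ping")
        info.mode = 0o755
        if keep_xattrs:
            info.pax_headers = {CAP_XATTR: PING_CAPS.decode("utf-8", "surrogateescape")}
        tf.addfile(info)
    return buf.getvalue()

def missing_caps(tar_bytes: bytes, expected: dict) -> dict:
    """Map each expected path to the capabilities the tarball fails to carry."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf:
            value = member.pax_headers.get(CAP_XATTR)
            if value is not None:
                raw = value.encode("utf-8", "surrogateescape")
                found[member.name] = set(decode_caps(raw))
    gaps = {p: sorted(want - found.get(p, set())) for p, want in expected.items()}
    return {p: caps for p, caps in gaps.items() if caps}

if __name__ == "__main__":
    for label, keep in (("with xattrs", True), ("stripped", False)):
        print(label, missing_caps(make_rootfs(keep), EXPECTED))
```

An empty result means every expected capability survived in the archive; a non-empty one names the binaries that would lose them once the tarball is unpacked into an image.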