Univention Bugzilla – Bug 56649
80_docker/73_app_listener_integration fails: Debian:stable incompatible with seccomp
Last modified: 2024-02-28 11:39:01 CET
test/ucs-test/tests/80_docker/73_app_listener_integration fails since 3m:
<https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=backup/testReport/80_docker/73_app_listener_integration/backup092/>

test/ucs-test/tests/80_docker/73_app_listener_integration:195
> DockerImage='docker-test.software-univention.de/debian:stable',

This is now "Debian 12 Bookworm", where glibc uses newer syscalls not allowed by ancient "seccomp" as shipped with UCS 4.4-9. Running such a new container on old docker produces very strange looking errors:

    # docker run --rm debian:stable apt-get -qq update
    W: GPG error: http://deb.debian.org/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
    E: The repository 'http://deb.debian.org/debian stable InRelease' is not signed.
    W: GPG error: http://deb.debian.org/debian stable-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
    E: The repository 'http://deb.debian.org/debian stable-updates InRelease' is not signed.
    W: GPG error: http://deb.debian.org/debian-security stable-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
    E: The repository 'http://deb.debian.org/debian-security stable-security InRelease' is not signed.
    E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
    E: Sub-process returned an error code

Using `--security-opt seccomp:unconfined` makes it work, but this is not an option for Apps.

1. The image "debian:stable" should not be used as it is a moving target, which is updated weekly.
2. Even though "docker-test.software-univention.de/debian:stable" is not updated weekly and is some "stale version from the past", it still should not be used as it references the external resource "deb.debian.org" which is not controlled by us and thus is again a moving target: "apt-get update" might fail for network issues or (in the distant future) may fail as the PGP key of that image will have expired.

    ssh -t docker sudo -s
    docker pull python:3.7-slim-buster
    docker tag python:3.7-slim-buster docker-test-upload.software-univention.de/python:3.7-slim-buster
    docker push docker-test-upload.software-univention.de/python:3.7-slim-buster
    docker pull python:3.7-slim-bullseye
    docker tag python:3.7-slim-bullseye docker-test-upload.software-univention.de/python:3.7-slim-bullseye
    docker push docker-test-upload.software-univention.de/python:3.7-slim-bullseye

[4.4-9] b926b609bf test(80_docker/80_docker_pull_via_proxy_http)
 test/ucs-test/tests/80_docker/80_docker_pull_via_proxy_http | 42 ++++-----------------------------
 1 file changed, 4 insertions(+), 38 deletions(-)

[4.4-9] 16017d9e1b test(80_docker/73_app_listener_integration)
 test/ucs-test/debian/changelog | 6 ++
 test/ucs-test/tests/80_docker/73_app_listener_integration | 155 +++++++++++++++-------------------
 2 files changed, 74 insertions(+), 87 deletions(-)

Package: ucs-test
Version: 9.0.7-99
Branch: ucs_4.4-0
Scope: errata4.4-9

[5.0-5] b865a0f917 test(80_docker/80_docker_pull_via_proxy_http)
 test/ucs-test/tests/80_docker/80_docker_pull_via_proxy_http.py | 40 +++---------------------------
 1 file changed, 3 insertions(+), 37 deletions(-)

[5.0-5] 56b30dfdf6 test(80_docker/73_app_listener_integration)
 test/ucs-test/debian/changelog | 6 ++
 test/ucs-test/tests/80_docker/73_app_listener_integration.py | 134 +++++++++++---------------
 test/ucs-test/tests/80_docker/dockertest.py | 160 +++++++++++++------------------
 3 files changed, 132 insertions(+), 168 deletions(-)

Package: ucs-test
Version: 10.0.19-14
Branch: ucs_5.0-0
Scope: errata5.0-5
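
The incompatibility reported above (a newer glibc issuing syscalls that an older seccomp profile does not list) can be checked for ahead of time by auditing the profile itself. The following is an added example, not code from ucs-test or from this bug report: the sample profile is constructed, and the syscall names in `NEWER_SYSCALLS` are an assumption chosen for illustration, since the report does not name the syscalls involved.

```python
import json

# Constructed sample in the Docker seccomp profile JSON layout (not the UCS profile).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["access", "faccessat", "clone", "stat"], "action": "SCMP_ACT_ALLOW"},
    {"name": "openat", "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

# Assumption: syscalls a newer glibc may try first; not taken from the bug report.
NEWER_SYSCALLS = ["faccessat2", "clone3", "statx"]


def syscall_actions(profile):
    """Map each syscall named in the profile to (action, is_conditional)."""
    actions = {}
    for rule in profile.get("syscalls", []):
        # Older profiles use a single "name" per rule, newer ones a "names" list.
        names = list(rule.get("names") or [])
        if rule.get("name"):
            names.append(rule["name"])
        conditional = bool(rule.get("args"))  # argument filters narrow the rule
        for name in names:
            actions.setdefault(name, (rule["action"], conditional))  # keep first rule seen
    return actions


def audit(profile, wanted):
    """Return {syscall: verdict} for every syscall in `wanted`."""
    default = profile["defaultAction"]
    actions = syscall_actions(profile)
    report = {}
    for name in wanted:
        if name in actions:
            action, conditional = actions[name]
            report[name] = action + (" (conditional)" if conditional else "")
        else:
            report[name] = "default:" + default  # unlisted: falls to the default action
    return report


def blocked(profile, wanted):
    """Syscalls from `wanted` that the profile does not allow unconditionally."""
    return [n for n, v in audit(profile, wanted).items() if v != "SCMP_ACT_ALLOW"]
```

Running `blocked()` against the profile a host actually applies, before switching a test to a newer base image, shows which calls would fall through to the default action.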