Bug 56649 - 80_docker/73_app_listener_integration fails: Debian:stable incompatible with seccomp
Status: RESOLVED FIXED
Product: UCS Test
Classification: Unclassified
Component: Docker
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Assigned To: Philipp Hahn
Depends on: 57093 45426 55360
Reported: 2023-09-25 14:01 CEST by Philipp Hahn
Modified: 2024-02-28 11:39 CET (History)
What kind of report is it?: Development Internal
Description Philipp Hahn univentionstaff 2023-09-25 14:01:41 CEST
test/ucs-test/tests/80_docker/73_app_listener_integration fails since 3m: <https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=backup/testReport/80_docker/73_app_listener_integration/backup092/>

test/ucs-test/tests/80_docker/73_app_listener_integration:195
> DockerImage='docker-test.software-univention.de/debian:stable',

This is now "Debian 12 Bookworm", where glibc uses newer syscalls not allowed by ancient "seccomp" as shipped with UCS 4.4-9.
Running such a new container on old docker produces very strange looking errors:

# docker run --rm debian:stable apt-get -qq update
W: GPG error: http://deb.debian.org/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian stable InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian stable-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian stable-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security stable-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security stable-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code


Using `--security-opt seccomp:unconfined` makes it work, but this is not an option for Apps.


1. The image "debian:stable" should not be used as it is a moving target, which is updated weekly.
2. Even though "docker-test.software-univention.de/debian:stable" is not updated weekly and is some "stale version from the past", it still should not be used as it references the external resource "deb.debian.org" which is not controlled by us and thus is again a moving target: "apt-get update" might fail for network issues or (in the distant future) may fail as the PGP key of that image will have expired.
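
An added example, not part of the original report or of ucs-test: a small audit of a Docker-format seccomp profile that shows why a deny-by-default profile written before a syscall existed breaks newer userland, while a profile that answers ENOSYS lets libc fall back to the older syscall. The syscall names clone3 and faccessat2 are an assumption (the report does not say which syscalls were blocked), and both profiles are constructed samples.

```python
ENOSYS, EPERM = 38, 1  # Linux errno values; SCMP_ACT_ERRNO returns EPERM unless errnoRet is set

# Assumption: syscalls often named for this failure mode; the report does not say which were blocked.
NEWER_SYSCALLS = ("clone3", "faccessat2")

def rule_applies(rule, caps):
    """A rule counts only if it is unconditional for a container holding `caps`."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    return inc <= caps and not (exc & caps) and not rule.get("args")

def verdict(profile, syscall, caps=frozenset()):
    """Return (action, errno) for `syscall`; first matching rule wins (simplified)."""
    action = profile.get("defaultAction", "SCMP_ACT_ERRNO")
    errno_ret = profile.get("defaultErrnoRet", EPERM)
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]  # "name" is the legacy singular key
        if syscall in names and rule_applies(rule, caps):
            action, errno_ret = rule["action"], rule.get("errnoRet", EPERM)
            break
    return action, (errno_ret if action == "SCMP_ACT_ERRNO" else None)

def audit(profile, syscalls=NEWER_SYSCALLS, caps=frozenset()):
    """Classify each syscall: 'allowed', 'fallback' (ENOSYS, libc retries the
    older syscall) or 'broken' (any other denial surfaces as a real error)."""
    report = {}
    for name in syscalls:
        action, errno_ret = verdict(profile, name, caps)
        if action in ("SCMP_ACT_ALLOW", "SCMP_ACT_LOG"):
            report[name] = "allowed"
        elif action == "SCMP_ACT_ERRNO" and errno_ret == ENOSYS:
            report[name] = "fallback"
        else:
            report[name] = "broken"
    return report

# Constructed profiles in Docker's JSON layout (use json.load() for a real file).
OLD_PROFILE = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["clone", "faccessat", "openat"], "action": "SCMP_ACT_ALLOW"}]}
NEW_PROFILE = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["clone", "faccessat", "faccessat2", "openat"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS,
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}}]}

if __name__ == "__main__":
    for label, prof in (("old", OLD_PROFILE), ("new", NEW_PROFILE)):
        print(label, audit(prof))
```

A "broken" entry marks a syscall the profile denies with an errno other than ENOSYS, which the program sees as a genuine failure instead of a cue to use the older syscall.
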
Comment 1 Philipp Hahn univentionstaff 2023-09-27 07:18:45 CEST
ssh -t docker sudo -s

docker pull python:3.7-slim-buster
docker tag python:3.7-slim-buster docker-test-upload.software-univention.de/python:3.7-slim-buster
docker push docker-test-upload.software-univention.de/python:3.7-slim-buster

docker pull python:3.7-slim-bullseye
docker tag python:3.7-slim-bullseye docker-test-upload.software-univention.de/python:3.7-slim-bullseye
docker push docker-test-upload.software-univention.de/python:3.7-slim-bullseye

[4.4-9] b926b609bf test(80_docker/80_docker_pull_via_proxy_http)
 test/ucs-test/tests/80_docker/80_docker_pull_via_proxy_http | 42 ++++-----------------------------
 1 file changed, 4 insertions(+), 38 deletions(-)

[4.4-9] 16017d9e1b test(80_docker/73_app_listener_integration)
 test/ucs-test/debian/changelog                            |   6 ++
 test/ucs-test/tests/80_docker/73_app_listener_integration | 155 +++++++++++++++-------------------
 2 files changed, 74 insertions(+), 87 deletions(-)

Package: ucs-test
Version: 9.0.7-99
Branch: ucs_4.4-0
Scope: errata4.4-9

[5.0-5] b865a0f917 test(80_docker/80_docker_pull_via_proxy_http)
 test/ucs-test/tests/80_docker/80_docker_pull_via_proxy_http.py | 40 +++---------------------------
 1 file changed, 3 insertions(+), 37 deletions(-)

[5.0-5] 56b30dfdf6 test(80_docker/73_app_listener_integration)
 test/ucs-test/debian/changelog                               |   6 ++
 test/ucs-test/tests/80_docker/73_app_listener_integration.py | 134 +++++++++++---------------
 test/ucs-test/tests/80_docker/dockertest.py                  | 160 +++++++++++++------------------
 3 files changed, 132 insertions(+), 168 deletions(-)

Package: ucs-test
Version: 10.0.19-14
Branch: ucs_5.0-0
Scope: errata5.0-5