Hey Jim -- Eric's right. Something's up with the attributes on the iputils files that are in the base centos image. I found that the "centos tools image" does not exhibit this behavior.
[root@dhcp23-177 ~]# docker run -it centos rpm -V iputils
........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff

Those were the 4 files touched by the patch that fixed the issue in the original bugzilla.

[root@dhcp23-177 ~]# docker run -it centos/tools rpm -V iputils
[root@dhcp23-177 ~]#

And Levente's reproducer looks better when using the tools image.

[root@dhcp23-177 ~]# docker run -it centos/tools bash
[root@af28656bfae7 /]# adduser test
[root@af28656bfae7 /]# su - test
[test@af28656bfae7 ~]$ ping google.com
PING google.com (216.58.217.142) 56(84) bytes of data.
64 bytes from iad23s43-in-f14.1e100.net (216.58.217.142): icmp_seq=1 ttl=52 time=12.2 ms
^C
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

Note that as root in the base centos container, ping works fine. It's only when you adduser and run ping as non-root that the issue shows up.

On Wed, Feb 10, 2016 at 11:48 PM, Eric Paris <[email protected]> wrote:
> On Wed, 2016-02-10 at 21:40 -0500, Jason Brooks wrote:
> >
> > ----- Original Message -----
> > > From: "Eric Paris" <[email protected]>
> > > To: "Farkas Levente" <[email protected]>, "CentOS devel" <centos-[email protected]>, [email protected]
> > > Sent: Wednesday, February 10, 2016 5:00:31 PM
> > > Subject: Re: [atomic] official centos-7 docker image are wrong
> > >
> > > I'm willing to bet one week's pay that RH didn't silently release the
> > > same version twice with different code...
> > >
> > > Wasn't there a problem that one of the base image build systems somehow
> > > didn't support file caps and so the caps were being silently lost?
> > > Maybe something about squashfs not understanding filecaps and rpm not
> > > considering that a permanent failure... Very very hazy...
> >
> > There was this:
> >
> > http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-containers-on-atomic-hosts/
>
> Yeah, I (sorta) remember those issues too, but don't think that is it
> either. ping in the centos images doesn't have any file caps... In
> that case the problem was it had CAP_EFFECTIVE set and shouldn't have.
>
> My money would be on the environment where the iputils binary was
> installed which differs between Centos and RHEL... (but a much much
> smaller amount of money)
>
> -Eric
>
> > >
> > > I know I remember this bug in the back of my head...
> > >
> > > In any case if you look in the centos base image (after installing attr)
> > >
> > > # getfattr -n security.capability /usr/bin/ping
> > > /usr/bin/ping: security.capability: No such attribute
> > >
> > > # rpm -V iputils
> > > ........P /usr/bin/ping
> > > ........P /usr/bin/ping6
> > > ........P /usr/sbin/arping
> > > ........P /usr/sbin/clockdiff
> > >
> > > So while the right version/rpm was installed the actual bits in the
> > > base image aren't what the rpm says they should be! The bug is in how
> > > the base image is created... I don't know where, but just building it
> > > again will likely just keep doing the wrong thing...
> > >
> > > I know this will trigger someone's mind who was looking into this months
> > > and months ago...
> > >
> > > -Eric
> > >
> > > On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
> > > > hi,
> > > > according to this bug
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1142311
> > > > rh silently replaced iputils with the same version with fixed
> > > > capabilities.
> > > > unfortunately official base centos-7 (ie. latest 7.2) docker images are
> > > > built with the wrong version, so these images should have to be rebuilt
> > > > with the proper version.
> > > > currently in the official centos7 docker images:
> > > > -------------------------------------
> > > > # rpm -qi iputils
> > > > Name        : iputils
> > > > Version     : 20121221
> > > > Release     : 7.el7
> > > > Architecture: x86_64
> > > > Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
> > > > Group       : System Environment/Daemons
> > > > Size        : 368577
> > > > License     : BSD and GPLv2+
> > > > Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID 24c6a8a7f4a80eb5
> > > > Source RPM  : iputils-20121221-7.el7.src.rpm
> > > > Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
> > > > Build Host  : worker1.bsys.centos.org
> > > > Relocations : (not relocatable)
> > > > Packager    : CentOS BuildSystem <http://bugs.centos.org>
> > > > Vendor      : CentOS
> > > > URL         : http://www.skbuff.net/iputils
> > > > Summary     : Network monitoring tools including ping
> > > > Description :
> > > > The iputils package contains basic utilities for monitoring a network,
> > > > including ping. The ping command sends a series of ICMP protocol
> > > > ECHO_REQUEST packets to a specified network host to discover whether
> > > > the target machine is alive and receiving network traffic.
> > > > -------------------------------------
> > > >
> > > > while in the centos repo:
> > > > -------------------------------------
> > > > # rpm -qi iputils
> > > > Name        : iputils
> > > > Version     : 20121221
> > > > Release     : 7.el7
> > > > Architecture: x86_64
> > > > Install Date: Tue 15 Dec 2015 03:15:22 PM CET
> > > > Group       : System Environment/Daemons
> > > > Size        : 368577
> > > > License     : BSD and GPLv2+
> > > > Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID 24c6a8a7f4a80eb5
> > > > Source RPM  : iputils-20121221-7.el7.src.rpm
> > > > Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
> > > > Build Host  : worker1.bsys.centos.org
> > > > Relocations : (not relocatable)
> > > > Packager    : CentOS BuildSystem <http://bugs.centos.org>
> > > > Vendor      : CentOS
> > > > URL         : http://www.skbuff.net/iputils
> > > > Summary     : Network monitoring tools including ping
> > > > Description :
> > > > The iputils package contains basic utilities for monitoring a network,
> > > > including ping. The ping command sends a series of ICMP protocol
> > > > ECHO_REQUEST packets to a specified network host to discover whether
> > > > the target machine is alive and receiving network traffic.
> > > > -------------------------------------
> > > > imho it's a bug! without it ping is not working from any docker
> > > > container based on centos7.
> > > >

-- 
Jeremy Eder
