Yeah, I'm seeing that now. This is interesting though, as the images have all been made the same way. I'm using livemedia-creator to generate a disk image, and virt-tar-out to package it up. This is how we've done the centos-6 and 7 containers for a while now, but your rpm commands give me a bit more to go on. I'll poke at it a few different ways to see what's going on.
On 02/11/2016 05:49 AM, Jeremy Eder wrote:
> Hey Jim --
>
> Eric's right. Something's up with the attributes on the iputils files that are in the base centos image. I found that the "centos tools image" does not exhibit this behavior.
>
> [root@dhcp23-177 ~]# docker run -it centos rpm -V iputils
> ........P /usr/bin/ping
> ........P /usr/bin/ping6
> ........P /usr/sbin/arping
> ........P /usr/sbin/clockdiff
>
> Those were the 4 files touched by the patch that fixed the issue in the original bugzilla.
>
> [root@dhcp23-177 ~]# docker run -it centos/tools rpm -V iputils
> [root@dhcp23-177 ~]#
>
> And Levente's reproducer looks better when using the tools image.
>
> [root@dhcp23-177 ~]# docker run -it centos/tools bash
> [root@af28656bfae7 /]# adduser test
> [root@af28656bfae7 /]# su - test
> [test@af28656bfae7 ~]$ ping google.com
> PING google.com (216.58.217.142) 56(84) bytes of data.
> 64 bytes from iad23s43-in-f14.1e100.net (216.58.217.142): icmp_seq=1 ttl=52 time=12.2 ms
> ^C
> --- google.com ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>
> Note that as root in the base centos container, ping works fine. It's only when you adduser and run ping as non-root that the issue shows up.
>
> On Wed, Feb 10, 2016 at 11:48 PM, Eric Paris <[email protected]> wrote:
>
>> On Wed, 2016-02-10 at 21:40 -0500, Jason Brooks wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Eric Paris" <[email protected]>
>>>> To: "Farkas Levente" <[email protected]>, "CentOS devel" <centos-[email protected]>, [email protected]
>>>> Sent: Wednesday, February 10, 2016 5:00:31 PM
>>>> Subject: Re: [atomic] official centos-7 docker image are wrong
>>>>
>>>> I'm willing to bet one week's pay that RH didn't silently release the same version twice with different code...
>>>>
>>>> Wasn't there a problem that one of the base image build systems somehow didn't support file caps and so the caps were being silently lost? Maybe something about squashfs not understanding filecaps and rpm not considering that a permanent failure... Very very hazy...
>>>
>>> There was this:
>>>
>>> http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-containers-on-atomic-hosts/
>>
>> Yeah, I (sorta) remember those issues too, but don't think that is it either. ping in the centos images doesn't have any file caps... In that case the problem was it had CAP_EFFECTIVE set and shouldn't have.
>>
>> My money would be on the environment where the iputils binary was installed which differs between Centos and RHEL... (but a much much smaller amount of money)
>>
>> -Eric
>>
>>>>
>>>> I know I remember this bug in the back of my head...
>>>>
>>>> In any case if you look in the centos base image (after installing attr)
>>>>
>>>> # getfattr -n security.capability /usr/bin/ping
>>>> /usr/bin/ping: security.capability: No such attribute
>>>>
>>>> # rpm -V iputils
>>>> ........P /usr/bin/ping
>>>> ........P /usr/bin/ping6
>>>> ........P /usr/sbin/arping
>>>> ........P /usr/sbin/clockdiff
>>>>
>>>> So while the right version/rpm was installed the actual bits in the base image aren't what the rpm says they should be! The bug is in how the base image is created... I don't know where, but just building it again will likely just keep doing the wrong thing...
>>>>
>>>> I know this will trigger the mind of someone who was looking into this months and months ago...
>>>>
>>>> -Eric
>>>>
>>>> On Wed, 2016-02-10 at 11:15 +0100, Farkas Levente wrote:
>>>>> hi,
>>>>> according to this bug
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1142311
>>>>> rh silently replaced iputils with the same version with fixed capabilities.
>>>>> unfortunately the official base centos-7 (ie. latest 7.2) docker images are built with the wrong version, so these images have to be rebuilt with the proper version.
>>>>> currently in the official centos7 docker images:
>>>>> -------------------------------------
>>>>> # rpm -qi iputils
>>>>> Name        : iputils
>>>>> Version     : 20121221
>>>>> Release     : 7.el7
>>>>> Architecture: x86_64
>>>>> Install Date: Wed 23 Dec 2015 06:09:24 PM UTC
>>>>> Group       : System Environment/Daemons
>>>>> Size        : 368577
>>>>> License     : BSD and GPLv2+
>>>>> Signature   : RSA/SHA256, Wed 25 Nov 2015 02:43:41 PM UTC, Key ID 24c6a8a7f4a80eb5
>>>>> Source RPM  : iputils-20121221-7.el7.src.rpm
>>>>> Build Date  : Fri 20 Nov 2015 07:12:19 PM UTC
>>>>> Build Host  : worker1.bsys.centos.org
>>>>> Relocations : (not relocatable)
>>>>> Packager    : CentOS BuildSystem <http://bugs.centos.org>
>>>>> Vendor      : CentOS
>>>>> URL         : http://www.skbuff.net/iputils
>>>>> Summary     : Network monitoring tools including ping
>>>>> Description :
>>>>> The iputils package contains basic utilities for monitoring a network,
>>>>> including ping. The ping command sends a series of ICMP protocol
>>>>> ECHO_REQUEST packets to a specified network host to discover whether
>>>>> the target machine is alive and receiving network traffic.
>>>>> -------------------------------------
>>>>>
>>>>> while in the centos repo:
>>>>> -------------------------------------
>>>>> # rpm -qi iputils
>>>>> Name        : iputils
>>>>> Version     : 20121221
>>>>> Release     : 7.el7
>>>>> Architecture: x86_64
>>>>> Install Date: Tue 15 Dec 2015 03:15:22 PM CET
>>>>> Group       : System Environment/Daemons
>>>>> Size        : 368577
>>>>> License     : BSD and GPLv2+
>>>>> Signature   : RSA/SHA256, Wed 25 Nov 2015 03:43:41 PM CET, Key ID 24c6a8a7f4a80eb5
>>>>> Source RPM  : iputils-20121221-7.el7.src.rpm
>>>>> Build Date  : Fri 20 Nov 2015 08:12:19 PM CET
>>>>> Build Host  : worker1.bsys.centos.org
>>>>> Relocations : (not relocatable)
>>>>> Packager    : CentOS BuildSystem <http://bugs.centos.org>
>>>>> Vendor      : CentOS
>>>>> URL         : http://www.skbuff.net/iputils
>>>>> Summary     : Network monitoring tools including ping
>>>>> Description :
>>>>> The iputils package contains basic utilities for monitoring a network,
>>>>> including ping. The ping command sends a series of ICMP protocol
>>>>> ECHO_REQUEST packets to a specified network host to discover whether
>>>>> the target machine is alive and receiving network traffic.
>>>>> -------------------------------------
>>>>> imho it's a bug! without it ping is not working from any docker container based on centos7.
>>>>>
>>>>
>>>>
>>>
>>
>>
>

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
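The two checks the thread relies on, `rpm -V` (the trailing `P` column) and the on-disk `security.capability` xattr, are easy to script so an image build pipeline fails fast instead of shipping a ping that only root can run. The following is an added example and not code from the thread or from CentOS; it parses `rpm -V` output for the capabilities column and normalises `getcap` output so the capability string can be inspected. The `rpm -V` sample it runs on is constructed to look like the thread's (the tracepath and README lines are made up to show the non-cap cases); the two `getcap` line shapes are the older `path = caps` and newer `path caps` forms; and the `caps_effective` check targets the earlier failure mode Eric mentions, where ping carried the Effective bit it should not have had.

```shell
#!/bin/sh
# Added example (not from the thread): audit a package's file capabilities.
#
# `rpm -V` prints a 9-character field per file: S M 5 D L U G T P. A '.' means
# that attribute matches the package header, a letter means it differs, '?'
# means it could not be tested. Column 9 ('P') is the capabilities test, which
# is what was flagged on ping, ping6, arping and clockdiff in the base image.

# caps_mismatches: read `rpm -V <pkg>` output on stdin and print one line per
# file whose capability column is flagged ("capsdiff /path") or which is not
# on disk at all ("missing /path"). Returns 1 if anything was printed, 0 if
# the package verified clean with respect to capabilities.
caps_mismatches() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "") continue ;;
            # rpm prints "missing     /path" when the file is absent
            missing*)   printf 'missing  /%s\n' "${line#*/}"; found=1 ;;
            # nine-column flag field whose 9th column is P: caps differ
            ????????P*) printf 'capsdiff /%s\n' "${line#*/}"; found=1 ;;
        esac
    done
    return "$found"
}

# getcap_value: given one line of `getcap` output, print just the capability
# text. Older libcap prints "path = caps", newer libcap prints "path caps".
getcap_value() {
    case "$1" in
        *" = "*) printf '%s\n' "${1#* = }" ;;
        *)       printf '%s\n' "${1#* }" ;;
    esac
}

# caps_effective: succeed if a capability string carries the Effective flag,
# e.g. "cap_net_raw+ep" or "cap_net_raw=ep". A ping that only needs the
# Permitted bit ("+p") should not have it; that was the 2015 Atomic host
# problem referenced in the thread, the opposite failure from the one here.
caps_effective() {
    case "$1" in
        *[+=]*e*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample of `rpm -V iputils` output, modelled on the thread's,
# plus a file with only an mtime change and a missing file (both made up).
RPM_V_SAMPLE='........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
.......T.    /usr/bin/tracepath
missing     /usr/share/doc/iputils-20121221/README'

# Demo on the constructed sample. On a real image you would instead run e.g.
#   docker run --rm centos rpm -V iputils | caps_mismatches
#   getcap /usr/bin/ping          (getcap comes with libcap; the thread uses
#                                  getfattr -n security.capability from attr)
printf '%s\n' "$RPM_V_SAMPLE" | caps_mismatches \
    || echo "iputils: file capabilities do not match the package header"
```

Wiring `caps_mismatches` into the image build (after livemedia-creator and virt-tar-out, before the image is pushed) turns the `........P` lines from something a user notices when `ping` fails as non-root into a failed build, and the `getcap_value` / `caps_effective` pair catches the inverse mistake of shipping the Effective bit.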
