-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Latest stable release 3602.2.0 introduces docker ownership issue; chown does not work for docker builds #1203
Comments
Go 1.18 is already EOL, so no security update at all. Since upstream docker projects already have Go 1.19, Flatcar should also have that. See also https://github.com/moby/moby/blob/5d6db842238e3c4f5f9fb9ad70ea46b35227d084/Dockerfile#L6. (cherry picked from commit 93a8983) Signed-off-by: Jeremi Piotrowski <[email protected]> Fixes: flatcar/Flatcar#1203
Thanks for the report. Opened a PR and will make sure its part of the next stable release. |
This is already fixed in Flatcar >=3619.0.0. |
Can you tell me more about how this is impacting you? What we could do is halt the rollout of stable-3602 until it's fixed, i'm looking to see if that is a viable way forward. |
Our software uses flatcar as the image for hosting Docker. Our build & test pipeline uses latest stable as the targeted version of flatcar. Latest stable is not compatible with the approach we use to interact with docker due to this issue, and our pipeline has broken as a result. In production environments we have specific pinned versions only, and are not affected. We have swapped our build & test to target LTS to resolve pipeline issues, but will need to find another way of testing compatibility with flatcar stable if this is a longer-term thing. We are affected in GCP, not Azure, so if you could rollback latest in GCP that would resolve the issue for us too I expect. |
I have raised #1205 in order to pin against a previous |
I've documented how we're affected above. If we didn't have a particularly diligent operations team, who insisted on controlling the specific version we're using in production via a private repo, then we'd have downtime right now from following the recommendations in the flatcar docs. https://www.flatcar.org/docs/latest/installing/cloud/gcp/
Also, the link in this section that provides instructions to remove the auto-updates is broken (404)
|
I'm sorry for this issue making it into stable. The 3602 release was baking in beta for 4 months and this went unnoticed. Are you able to temporarily switch to either beta (unaffected) or pin to the previous flatcar stable release on your end (#1205 (comment))? Does that work for you? We would fast path a fixed 3602 stable release with an eta of next week.
I've filed a PR to fix the docs flatcar-archive/flatcar-docs#341. |
Not a problem, our Ops team kept us safe, just wanted to be clear on impact and potential impact.
We're using LTS now, and it's working. We're looking at options to test compatibility with different flatcar versions in the background so we get advance warning in future before pipelines start failing.
That's great, thank you.
I didn't realise it was just a bad link, thanks, looks like it points to https://www.flatcar.org/docs/latest/setup/releases/update-strategies/ |
@Exelscior @Threadache thanks for the report: I added a test case to our test suite to prevent this kind of regression to happen again (flatcar/mantle#462). |
@Exelscior hello, we just released a new Flatcar Stable version (3602.2.1) which should solve your issue. Can you confirm? |
@tormath1 I can confirm that Flatcar Stable version (3602.2.1) resolves the issue. |
Description
Since the latest stable release update to 3602.2.0 for Microsoft Azure from our previous version 3510.2.8 for Microsoft Azure, the docker runtime has been updated to version 20.10.24 from version 20.10.23 prior.
With the current stable version, docker builds and runs seem to omit ownership information during filesystem extraction and all files are owned by root regardless of chown usage during building.
Impact
Building container images and running them on the current stable version of Flatcar leads most likely to permission denied errors on non-root containers attempting to write files as all files belong to root regardless of chown commands during building.
Environment and steps to reproduce
To reproduce the bug:
a.
docker run --name bug-test alpine ls -l /etc/shadow
This command will show that file is owned by root:shadow (UID/GID 0/42)
b.
docker export bug-test | tar tv etc/shadow
This command will show that it is owned by UID/GID 0/0
Expected behavior
To show intended behaviour:
a.
docker run --name bug-test alpine ls -l /etc/shadow
This command will show that file is owned by root:shadow (UID/GID 0/42)
b.
docker export bug-test | tar tv etc/shadow
This command will show that it is owned by UID/GID 0/42
Additional information
We have currently resolved this with a forced rollback to Flatcar 3510.2.8 for Microsoft Azure.
After more searching this seems to be the exact same bug that Ubuntu release had back in August as referenced here : https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2029523/
The text was updated successfully, but these errors were encountered: