Bug 1012952

Summary: docker: error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
Product: [Fedora] Fedora Reporter: Marek Goldmann <mgoldman>
Component: docker-ioAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bressers, dwalsh, goeran, jkeck, lsm5, mattdm, mgoldman
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-31 05:19:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
strace from rpm installation of httpd in a container
none
Remove setfcap from lxc.cap.drop none

Description Marek Goldmann 2013-09-27 12:35:41 UTC 
Description of problem:

When installing (using yum) some packages docker fails with error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file

If we're trying to install such package (httpd for example) in docker run environment - we have a workaround which is to specify "-privileged=true" option to the run command.

Unfortunately we cannot do this when running the install inside a Dockerfile ( RUN command). This fails the build:

 ---> Running in 087750726dfd
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-2.fc20 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-2.fc20 for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-2.fc20.x86_64
---> Package mod_cluster.x86_64 0:1.2.6-1.fc20 will be installed
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-2.fc20 will be installed
---> Package apr-util.x86_64 0:1.5.2-4.fc20 will be installed
---> Package fedora-logos.noarch 0:19.0.4-3.fc20 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-2.fc20 will be installed
---> Package mailcap.noarch 0:2.1.41-2.fc20 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version               Repository            Size
================================================================================
Installing:
 httpd             x86_64      2.4.6-2.fc20          fedora               1.2 M
 mod_cluster       x86_64      1.2.6-1.fc20          updates-testing       68 k
Installing for dependencies:
 apr               x86_64      1.4.8-2.fc20          fedora               100 k
 apr-util          x86_64      1.5.2-4.fc20          fedora                90 k
 fedora-logos      noarch      19.0.4-3.fc20         fedora               8.7 M
 httpd-tools       x86_64      2.4.6-2.fc20          fedora                76 k
 mailcap           noarch      2.1.41-2.fc20         fedora                31 k

Transaction Summary
================================================================================
Install  2 Packages (+5 Dependent packages)

Total download size: 10 M
Installed size: 13 M
Downloading packages:
warning: /var/cache/yum/x86_64/20/fedora/packages/apr-1.4.8-2.fc20.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 246110c1: NOKEY
Public key for apr-1.4.8-2.fc20.x86_64.rpm is not installed
Public key for mod_cluster-1.2.6-1.fc20.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                           2.6 MB/s |  10 MB     00:03     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
Importing GPG key 0x246110C1:
 Userid     : "Fedora (20) <fedora>"
 Fingerprint: c7c9 a9c8 9153 f201 83ce 7cba 2eb1 61fa 2461 10c1
 Package    : fedora-release-20-0.7.noarch (@fedora/$releasever)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-2.fc20.x86_64                                      1/7 
  Installing : apr-util-1.5.2-4.fc20.x86_64                                 2/7 
  Installing : httpd-tools-2.4.6-2.fc20.x86_64                              3/7 
  Installing : mailcap-2.1.41-2.fc20.noarch                                 4/7 
  Installing : fedora-logos-19.0.4-3.fc20.noarch                            5/7 
  Installing : httpd-2.4.6-2.fc20.x86_64                                    6/7Error unpacking rpm package httpd-2.4.6-2.fc20.x86_64
 
error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
  Installing : mod_cluster-1.2.6-1.fc20.x86_64                              7/7 
error: httpd-2.4.6-2.fc20.x86_64: install failed
  Verifying  : httpd-tools-2.4.6-2.fc20.x86_64                              1/7 
  Verifying  : fedora-logos-19.0.4-3.fc20.noarch                            2/7 
  Verifying  : mailcap-2.1.41-2.fc20.noarch                                 3/7 
  Verifying  : apr-1.4.8-2.fc20.x86_64                                      4/7 
  Verifying  : apr-util-1.5.2-4.fc20.x86_64                                 5/7 
  Verifying  : mod_cluster-1.2.6-1.fc20.x86_64                              6/7 
  Verifying  : httpd-2.4.6-2.fc20.x86_64                                    7/7 

Installed:
  mod_cluster.x86_64 0:1.2.6-1.fc20                                             

Dependency Installed:
  apr.x86_64 0:1.4.8-2.fc20               apr-util.x86_64 0:1.5.2-4.fc20       
  fedora-logos.noarch 0:19.0.4-3.fc20     httpd-tools.x86_64 0:2.4.6-2.fc20    
  mailcap.noarch 0:2.1.41-2.fc20         

Failed:
  httpd.x86_64 0:2.4.6-2.fc20                                                   

Complete!
Error build: The command [/bin/sh -c yum install -y httpd mod_cluster] returned a non-zero code: 1
The command [/bin/sh -c yum install -y httpd mod_cluster] returned a non-zero code: 1
Comment 1 Marek Goldmann 2013-09-27 14:07:48 UTC 
Created attachment 803970 [details]
strace from rpm installation of httpd in a container

Attaching a strace log where where can see that the issue is in setting "security.capability" attribute with the "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" value for /usr/sbin/suexec file.

=====================

ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
removexattr("/usr/sbin/suexec", "security.capability") = -1 EPERM (Operation not permitted)
rename("/usr/sbin/suexec;52458e7c", "/usr/sbin/suexec") = 0
getuid()                                = 0
getuid()                                = 0
chown("/usr/sbin/suexec", 0, 48)        = 0
chmod("/usr/sbin/suexec", 0510)         = 0
utime("/usr/sbin/suexec", [2013/09/27-13:22:45, 2013/09/27-13:22:45]) = 0
getuid()                                = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
setxattr("/usr/sbin/suexec", "security.capability", "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 20, 0) = -1 EPERM (Operation not permitted)
close(23)                               = 0
munmap(0x7f4a8238d000, 4096

=====================


The filesystem is mounted like this:

/dev/mapper/docker-39fbe6132eb8f36bf6ef24024b0762ddc28a145f26f944ad16d827addd3a2916 on / type ext4 (rw,relatime,discard,stripe=64,data=ordered)
Comment 2 Marek Goldmann 2013-09-27 14:24:31 UTC 
I think that this is related to blocking linux capabilities:

https://github.com/dotcloud/docker/blob/5a01f7485c6df95f747e08d2cad3d4c934b811bc/lxc_template.go#L114

Especially we see there "setfcap" listed which is required to run setxattr() on files. Maybe we can drop "setfcap" from the template to make it work?

BTW: There is a different option: "lxc.cap.drop" coming: http://sourceforge.net/mailarchive/message.php?msg_id=31054627
Comment 3 Matthew Miller 2013-09-27 15:07:28 UTC 
We need someone with security expertise to review, but I think the general sense is that allowing setfcap in non-privileged mode should be okay.
Comment 4 Marek Goldmann 2013-09-27 16:59:39 UTC 
Created attachment 804061 [details]
Remove setfcap from lxc.cap.drop

I can confirm that removing setfcap from lxc.cap.drop fixes this issue. I'm attaching a patch that can be applied against Rawhide directly.

Hope someone can confirm that it's safe to do so.
Comment 5 Daniel Walsh 2013-09-28 10:42:03 UTC 
I would not confirm that it is safe. 

BUT, since you are allowing setting a file to 4755 ROOT/ROOT, this is less unsafe, although I always believed that adding setuid or setgid permissions on a file should be governed by setfcap...

We do not currently allow this in virt-sandbox containers, but we don't do installs there.
Comment 6 Matthew Miller 2013-09-30 12:23:21 UTC 
"less unsafe" seems like the magic words here.
Comment 7 Marek Goldmann 2013-10-03 09:04:50 UTC 
I have applied this patch and a docker-io package is available in my repo: http://goldmann.fedorapeople.org/repos/docker.repo Grab version >= 0.6.3-2.