Bug 1536129

Summary: rh-python36 base image violates the certified container rpm_verify_successful test
Product: Red Hat Software Collections
Reporter: Paul Christensen <pchriste>
Component: rh-python36-container
Assignee: Tomas Orsava <torsava>
Status: CLOSED RAWHIDE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium
Docs Contact: Lenka Špačková <lkuprova>
Priority: high
Version: rh-python36
CC: bcook, cstratak, hhorak, jorton, mcyprian, pchriste, python-maint, torsava
Target Milestone: alpha
Target Release: 3.1
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2018-04-12 09:26:34 UTC
Type: Bug
Attachments: rpm -Va output of rh-python36-python-libs-3.6.3-1.el7.x86_64 (flags: none)

Description Paul Christensen 2018-01-18 16:48:15 UTC
Created attachment 1382974
rpm -Va output of rh-python36-python-libs-3.6.3-1.el7.x86_64

Description of problem:

When building a docker image using python-36-rhel7 as a base, the resulting image will fail to pass the certification scan. The failure is in the rpm_verify_successful test and is caused by invalid permissions on multiple files which have permissions of 664 where it should be 644.

Output example:

RHEL system:

[root@RHEL72-20160609]# ls -al /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

-rw-r--r--. 1 root root 36231 Oct  5 17:28 /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

Example in container:

(app-root) ls -al /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

-rw-rw-r--. 1 root root 36231 Oct  6 00:28 /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py



I'm not sure why this is happening. It may be similar to this BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=1481808


Version-Release number of selected component (if applicable):


Packages affected:

rh-python36-python-libs-3.6.3-1.el7.x86_64
rh-python36-python-devel-3.6.3-1.el7.x86_64



How reproducible:

100% reproducible


Steps to Reproduce:
1. Build image using FROM registry.access.redhat.com/rhscl/python-36-rhel7
2. docker run -it -t <image name> /bin/bash
3. rpm -Va 

Actual results:

See attachment


Expected results:

No output


Additional info:

Comment 5 Michal Cyprian 2018-02-02 13:54:22 UTC
I am looking into this, I still don't know what might be the origin of the issue.

Comment 7 Michal Cyprian 2018-02-03 20:45:03 UTC
A virtual environment is created under APP_ROOT (/opt/app-root/), so /opt/app-root/lib64/python3.6/codecs.py is a symlink to /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py. The fix-permissions script [0] is executed during docker build and it applies chmod to symlinked python libraries under APP_ROOT. This is the reason why the permissions of the scl files are changed.

[0] https://github.com/sclorg/s2i-base-container/blob/master/core/root/usr/bin/fix-permissions
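
The mechanism described in comment 7, reproduced in a throwaway sandbox as an added example (not part of the original comment and not the project's fix-permissions script). The directory names `scl` and `app-root`, the helper function names, and the use of GNU `stat` are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sandbox: scl/ stands in for /opt/rh/rh-python36/root (package-owned),
# app-root/ for the virtual environment under APP_ROOT. Both names are hypothetical.
setup_sandbox() {
    sandbox=$(mktemp -d)
    mkdir -p "$sandbox/scl" "$sandbox/app-root"
    printf 'package file\n' > "$sandbox/scl/codecs.py"
    printf 'application file\n' > "$sandbox/app-root/app.py"
    chmod 644 "$sandbox/scl/codecs.py" "$sandbox/app-root/app.py"
    ln -s "$sandbox/scl/codecs.py" "$sandbox/app-root/codecs.py"
    printf '%s\n' "$sandbox"
}

# Octal mode of a file (GNU stat syntax, assumed available).
file_mode() { stat -c '%a' "$1"; }

# find does not descend through symlinks by default, but it still hands the
# link path to chmod, and chmod on a symlink operand changes the link target.
fix_naive() { find "$1" -exec chmod g+rw {} +; }

# Same sweep, but symlinks are never passed to chmod.
fix_skip_symlinks() { find "$1" ! -type l -exec chmod g+rw {} +; }

# Run one fixer ($1) on a fresh sandbox; print "<package mode> <app mode>".
demo() {
    sandbox=$(setup_sandbox)
    "$1" "$sandbox/app-root"
    printf '%s %s\n' "$(file_mode "$sandbox/scl/codecs.py")" \
                     "$(file_mode "$sandbox/app-root/app.py")"
    rm -rf "$sandbox"
}

echo "naive:         $(demo fix_naive)"          # 664 664: package file altered
echo "skip symlinks: $(demo fix_skip_symlinks)"  # 644 664: package file intact
```

A package-owned file whose mode no longer matches the RPM database is what rpm -Va reports, which is why the naive sweep makes the image fail rpm_verify_successful.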

Comment 9 Michal Cyprian 2018-02-13 06:39:51 UTC
Fixes were pushed to GitHub repositories:
    - base-container https://github.com/sclorg/s2i-base-container/pull/154

    - python-container https://github.com/sclorg/s2i-python-container/pull/245#issuecomment-364867925

The rh-python36 component (and other versions) should have the right permission values after the next rebuild.

Comment 11 Michal Cyprian 2018-04-12 09:26:34 UTC
There are no files from rh-python36-python-* in output of rpm -Va command in the current images. Closing this.