Bug 1655214
| Summary: | docker exec does not work with registry.access.redhat.com/rhel7:7.3 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | docker | Assignee: | Frantisek Kluknavsky <fkluknav> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.6 | CC: | aabhishe, amurdaca, arghosh, bugzilla.redhat.com, chaoyang, ddarrah, dornelas, erjones, fshaikh, hasuzuki, jarle.bjorgeengen, jmalde, jpazdziora, lmohanty, lsm5, lxia, marc, maschmid, mharri, mickael.canevet, mikael.barbero, mpatel, nils.ketelsen, pavel, philipp.dallig, pkubat, pthomas, rhbz, ruben, santiago, sardella, subhat, swami, tatsuya, tomade, travi, uobergfe, wehe, william, wmeng, xxia, ykonotopov |
| Target Milestone: | rc | Keywords: | Extras, Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | docker-1.13.1-88.git07f3374.el7_6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: The docker-runc binary used by docker shipped in 7.6.1 Extras was built with an older version of golang which had a bug leading to a crash in certain FIPS modes. Consequence: docker didn't work with some images. Fix: a new docker package with docker-runc has been built with an updated golang dependency to take care of FIPS compliance. Result: docker works as expected. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-12-06 19:57:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1186913, 1636853 | ||
Description
Jan Pazdziora (Red Hat)
2018-12-01 09:44:06 UTC
I can reproduce. Some images are working, and some others don't:

Working images:
- registry.access.redhat.com/rhel7:7.4
- registry.access.redhat.com/rhel7:7.5
- registry.access.redhat.com/rhel7:7.6
- centos:7

Not working images:
- registry.access.redhat.com/rhel7:7.3
- debian:9
- ubuntu:18.04

It used to work on RHEL 7.5.

The problem is also present with images
- registry.fedoraproject.org/fedora:rawhide
- registry.fedoraproject.org/fedora:29
- registry.fedoraproject.org/fedora:28

So it looks like anything that is not recent registry.access.redhat.com/rhel7 or centos image is not usable by latest docker. Let me increase the severity and priority of this bug.

Lokesh, is this a duplicate of Bug 1650512 - podman exec faile with "panic: boringcrypto: not in FIPS mode" ?

Sorry, I meant is this related? The runc BZ is already closed with errata.

*** Bug 1655975 has been marked as a duplicate of this bug. ***

*** Bug 1655971 has been marked as a duplicate of this bug. ***

More images could be affected - for example I can reproduce this bug with image https://hub.docker.com/r/andyshinn/dnsmasq/. This issue is also mentioned on SO: https://stackoverflow.com/questions/53605666/cant-execute-bash-in-docker-container

*** Bug 1656119 has been marked as a duplicate of this bug. ***

We see this issue with centos 6.x based containers as well. Downgrade workaround works. Also upgrading to docker-1.13.1-87.git07f3374.el7.x86_64.rpm worked as well. We picked the rpms from https://cbs.centos.org/koji/buildinfo?buildID=24652

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3796

```
# Look up the host PID of the container's init process
PID=$(docker inspect --format '{{.State.Pid}}' <name of container>)
# Enter that process's namespaces and start a shell
nsenter --target $PID --mount --uts --ipc --net --pid /bin/sh
```

is a possible temporary workaround to this issue.