Bug 1012952 - docker: error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
docker: error: unpacking of archive failed on file /usr/sbin/suexec: cpio: ca...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: docker-io (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lokesh Mandvekar
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-27 08:35 EDT by Marek Goldmann
Modified: 2014-07-01 18:59 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-31 01:19:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace from rpm installation of httpd in a container (544.36 KB, text/plain)
2013-09-27 10:07 EDT, Marek Goldmann
no flags Details
Remove setfcap from lxc.cap.drop (3.34 KB, patch)
2013-09-27 12:59 EDT, Marek Goldmann
no flags Details | Diff

  None (edit)
Description Marek Goldmann 2013-09-27 08:35:41 EDT
Description of problem:

When installing (using yum) some packages docker fails with error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file

If we're trying to install such package (httpd for example) in docker run environment - we have a workaround which is to specify "-privileged=true" option to the run command.

Unfortunately we cannot do this when running the install inside a Dockerfile ( RUN command). This fails the build:

 ---> Running in 087750726dfd
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-2.fc20 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-2.fc20 for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-2.fc20.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-2.fc20.x86_64
---> Package mod_cluster.x86_64 0:1.2.6-1.fc20 will be installed
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-2.fc20 will be installed
---> Package apr-util.x86_64 0:1.5.2-4.fc20 will be installed
---> Package fedora-logos.noarch 0:19.0.4-3.fc20 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-2.fc20 will be installed
---> Package mailcap.noarch 0:2.1.41-2.fc20 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version               Repository            Size
================================================================================
Installing:
 httpd             x86_64      2.4.6-2.fc20          fedora               1.2 M
 mod_cluster       x86_64      1.2.6-1.fc20          updates-testing       68 k
Installing for dependencies:
 apr               x86_64      1.4.8-2.fc20          fedora               100 k
 apr-util          x86_64      1.5.2-4.fc20          fedora                90 k
 fedora-logos      noarch      19.0.4-3.fc20         fedora               8.7 M
 httpd-tools       x86_64      2.4.6-2.fc20          fedora                76 k
 mailcap           noarch      2.1.41-2.fc20         fedora                31 k

Transaction Summary
================================================================================
Install  2 Packages (+5 Dependent packages)

Total download size: 10 M
Installed size: 13 M
Downloading packages:
warning: /var/cache/yum/x86_64/20/fedora/packages/apr-1.4.8-2.fc20.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 246110c1: NOKEY
Public key for apr-1.4.8-2.fc20.x86_64.rpm is not installed
Public key for mod_cluster-1.2.6-1.fc20.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                           2.6 MB/s |  10 MB     00:03     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
Importing GPG key 0x246110C1:
 Userid     : "Fedora (20) <fedora@fedoraproject.org>"
 Fingerprint: c7c9 a9c8 9153 f201 83ce 7cba 2eb1 61fa 2461 10c1
 Package    : fedora-release-20-0.7.noarch (@fedora/$releasever)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-2.fc20.x86_64                                      1/7 
  Installing : apr-util-1.5.2-4.fc20.x86_64                                 2/7 
  Installing : httpd-tools-2.4.6-2.fc20.x86_64                              3/7 
  Installing : mailcap-2.1.41-2.fc20.noarch                                 4/7 
  Installing : fedora-logos-19.0.4-3.fc20.noarch                            5/7 
  Installing : httpd-2.4.6-2.fc20.x86_64                                    6/7Error unpacking rpm package httpd-2.4.6-2.fc20.x86_64
 
error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
  Installing : mod_cluster-1.2.6-1.fc20.x86_64                              7/7 
error: httpd-2.4.6-2.fc20.x86_64: install failed
  Verifying  : httpd-tools-2.4.6-2.fc20.x86_64                              1/7 
  Verifying  : fedora-logos-19.0.4-3.fc20.noarch                            2/7 
  Verifying  : mailcap-2.1.41-2.fc20.noarch                                 3/7 
  Verifying  : apr-1.4.8-2.fc20.x86_64                                      4/7 
  Verifying  : apr-util-1.5.2-4.fc20.x86_64                                 5/7 
  Verifying  : mod_cluster-1.2.6-1.fc20.x86_64                              6/7 
  Verifying  : httpd-2.4.6-2.fc20.x86_64                                    7/7 

Installed:
  mod_cluster.x86_64 0:1.2.6-1.fc20                                             

Dependency Installed:
  apr.x86_64 0:1.4.8-2.fc20               apr-util.x86_64 0:1.5.2-4.fc20       
  fedora-logos.noarch 0:19.0.4-3.fc20     httpd-tools.x86_64 0:2.4.6-2.fc20    
  mailcap.noarch 0:2.1.41-2.fc20         

Failed:
  httpd.x86_64 0:2.4.6-2.fc20                                                   

Complete!
Error build: The command [/bin/sh -c yum install -y httpd mod_cluster] returned a non-zero code: 1
The command [/bin/sh -c yum install -y httpd mod_cluster] returned a non-zero code: 1
Comment 1 Marek Goldmann 2013-09-27 10:07:48 EDT
Created attachment 803970 [details]
strace from rpm installation of httpd in a container

Attaching a strace log where where can see that the issue is in setting "security.capability" attribute with the "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" value for /usr/sbin/suexec file.

=====================

ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
removexattr("/usr/sbin/suexec", "security.capability") = -1 EPERM (Operation not permitted)
rename("/usr/sbin/suexec;52458e7c", "/usr/sbin/suexec") = 0
getuid()                                = 0
getuid()                                = 0
chown("/usr/sbin/suexec", 0, 48)        = 0
chmod("/usr/sbin/suexec", 0510)         = 0
utime("/usr/sbin/suexec", [2013/09/27-13:22:45, 2013/09/27-13:22:45]) = 0
getuid()                                = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
setxattr("/usr/sbin/suexec", "security.capability", "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 20, 0) = -1 EPERM (Operation not permitted)
close(23)                               = 0
munmap(0x7f4a8238d000, 4096

=====================


The filesystem is mounted like this:

/dev/mapper/docker-39fbe6132eb8f36bf6ef24024b0762ddc28a145f26f944ad16d827addd3a2916 on / type ext4 (rw,relatime,discard,stripe=64,data=ordered)
Comment 2 Marek Goldmann 2013-09-27 10:24:31 EDT
I think that this is related to blocking linux capabilities:

https://github.com/dotcloud/docker/blob/5a01f7485c6df95f747e08d2cad3d4c934b811bc/lxc_template.go#L114

Especially we see there "setfcap" listed which is required to run setxattr() on files. Maybe we can drop "setfcap" from the template to make it work?

BTW: There is a different option: "lxc.cap.drop" coming: http://sourceforge.net/mailarchive/message.php?msg_id=31054627
Comment 3 Matthew Miller 2013-09-27 11:07:28 EDT
We need someone with security expertise to review, but I think the general sense is that allowing setfcap in non-privileged mode should be okay.
Comment 4 Marek Goldmann 2013-09-27 12:59:39 EDT
Created attachment 804061 [details]
Remove setfcap from lxc.cap.drop

I can confirm that removing setfcap from lxc.cap.drop fixes this issue. I'm attaching a patch that can be applied against Rawhide directly.

Hope someone can confirm that it's safe to do so.
Comment 5 Daniel Walsh 2013-09-28 06:42:03 EDT
I would not confirm that it is safe. 

BUT, since you are allowing setting a file to 4755 ROOT/ROOT, this is less unsafe, although I always believed that adding setuid or setgid permissions on a file should be governed by setfcap...

We do not currently allow this in virt-sandbox containers, but we don't do installs there.
Comment 6 Matthew Miller 2013-09-30 08:23:21 EDT
"less unsafe" seems like the magic words here.
Comment 7 Marek Goldmann 2013-10-03 05:04:50 EDT
I have applied this patch and a docker-io package is available in my repo: http://goldmann.fedorapeople.org/repos/docker.repo Grab version >= 0.6.3-2.

Note You need to log in before you can comment on or make changes to this bug.