Bug 1187077 - Fedora:latest docker image yum won't update
Summary: Fedora:latest docker image yum won't update
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 21
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-29 10:07 UTC by Joe Borg
Modified: 2015-09-16 15:01 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-03 12:19:21 UTC
Type: Bug


Attachments (Terms of Use)

Description Joe Borg 2015-01-29 10:07:23 UTC
Description of problem:
I cannot install from or update yum inside Docker.

RUN yum install make automake gcc gcc-c++ kernel-devel tar wget
 ---> Running in 04cdfe47b7ac


 One of the configured repositories failed (Fedora 21 - x86_64),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable fedora

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=fedora.skip_if_unavailable=true

Cannot retrieve metalink for repository: fedora/21/x86_64. Please verify its path and try again

Version-Release number of selected component (if applicable):
Docker 1.4.1
Fedora:latest

How reproducible:
Seems rare, but I can find others with the issue (e.g. https://registry.hub.docker.com/_/fedora/ see comment from crackcomm)

Steps to Reproduce:
1. Take any examples https://github.com/fedora-cloud/Fedora-Dockerfiles
2. docker build an example
3. Wait for yum update / install

Actual results:
Yum errors and exits.

Expected results:
Yum update / install

Comment 1 Lokesh Mandvekar 2015-01-31 04:59:25 UTC
Do you see this problem on fedora:rawhide or fedora:20 as well?

re: fedora:latest, it'd have been great to know if you're able to ping an IP address successfully from a fedora:latest container, but looks like ping isn't available by default in fedora:latest and even upon installation I see /usr/bin/ping: Operation not permitted. This is something that we/I need to sort out with rel-eng.

So instead, please try this on rawhide instead:

$ sudo docker run -it fedora:rawhide bash
$ ping 8.8.8.8

..and let me know how that goes.

also, could you post your /etc/resolv.conf from the host, fedora:latest and fedora:rawhide.

Comment 2 Josef Cacek 2015-04-01 21:04:57 UTC
Reopening. (me too)
Seems like an SSL problem when connecting to mirrors.fedoraproject.org

I'm trying fedora:rawhide from Ubuntu (14.04) host:

$ docker run -it fedora:rawhide bash
bash-4.3# yum update


 One of the configured repositories failed (Fedora - Rawhide - Developmental packages for the next Fedora release),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable rawhide

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=rawhide.skip_if_unavailable=true

Cannot retrieve metalink for repository: rawhide/x86_64. Please verify its path and try again
bash-4.3# cat /etc/resolv.conf 
nameserver 8.8.8.8
nameserver 8.8.4.4
search jck
bash-4.3# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=11.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=10.1 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.140/10.571/11.002/0.431 ms

bash-4.3# curl 'https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-rawhide&arch=x86_64'
curl: (35) SSL received a record that exceeded the maximum permissible length.
bash-4.3# curl -v 'https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-rawhide&arch=x86_64'
* Hostname was NOT found in DNS cache
*   Trying 140.211.169.196...
* Connected to mirrors.fedoraproject.org (140.211.169.196) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

Comment 3 Daniel Walsh 2015-04-14 20:02:12 UTC
I don't see this as being a docker package issue, but an issue with the Fedora Container or the Mirror site.

Comment 4 Keith Sharp 2015-04-23 13:29:38 UTC
I'm seeing this as well (fully updated F21 VM).  It seems to be a interaction between the docker build process and some bad data on the mirrors.

As an experiment I tried to build the same Dockerfile on a fully update Centos 7 VM and saw the following errors:

Step 2 : RUN yum -y update && yum clean all
 ---> Running in 09b44b3a5c6e
http://fedora.mirrors.ovh.net/linux/updates/21/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml does not match metalink for updates
Trying other mirror.
Resolving Dependencies
--> Running transaction check

...snipped for brevity...

Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
http://ftp.heanet.ie/pub/fedora/linux/updates/21/x86_64/p/python-2.7.8-9.fc21.x86_64.rpm: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
--------------------------------------------------------------------------------
Total                                              183 kB/s |  65 MB  06:02     
Running transaction check

...snipped for brevity...

Complete!
Cleaning repos: fedora updates
Cleaning up everything
 ---> a766dc1ef52c
Removing intermediate container 09b44b3a5c6e
Successfully built a766dc1ef52c

As you can see the build eventually succeeded, though it took a very long time.

Comment 5 Daniel Walsh 2015-04-23 14:38:28 UTC
Again, this is not a docker issue.

Comment 6 Dmitry Voytik 2015-04-28 13:14:07 UTC
Try this:
systemctl restart firewalld  && systemctl restart docker

Comment 7 André Rainho 2015-09-16 15:01:22 UTC
You can solve it running "yum clean all" before the "yum update"
I my case i add it on a Dockerfile

FROM fedora:21
RUN yum clean all && yum update -y && yum upgrade -y


Note You need to log in before you can comment on or make changes to this bug.