Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1481808

Summary: The nodejs-4-rhel7 base image violates the certified container rpm_verify_successful test
Product: Red Hat Software Collections Reporter: Cameron Brunner <brunner>
Component: s2i-core-containerAssignee: Petr Kubat <pkubat>
Status: CLOSED ERRATA QA Contact: David Jež <djez>
Severity: high Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified    
Version: unspecifiedCC: bcook, brunner, djez, jorton
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-23 08:37:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Cameron Brunner 2017-08-15 19:03:26 UTC
Description of problem:

When building a docker image using nodejs-4-rhel7 as a base the resulting image will fail to pass the certification scan.  The failure is in the rpm_verify_successful test and is caused by invalid permissions on the /usr/bin directory (755 instead of 555).

The nodejs-4-rhel7 image should be rebuilt with the proper permissions on /usr/bin

Version-Release number of selected component (if applicable):

The f88cc44c902f image built 2 weeks ago shows this problem
The fbeb44aa2290 image built 7 weeks ago does not have this problem

How reproducible:

100% reproducible.

Steps to Reproduce:
1.  Run the following command:

    $docker run -u root --rm -it registry.access.redhat.com/rhscl/nodejs-4-rhel7 -- bash -c 'rpm -V filesystem; echo $?'

Actual results:
.M.......    /usr/bin
1

Expected results:
0

Additional info:
I worked around this for my submission by adding 'chmod 555 /usr/bin' in my Dockerfile.  With this workaround the certification scan passed.

Comment 3 Joe Orton 2017-10-05 08:31:29 UTC
Is this happening because of the line in rhscl/s2i-core-rhel7 doing:

COPY ./root/ /

which modifies /usr/bin?

Even for the rhel7 image I get:

sudo docker run -u root --rm registry.access.redhat.com/rhel7 rpm -V filesystem
.M.......    /

... so I'm surprised this is failing certification testing.

Comment 5 Petr Kubat 2017-10-05 08:50:08 UTC
Thanks for the report, we are aware of this issue. As Joe correctly pointed out this is happening due to how we copy in the files during docker build.

We are currently looking for the best way of dealing with this (likely going to use something similar to `rpm --setperms filesystem`) but we aim to have this fixed by the next time the images get rebuilt.

Comment 6 Cameron Brunner 2017-10-05 17:07:16 UTC
Thanks for the update; I am looking forward to the fix!

Comment 8 Petr Kubat 2017-10-09 10:52:30 UTC
(In reply to Joe Orton from comment #3)
> Even for the rhel7 image I get:
> 
> sudo docker run -u root --rm registry.access.redhat.com/rhel7 rpm -V
> filesystem
> .M.......    /
> 
> ... so I'm surprised this is failing certification testing.

I also ran into this while investigating the issue and it seems that this is caused only on some of docker's storage drivers (I can reproduce on overlay2). Docker seems to ignore any changes made to the permissions of '/' so it is stuck with the 755 value, making rpm verification complain. This does not seem to happen when 'devicemapper' is used.

I have opened up a bug report agains docker to hopefully get this fixed (bug 1499755).

Upstream PR that fixes wrong permissions on '/usr' (and other directories) can be found over here:
https://github.com/sclorg/s2i-base-container/pull/134

Comment 12 errata-xmlrpc 2017-10-23 08:37:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3000