Bug 1536129 - rh-python36 base image violates the certified container rpm_verify_successful test
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: rh-python36-container
Version: rh-python36
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: alpha
: 3.1
Assignee: Tomas Orsava
QA Contact: BaseOS QE - Apps
Lenka Špačková
Reported: 2018-01-18 16:48 UTC by Paul Christensen
Modified: 2018-04-12 09:26 UTC (History)

Last Closed: 2018-04-12 09:26:34 UTC


Attachments
rpm -Va output of rh-python36-python-libs-3.6.3-1.el7.x86_64 (62.46 KB, text/plain)
2018-01-18 16:48 UTC, Paul Christensen

Description Paul Christensen 2018-01-18 16:48:15 UTC
Created attachment 1382974 [details]
rpm -Va output of rh-python36-python-libs-3.6.3-1.el7.x86_64

Description of problem:

When building a docker image using python-36-rhel7 as a base, the resulting image will fail to pass the certification scan. The failure is in the rpm_verify_successful test and is caused by invalid permissions on multiple files, which have permissions of 664 where it should be 644.

Output example:

RHEL system:

[root@RHEL72-20160609]# ls -al /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

-rw-r--r--. 1 root root 36231 Oct  5 17:28 /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

Example in container:

(app-root) ls -al /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

-rw-rw-r--. 1 root root 36231 Oct  6 00:28 /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py



I'm not sure why this is happening. It may be similar to this BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=1481808


Version-Release number of selected component (if applicable):


Packages affected:

rh-python36-python-libs-3.6.3-1.el7.x86_64
rh-python36-python-devel-3.6.3-1.el7.x86_64



How reproducible:

100% reproducible


Steps to Reproduce:
1. Build image using FROM registry.access.redhat.com/rhscl/python-36-rhel7
2. docker run -it -t <image name> /bin/bash
3. rpm -Va

Actual results:

See attachment


Expected results:

No output


Additional info:

Comment 5 Michal Cyprian 2018-02-02 13:54:22 UTC
I am looking into this, I still don't know what might be the origin of the issue.

Comment 7 Michal Cyprian 2018-02-03 20:45:03 UTC
A virtual environment is created under APP_ROOT (/opt/app-root/), so /opt/app-root/lib64/python3.6/codecs.py is a symlink to /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py. The fix-permissions script [0] is executed during docker build and it applies chmod to symlinked python libraries under APP_ROOT. This is the reason why the permissions of scl files are changed.

[0] https://github.com/sclorg/s2i-base-container/blob/master/core/root/usr/bin/fix-permissions
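
The mechanism Comment 7 describes, as an added example that is not part of the bug report or of the sclorg scripts: a `find ... -exec chmod` pass over an app root changes the mode of a file outside that root through a symlink, and excluding symlinks from the pass avoids it. The temp-directory layout and the function names `fix_naive` and `fix_safe` are constructed for illustration; they are not the contents of fix-permissions or of the linked fixes.

```shell
#!/bin/sh
# Constructed demo: a temp dir stands in for /opt/rh/... (packaged files)
# and /opt/app-root (the tree whose permissions get "fixed").

# Mode string as printed by ls, e.g. -rw-r--r--
mode_of() { ls -ld "$1" | cut -c1-10; }

# Build a packaged file (mode 644) plus an app root that holds a symlink
# to it, which is the layout a virtual environment creates.
make_layout() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/pkg" "$base/app-root/lib"
    echo '# packaged module' > "$base/pkg/codecs.py"
    chmod 644 "$base/pkg/codecs.py"
    echo '# application code' > "$base/app-root/app.py"
    chmod 644 "$base/app-root/app.py"
    ln -s "$base/pkg/codecs.py" "$base/app-root/lib/codecs.py"
    echo "$base"
}

# Naive pass: every path, symlinks included, is handed to chmod. chmod
# dereferences a symlink named on its command line, so the packaged file
# outside the tree becomes group-writable.
fix_naive() { find "$1" -exec chmod g+rw {} +; }

# Hardened pass: symlinks are never handed to chmod, so only files that
# really live under the tree are touched.
fix_safe() { find "$1" ! -type l -exec chmod g+rw {} +; }

# Run one fixer on a fresh layout; print "<packaged mode> <app file mode>".
run_case() {
    base=$(make_layout) || return 1
    "$1" "$base/app-root"
    echo "$(mode_of "$base/pkg/codecs.py") $(mode_of "$base/app-root/app.py")"
    rm -rf "$base"
}

run_case fix_naive   # packaged file drifts from 644 to 664
run_case fix_safe    # packaged file keeps 644, app file still gets g+rw
```

A packaged file whose mode drifts this way is what `rpm -Va` reports as a mode mismatch against the RPM database.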

Comment 9 Michal Cyprian 2018-02-13 06:39:51 UTC
Fixes were pushed to GitHub repositories:
    - base-container https://github.com/sclorg/s2i-base-container/pull/154
    - python-container https://github.com/sclorg/s2i-python-container/pull/245#issuecomment-364867925

rh-python36 component (and other versions) should have the right permission values after the next rebuild.

Comment 11 Michal Cyprian 2018-04-12 09:26:34 UTC
There are no files from rh-python36-python-* in the output of the rpm -Va command in the current images. Closing this.

