Created attachment 1382974
rpm -Va output of rh-python36-python-libs-3.6.3-1.el7.x86_64

Description of problem:
When building a docker image using python-36-rhel7 as a base, the resulting image will fail to pass the certification scan. The failure is in the rpm_verify_successful test and is caused by invalid permissions on multiple files which have permissions of 664 where it should be 644.

Output example:

RHEL system:
[root@RHEL72-20160609]# ls -al /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py
-rw-r--r--. 1 root root 36231 Oct 5 17:28 /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

Example in container:
(app-root) ls -al /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py
-rw-rw-r--. 1 root root 36231 Oct 6 00:28 /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py

I'm not sure why this is happening. It may be similar to this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1481808

Version-Release number of selected component (if applicable):
Packages affected:
rh-python36-python-libs-3.6.3-1.el7.x86_64
rh-python36-python-devel-3.6.3-1.el7.x86_64

How reproducible:
100% reproducible

Steps to Reproduce:
1. Build image using FROM registry.access.redhat.com/rhscl/python-36-rhel7
2. docker run -it -t <image name> /bin/bash
3. rpm -Va

Actual results:
See attachment

Expected results:
No output

Additional info:
I am looking into this, I still don't know what might be the origin of the issue.
A virtual environment is created under APP_ROOT (/opt/app-root/), so /opt/app-root/lib64/python3.6/codecs.py is a symlink to /opt/rh/rh-python36/root/usr/lib64/python3.6/codecs.py. The fix-permissions script [0] is executed during docker build and it applies chmod to symlinked python libraries under APP_ROOT. This is the reason why the permissions of scl files are changed.

[0] https://github.com/sclorg/s2i-base-container/blob/master/core/root/usr/bin/fix-permissions
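
The mechanism described in the comment above, reproduced as an added example that is not part of the bug thread and is not the fix-permissions script itself: chmod dereferences a symlink passed as an argument, so a recursive pass over one tree changes the mode of a file that lives in another. The pkg/ and app/ directories, file contents and function names are constructed for illustration; GNU stat is assumed.

```shell
#!/bin/sh
# Constructed layout: pkg/ stands in for the RPM-owned SCL tree,
# app/ stands in for APP_ROOT with a virtualenv-style symlink into pkg/.
make_layout() {
    root=$(mktemp -d)
    mkdir "$root/pkg" "$root/app"
    echo '# constructed sample' > "$root/pkg/codecs.py"
    chmod 644 "$root/pkg/codecs.py"
    ln -s "$root/pkg/codecs.py" "$root/app/codecs.py"
    echo 'print("app")' > "$root/app/app.py"
    chmod 644 "$root/app/app.py"
    echo "$root"
}

# Octal mode of a path (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }

# Problem pattern: find passes the symlink path to chmod, and chmod
# changes the pointed-to file, which is outside the tree being fixed.
fix_following_symlinks() {
    find "$1" -exec chmod g+w {} +
}

# Safer pattern: never hand symlinks to chmod, so only files that
# really live under the given directory are modified.
fix_skipping_symlinks() {
    find "$1" ! -type l -exec chmod g+w {} +
}

# Run a fixer on app/ and report "<mode of pkg file> <mode of app file>".
demo() {
    root=$(make_layout)
    "$1" "$root/app"
    echo "$(mode_of "$root/pkg/codecs.py") $(mode_of "$root/app/app.py")"
    rm -rf "$root"
}

demo fix_following_symlinks   # 664 664: package file changed, rpm -V would flag it
demo fix_skipping_symlinks    # 644 664: package file untouched
```

The first result matches the 644 to 664 drift shown in the report; the second is the state in which rpm -Va has nothing to report for the package-owned file.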
Fixes were pushed to GitHub repositories:
- base-container https://github.com/sclorg/s2i-base-container/pull/154
- python-container https://github.com/sclorg/s2i-python-container/pull/245#issuecomment-364867925

rh-python36 component (and other versions) should have the right permission values after the next rebuild.
There are no files from rh-python36-python-* in the output of the rpm -Va command in the current images. Closing this.