View Issue Details

ID: 0007480
Project: CentOS-7
Category: yum
View Status: public
Last Update: 2014-10-17 14:03
Reporter: jgangemi
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0007480: systemd-208-11.el7_0.2.x86_64 fails to install in docker
Description: the systemd-208-11.el7_0.2.x86_64 dependency installation for openjdk fails with the following error:

unpacking of archive failed on file /usr/bin/systemd-detect-virt: cpio: cap_set_file

i *think* this may have been caused by a recent image update as i have a coworker whose last centos image pull was from ~5/6 weeks back (give or take) and he was able to build an image successfully. after doing a pull and updating to the latest image, he receives the same error.
Steps To Reproduce: make a Dockerfile w/ the following contents:

FROM centos
RUN yum install -y systemd-208-11.el7_0.2.x86_64


and try to build an image, it will fail w/ the above error.
Tags: No tags attached.

Activities

Evolution

2014-08-09 00:45

reporter   ~0020634

This is currently an upstream issue with systemd breakage inside containers. I've been in discussions with several fedora and rh developers to coordinate a fix, as the fedora images currently suffer the same issue.

The interim work-around will be to provide a 'fake-systemd' package that replaces the broken systemd in docker images. I've got the fakesystemd package built, and I'll try to have an image put together early next week for testing.

If you need to fall back to centos6 in the meantime, you can use:
FROM centos:centos6

instead of FROM centos
Evolution

2014-08-11 15:59

reporter   ~0020660

There are a few things at work here. The first is the problem of systemd inside containers. systemd is included by default, however it's not functional for a number of reasons.

The second is the cap_set_file issue, which is outside the control of the image. This is security within the docker binary itself. Please see for example: https://github.com/docker/docker/issues/5928

The current work-around for the cap_set_file issue is to run the container as --privileged, which is admittedly not nice.

If you'd like to try an alternate container, I've packaged the 'fake-systemd' container for testing at http://people.centos.org/jperrin/docker/
jgangemi

2014-08-11 16:31

reporter   ~0020661

thanks for the update.

i saw the docker issue along with a few others (https://github.com/docker/docker/issues/6980) but got lost in the sea of comments on 'who broke what' and had a hard time telling if the issue was fixed, etc.

i tried using 'privileged' to do a manual install of the rpm but it still failed with the same error. given that i need to build this image from a Dockerfile, it's a moot point anyway.

the fact that a co-worker was able to create an image from an older version of the centos7 image led me to believe it was an issue on the centos side.

either way, thank you for taking care of this!!
xeor

2014-08-11 19:39

reporter   ~0020663

The priority of this issue should be bumped. Currently, running "FROM centos" (that defaults to centos:latest, hence centos:centos7) images in docker is hard. Many packages depend on updating systemd, which it's not able to do because of this error. Many packages fail.

Running "strace /usr/bin/systemd-detect-virt" shows the error..

stat("/proc/1/root", 0x7fff7e2abe20) = -1 EACCES (Permission denied)
writev(2, [{"Failed to check for virtualizati"..., 53}, {"\n", 1}], 2Failed to check for virtualization: Permission denied) = 54
Evolution

2014-08-11 20:02

reporter   ~0020664

Our options for resolving this are reasonably limited as we are not the upstream for systemd, and the same errors exist in the fedora images as well. Bumping the priority only means I'll tell you more emphatically that we're not the upstream for systemd.

xeor, did you try the linked container image with systemd swapped out?
xeor

2014-08-11 20:20

reporter   ~0020665

Sorry, I didn’t try the docker image you provided.
Since I want my docker images to be built using Dockerfiles and upstream, I will work around the problem in the meantime, trying to avoid the packages depending on systemd, or running centos:centos6.

Thanks
Rockj

2014-08-15 12:42

reporter   ~0020686

*leaving a note, hopefully this adds me to subscriber list and I get email notifications on changes as I didn't find any subscription button with my access level reporter*
Evolution

2014-08-25 19:18

reporter   ~0020750

There will be a new build at the end of this week which addresses the systemd issue.
Evolution

2014-10-17 14:03

reporter   ~0021174

This issue has been resolved for containers on CentOS hosts by using fakesystemd.

For boot2docker or other hosts, you may need to use the --cap-add option to docker in order to enable permissions that some packages expect, such as set_file. As a shotgun approach, running the container as --privileged on boot2docker works fine, but isn't really the proper answer.
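
The `cap_set_file` call in the error above writes file capabilities, which the kernel permits only to a process holding CAP_SETFCAP (capability number 31). As an added example (not part of the original thread), this script decodes the `CapBnd` mask from `/proc/<pid>/status` to show whether a container has that capability; the function names and sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode a Linux capability mask and check for CAP_SETFCAP.
# CAP_SETFCAP is capability number 31 in linux/capability.h.
CAP_SETFCAP_BIT=31

# has_cap MASK_HEX BIT -> exit 0 if BIT is set, 1 if clear, 2 if MASK_HEX is not hex
has_cap() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_set [STATUS_FILE] -> print the CapBnd mask (default: this process)
bounding_set() {
    awk '$1 == "CapBnd:" { print $2 }' "${1:-/proc/self/status}"
}

# check_setfcap [STATUS_FILE] -> verdict on stdout, exit 1 if the capability is missing
check_setfcap() {
    mask=$(bounding_set "$1") || return 2
    if has_cap "$mask" "$CAP_SETFCAP_BIT"; then
        echo "CapBnd=$mask: CAP_SETFCAP present, file capabilities can be set"
    else
        echo "CapBnd=$mask: CAP_SETFCAP missing, rpm cannot set file capabilities"
        return 1
    fi
}

# Constructed sample masks (not taken from the report):
#   00000000a80425fb  has bit 31 set
#   00000000280425fb  the same mask with bit 31 cleared
for m in 00000000a80425fb 00000000280425fb; do
    if has_cap "$m" "$CAP_SETFCAP_BIT"; then
        echo "$m: CAP_SETFCAP present"
    else
        echo "$m: CAP_SETFCAP missing"
    fi
done
```

Run `check_setfcap` inside the container; if it reports the capability missing, `docker run --cap-add SETFCAP` grants only that one capability instead of everything `--privileged` enables.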

Issue History

Date Modified Username Field Change
2014-08-08 20:50 jgangemi New Issue
2014-08-09 00:45 Evolution Note Added: 0020634
2014-08-11 15:59 Evolution Note Added: 0020660
2014-08-11 16:31 jgangemi Note Added: 0020661
2014-08-11 19:39 xeor Note Added: 0020663
2014-08-11 20:02 Evolution Note Added: 0020664
2014-08-11 20:20 xeor Note Added: 0020665
2014-08-15 12:42 Rockj Note Added: 0020686
2014-08-25 19:18 Evolution Note Added: 0020750
2014-10-17 14:03 Evolution Note Added: 0021174
2014-10-17 14:03 Evolution Status new => resolved
2014-10-17 14:03 Evolution Resolution open => fixed
2014-10-20 12:14 shengvvvvv Issue cloned: 0007714