https://blog.coderkang.top/en/tags/apt-update/ Recent content in Apt Update on Kang's Blog Hugo -- gohugo.io en Mon, 05 Jun 2023 00:00:00 +0000 https://blog.coderkang.top/en/p/docker_apt_update_gpg_issue/ Mon, 05 Jun 2023 00:00:00 +0000 https://blog.coderkang.top/en/p/docker_apt_update_gpg_issue/ <h2 id="cause">Cause </h2><p>After investigation, it was identified that Ubuntu 21.10 and Fedora 35 began using glibc 2.34 and higher versions. In glibc 2.34, a new system call named <code>clone3</code> was introduced. Normally, Docker intercepts all system calls in containers and determines how to handle them. If Docker lacks specific policies for a particular system call, its default policy returns a &ldquo;Permission Denied&rdquo; error to the container. However, when glibc receives this error, it does NOT fallback to alternative methods. It would only attempt fallback procedures if the response indicated &ldquo;This system call is unavailable.&rdquo;</p> <h2 id="solutions">Solutions </h2><h3 id="solution-1">Solution 1 </h3><p>Add the following parameter when running the container to bypass Docker&rsquo;s system call restrictions:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">--security-opt <span class="nv">seccomp</span><span class="o">=</span>unconfined </span></span></code></pre></td></tr></table> </div> </div><p><strong>Important caveats</strong>:</p> <ol> <li>This compromises container security.</li> <li>This parameter cannot be used during image builds. Refer to Solution 2 for alternatives.</li> </ol> <h3 id="solution-2">Solution 2 </h3><p>Upgrade Docker to version 20.10.8 or higher (&gt;20.10.8).</p> <p><strong>Production environment considerations</strong>:</p> <ul> <li>Upgrading Docker versions in production may be challenging.</li> <li>When building images, avoid using Ubuntu 21.10, Fedora 35, or newer as base images, and verify if derived images are affected.</li> <li>Most official images are based on Debian - confirm Debian-based image compatibility to ensure they aren&rsquo;t impacted by this issue.</li> </ul> <h3 id="solution-3">Solution 3 </h3><p>Upgrade <code>runc</code>.</p> <p><a class="link" href="https://github.com/opencontainers/runc/releases/" target="_blank" rel="noopener" >https://github.com/opencontainers/runc/releases/</a></p> <p>Check the runc version before upgrading using <strong>docker version</strong>:</p> <p><img alt="img" class="gallery-image" data-flex-basis="444px" data-flex-grow="185" height="541" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://blog.coderkang.top/p/docker_apt_update_gpg_issue/uda096-0.png" srcset="https://blog.coderkang.top/p/docker_apt_update_gpg_issue/uda096-0_hu_ea966affbd28af5e.png 800w, https://blog.coderkang.top/p/docker_apt_update_gpg_issue/uda096-0.png 1003w" width="1003"></p> <p><strong>1. Select version 1.0.0-rc95 and download runc.amd64</strong></p> <p><img alt="img" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px"></p> <p><strong>2. Upload the file to the server, rename it, and grant permissions</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mv runc.amd64 runc <span class="o">&amp;&amp;</span> chmod +x runc </span></span></code></pre></td></tr></table> </div> </div><p><strong>3. Back up the existing runc</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">which runc </span></span><span class="line"><span class="cl">mv </span></span></code></pre></td></tr></table> </div> </div><p><strong>4. Stop Docker</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">systemctl stop docker </span></span></code></pre></td></tr></table> </div> </div><p><strong>5. Replace with the new runc version</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cp runc /usr/bin/runc </span></span></code></pre></td></tr></table> </div> </div><p><strong>6. Start Docker</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">systemctl start docker </span></span></code></pre></td></tr></table> </div> </div><p><strong>7. Verify if runc was upgraded successfully</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker version </span></span></code></pre></td></tr></table> </div> </div>