Closed ianw closed 2 years ago
it looks like the Debian package is using an old version of github.com/opencontainers/runtime-tools
.
AddProcessEnv
is not using addEnv
since:
commit 3967c4654461e6673d2418e05678bcda4bf51b2f
Author: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed Aug 19 13:18:19 2020 +0200
vendor: update opencontainers/runtime-spec
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@siretart PTAL
Sine this is is a debian issue you should report this to the distro specific bug tracker.
Looks like the latest github.com/opencontainers/runtime-tools
tag is from 2019, I guess there are using this instead.
@siretart sorry if it was already discussed in the past and I am not aware of the outcome but is there anything we can do to use the same version of the modules we ship and avoid such kind of issues?
Had the same problem this morning with the last podman update for Debian sid. Upgrading to podman 4 from experimental solved my issue.
@giuseppe you can track the versions of containers/runtime-tools
in Debian at https://tracker.debian.org/pkg/golang-github-opencontainers-runtime-tools. As you can see, it is packaging the lastest upstream release.
Any chance you can assist with having a new upstream release so that podman doesn't need to vendor unreleased versions? That would help me a lot. https://github.com/opencontainers/runtime-tools/issues/702 might be a good starting point, not sure where it got stuck.
Alternatively, you could help me by pointing out specific upstream commits that I could backport to the debian package (as you can see from 0.9.0+dfsg-4, I've been doing that e.g. for cd1349b7c47e9def74bee83f6cec88c5c3413e65 but evidently more changes are needed).
we can address the runtime-tools issue for now, but I am more worried about the fact the Go modules we use and test are different than the ones used on Debian. We could be more diligent and use only released tags, but we have no control over the indirect dependencies.
I somehow understand why it is done but it defeats the only advantage of Go binaries static linking.
it looks like the Debian package is using an old version of
github.com/opencontainers/runtime-tools
.AddProcessEnv is not using addEnv [...]
@giuseppe I think it is a bit more complicated than that, I did backport that relevant change: https://sources.debian.org/src/golang-github-opencontainers-runtime-tools/0.9.0%2Bdfsg-4/debian/patches/ProcessEnvPerformance.patch/ -- so the addEnv
function is used in the debian package.
Unfortunately, it appears to be not sufficient, and probably additional patches are necessary to avoid this crash.
Actually, I think the comment in https://github.com/containers/podman/blob/f65f3320e1124c94db053c1f811487920ae2a70e/libpod/container_internal_linux.go#L1529-L1531 is referring to exactly this crash.
I'm backporting upstream commit a42c131c80fc8c7220687c56cf4384a224572ca0 which reverts the usage to the deprecated API. Initial testing confirms that this avoids the crash. Go figure! (pun intended)
Our CI jobs have started failing with
Several different types of builds have started failing with this. Concentrating on one type [1] the last successful build was [2] yesterday.
It looks like there has been a minor point-update of podman in Debian in that time, e.g. [3] (failing)
versus [4] (passing)
This seems to be about the only difference. It seems this is a release to fix a CVE [5]
I haven't managed to track this down further yet, but it felt more like a generic issue than something Debian specific; we run from unstable because we need some other features so might be some early testers of this.
[1] https://zuul.opendev.org/t/openstack/builds?job_name=dib-nodepool-functional-openstack-fedora-35-containerfile-src&project=openstack/diskimage-builder [2] https://zuul.opendev.org/t/openstack/build/7fe19006ea0543afab58d56b206c70ed [3] https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_7de/838863/2/check/nodepool-build-image-siblings/7de1ad4/job-output.txt [4] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_806/836228/10/check/nodepool-build-image-siblings/806f881/job-output.txt [5] https://tracker.debian.org/news/1320098/accepted-libpod-347ds1-1-source-into-unstable/