/kind bug
Description
Note: DNF is used here as an indicator of something going wrong with STDIN
When running dnf install -y inside a container, which has a repo with repo_gpgcheck=1, DNF tries to read from stdin on GPG key import (which it shouldn't, just a bug), and fails with Broken Pipe in some scenarios when TTY is not available, but it works fine in others. This seems due to some issue with stdin, and might be related to #4326.
Here are the 2 scenarios when it reproduces:
- podman exec-ing (without -t) dnf install -y inside a running fedora:31 container
- podman run-ing (without -t) buildah run $container dnf install -y to build a nested container

I will file a bug against DNF also, as it, probably, shouldn't interact with stdin at all with -y flag. Just would like to understand what goes wrong with stdin first.
Steps to reproduce the issue:
Scenario # 1 (fails):
Trying to install a package, after adding a signed repo, by exec-ing into a running container.
$ podman run --name test -d fedora:31 tail -f /dev/null
4379e9c4e9271bf1cbd60eca0dbe760d5a9be31253469b5c757bff33b0ab9866
$ podman cp --pause=false kubernetes.repo test:/etc/yum.repos.d/
$ podman exec test dnf install -y vim
Fedora Modular 31 - x86_64 2.0 MB/s | 5.2 MB 00:02
Fedora Modular 31 - x86_64 - Updates 197 kB/s | 1.2 MB 00:06
Fedora 31 - x86_64 - Updates 2.8 MB/s | 5.8 MB 00:02
Fedora 31 - x86_64 3.1 MB/s | 71 MB 00:22
Kubernetes 310 B/s | 454 B 00:01
Kubernetes 7.6 kB/s | 1.8 kB 00:00
Importing GPG key 0xA7317B0F:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Error: non zero exit code: 141: OCI runtime error
Scenario # 1 (succeeds):
Run podman exec -t instead:
$ podman exec -t test dnf install -y vim
Kubernetes 343 B/s | 454 B 00:01
Kubernetes 7.8 kB/s | 1.8 kB 00:00
Importing GPG key 0xBA07F4FB:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: 54A6 47F9 048D 5688 D7DA 2ABE 6A03 0B21 BA07 F4FB
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Kubernetes 3.7 kB/s | 975 B 00:00
Importing GPG key 0x3E1BA8D5:
Userid : "Google Cloud Packages RPM Signing Key <[email protected]>"
Fingerprint: 3749 E1BA 95A8 6CE0 5454 6ED2 F09C 394C 3E1B A8D5
From : https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Kubernetes 39 kB/s | 78 kB 00:01
Dependencies resolved
...
Installed:
vim-enhanced-2:8.1.2198-1.fc31.x86_64 vim-common-2:8.1.2198-1.fc31.x86_64 vim-filesystem-2:8.1.2198-1.fc31.noarch gpm-libs-1.20.7-19.fc31.x86_64 which-2.21-15.fc31.x86_64
Complete!
Scenario # 2 (fails):
Run nested Buildah to build a Fedora-based container by adding the signed repo and installing a package.
(--device /dev/fuse and --volume ./containers are required for Buildah-in-Podman to work)
$ mkdir containers
$ podman run \
--device /dev/fuse:rw \
--volume ./containers:/var/lib/containers:Z \
--volume ./kubernetes.repo:/kubernetes.repo:Z \
quay.io/buildah/stable \
bash -c \
"buildah from --name test fedora \
&& buildah copy test /kubernetes.repo /etc/yum.repos.d \
&& buildah run test dnf install -y vim"
Getting image source signatures
Copying blob sha256:d318c91bf2a81634e0283fb7e7362efdd7c21164b60b74498360756dc82a95d9
Copying config sha256:f0858ad3febdf45bb2e5501cb459affffacef081f79eaa436085c3b6d9bd46ca
Writing manifest to image destination
Storing signatures
test
5c27acc2a4fb9c0a14d146e47d1c816a496aaa3710ca21b62922f03b92f9e445
Fedora Modular 31 - x86_64 1.5 MB/s | 5.2 MB 00:03
Fedora Modular 31 - x86_64 - Updates 131 kB/s | 1.2 MB 00:09
Fedora 31 - x86_64 - Updates 1.9 MB/s | 5.8 MB 00:03
Fedora 31 - x86_64 1.1 MB/s | 71 MB 01:05
Kubernetes 325 B/s | 454 B 00:01
Kubernetes 7.6 kB/s | 1.8 kB 00:00
Importing GPG key 0xA7317B0F:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
subprocess exited on broken pipe
subprocess exited with status 1
level=error msg="exit status 1"
Scenario # 2 (succeeds):
Use podman run -t instead:
$ podman run -t \
--device /dev/fuse:rw \
--volume ./containers:/var/lib/containers:Z \
--volume ./kubernetes.repo:/kubernetes.repo:Z \
quay.io/buildah/stable \
bash -c \
"buildah from --name test fedora \
&& buildah copy test /kubernetes.repo /etc/yum.repos.d \
&& buildah run test dnf install -y vim"
Getting image source signatures
Copying blob d318c91bf2a8 done
Copying config f0858ad3fe done
Writing manifest to image destination
Storing signatures
test
5c27acc2a4fb9c0a14d146e47d1c816a496aaa3710ca21b62922f03b92f9e445
Fedora Modular 31 - x86_64 1.4 MB/s | 5.2 MB 00:03
Fedora Modular 31 - x86_64 - Updates 576 kB/s | 1.2 MB 00:02
Fedora 31 - x86_64 - Updates 2.1 MB/s | 5.8 MB 00:02
Fedora 31 - x86_64 4.8 MB/s | 71 MB 00:14
Kubernetes 270 B/s | 454 B 00:01
Kubernetes 7.7 kB/s | 1.8 kB 00:00
Importing GPG key 0xA7317B0F:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xBA07F4FB:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: 54A6 47F9 048D 5688 D7DA 2ABE 6A03 0B21 BA07 F4FB
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Kubernetes 3.9 kB/s | 975 B 00:00
Importing GPG key 0x3E1BA8D5:
Userid : "Google Cloud Packages RPM Signing Key <[email protected]>"
Fingerprint: 3749 E1BA 95A8 6CE0 5454 6ED2 F09C 394C 3E1B A8D5
From : https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Kubernetes 36 kB/s | 78 kB 00:02
Last metadata expiration check: 0:00:01 ago on Sun Nov 3 10:36:22 2019.
Dependencies resolved.
...
Installed:
vim-enhanced-2:8.1.2198-1.fc31.x86_64 vim-common-2:8.1.2198-1.fc31.x86_64 vim-filesystem-2:8.1.2198-1.fc31.noarch gpm-libs-1.20.7-19.fc31.x86_64 which-2.21-15.fc31.x86_64
Complete!
Scenario # 3 (succeeds):
Simply use podman run for DNF:
$ podman run -v ./kubernetes.repo:/etc/yum.repos.d/kubernetes.repo:Z fedora:31 dnf install -y vim
Fedora Modular 31 - x86_64 788 kB/s | 5.2 MB 00:06
Fedora Modular 31 - x86_64 - Updates 101 kB/s | 1.2 MB 00:12
Fedora 31 - x86_64 - Updates 3.0 MB/s | 5.8 MB 00:01
Fedora 31 - x86_64 3.2 MB/s | 71 MB 00:21
Kubernetes 289 B/s | 454 B 00:01
Kubernetes 7.5 kB/s | 1.8 kB 00:00
Importing GPG key 0xA7317B0F:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xBA07F4FB:
Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: 54A6 47F9 048D 5688 D7DA 2ABE 6A03 0B21 BA07 F4FB
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Kubernetes 3.9 kB/s | 975 B 00:00
Importing GPG key 0x3E1BA8D5:
Userid : "Google Cloud Packages RPM Signing Key <[email protected]>"
Fingerprint: 3749 E1BA 95A8 6CE0 5454 6ED2 F09C 394C 3E1B A8D5
From : https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Kubernetes 37 kB/s | 78 kB 00:02
Last metadata expiration check: 0:00:02 ago on Sun Nov 3 10:51:54 2019.
Dependencies resolved.
...
Installed:
vim-enhanced-2:8.1.2198-1.fc31.x86_64 vim-common-2:8.1.2198-1.fc31.x86_64 vim-filesystem-2:8.1.2198-1.fc31.noarch gpm-libs-1.20.7-19.fc31.x86_64 which-2.21-15.fc31.x86_64
Complete!
The .repo file used: kubernetes.repo
Describe the results you received:
DNF exiting with code 141 (SIGPIPE).
Describe the results you expected:
The RPM package is installed and DNF exits with code 0.
Output of podman version:
Version: 1.6.2
RemoteAPI Version: 1
Go Version: go1.13.1
OS/Arch: linux/amd64
Output of podman info --debug:
debug:
compiler: gc
git commit: ""
go version: go1.13.1
podman version: 1.6.2
host:
BuildahVersion: 1.11.3
CgroupVersion: v2
Conmon:
package: conmon-2.0.2-1.fc31.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.2, commit: 186a550ba0866ce799d74006dab97969a2107979'
Distribution:
distribution: fedora
version: "31"
IDMappings:
gidmap:
- container_id: 0
host_id: 2505
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 2505
size: 1
- container_id: 1
host_id: 100000
size: 65536
MemFree: 518713344
MemTotal: 3137253376
OCIRuntime:
name: crun
package: crun-0.10.2-1.fc31.x86_64
path: /usr/bin/crun
version: |-
crun version 0.10.2
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
SwapFree: 0
SwapTotal: 0
arch: amd64
cpus: 2
eventlogger: journald
hostname: fossil.raine.ai
kernel: 5.3.7-301.fc31.x86_64
os: linux
rootless: true
slirp4netns:
Executable: /usr/bin/slirp4netns
Package: slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64
Version: |-
slirp4netns version 0.4.0-beta.3+dev
commit: bbd6f25c70d5db2a1cd3bfb0416a8db99a75ed7e
uptime: 68h 26m 32.86s (Approximately 2.83 days)
registries:
blocked: null
insecure: null
search:
- docker.io
- registry.fedoraproject.org
- quay.io
- registry.access.redhat.com
- registry.centos.org
store:
ConfigFile: /home/evelineraine/.config/containers/storage.conf
ContainerStore:
number: 38
GraphDriverName: overlay
GraphOptions:
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: fuse-overlayfs-0.6.5-2.fc31.x86_64
Version: |-
fusermount3 version: 3.6.2
fuse-overlayfs: version 0.6.5
FUSE library version 3.6.2
using FUSE kernel interface version 7.29
GraphRoot: /home/evelineraine/.local/share/containers/storage
GraphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
ImageStore:
number: 8
RunRoot: /run/user/2505
VolumePath: /home/evelineraine/.local/share/containers/storage/volumes
Package info (e.g. output of rpm -q podman or apt list podman):
podman-1.6.2-2.fc31.x86_64
Additional environment details (AWS, VirtualBox, physical, etc.):
OS: Fedora 31 Workstation
Hypervisor: VirtualBox
@haircommander @mheon PTAL
This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.
Still an issue... #dontclose
@evelineraine thanks for the update, I've added the do-not-close label so this one won't time out.
If it's any help, I am seeing this issue when I use a Fedora VM with Vagrant and do the update from the default provision script. I wonder if the issue exists elsewhere.
INFO interface: detail: f-01: + sudo -E dnf updateinfo -qy
f-01: + sudo -E dnf updateinfo -qy
DEBUG ssh: Sending SSH keep-alive... INFO interface: detail: Importing GPG key 0xA7317B0F: Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
INFO interface: detail: f-01: Importing GPG key 0xA7317B0F:
f-01: Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
f-01: Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
f-01: From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
f-01: Importing GPG key 0xA7317B0F:
f-01: Userid : "Google Cloud Packages Automatic Signing Key <[email protected]>"
f-01: Fingerprint: D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
f-01: From : https://packages.cloud.google.com/yum/doc/yum-key.gpg
DEBUG ssh: Exit status: 141
Same issue with docker and dnf.
Does this mean this issue has nothing to do with podman?
Unless it shares the same buggy code with docker, could also be dnf.
I believe the problem is gpg which really wants a TTY. As shown above, it works when allocating a TTY for the container. If you want to run it without one, for instance, when building a container, you can set GPG_TTY=/dev/null in the environment. We had a similar issue lately in Buildah.
Since the issue is not related to Podman but ultimately a gpg issue, I am closing it.
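
The exit status and the workaround from this thread, as an added shell example that is not code from the issue or from Podman. `status_to_signal` and `run_noninteractive` are hypothetical helper names, and the example assumes the shell convention that a status above 128 is 128 plus the signal number, so that repo_gpgcheck=1 can stay enabled in jobs that have no TTY.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Podman or DNF.

# Map a wait status above 128 to the signal that ended the process
# (status = 128 + signal number), so 141 becomes PIPE.
status_to_signal() {
    st=$1
    if [ "$st" -gt 128 ] && [ "$st" -le 192 ]; then
        kill -l "$((st - 128))" 2>/dev/null || echo none
    else
        echo none
    fi
}

# Run a command the way `podman exec` without -t or a CI job would.
# When stdin is not a terminal, pass GPG_TTY=/dev/null (the workaround
# given in the thread). A death by signal is reported by name on stderr
# instead of as a bare number, and the original status is returned.
run_noninteractive() {
    rc=0
    if [ -t 0 ]; then
        "$@" || rc=$?
    else
        env GPG_TTY=/dev/null "$@" || rc=$?
    fi
    sig=$(status_to_signal "$rc")
    if [ "$sig" != none ]; then
        echo "command ended by SIG$sig (exit status $rc)" >&2
    fi
    return "$rc"
}

# Constructed demonstration: stdin is /dev/null, so no TTY is available
# and the child sees the workaround variable.
run_noninteractive sh -c 'echo "GPG_TTY=${GPG_TTY:-unset}"' </dev/null
```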