-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uclibc BusyBox in Distroless debug images fails with "ls: Value too large for defined data type" #225
Comments
cc @tejal29 |
hmm not able to reproduce this
|
Same here. @xinau do you have any other info on how you reproduced this? |
Since I've done several package updates (kernel, util-linux, ...) in the mean time, they seem to have magically fixed the problem. I can't reproduce it anymore :( . Sry for bothering. |
I have the same issue on Docker for Mac
|
Works on Linux with |
Funny, on D4M, it sometimes works just after I restart Docker or remove all the images. And then it breaks again |
I ran into the same issue on Docker for Windows:
After I restart docker it seems to work, just as @dgageot already explained. (didn't have to remove any images). |
I'm seeing this running against a k8s cluster. It is intermittent, for some pods works fine, other give this error. Perhaps it could be related to how large the filesystem is which the container is on? |
I confirm this issue with docker 18.06.1-ce and gcr.io/distroless/java:debug (0507ea3dccb1). The restart of the docker daemon solves the issue. |
In my experience, the error "Value is too large for defined data type" is raised when a 32-bit application/library tries to access a file that has a 64-bit inode and overflows the 32-bit integer used to store the inode number. |
I confirm this issue with docker 18.06.1-ce on Mac.
|
The issue is the 64-bit inode.
This intermittently breaks on Microsoft Azure AKS Kubernetes with the distroless/java image w/ debug. A workaround is to do something like:
|
The 32-bit uclibc busybox does not support 64-bit inodes (see GoogleContainerTools/distroless#225) Signed-off-by: Don Bowman <don@agilicus.com>
I've filed a bug against busybox: https://bugs.busybox.net/show_bug.cgi?id=11651 @donbowman Distroless is pulling in the 1.27.1 version, and I wonder if recent binaries have fixed this issue. I have trouble reproducing this in-house, so is it possible for you to test the most recent 1.30.0 binary from https://busybox.net/downloads/binaries/? |
I've confirmed 1.30.0 from busybox.net has the same issue. |
The busybox dev is asking for more info for debugging: https://bugs.busybox.net/show_bug.cgi?id=11651#c5. If anyone can still reproduce this issue, please update the bug tracker. @donbowman |
done, i need to find a static strace and get a privileged container up to do this tho. |
|
|
@donbowman I saw your update on the busybox bug. Thanks for reporting. Let's see what the dev will say. |
I see the busybox bug got the lowest priority P5. If anyone is severely affected by this issue, I suggest to go to the busybox bug and increase awareness. |
the workaround is to use the glibc version https://github.com/docker-library/busybox/tree/master/glibc across the board i find a lot of things on kubernetes (e.g. helm charts) that use 'busybox' as an initcontainer that intermittently fail in azure because of this issue, its not just the debug distroless. |
@donbowman sounds like if this would be gone if we just pull in and install a busybox binary using glibc. Does busybox provide compiled binaries with glibc at https://busybox.net/downloads/binaries/? Doesn't seem like they do. I kind of heard that Kubernetes might be using distroless for some part of its workings (although I'm not sure). |
I am experiencing the same issue when running on GKE cluster
No issue running on Rancher 2.0 clusters
|
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
We are also affected - upvote +1 |
This is the issue in BusyBox. If you are affected, please go to the BusyBox Bug 11651 and upvote there. |
@chanseokoh |
Likely. The way I see it, this is a bug in BusyBox compiled with uclibc. Sounds like using a glibc BusyBox should be fine. And is Kaniko using or based on a debug Distroless image? Why are you using a debug image? |
I think some people are reporting their issue on a wrong repository only after googling with the apparent error message "Value too large for defined data type", not realizing that this is the Distroless repo. I've updated the issue title and hidden some comments seemingly unrelated to Distroless. |
is there some compelling reason we can't use the glibc busybox in here? it works, its compatible, those that use the :debug for whatever reason are happy? |
@donbowman I don't think there is. I think whatever approach that resolves this issue should be fine. Someone put up a PR (which has merge conflicts) to get BusyBox from the Debian package. However, it downgrades the version and misses some commands; maybe it is no longer the case with Debian 10, I don't know. Even so, it's for debug images, so it may not matter much. But maybe, just downloading the glibc version would be a simpler and easier way. Another person suggested switching to ToyBox. I think either solution can work. We appreciate community contributions. (I'm not going to work on fixing this myself, BTW.) |
@chanseokoh: many people around who want to use Q: Why anybody wants to use debug image? Q: How I met this issue? Q: How I managed to solve? I would be happy to help in changing the |
@alex1989hu thanks for the detailed explanation. It's really good to know that Kaniko is based on Distroless; didn't know that.
Thanks a lot. I am the most active "moderator" (not "maintainer"); I can gladly assist you. What's your plan? I think downloading the precompiled glibc BusyBox is the easiest and straightforward fix. |
Unrelated, the way Kaniko fetches BusyBox is inexplicably convoluted. Why getting it from a Distroless image after building it with |
/cc @tejal29 @tstromberg @samos123 what do you think? I think most of us wants to replace busybox but @chanseokoh points to a good question. Is it mandatory to use One of the kaniko related issue: GoogleContainerTools/kaniko#985 (comment) |
actually its not just debug, i believe the java distroless has busybox in it for non-debug. |
so If I update #380 to not conflict, and use current busybox from busybox.net (w/ glibc), all are good w/ that? I can take a look. |
No, all non-debug images do not have busybox. Particularly Java images have tests for this. distroless/java/testdata/java11_debian10.yaml Lines 15 to 17 in bd10624
If you get the glibc version from busybox.net, I think we can forget about #380. (#380 is for getting busybox from Debian.) Thanks for your help. |
UPDATE by @chanseokoh: this issue is specifically about the pre-built, buggy BusyBox binary compiled using uClibc embedded in the Distroless
:debug
Docker images (e.g.,gcr.io/distroless/java:debug
). The root cause is Bug 11651 in BusyBox.It seems like LargeFileSupport is disabled in the debug images.
According to the coreutils docs this error is caused by not enabling LargeFileSupport when compiling.
The default docker image doesn't seem to have this problem
The text was updated successfully, but these errors were encountered: