arm32v7/ubuntu:latest fails to update

[ilg-ul]

I used this Docker image for quite a while in Travis tests, but now I see it failing to update:

arm32v7/ubuntu:latest
https://github.com/xpack-dev-tools/pre-releases/releases/download/test/
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-security InRelease' is not signed.
The command "DEBUG= bash tests/scripts/docker-test.sh --32 arm32v7/ubuntu:latest https://github.com/xpack-dev-tools/pre-releases/releases/download/test/ " exited with 100.
4.56s$ DEBUG= bash tests/scripts/docker-test.sh --32 arm32v7/ubuntu:rolling https://github.com/xpack-dev-tools/pre-releases/releases/download/test/ 
Linux travis-job-xpack-dev-tool-ninja-build-xp-711068358 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:43:38 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux
Unable to find image 'arm32v7/ubuntu:rolling' locally
rolling: Pulling from arm32v7/ubuntu
Digest: sha256:7ec8bcd4abd31f16afa768d99197777d68630dd04e36502b90211c30660fb2ed
Status: Downloaded newer image for arm32v7/ubuntu:rolling
arm32v7/ubuntu:rolling
https://github.com/xpack-dev-tools/pre-releases/releases/download/test/
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease' is not signed.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-security InRelease' is not signed.
The command "DEBUG= bash tests/scripts/docker-test.sh --32 arm32v7/ubuntu:rolling https://github.com/xpack-dev-tools/pre-releases/releases/download/test/ " exited with 100.

(the console is a bit out of order, but this shouldn't be a problem)

[tianon]

I'm not able to reproduce, so I wonder if this is possibly related to debuerreotype/docker-debian-artifacts#97 / moby/moby#40739 ?

[tianon]

Confirmed, I tested on an arm64 native box, and was able to reproduce, and after adding --security-opt seccomp:unconfined, it works, so it's definitely an instance of moby/moby#40739. 😞

[ilg-ul]

I'm not familiar with that issue, but I used this Docker image in hundreds of Travis runs so far, without problems.

Was the image updated recently?

[tianon]

Yes, the image is updated roughly every 30 days (it's :latest, after all...). The underlying issue is filed at moby/moby#40734, which was related to updating, but now that the base image is updated to include that libc6 change/update, you end up seeing related errors much sooner (and more widespread).

[ilg-ul]

I understand that it is latest, but I hoped it is 'latest functional', not latest broken. :-(

Any idea when the image will be again functional? Should I remove it from the Travis test completely? (I use many 'latest' images, only this one failed).

[tianon]

Well to be clear, latest here means "latest release" (and even more specifically, the Ubuntu image uses it to mean "latest LTS release").

As for whether it's functional, the image is functional, but your environment (Travis) has an outdated libseccomp (and potentially outdated Docker, since it needs Docker 19.03.9 or newer to have the fix) which is not familiar with the system calls this newer libc6 is trying to use, and thus (not unreasonably) blocks them.

To fix this, you'll need to make sure your Docker version is newer than 19.03.9, and that you have a libseccomp version of 2.4.2 or higher.

Alternatively, you can use --security-opt seccomp:unconfined when running your containers in order to remove the seccomp filtering entirely (which might be an acceptable trade-off on infrastructure like Travis where you don't need to worry as much about the security implications of doing so).

[tianon]

(The next release of Debian is going to suffer from the same change -- see debuerreotype/docker-debian-artifacts#97.)

[ilg-ul]

--security-opt seccomp:unconfined

I confirm, with this workaround the Travis test passed.

Thank you,

Liviu

[antoinetran]

Hi, reproduced with CentOS 7.7 and libseccomp-2.3.1-3.el7.x86_64 . I did a OS update and apparently, the update to libseccomp-2.3.1-4.el7.x86_64 fixed the issue for info.