Docker image for Postgres 14 based on Bookworm is broken somehow
sirmax123 opened this issue · 10 comments
Updated docker image with tag `postgres:14` is broken.

Steps to reproduce:

- Existing Dockerfile, worked fine until today, just need to add postgis:

```dockerfile
FROM postgres:14
RUN apt-get update -y && apt-get install postgresql-14-postgis-3 -y
```

- Starting from today I get errors running the `docker build` command:

```
<Skipped>
apt-get update
Get:1 http://deb.debian.org/debian bookworm InRelease [147 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
<skipped>
```

- Actual result: Build Failed
- Expected result: extension is installed

Workaround: replace `FROM postgres:14` with `FROM postgres:14-bullseye`
(not possible to fix in my upstream repo, so I have to use `sed`
in the build pipeline to do the fix on-the-fly)
have the same issue
I am unable to reproduce. I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with `--security-opt seccomp=unconfined`.

This is similar to the update to Ubuntu focal: docker-library/mongo#606 (comment)
Same as docker-library/python#837 (comment)
Related: #1099
It also breaks all our services when booting `postgres:13` within our CircleCI pipelines. We're able to hotfix it for the moment by setting the image to `postgres:13-bullseye`. The logs didn't tell us anything about the reason behind it. One service was crashing right away with exit code 2, and the other one timed out after 10 minutes.
Confirmed with @Chaoste , I am trying to build AMD64 version of postgres:13. I tested with 13+ and bullseye/bookworm. Does not like the update command. I also updated my Docker for Desktop on my Mac to see if that fixed things, but it did not.
Also running into this issue on ubuntu 18, docker 23.05-1. Dmesg says:

```
bash[6496]: segfault at 56473bc14000 ip 00007fb59281fb97 sp 00007fff8864a568 error 6 in libc.so.6[7fb5926f3000+155000]
[  676.608738] Code: 00 00 c5 7d e7 8f 20 20 00 00 c5 7d e7 97 40 20 00 00 c5 7d e7 9f 60 20 00 00 c5 7d e7 a7 00 30 00 00 c5 7d e7 af 20 30 00 00 <c5> 7d e7 b7 40 30 00 00 c5 7d e7 bf 60 30 00 00 48 83 ef 80 ff c9
```

so it's bash that's segfaulting before the process even hits postgres
(basically the same comment as redis/docker-library-redis#365 (comment) and docker-library/python#837 (comment))

Root cause: it is very likely Docker with libseccomp, so a newer syscall used in Debian Bookworm packages/libs is being blocked. libseccomp lets you configure allowed syscalls for a process. Docker sets a default seccomp profile for all containers such that only certain syscalls are allowed and everything else is blocked (so, newer syscalls that are not yet known to libseccomp or docker are blocked).

- verify that it is libseccomp by running the Bookworm-based image with `--security-opt seccomp=unconfined`
  - use only as a test; it is less secure to keep running them "unconfined"
  - learn more: https://docs.docker.com/engine/security/seccomp/
- one fix:
  - update libseccomp and docker on the host running the containers
- one workaround:
  - switch to the `*bullseye` images (in the postgres images, these will continue to be maintained/updated until the respective PostgreSQL end of life or the next Debian release, Debian Trixie)
I was referred from #1015 to this issue regarding an error involving a "pg_stat_tmp/global.stat: Permission Denied" error.
Is anyone having this issue? I've changed permissions multiple times for the file but it doesn't work unless I manually restart postgres14; then it works temporarily.
Regarding the fix proposed above by @yosifkit,

> update libseccomp and docker on the host running the containers

Are there any specific versions to which both Docker and libseccomp should be updated?
Maybe docker-library/official-images#16829 is helpful? At the very least, one of Docker 26.0.0, 25.0.3, 24.0.10, and 23.0.10, and likely libseccomp2 version 2.5.5+ (or the recently-Debian-backported 2.5.4-1+deb12u1; docker-library/official-images#16830 (comment)).
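The root-cause explanation above and the version numbers in the last comment can be turned into a host pre-flight check. The script below is an added example, not code from this thread or from the docker-library project; it assumes the host uses `dpkg` (Debian/Ubuntu) and the thresholds quoted in the last comment (Docker 26.0.0 / 25.0.3 / 24.0.10 / 23.0.10, libseccomp2 2.5.5+ or the 2.5.4-1+deb12u1 backport), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue thread): decide whether a host's Docker and
# libseccomp2 are new enough to run Debian Bookworm based images under Docker's
# default seccomp profile, per the versions quoted in the last comment.

# Strip a Debian package revision ("2.5.4-1+deb12u1" -> "2.5.4") and any
# "+dfsg" / "~rc" style suffix, leaving only the dotted upstream version.
upstream_version() {
  v=${1%%-*}; v=${v%%+*}; v=${v%%~*}
  printf '%s\n' "$v"
}

# version_ge A B: succeed when dotted version A is >= B, compared numerically
# field by field (pure POSIX sh; no dpkg --compare-versions or sort -V needed).
version_ge() {
  a=$(upstream_version "$1"); b=$(upstream_version "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$x" = "$a" ] && a= || a=${a#*.}
    [ "$y" = "$b" ] && b= || b=${b#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# docker_is_patched VERSION: Docker releases whose default seccomp profile knows
# the newer syscalls, as quoted in the thread (one per supported major line).
docker_is_patched() {
  v=$(upstream_version "$1")
  case "${v%%.*}" in
    23) version_ge "$v" 23.0.10 ;;
    24) version_ge "$v" 24.0.10 ;;
    25) version_ge "$v" 25.0.3 ;;
    *)  version_ge "$v" 26.0.0 ;;   # 26.x and later; anything older fails
  esac
}

# libseccomp_is_patched VERSION: 2.5.5+ or the Debian 12 backport 2.5.4-1+deb12u1.
libseccomp_is_patched() {
  [ "$1" = "2.5.4-1+deb12u1" ] && return 0
  version_ge "$1" 2.5.5
}

# bookworm_ok DOCKER_VERSION LIBSECCOMP_VERSION: "ok" when both meet the quoted
# thresholds, otherwise "update-or-use-bullseye" (the thread's fix or workaround).
bookworm_ok() {
  if docker_is_patched "$1" && libseccomp_is_patched "$2"; then echo ok
  else echo update-or-use-bullseye; fi
}

# On a real host: bookworm_ok "$(docker version --format '{{.Server.Version}}')" \
#   "$(dpkg-query -W -f='${Version}' libseccomp2)"
```

If the result is `update-or-use-bullseye`, the `--security-opt seccomp=unconfined` test from the comment above confirms whether the seccomp profile is what is blocking the container, before anything is changed on the host.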