docker-library/postgres

Docker image for Postgres 14 based on Bookworm is broken somehow

sirmax123 opened this issue · 10 comments

Updated docker image with tag postgres:14 is broken

Steps to reproduce:

  1. Existing Dockerfile, worked fine until today, just need to add postgis
FROM postgres:14

RUN apt-get update -y && apt-get install postgresql-14-postgis-3 -y

  2. Starting from today got errors running docker build command:
<Skipped>
apt-get  update
Get:1 http://deb.debian.org/debian bookworm InRelease [147 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
<skipped>
  3. Actual result: Build Failed
  4. Expected result: extension is installed

Workaround:

Replace FROM postgres:14 with FROM postgres:14-bullseye
(not possible to fix in my upstream repo, so I have to use sed in the build pipeline to do the fix on-the-fly)

have the same issue

I am unable to reproduce. I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined.

This is similar to the update to Ubuntu focal: docker-library/mongo#606 (comment)

Same as docker-library/python#837 (comment)

Related: #1099

It also breaks all our services when booting postgres:13 within our CircleCI pipelines. We're able to hotfix it for the moment by setting the image to postgres:13-bullseye. The logs didn't tell us anything about the reason behind it. One service was crashing right away with exit code 2, and the other one timed out after 10 minutes.

Confirmed with @Chaoste, I am trying to build AMD64 version of postgres:13. I tested with 13+ and bullseye/bookworm. Does not like the update command. I also updated my Docker for Desktop on my Mac to see if that fixed things, but it did not.

Also running into this issue on ubuntu 18, docker 23.05-1. Dmesg says:

bash[6496]: segfault at 56473bc14000 ip 00007fb59281fb97 sp 00007fff8864a568 error 6 in libc.so.6[7fb5926f3000+155000]
[  676.608738] Code: 00 00 c5 7d e7 8f 20 20 00 00 c5 7d e7 97 40 20 00 00 c5 7d e7 9f 60 20 00 00 c5 7d e7 a7 00 30 00 00 c5 7d e7 af 20 30 00 00 <c5> 7d e7 b7 40 30 00 00 c5 7d e7 bf 60 30 00 00 48 83 ef 80 ff c9

so it's bash that's segfaulting before the process even hits postgres

(basically the same comment as redis/docker-library-redis#365 (comment) and docker-library/python#837 (comment))

Root cause: it is very likely Docker with libseccomp so a newer syscall used in Debian Bookworm packages/libs is being blocked.

libseccomp lets you configure allowed syscalls for a process. Docker sets a default seccomp profile for all containers such that only certain syscalls are allowed and everything else is blocked (so, newer syscalls that are not yet known to libseccomp or docker are blocked).

  • verify that it is libseccomp by running the Bookworm-based image with --security-opt seccomp=unconfined
  • one fix:
    • update libseccomp and docker on the host running the containers
  • one workaround:
    • switch to the *bullseye images (in the postgres images, these will continue to be maintained/updated until the respective PostgreSQL end of life or the next Debian release, Debian Trixie)

I was referred from #1015 to this issue regarding a "pg_stat_tmp/global.stat": Permission Denied error.

Is anyone having this issue? I've changed permissions multiple times for the file but it doesn't work unless I manually restart postgres14 then it works temporarily.

Regarding the fix proposed above by @yosifkit,

update libseccomp and docker on the host running the containers

Are there any specific versions to which both Docker and libseccomp should be updated?

Maybe docker-library/official-images#16829 is helpful? At the very least, one of Docker 26.0.0, 25.0.3, 24.0.10, and 23.0.10, and likely libseccomp2 version 2.5.5+ (or the recently-Debian-backported 2.5.4-1+deb12u1; docker-library/official-images#16830 (comment)).
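
The checks discussed in this thread, as an added example (not code from any commenter or from the docker-library project): a shell script that compares the host's Docker and libseccomp2 versions with the releases named above and runs the issue's `apt-get update` under the default and the unconfined seccomp profile. The function names are hypothetical, and treating the four listed Docker releases as per-branch minimums is an assumption.

```shell
#!/bin/sh
# Added example: host checks for the seccomp problem discussed in this thread.

ver_ge() { # true when version $1 >= $2 (relies on `sort -V`)
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

strip_suffix() { printf '%s' "$1" | sed 's/[^0-9.].*$//'; } # "24.0.7-1" -> "24.0.7"

# Assumption: the four releases listed in the thread are per-branch minimums.
docker_fixed() {
  v=$(strip_suffix "$1"); major=${v%%.*}
  case "$major" in
    ''|*[!0-9]*) return 1 ;;
    23) min=23.0.10 ;;
    24) min=24.0.10 ;;
    25) min=25.0.3 ;;
    *) [ "$major" -ge 26 ] || return 1; min=26.0.0 ;;
  esac
  ver_ge "$v" "$min"
}

# 2.5.5+ or the exact Debian backport string quoted in the thread.
libseccomp_fixed() {
  [ "$1" = "2.5.4-1+deb12u1" ] && return 0
  ver_ge "$(strip_suffix "$1")" 2.5.5
}

# $1 = exit status with the default profile, $2 = with seccomp=unconfined
classify() {
  if [ "$1" -eq 0 ]; then echo not-reproduced
  elif [ "$2" -eq 0 ]; then echo seccomp-blocked
  else echo other-cause; fi
}

ab_test() { # diagnostic only: runs the issue's failing command both ways
  docker run --rm "$1" apt-get update >/dev/null 2>&1; def=$?
  docker run --rm --security-opt seccomp=unconfined "$1" apt-get update >/dev/null 2>&1; unc=$?
  classify "$def" "$unc"
}

if [ "${1:-}" = "--run" ]; then
  dv=$(docker version --format '{{.Server.Version}}')
  sv=$(dpkg-query -W -f='${Version}' libseccomp2 2>/dev/null) # Debian/Ubuntu hosts
  if docker_fixed "$dv"; then echo "docker $dv: ok"; else echo "docker $dv: update"; fi
  if libseccomp_fixed "$sv"; then echo "libseccomp2 $sv: ok"; else echo "libseccomp2 ${sv:-?}: update"; fi
  echo "default vs unconfined: $(ab_test "${2:-postgres:14}")"
fi
```

Run it with `--run` and optionally an image name on the host that runs the containers; a `seccomp-blocked` result means the failure disappears only when the profile is lifted, which points at the host's Docker/libseccomp rather than the image.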