python: `python:3.9` - Failed run `apt update` from the last version of the image
as titled
today morning we found that our builds failed
we are using python:3.9
when we run apt update the build failed
it looks that it fails because of the upgrade to bookworm
we get this errors
#5 [build 2/4] RUN apt-get update && apt-get install -y --no-install-recommends poppler-utils
#5 sha256:fdb97fe2ebc3fcf79626c6628756f871cc0d6b0fc02ba21a2949fe33d31a2373
#5 0.240 Get:1 http://deb.debian.org/debian bookworm InRelease [147 kB]
#5 0.247 Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
#5 0.248 Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
#5 0.277 Err:1 http://deb.debian.org/debian bookworm InRelease
#5 0.277 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
#5 0.303 Err:2 http://deb.debian.org/debian bookworm-updates InRelease
#5 0.303 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
#5 0.329 Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
#5 0.329 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
#5 0.330 Reading package lists...
#5 0.337 W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
#5 0.337 E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
#5 0.337 W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
#5 0.337 E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
#5 0.337 W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
#5 0.337 E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
#5 0.337 E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
#5 0.337 E: Sub-process returned an error cod
About this issue
- Original URL
- State: closed
- Created a year ago
- Reactions: 16
- Comments: 29 (6 by maintainers)
Commits related to this issue
- Pin debian release https://github.com/docker-library/python/issues/837 — committed to vulekamali/ocds-data-summary by jbothma 10 months ago
- Revert upgrade from bullseye to bookworm - we are being bitten by this issue on the Sussex VM deployment: https://github.com/docker-library/python/issues/837#issuecomment-1599640563 (other deployment... — committed to ds283/mps-project by ds283 9 months ago
(basically the same comment as https://github.com/docker-library/redis/issues/365#issuecomment-1599633849)
Root cause: it is Docker with
libseccompso a newer syscall used in Debian Bookworm packages/libs is being blocked. (Thanks for confirming @aebm)libseccomplets you configure allowed syscalls for a process. Docker sets a default seccomp profile for all containers such that only certain syscalls are allowed and everything else is blocked (so, newer syscalls that are not yet known tolibseccompordockerare blocked).libseccompby running the Bookworm-based image with--security-opt seccomp=unconfinedlibseccompanddockeron the host running the containers*bullseyeimages (in thepythonimages, these will continue to be maintained/updated until the respective Python end of life or the next Debian release, Debian Trixie)This broke our ci docker build jobs that used
python:3.9-slimWe used docker v24.0.2 to do the build.Can confirm that our builds were also impacted using
python:3.8-slim. Modifying topython:3.8-slim-bullseyeresolved the issue, so we’re temporarily using that until the issue is resolved.It seems like the pointers for the latest image tags are moved to bookworm. The
python:3.9-slim-bullseyemight work instead ofpython:3.9-slimor maybepython:3.9-slim-busterwill work too. The official 3.9 image github update shows that the version is updated frombustertobookworm.hitting us as well, using
python:3.7I am unable to reproduce. I’d suggest updating docker and libseccomp on the host. Newer base OS’s use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with
--security-opt seccomp=unconfined.This is similar to the update to Ubuntu focal: https://github.com/docker-library/mongo/issues/606#issuecomment-1424965831
@davidt99 on mac I found a workaround: exit 0, so
apt-get updatebecomesbash -c "apt-get update; exit 0". probably not proper solution but it works for nowThe proper fix is updating libseccomp2 (and Docker/runc) on your host. 👍