moby: Base Image that fails to run only on BTRFS with /bin/bash: error in loading shared libraries: libncurses.so.5: cannot stat shared object: Error 75

I’ve put the base image in question into a Gist for easy building/testing: https://gist.github.com/tianon/11230518 (ie, docker build -t test https://gist.github.com/11230518.git)

On my BTRFS system:

$ docker info
Containers: 17
Images: 418
Storage Driver: btrfs
Execution Driver: native-0.1
Kernel Version: 3.12.14-gentoo
Debug mode (server): true
Debug mode (client): false
Fds: 11
Goroutines: 16
EventsListeners: 0
Init SHA1: a0a847f0bde38dc71bea71f6d1ef7784aea2e8e9
Init Path: /usr/libexec/docker/dockerinit
Username: tianon
Registry: [https://index.docker.io/v1/]
$ docker version
Client version: 0.10.0-dev
Client API version: 1.11
Go version (client): go1.2
Git commit (client): 6b0f0af
Server version: 0.10.0-dev
Server API version: 1.11
Git commit (server): 6b0f0af
Go version (server): go1.2
Last stable version: 0.10.0
$ docker build -t test https://gist.github.com/11230518.git
Uploading context 25.82 MB
Uploading context 
Step 0 : FROM scratch
 ---> 511136ea3c5a
Step 1 : ADD rootfs.tar.xz /
 ---> 6d0926382ac5
Removing intermediate container e09509bbe087
Step 2 : CMD ["/bin/bash"]
 ---> Running in 7e2fcad0d1bd
 ---> 10425905f4b6
Removing intermediate container 7e2fcad0d1bd
Successfully built 10425905f4b6
$ docker run -it --rm test
/bin/bash: error in loading shared libraries: libncurses.so.5: cannot stat shared object: Error 75

On my AUFS system:

$ docker info
Containers: 80
Images: 1228
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 1705
Execution Driver: native-0.1
Kernel Version: 3.12.13-gentoo
Debug mode (server): true
Debug mode (client): false
Fds: 24
Goroutines: 84
EventsListeners: 0
Init SHA1: 83753cadf5c3033f8a6f59ace04e21b6bbb0466e
Init Path: /var/lib/docker/init/dockerinit-0.10.0-dev
Username: tianon
Registry: [https://index.docker.io/v1/]
$ docker version
Client version: 0.10.0-dev
Client API version: 1.11
Go version (client): go1.2
Git commit (client): 231f53f
Server version: 0.10.0-dev
Server API version: 1.11
Git commit (server): 24c4c3e
Go version (server): go1.2
Last stable version: 0.10.0
$ docker build -t test https://gist.github.com/11230518.git
Uploading context 25.82 MB
Uploading context 
Step 0 : FROM scratch
 ---> 511136ea3c5a
Step 1 : ADD rootfs.tar.xz /
 ---> 40a11eba76e5
Removing intermediate container d6d0d0ea6b18
Step 2 : CMD ["/bin/bash"]
 ---> Running in 971adf3b03b6
 ---> 1009c758246e
Removing intermediate container 971adf3b03b6
Successfully built 1009c758246e
$ docker run -it --rm test
bash-2.03# cat /etc/debian_version 
2.2
bash-2.03# exit

Here’s how I created the image filesystem:

# debootstrap --arch=i386 --include=iproute potato /tmp/docker-mkimage.Ifmq3BC6nl/rootfs http://archive.debian.org/debian
I: Retrieving Release 
I: Retrieving Packages 
I: Validating Packages 
I: Found packages in base already in required: libdb2 textutils 
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Found additional base dependencies: debconf perl-5.005 
...
I: Extracting textutils...
I: Extracting update...
I: Extracting util-linux...
I: Extracting whiptail...
# echo set up a few of my other things like policy-rc.d, divert initctl, etc
Adding `local diversion of /sbin/initctl to /sbin/initctl.distrib'
# chroot /tmp/docker-mkimage.Ifmq3BC6nl/rootfs apt-get clean
# chroot /tmp/docker-mkimage.Ifmq3BC6nl/rootfs apt-get update
Hit http://archive.debian.org potato/main Packages
Get:1 http://archive.debian.org potato/main Release [95B]
Fetched 95B in 0s (511B/s)
Reading Package Lists...
Building Dependency Tree...
# chroot /tmp/docker-mkimage.Ifmq3BC6nl/rootfs apt-get dist-upgrade -y
Reading Package Lists...
Building Dependency Tree...
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
# tar --numeric-owner -caf /tmp/docker-mkimage.Ifmq3BC6nl/rootfs.tar.xz -C /tmp/docker-mkimage.Ifmq3BC6nl/rootfs '--transform=s,^./,,' .
# echo write out Dockerfile seen at https://gist.github.com/tianon/11230518#file-dockerfile
FROM scratch
ADD rootfs.tar.xz /
CMD ["/bin/bash"]

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 16 (15 by maintainers)

Most upvoted comments

I’m still 100% in favor of leaving this closed, but to add more research details, I’ve managed to verify that this is (somehow) related to seccomp! I used Gentoo (since it’s trivial for me to recompile Docker there with and without seccomp to test), and it fails with seccomp enabled and works fine with seccomp disabled! 😱

There’s got to be some random old legacy syscall this ancient glibc is trying to invoke that either our default profile is blocking or that libseccomp can’t even handle.

I also tested with --security-opt seccomp=unconfined and even --privileged and neither of those work, but as I understand it those really just apply a very relaxed profile and don’t disable the seccomp filter entirely, right? So this could technically be the same issue as what’s described in https://github.com/moby/moby/pull/36417#issuecomment-369266565 (ie, if libseccomp doesn’t support a syscall, we can’t do anything to/with it)?

(Also for what it’s worth, the Potato image is pushed to debian/eol:potato so anyone who wants to mess around with this can do so via docker run -it --rm debian/eol:potato very trivially. 😄)

Edit: there’s something else or something more to it – just tried on another system and it did not work there… 😞 😕
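One way to test the hypothesis in the comment above (a seccomp profile blocking a legacy syscall) is to resolve candidate syscall names against a profile in Docker's seccomp JSON layout. This is an added example, not code from the issue or from Docker; the embedded profile is constructed and abbreviated, and the candidate list of i386 stat-family syscalls is an assumption, not a diagnosis of this bug.

```python
import json

# Constructed, abbreviated profile in Docker's seccomp JSON layout.
# It is NOT Docker's real default profile; load the profile you actually run.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["stat", "fstat", "lstat", "stat64"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

# Assumption: stat-family syscalls an old i386 libc might issue.
LEGACY_CANDIDATES = ["oldstat", "oldfstat", "oldlstat",
                     "stat", "lstat", "fstat", "stat64"]


def resolve(profile, name):
    """Return (action, conditional) for one syscall name.

    conditional is True when the only matching rules carry argument filters
    or includes/excludes conditions, so the outcome depends on runtime context.
    Names with no rule fall through to the profile's defaultAction.
    """
    conditional_hit = None
    for rule in profile.get("syscalls", []):
        # Newer profiles use "names" (a list); older ones use "name".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if name not in names:
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            conditional_hit = conditional_hit or (rule["action"], True)
        else:
            return rule["action"], False
    return conditional_hit or (profile["defaultAction"], False)


def not_plainly_allowed(profile, names):
    """Names the profile does not allow unconditionally, sorted."""
    flagged = []
    for n in names:
        action, conditional = resolve(profile, n)
        if action != "SCMP_ACT_ALLOW" or conditional:
            flagged.append(n)
    return sorted(flagged)


if __name__ == "__main__":
    for n in LEGACY_CANDIDATES:
        print(n, resolve(SAMPLE_PROFILE, n))
```

Any name it flags is only a lead to confirm against a syscall trace of the failing process.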

A really cheeky workaround for this is to install qemu-i386-static via binfmt and run all 32-bit binaries via emulation instead of letting them run natively. 😂

Makes sense; let’s keep it closed for now, thanks!