Unable to update LXC container OS - "E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease' is not signed."

Bebe · April 16, 2022, 2:47pm

Hello,

I’m trying to perform update of lxc-container running with “Ubuntu 20.04.3 LTS”. But I’m getting the following error:

root@pihole:/usr/bin# apt-get update
Get:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
Err:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
Unknown error executing apt-key
Err:2 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
Unknown error executing apt-key
Err:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease
Unknown error executing apt-key
Reading package lists… Done
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease: Unknown error executing apt-key
E: The repository ‘http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease’ is not signed.
…

After quick search I’ve found the problem might be caused by this issue with lib Seccomp:

github.com/moby/moby

Seccomp blocks install of "libc6" in Ubuntu 20.04 "focal" image on armhf (arm32v7)

opened 09:27AM - 25 Mar 20 UTC

thaJeztah

exp/expert kind/bug area/security/seccomp

Opening a tracking issue for this for further investigation. More details can be… found in: - https://github.com/docker/containerd-packaging/pull/151 (which I'm using as a debugging environment for this) - https://github.com/dotnet/dotnet-docker/issues/1747 - https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1867675 - (probably unrelated) https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1867431 ### Summary Ubuntu 20.04 ("focal") on armhf (arm32) currently has an issue where it looks like seccomp is blocking a syscall that's used when installing libc6: docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6' ... Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ... Checking for services that may need to be restarted... Checking init scripts... Checking for services that may need to be restarted... Checking init scripts... Nothing to restart. Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ... tar: ./control: Cannot utime: Operation not permitted tar: ./md5sums: Cannot utime: Operation not permitted tar: ./shlibs: Cannot utime: Operation not permitted tar: ./symbols: Cannot utime: Operation not permitted tar: ./triggers: Cannot utime: Operation not permitted tar: .: Cannot utime: Operation not permitted tar: Exiting with failure status due to previous errors dpkg-deb: error: tar subprocess returned error exit status 2 dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack): dpkg-deb --control subprocess returned error exit status 2 Errors were encountered while processing: /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb E: Sub-process /usr/bin/dpkg returned an error code (1) #### With seccomp disabled, installing `libc6` is succesfull ```bash docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6' ``` <details><summary>output of the above:</summary> ```console focal: Pulling from arm32v7/ubuntu Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15 Status: Image is up to date for arm32v7/ubuntu:focal docker.io/arm32v7/ubuntu:focal Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB] Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB] Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB] Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB] Get:5 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB] Get:6 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB] Get:7 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB] Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB] Fetched 12.9 MB in 5s (2427 kB/s) Reading package lists... Reading package lists... Building dependency tree... Reading state information... The following additional packages will be installed: gcc-10-base libc-bin libcrypt1 libgcc-s1 Suggested packages: manpages glibc-doc locales The following NEW packages will be installed: gcc-10-base libcrypt1 libgcc-s1 The following packages will be upgraded: libc-bin libc6 2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded. Need to get 2770 kB of archives. After this operation, 618 kB of additional disk space will be used. Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB] Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB] Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB] Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB] Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB] debconf: delaying package configuration, since apt-utils is not installed Fetched 2770 kB in 0s (10.7 MB/s) Selecting previously unselected package gcc-10-base:armhf. (Reading database ... 4126 files and directories currently installed.) Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ... Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ... Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ... Selecting previously unselected package libgcc-s1:armhf. (Reading database ... 4132 files and directories currently installed.) Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ... Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ... Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ... Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ... (Reading database ... 4134 files and directories currently installed.) Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ... Checking for services that may need to be restarted... Checking init scripts... Checking for services that may need to be restarted... Checking init scripts... Nothing to restart. Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ... Selecting previously unselected package libcrypt1:armhf. Preparing to unpack .../libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb ... Unpacking libcrypt1:armhf (1:4.4.10-10ubuntu4) ... Setting up libcrypt1:armhf (1:4.4.10-10ubuntu4) ... Setting up libc6:armhf (2.31-0ubuntu6) ... Checking for services that may need to be restarted... Checking init scripts... Nothing to restart. (Reading database ... 4137 files and directories currently installed.) Preparing to unpack .../libc-bin_2.31-0ubuntu6_armhf.deb ... Unpacking libc-bin (2.31-0ubuntu6) over (2.30-0ubuntu3) ... Setting up libc-bin (2.31-0ubuntu6) ... ``` </details> ### With seccomp enabled, installation fails: ```bash docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6' ``` <details><summary>output of the above:</summary> ```console focal: Pulling from arm32v7/ubuntu Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15 Status: Image is up to date for arm32v7/ubuntu:focal docker.io/arm32v7/ubuntu:focal Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB] Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB] Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB] Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB] Get:5 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB] Get:6 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB] Get:7 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB] Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB] Fetched 12.9 MB in 6s (2183 kB/s) Reading package lists... Reading package lists... Building dependency tree... Reading state information... The following additional packages will be installed: gcc-10-base libc-bin libcrypt1 libgcc-s1 Suggested packages: manpages glibc-doc locales The following NEW packages will be installed: gcc-10-base libcrypt1 libgcc-s1 The following packages will be upgraded: libc-bin libc6 2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded. Need to get 2770 kB of archives. After this operation, 618 kB of additional disk space will be used. Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB] Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB] Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB] Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB] Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB] debconf: delaying package configuration, since apt-utils is not installed Fetched 2770 kB in 1s (5278 kB/s) Selecting previously unselected package gcc-10-base:armhf. (Reading database ... 4126 files and directories currently installed.) Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ... Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ... Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ... Selecting previously unselected package libgcc-s1:armhf. (Reading database ... 4132 files and directories currently installed.) Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ... Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ... Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ... Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ... (Reading database ... 4134 files and directories currently installed.) Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ... Checking for services that may need to be restarted... Checking init scripts... Checking for services that may need to be restarted... Checking init scripts... Nothing to restart. Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ... tar: ./control: Cannot utime: Operation not permitted tar: ./md5sums: Cannot utime: Operation not permitted tar: ./shlibs: Cannot utime: Operation not permitted tar: ./symbols: Cannot utime: Operation not permitted tar: ./triggers: Cannot utime: Operation not permitted tar: .: Cannot utime: Operation not permitted tar: Exiting with failure status due to previous errors dpkg-deb: error: tar subprocess returned error exit status 2 dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack): dpkg-deb --control subprocess returned error exit status 2 Errors were encountered while processing: /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb E: Sub-process /usr/bin/dpkg returned an error code (1) ``` </details> ### Information about the environment <details> <summary>docker version</summary> ```console Client: Docker Engine - Community Version: 19.03.5 API version: 1.40 Go version: go1.12.12 Git commit: 633a0ea Built: Wed Nov 13 07:38:47 2019 OS/Arch: linux/arm Experimental: false Server: Docker Engine - Community Engine: Version: 19.03.5 API version: 1.40 (minimum version 1.12) Go version: go1.12.12 Git commit: 633a0ea Built: Wed Nov 13 07:32:48 2019 OS/Arch: linux/arm Experimental: true containerd: Version: 1.2.10 GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339 runc: Version: 1.0.0-rc8+dev GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657 docker-init: Version: 0.18.0 GitCommit: fec3683 ``` </details> <details> <summary>docker info</summary> ``` Client: Debug Mode: false Server: Containers: 0 Running: 0 Paused: 0 Stopped: 0 Images: 0 Server Version: 19.03.5 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: runc Default Runtime: runc Init Binary: docker-init containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657 init version: fec3683 Security Options: apparmor seccomp Profile: default Kernel Version: 4.4.127-mainline-rev1 Operating System: Ubuntu 16.04.5 LTS OSType: linux Architecture: armv7l CPUs: 4 Total Memory: 1.974GiB Name: arm32v7-ubuntu-03 ID: W2ZP:3XMC:TH2A:OMPM:V542:GKAR:S6Q3:YKZC:QQHT:ERP2:LNHR:427E Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: true Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false ``` </details> <details> <summary>Output of `check-config.sh`:</summary> ```bash curl -fsSL https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh | bash info: reading kernel config from /proc/config.gz ... Generally Necessary: - cgroup hierarchy: properly mounted [/sys/fs/cgroup] - apparmor: enabled and tools installed - CONFIG_NAMESPACES: enabled - CONFIG_NET_NS: enabled - CONFIG_PID_NS: enabled - CONFIG_IPC_NS: enabled - CONFIG_UTS_NS: enabled - CONFIG_CGROUPS: enabled - CONFIG_CGROUP_CPUACCT: enabled - CONFIG_CGROUP_DEVICE: enabled - CONFIG_CGROUP_FREEZER: enabled - CONFIG_CGROUP_SCHED: enabled - CONFIG_CPUSETS: enabled - CONFIG_MEMCG: enabled - CONFIG_KEYS: enabled - CONFIG_VETH: enabled - CONFIG_BRIDGE: enabled (as module) - CONFIG_BRIDGE_NETFILTER: enabled (as module) - CONFIG_NF_NAT_IPV4: enabled (as module) - CONFIG_IP_NF_FILTER: enabled (as module) - CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module) - CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module) - CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module) - CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module) - CONFIG_IP_NF_NAT: enabled (as module) - CONFIG_NF_NAT: enabled (as module) - CONFIG_NF_NAT_NEEDED: enabled - CONFIG_POSIX_MQUEUE: enabled - CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled Optional Features: - CONFIG_USER_NS: enabled - CONFIG_SECCOMP: enabled - CONFIG_CGROUP_PIDS: enabled - CONFIG_MEMCG_SWAP: enabled - CONFIG_MEMCG_SWAP_ENABLED: enabled [1;30m(cgroup swap accounting is currently enabled) - CONFIG_MEMCG_KMEM: enabled - CONFIG_BLK_CGROUP: enabled - CONFIG_BLK_DEV_THROTTLING: enabled - CONFIG_IOSCHED_CFQ: enabled - CONFIG_CFQ_GROUP_IOSCHED: enabled - CONFIG_CGROUP_PERF: enabled - CONFIG_CGROUP_HUGETLB: missing - CONFIG_NET_CLS_CGROUP: enabled (as module) - CONFIG_CGROUP_NET_PRIO: enabled - CONFIG_CFS_BANDWIDTH: enabled - CONFIG_FAIR_GROUP_SCHED: enabled - CONFIG_RT_GROUP_SCHED: enabled - CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module) - CONFIG_IP_VS: enabled (as module) - CONFIG_IP_VS_NFCT: enabled - CONFIG_IP_VS_PROTO_TCP: enabled - CONFIG_IP_VS_PROTO_UDP: enabled - CONFIG_IP_VS_RR: enabled (as module) - CONFIG_EXT4_FS: enabled - CONFIG_EXT4_FS_POSIX_ACL: enabled - CONFIG_EXT4_FS_SECURITY: enabled - Network Drivers: - "overlay": - CONFIG_VXLAN: enabled (as module) - CONFIG_BRIDGE_VLAN_FILTERING: enabled Optional (for encrypted networks): - CONFIG_CRYPTO: enabled - CONFIG_CRYPTO_AEAD: enabled (as module) - CONFIG_CRYPTO_GCM: enabled (as module) - CONFIG_CRYPTO_SEQIV: enabled (as module) - CONFIG_CRYPTO_GHASH: enabled (as module) - CONFIG_XFRM: enabled - CONFIG_XFRM_USER: enabled (as module) - CONFIG_XFRM_ALGO: enabled - CONFIG_INET_ESP: enabled (as module) - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled - "ipvlan": - CONFIG_IPVLAN: enabled (as module) - "macvlan": - CONFIG_MACVLAN: enabled (as module) - CONFIG_DUMMY: enabled (as module) - "ftp,tftp client in container": - CONFIG_NF_NAT_FTP: enabled (as module) - CONFIG_NF_CONNTRACK_FTP: enabled (as module) - CONFIG_NF_NAT_TFTP: enabled (as module) - CONFIG_NF_CONNTRACK_TFTP: enabled (as module) - Storage Drivers: - "aufs": - CONFIG_AUFS_FS: enabled (as module) - "btrfs": - CONFIG_BTRFS_FS: enabled (as module) - CONFIG_BTRFS_FS_POSIX_ACL: enabled - "devicemapper": - CONFIG_BLK_DEV_DM: enabled (as module) - CONFIG_DM_THIN_PROVISIONING: enabled (as module) - "overlay": - CONFIG_OVERLAY_FS: enabled (as module) - "zfs": - /dev/zfs: missing - zfs command: missing - zpool command: missing Limits: - /proc/sys/kernel/keys/root_maxkeys: 1000000 ``` </details>

I get it from this forum:

As I don’t want to install manually additional library to Turris Omnia. Maybe better to run the container as privileged temporary just for the update process, so it will be running under root. But how can I achieve that? I do not see such option for lxc-start nor in lxc.container.conf.

Thank you.

petrprochy · April 19, 2022, 9:25pm

IMHO I think LXC container is not same as Docker container. Container is always run as root user.
I tried fresh installation of Ubuntu Focal from Turris repo and “apt update” works correctly. Actual is installed libseccomp2 v2.5.1.

What version is actual installed? Is any error in /var/log/apt/ directory?

Of course you can install libseccomp2 package locally via dpkg tool.

Bebe · April 20, 2022, 6:14pm

I’ve already installed the latest one, but I’m still getting the same error.

root@pihole:~# dpkg -l |grep libseccomp
ii libseccomp2:armhf 2.5.3-2 armhf high level interface to Linux seccomp filter

There is no error visible within logs in /var/log/apt…
But since I’m running just pihole on that container, I decided to deploy new container in between with debian 11. Update is working fine there.
So might be this Ubuntu installation had some troubles. I’ll keep it installed and try some other thing to fix it.

petrprochy · April 21, 2022, 9:31am

Hmm, what keys are installed for apt? Execute apt-key list. I have installed this keys:
root@LXCNAME:~# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) ftpmaster@ubuntu.com

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Bebe · April 22, 2022, 9:01pm

Looks like there is some trouble with installed packages:

root@pihole:~# apt-key list
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation

I can see the following:

root@pihole:~# apt-cache search gnupg
gpgv - GNU privacy guard - signature verification tool
libgpg-error0 - GnuPG development runtime library
libhogweed5 - low level cryptographic library (public-key cryptos)
libnettle7 - low level cryptographic library (symmetric and one-way cryptos)
ubuntu-keyring - GnuPG keys of the Ubuntu archive

petrprochy · April 25, 2022, 8:54pm

OK, so can you execute apt-get in verbose mode?
apt-get -oDebug::pkgAcquire::Worker=1 update 2>&1 | sed ‘s/%20/ /g; s/%0a/ /g’

In log file are interesting this lines:
→ gpgv:600 URI Acquire URI: gpgv:/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease Filename: /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease Target-Release: focal Target-Type: index Target-Base-URI: Index of /ubuntu-ports/dists/focal Target-Repo-URI: Index of /ubuntu-ports Target-Site: http://ports.ubuntu.com/ubuntu-ports Index-File: true Maximum-Size: 10000000 Last-Modified: Thu, 23 Apr 2020 17:34:17 GMT Fail-Ignore: true
Hit:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
← gpgv:201 URI Done GPGVOutput: GOODSIG 3B4FE6ACC0B21F32 GOODSIG 871920D1991BC93C Signed-By: 790BC7277767219C42C86F933B4FE6ACC0B21F32! F6ECB3762474EDA9D21B7022871920D1991BC93C! Filename: /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease URI: gpgv:/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease

Bebe · May 3, 2022, 8:16pm

sorry for later response…
I ran it in debug mode as you suggested, here are the lines you wanted to see.
For all gpgv:600 URI, the response is same:

→ gpgv:600 URI Acquire URI: gpgv:/var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease Filename: /var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease Target-Release: focal-security Target-Type: index Target-Base-URI: Index of /ubuntu-ports/dists/focal-security Target-Repo-URI: Index of /ubuntu-ports Target-Site: http://ports.ubuntu.com/ubuntu-ports Index-File: true Maximum-Size: 10000000 Fail-Ignore: true
Err:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
Unknown error executing apt-key
← gpgv:400 URI Failure Message: Unknown error executing apt-key URI: gpgv:/var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease

No other error is thrown.

petrprochy · May 4, 2022, 8:29pm

What version is install of apt? Is installed any gpg package? Check via dpkg -l | grep keyword

I have in LXC installed this packages:

root@LXCNAME:/var/log/apt# dpkg -l | grep -E -e "apt|gpg"
ii  apt                            2.0.6                        armhf        commandline package manager
ii  apt-utils                      2.0.6                        armhf        package management related utility programs
ii  aptitude                       0.8.12-1ubuntu4              armhf        terminal-based package manager
ii  aptitude-common                0.8.12-1ubuntu4              all          architecture independent files for the aptitude package manager
ii  gpgv                           2.2.19-3ubuntu2.1            armhf        GNU privacy guard - signature verification tool
ii  libapt-pkg6.0:armhf            2.0.6                        armhf        package management runtime library
ii  libgpg-error0:armhf            1.37-1                       armhf        GnuPG development runtime library
ii  python-apt-common              2.0.0ubuntu0.20.04.7         all          Python interface to libapt-pkg (locales)
ii  python3-apt                    2.0.0ubuntu0.20.04.7         armhf        Python 3 interface to libapt-pkg

Bebe · May 5, 2022, 7:15pm

Looks like the version is the same:

root@pihole:~# dpkg -l |grep -E "apt|gpg"
ii  apt                         2.0.6                             armhf        commandline package manager
ii  apt-transport-https         2.0.6                             all          transitional package for https support
ii  apt-utils                   2.0.6                             armhf        package management related utility programs
ii  gpgv                        2.2.19-3ubuntu2.1                 armhf        GNU privacy guard - signature verification tool
ii  libapt-pkg6.0:armhf         2.0.6                             armhf        package management runtime library
ii  libgpg-error0:armhf         1.37-1                            armhf        GnuPG development runtime library

petrprochy · May 6, 2022, 7:05pm

Ok, so second chance. Try call apt-get with this options:

apt-get -oDebug::Acquire::gpgv=1 update

I have this result of of one part:

Hit:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
inside VerifyGetSigners
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.AWaUo7 /tmp/apt.data.g2vPl8
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
Read: [GNUPG:] NEWSIG

Read: [GNUPG:] KEY_CONSIDERED 790BC7277767219C42C86F933B4FE6ACC0B21F32 0

Read: [GNUPG:] SIG_ID ZFgbfrBIfmPmMkl7QrbQKd6p5Es 2020-04-23 1587663257

Read: [GNUPG:] KEY_CONSIDERED 790BC7277767219C42C86F933B4FE6ACC0B21F32 0

Read: [GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

Got GOODSIG 3B4FE6ACC0B21F32 !
Read: [GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2020-04-23 1587663257 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32

Got trusted VALIDSIG, key ID: 790BC7277767219C42C86F933B4FE6ACC0B21F32
Read: [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23

Read: [GNUPG:] NEWSIG

Read: [GNUPG:] KEY_CONSIDERED F6ECB3762474EDA9D21B7022871920D1991BC93C 0

Read: [GNUPG:] SIG_ID Xr4bMtWp5CXUImKlL/AAd/+isKA 2020-04-23 1587663257

Read: [GNUPG:] KEY_CONSIDERED F6ECB3762474EDA9D21B7022871920D1991BC93C 0

Read: [GNUPG:] GOODSIG 871920D1991BC93C Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Got GOODSIG 871920D1991BC93C !
Read: [GNUPG:] VALIDSIG F6ECB3762474EDA9D21B7022871920D1991BC93C 2020-04-23 1587663257 0 4 0 1 10 01 F6ECB3762474EDA9D21B7022871920D1991BC93C

Got trusted VALIDSIG, key ID: F6ECB3762474EDA9D21B7022871920D1991BC93C
Read: [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23

gpgv exited with status 0
Summary:
  Good: GOODSIG 3B4FE6ACC0B21F32, GOODSIG 871920D1991BC93C
  Valid: 790BC7277767219C42C86F933B4FE6ACC0B21F32, F6ECB3762474EDA9D21B7022871920D1991BC93C
  Bad:
  Worthless:
  SoonWorthless:
  NoPubKey:
  Signed-By: 790BC7277767219C42C86F933B4FE6ACC0B21F32!, F6ECB3762474EDA9D21B7022871920D1991BC93C!
  NODATA: no
apt-key succeeded

I hope that result of this gets more info of issue.

Bebe · May 10, 2022, 8:15pm

Again without deeper details…
at least I cannot find what is the exit code 135 for gpgv

Get:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
0% [Working]inside VerifyGetSigners
Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.3HumH9 /tmp/apt.data.g5UIXa
Get:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
0% [Working]gpgv exited with status 135                                                                                                                                                              
Summary:
  Good: 
  Valid: 
  Bad: 
  Worthless: 
  SoonWorthless: 
  NoPubKey: 
  Signed-By: 
  NODATA: no
Err:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
  Unknown error executing apt-key

petrprochy · May 10, 2022, 9:08pm

OK, so call apt-key directly, for ex.:

apt-key verify /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease

I get this result:

gpgv: Signature made Fri May  6 18:05:20 2022 UTC
gpgv:                using RSA key 3B4FE6ACC0B21F32
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>"
gpgv: Signature made Fri May  6 18:05:20 2022 UTC
gpgv:                using RSA key 871920D1991BC93C
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>"

Bebe · May 21, 2022, 2:48pm

I get just this, but together with it I can see the new dmesg entry…

root@pihole:~# apt-key verify /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease 
Bus error
root@pihole:~# dmesg |tail -1
[823182.664441] BTRFS warning (device sda1): csum failed root 5 ino 1986 off 90112 csum 0x1dd40ceb expected csum 0x12994098 mirror 1

So this looks like the issue might be caused by failed blocks on USB key where containers are stored. And maybe some binaries/libraries are sitting on these corrupted blocks…
I’ll try to check the usb offline when I’ll be at home.

Bebe · May 25, 2022, 5:07pm

So yes, there are some checksum errors on FS level. As this is just container and I’ve already migrated to new one, I think this topic might be closed. I don’t think this could be fixed (at least for sure not on that container wich is already affected). Hard to say what exactly is corrupted there. Probably some part of usb key is worn out and caused issues on btrfs level.
It is quite old usb key. I’m redirecting os logging on usb keys to ram by default, but you never know…

Thanks a lot for your help and patience.

$ sudo btrfs check -p --check-data-csum /dev/sdb1
Opening filesystem to check...
Checking filesystem on /dev/sdb1
UUID: bcbb6ed7-3760-41ae-8ece-ed02481a5d67
[1/7] checking root items                      (0:00:02 elapsed, 198283 items checked)
[2/7] checking extents                         (0:00:06 elapsed, 4768 items checked)
block group 3452960768 has wrong amount of free space, free space cache has 222867456 block group has 250429440
failed to load free space cache for block group 3452960768
[3/7] checking free space cache                (0:00:00 elapsed, 9 items checked)
[4/7] checking fs roots                        (0:00:01 elapsed, 3282 items checked)
mirror 1 bytenr 425459712 csum 0x09fa5474 expected csum 0x538c7c4b032 items checked)
mirror 1 bytenr 425463808 csum 0x0c6a6ae4 expected csum 0xb201f83c
mirror 1 bytenr 425467904 csum 0xe790515b expected csum 0xba00c1fa
mirror 1 bytenr 425472000 csum 0xeb0cd41d expected csum 0x98409912
[5/7] checking csums against data              (0:02:46 elapsed, 56482 items checked)
ERROR: errors found in csum tree
[6/7] checking root refs                       (0:00:00 elapsed, 4 items checked)
[7/7] checking quota groups skipped (not enabled on this FS)
found 3669475328 bytes used, error(s) found
total csum bytes: 3495104
total tree bytes: 77971456
total fs tree bytes: 54018048
total extent tree bytes: 17989632
btree space waste bytes: 12461938
file data blocks allocated: 3788791808
 referenced 2703204352

petrprochy · May 25, 2022, 7:16pm

It’s fine to see that problem is solved.

You can call btrfs scrub command:

btrfs scrub start -B /

And in syslog you will see which files are corrupted. I see broken files on openSUSE, so on Ubuntu can be too.

system · May 28, 2022, 7:16pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.