Bebe
April 16, 2022, 2:47pm
1
Hello,
I’m trying to perform update of lxc-container running with “Ubuntu 20.04.3 LTS”. But I’m getting the following error:
root@pihole:/usr/bin# apt-get update
Get:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
Err:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
Unknown error executing apt-key
Err:2 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
Unknown error executing apt-key
Err:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease
Unknown error executing apt-key
Reading package lists… Done
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease: Unknown error executing apt-key
E: The repository ‘http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease’ is not signed.
…
After quick search I’ve found the problem might be caused by this issue with lib Seccomp:
opened 09:27AM - 25 Mar 20 UTC
exp/expert
kind/bug
area/security/seccomp
Opening a tracking issue for this for further investigation. More details can be… found in:
- https://github.com/docker/containerd-packaging/pull/151 (which I'm using as a debugging environment for this)
- https://github.com/dotnet/dotnet-docker/issues/1747
- https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1867675
- (probably unrelated) https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1867431
### Summary
Ubuntu 20.04 ("focal") on armhf (arm32) currently has an issue where it looks like seccomp is blocking a syscall that's used when installing libc6:
docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
...
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
/var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
#### With seccomp disabled, installing `libc6` is succesfull
```bash
docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
```
<details><summary>output of the above:</summary>
```console
focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal
Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 5s (2427 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
manpages glibc-doc locales
The following NEW packages will be installed:
gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 0s (10.7 MB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Selecting previously unselected package libcrypt1:armhf.
Preparing to unpack .../libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb ...
Unpacking libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libc6:armhf (2.31-0ubuntu6) ...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
(Reading database ... 4137 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.31-0ubuntu6_armhf.deb ...
Unpacking libc-bin (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Setting up libc-bin (2.31-0ubuntu6) ...
```
</details>
### With seccomp enabled, installation fails:
```bash
docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
```
<details><summary>output of the above:</summary>
```console
focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal
Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 6s (2183 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
manpages glibc-doc locales
The following NEW packages will be installed:
gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 1s (5278 kB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
/var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
</details>
### Information about the environment
<details>
<summary>docker version</summary>
```console
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:38:47 2019
OS/Arch: linux/arm
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:32:48 2019
OS/Arch: linux/arm
Experimental: true
containerd:
Version: 1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.0
GitCommit: fec3683
```
</details>
<details>
<summary>docker info</summary>
```
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.127-mainline-rev1
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 1.974GiB
Name: arm32v7-ubuntu-03
ID: W2ZP:3XMC:TH2A:OMPM:V542:GKAR:S6Q3:YKZC:QQHT:ERP2:LNHR:427E
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
```
</details>
<details>
<summary>Output of `check-config.sh`:</summary>
```bash
curl -fsSL https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh | bash
info: reading kernel config from /proc/config.gz ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled
Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
[1;30m(cgroup swap accounting is currently enabled)
- CONFIG_MEMCG_KMEM: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
- "overlay":
- CONFIG_VXLAN: enabled (as module)
- CONFIG_BRIDGE_VLAN_FILTERING: enabled
Optional (for encrypted networks):
- CONFIG_CRYPTO: enabled
- CONFIG_CRYPTO_AEAD: enabled (as module)
- CONFIG_CRYPTO_GCM: enabled (as module)
- CONFIG_CRYPTO_SEQIV: enabled (as module)
- CONFIG_CRYPTO_GHASH: enabled (as module)
- CONFIG_XFRM: enabled
- CONFIG_XFRM_USER: enabled (as module)
- CONFIG_XFRM_ALGO: enabled
- CONFIG_INET_ESP: enabled (as module)
- CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
- "ipvlan":
- CONFIG_IPVLAN: enabled (as module)
- "macvlan":
- CONFIG_MACVLAN: enabled (as module)
- CONFIG_DUMMY: enabled (as module)
- "ftp,tftp client in container":
- CONFIG_NF_NAT_FTP: enabled (as module)
- CONFIG_NF_CONNTRACK_FTP: enabled (as module)
- CONFIG_NF_NAT_TFTP: enabled (as module)
- CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
- "aufs":
- CONFIG_AUFS_FS: enabled (as module)
- "btrfs":
- CONFIG_BTRFS_FS: enabled (as module)
- CONFIG_BTRFS_FS_POSIX_ACL: enabled
- "devicemapper":
- CONFIG_BLK_DEV_DM: enabled (as module)
- CONFIG_DM_THIN_PROVISIONING: enabled (as module)
- "overlay":
- CONFIG_OVERLAY_FS: enabled (as module)
- "zfs":
- /dev/zfs: missing
- zfs command: missing
- zpool command: missing
Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000
```
</details>
I get it from this forum:
As I don’t want to install manually additional library to Turris Omnia. Maybe better to run the container as privileged temporary just for the update process, so it will be running under root. But how can I achieve that? I do not see such option for lxc-start nor in lxc.container.conf.
Thank you.
IMHO I think LXC container is not same as Docker container. Container is always run as root user.
I tried fresh installation of Ubuntu Focal from Turris repo and “apt update” works correctly. Actual is installed libseccomp2 v2.5.1.
What version is actual installed? Is any error in /var/log/apt/ directory?
Of course you can install libseccomp2 package locally via dpkg tool.
Bebe
April 20, 2022, 6:14pm
3
I’ve already installed the latest one, but I’m still getting the same error.
root@pihole:~# dpkg -l |grep libseccomp
ii libseccomp2:armhf 2.5.3-2 armhf high level interface to Linux seccomp filter
There is no error visible within logs in /var/log/apt…
But since I’m running just pihole on that container, I decided to deploy new container in between with debian 11. Update is working fine there.
So might be this Ubuntu installation had some troubles. I’ll keep it installed and try some other thing to fix it.
Hmm, what keys are installed for apt? Execute apt-key list. I have installed this keys:
root@LXCNAME:~# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) ftpmaster@ubuntu.com
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
Bebe
April 22, 2022, 9:01pm
5
Looks like there is some trouble with installed packages:
root@pihole:~# apt-key list
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
I can see the following:
root@pihole:~# apt-cache search gnupg
gpgv - GNU privacy guard - signature verification tool
libgpg-error0 - GnuPG development runtime library
libhogweed5 - low level cryptographic library (public-key cryptos)
libnettle7 - low level cryptographic library (symmetric and one-way cryptos)
ubuntu-keyring - GnuPG keys of the Ubuntu archive
OK, so can you execute apt-get in verbose mode?
apt-get -oDebug::pkgAcquire::Worker=1 update 2>&1 | sed ‘s/%20/ /g; s/%0a/ /g’
In log file are interesting this lines:
→ gpgv:600 URI Acquire URI: gpgv:/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease Filename: /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease Target-Release: focal Target-Type: index Target-Base-URI: Index of /ubuntu-ports/dists/focal Target-Repo-URI: Index of /ubuntu-ports Target-Site: http://ports.ubuntu.com/ubuntu-ports Index-File: true Maximum-Size: 10000000 Last-Modified: Thu, 23 Apr 2020 17:34:17 GMT Fail-Ignore: true
Hit:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
← gpgv:201 URI Done GPGVOutput: GOODSIG 3B4FE6ACC0B21F32 GOODSIG 871920D1991BC93C Signed-By: 790BC7277767219C42C86F933B4FE6ACC0B21F32! F6ECB3762474EDA9D21B7022871920D1991BC93C! Filename: /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease URI: gpgv:/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal_InRelease
Bebe
May 3, 2022, 8:16pm
7
sorry for later response…
I ran it in debug mode as you suggested, here are the lines you wanted to see.
For all gpgv:600 URI, the response is same:
→ gpgv:600 URI Acquire URI: gpgv:/var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease Filename: /var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease Target-Release: focal-security Target-Type: index Target-Base-URI: Index of /ubuntu-ports/dists/focal-security Target-Repo-URI: Index of /ubuntu-ports Target-Site: http://ports.ubuntu.com/ubuntu-ports Index-File: true Maximum-Size: 10000000 Fail-Ignore: true
Err:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
Unknown error executing apt-key
← gpgv:400 URI Failure Message: Unknown error executing apt-key URI: gpgv:/var/lib/apt/lists/partial/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease
No other error is thrown.
What version is install of apt? Is installed any gpg package? Check via dpkg -l | grep keyword
I have in LXC installed this packages:
root@LXCNAME:/var/log/apt# dpkg -l | grep -E -e "apt|gpg"
ii apt 2.0.6 armhf commandline package manager
ii apt-utils 2.0.6 armhf package management related utility programs
ii aptitude 0.8.12-1ubuntu4 armhf terminal-based package manager
ii aptitude-common 0.8.12-1ubuntu4 all architecture independent files for the aptitude package manager
ii gpgv 2.2.19-3ubuntu2.1 armhf GNU privacy guard - signature verification tool
ii libapt-pkg6.0:armhf 2.0.6 armhf package management runtime library
ii libgpg-error0:armhf 1.37-1 armhf GnuPG development runtime library
ii python-apt-common 2.0.0ubuntu0.20.04.7 all Python interface to libapt-pkg (locales)
ii python3-apt 2.0.0ubuntu0.20.04.7 armhf Python 3 interface to libapt-pkg
Bebe
May 5, 2022, 7:15pm
9
Looks like the version is the same:
root@pihole:~# dpkg -l |grep -E "apt|gpg"
ii apt 2.0.6 armhf commandline package manager
ii apt-transport-https 2.0.6 all transitional package for https support
ii apt-utils 2.0.6 armhf package management related utility programs
ii gpgv 2.2.19-3ubuntu2.1 armhf GNU privacy guard - signature verification tool
ii libapt-pkg6.0:armhf 2.0.6 armhf package management runtime library
ii libgpg-error0:armhf 1.37-1 armhf GnuPG development runtime library
Ok, so second chance. Try call apt-get with this options:
apt-get -oDebug::Acquire::gpgv=1 update
I have this result of of one part:
Hit:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
inside VerifyGetSigners
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.AWaUo7 /tmp/apt.data.g2vPl8
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] KEY_CONSIDERED 790BC7277767219C42C86F933B4FE6ACC0B21F32 0
Read: [GNUPG:] SIG_ID ZFgbfrBIfmPmMkl7QrbQKd6p5Es 2020-04-23 1587663257
Read: [GNUPG:] KEY_CONSIDERED 790BC7277767219C42C86F933B4FE6ACC0B21F32 0
Read: [GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
Got GOODSIG 3B4FE6ACC0B21F32 !
Read: [GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2020-04-23 1587663257 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32
Got trusted VALIDSIG, key ID: 790BC7277767219C42C86F933B4FE6ACC0B21F32
Read: [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] KEY_CONSIDERED F6ECB3762474EDA9D21B7022871920D1991BC93C 0
Read: [GNUPG:] SIG_ID Xr4bMtWp5CXUImKlL/AAd/+isKA 2020-04-23 1587663257
Read: [GNUPG:] KEY_CONSIDERED F6ECB3762474EDA9D21B7022871920D1991BC93C 0
Read: [GNUPG:] GOODSIG 871920D1991BC93C Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
Got GOODSIG 871920D1991BC93C !
Read: [GNUPG:] VALIDSIG F6ECB3762474EDA9D21B7022871920D1991BC93C 2020-04-23 1587663257 0 4 0 1 10 01 F6ECB3762474EDA9D21B7022871920D1991BC93C
Got trusted VALIDSIG, key ID: F6ECB3762474EDA9D21B7022871920D1991BC93C
Read: [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv exited with status 0
Summary:
Good: GOODSIG 3B4FE6ACC0B21F32, GOODSIG 871920D1991BC93C
Valid: 790BC7277767219C42C86F933B4FE6ACC0B21F32, F6ECB3762474EDA9D21B7022871920D1991BC93C
Bad:
Worthless:
SoonWorthless:
NoPubKey:
Signed-By: 790BC7277767219C42C86F933B4FE6ACC0B21F32!, F6ECB3762474EDA9D21B7022871920D1991BC93C!
NODATA: no
apt-key succeeded
I hope that result of this gets more info of issue.
Bebe
May 10, 2022, 8:15pm
11
Again without deeper details…
at least I cannot find what is the exit code 135 for gpgv
Get:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [114 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [114 kB]
0% [Working]inside VerifyGetSigners
Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.3HumH9 /tmp/apt.data.g5UIXa
Get:3 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
0% [Working]gpgv exited with status 135
Summary:
Good:
Valid:
Bad:
Worthless:
SoonWorthless:
NoPubKey:
Signed-By:
NODATA: no
Err:1 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
Unknown error executing apt-key
OK, so call apt-key directly, for ex.:
apt-key verify /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease
I get this result:
gpgv: Signature made Fri May 6 18:05:20 2022 UTC
gpgv: using RSA key 3B4FE6ACC0B21F32
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>"
gpgv: Signature made Fri May 6 18:05:20 2022 UTC
gpgv: using RSA key 871920D1991BC93C
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>"
Bebe
May 21, 2022, 2:48pm
13
I get just this, but together with it I can see the new dmesg entry…
root@pihole:~# apt-key verify /var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_focal-security_InRelease
Bus error
root@pihole:~# dmesg |tail -1
[823182.664441] BTRFS warning (device sda1): csum failed root 5 ino 1986 off 90112 csum 0x1dd40ceb expected csum 0x12994098 mirror 1
So this looks like the issue might be caused by failed blocks on USB key where containers are stored. And maybe some binaries/libraries are sitting on these corrupted blocks…
I’ll try to check the usb offline when I’ll be at home.
Bebe
May 25, 2022, 4:04pm
14
So yes, there are some checksum errors on FS level. As this is just container and I’ve already migrated to new one, I think this topic might be closed. I don’t think this could be fixed (at least for sure not on that container wich is already affected). Hard to say what exactly is corrupted there. Probably some part of usb key is worn out and caused issues on btrfs level.
It is quite old usb key. I’m redirecting os logging on usb keys to ram by default, but you never know…
Thanks a lot for your help and patience.
$ sudo btrfs check -p --check-data-csum /dev/sdb1
Opening filesystem to check...
Checking filesystem on /dev/sdb1
UUID: bcbb6ed7-3760-41ae-8ece-ed02481a5d67
[1/7] checking root items (0:00:02 elapsed, 198283 items checked)
[2/7] checking extents (0:00:06 elapsed, 4768 items checked)
block group 3452960768 has wrong amount of free space, free space cache has 222867456 block group has 250429440
failed to load free space cache for block group 3452960768
[3/7] checking free space cache (0:00:00 elapsed, 9 items checked)
[4/7] checking fs roots (0:00:01 elapsed, 3282 items checked)
mirror 1 bytenr 425459712 csum 0x09fa5474 expected csum 0x538c7c4b032 items checked)
mirror 1 bytenr 425463808 csum 0x0c6a6ae4 expected csum 0xb201f83c
mirror 1 bytenr 425467904 csum 0xe790515b expected csum 0xba00c1fa
mirror 1 bytenr 425472000 csum 0xeb0cd41d expected csum 0x98409912
[5/7] checking csums against data (0:02:46 elapsed, 56482 items checked)
ERROR: errors found in csum tree
[6/7] checking root refs (0:00:00 elapsed, 4 items checked)
[7/7] checking quota groups skipped (not enabled on this FS)
found 3669475328 bytes used, error(s) found
total csum bytes: 3495104
total tree bytes: 77971456
total fs tree bytes: 54018048
total extent tree bytes: 17989632
btree space waste bytes: 12461938
file data blocks allocated: 3788791808
referenced 2703204352
1 Like
It’s fine to see that problem is solved.
You can call btrfs scrub command:
btrfs scrub start -B /
And in syslog you will see which files are corrupted. I see broken files on openSUSE, so on Ubuntu can be too.
1 Like
system
Closed
May 28, 2022, 7:16pm
16
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.