
Bug#985481: marked as done (debootstrap: Detection of docker container is broken with cgroup v2)



Your message dated Tue, 02 Nov 2021 11:33:43 +0000
with message-id <E1mhs2x-0007kG-Cb@fasolo.debian.org>
and subject line Bug#985481: fixed in debootstrap 1.0.125
has caused the Debian Bug report #985481,
regarding debootstrap: Detection of docker container is broken with cgroup v2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985481: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985481
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debootstrap
Version: 1.0.123
Severity: normal
Tags: patch
User: devel@kali.org
Usertags: origin-kali

Dear Maintainer,

The code that is meant to detect if debootstrap is running from within a
docker container is broken with cgroup v2. Talking about this particular
function and line in the file `functions`:

    detect_container () {
        [...]
        elif grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo; then
                CONTAINER="docker"

This code only works for cgroup v1.

After some research, and also after looking into the code of
systemd-detect-virt, it seems that the right way to detect a docker
container these days is to check for the file '/.dockerenv'.

Hence I'm proposing this patch:
https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/52

Thanks!


-- More debug logs:

Here's what I get on current Debian sid:

    $ cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> tro quiet

    $ mount | grep cgroup
    cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

    $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
    .... no output, the detection code is broken!

    $ sudo docker run --rm -it debian:testing ls -l /.dockerenv
    -rwxr-xr-x 1 root root 0 Mar 19 02:37 /.dockerenv

Just out of curiosity, I tried to get the current detection code to
work, by booting my system with cgroup v1 only. This is done by setting
the two boot parameters `systemd.unified_cgroup_hierarchy=0` and
`systemd.legacy_systemd_cgroup_controller=1`.

Here are the logs:

    $ cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.10.0-4-amd64 root=<<ROOT>> ro quiet systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1

    $ mount | grep cgroup
    tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755)
    cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
    cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
    cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
    cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
    cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
    cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
    cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
    cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
    cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
    cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
    cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
    cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)

    $ sudo docker run --rm -it debian:testing grep '[[:space:]]/docker/.*/sys/fs/cgroup' /proc/1/mountinfo
    795 794 0:29 /docker/<<id>> /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime master:10 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
    797 794 0:33 /docker/<<id>> /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,memory
    818 794 0:35 /docker/<<id>> /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime master:17 - cgroup cgroup rw,net_cls,net_prio
    819 794 0:36 /docker/<<id>> /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime master:18 - cgroup cgroup rw,cpu,cpuacct
    853 794 0:37 /docker/<<id>> /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime master:19 - cgroup cgroup rw,blkio
    854 794 0:38 /docker/<<id>> /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime master:20 - cgroup cgroup rw,devices
    872 794 0:39 /docker/<<id>> /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime master:21 - cgroup cgroup rw,pids
    873 794 0:40 /docker/<<id>> /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime master:22 - cgroup cgroup rw,cpuset
    891 794 0:41 /docker/<<id>> /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime master:23 - cgroup cgroup rw,freezer
    892 794 0:42 /docker/<<id>> /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime master:24 - cgroup cgroup rw,perf_event
    910 794 0:43 /docker/<<id>> /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime master:25 - cgroup cgroup rw,hugetlb

Conclusion: the debootstrap code that detects a docker container used to
work for cgroup v1, but it's broken for cgroup v2.


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debootstrap depends on:
ii  wget  1.21-1+b1

Versions of packages debootstrap recommends:
ii  arch-test               0.17-1
ii  debian-archive-keyring  2021.1.1
ii  gnupg                   2.2.27-1

Versions of packages debootstrap suggests:
pn  squid-deb-proxy-client  <none>
pn  ubuntu-archive-keyring  <none>

-- no debconf information

--- End Message ---
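
Added example, not part of the original report and not debootstrap's own code: the legacy mountinfo pattern quoted above and the proposed `/.dockerenv` check, run against constructed fixture trees for a cgroup v1 container, a cgroup v2 container and a plain host. The function names, the root-directory argument, the container id and the fixture mountinfo lines are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; fixtures are constructed samples, not captured from a real system.

# The cgroup v1-only check quoted in the report, applied to the tree under $1.
legacy_only () {
    grep -qs '[[:space:]]/docker/.*/sys/fs/cgroup' "$1/proc/1/mountinfo"
}

# Prints "docker" (returns 0) if the tree under $1 looks like a Docker
# container, otherwise prints "none" (returns 1).
detect_docker () {
    # Marker-file check proposed in the report: independent of cgroup version.
    if [ -e "$1/.dockerenv" ]; then
        echo docker; return 0
    fi
    # Fall back to the legacy mount-layout check for cgroup v1 systems.
    if legacy_only "$1"; then
        echo docker; return 0
    fi
    echo none; return 1
}

# Build three fake root trees under a temporary directory ($FIX).
make_fixtures () {
    FIX=$(mktemp -d)
    mkdir -p "$FIX/v1/proc/1" "$FIX/v2/proc/1" "$FIX/host/proc/1"
    # cgroup v1 container: the per-controller mount root contains /docker/<id>.
    # No marker file here, so only the legacy path can match.
    printf '%s\n' '797 794 0:33 /docker/0123abcd /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,memory' \
        > "$FIX/v1/proc/1/mountinfo"
    # cgroup v2 container: a single unified mount whose root is "/", so the
    # legacy pattern has nothing to match; only the marker file identifies it.
    printf '%s\n' '603 602 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot' \
        > "$FIX/v2/proc/1/mountinfo"
    : > "$FIX/v2/.dockerenv"
    # Plain host on cgroup v2: no marker file, no /docker/ mount root.
    printf '%s\n' '30 23 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot' \
        > "$FIX/host/proc/1/mountinfo"
}

make_fixtures
for c in v1 v2 host; do
    printf '%s: %s\n' "$c" "$(detect_docker "$FIX/$c")"
done
```
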
--- Begin Message ---
Source: debootstrap
Source-Version: 1.0.125
Done: Samuel Thibault <sthibault@debian.org>

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985481@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Aug 2021 13:49:19 +0200
Source: debootstrap
Built-For-Profiles: noudeb
Architecture: source
Version: 1.0.125
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Closes: 968927 985481 985811
Launchpad-Bugs-Fixed: 1923845
Changes:
 debootstrap (1.0.125) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * functions (download_main): Let the loops try the different components and
     suites when the checksum doesn't match. This is needed when several of
     them contain the same package name.
 .
   [ Arnaud Rebillout ]
   * Fix auto proxy discovery (Closes: #985811)
   * Fix detection of docker container for cgroup v2 (Closes: #985481)
 .
   [ Johannes 'josch' Schauer ]
   * functions: define link_dir before using it.
 .
   [ Hideki Yamane ]
   * Add (Debian) trixie as a symlink to sid.
 .
   [ Dimitri John Ledkov ]
   * Add (Ubuntu) jammy as a symlink to gutsy.
   * Upload to unstable.
 .
 debootstrap (1.0.124) experimental; urgency=medium
 .
   [ Colin Watson ]
   * Add (Ubuntu) groovy as a symlink to gutsy.
 .
   [ Samuel Thibault ]
   * functions: Turn for loops variables into locals, suggested by jhcha54008.
 .
   [ YunQiang Su ]
   * stage1: re-mkdir /proc if it is a symlink instead of umount. (Closes: #968927)
 .
   [ Luca Falavigna ]
   * Add (Ubuntu) hirsute as a symlink to gutsy.
 .
   [ Tobias Koch ]
   * Add --inrelease-path option to allow specifying by-hash InRelease
     location.
 .
   [ Dimitri John Ledkov ]
   * functions: add zstd control&data support to the ar extractor LP: #1923845
   * Add (Ubuntu) impish as a symlink to gutsy.
   * gutsy: sync changes from Ubuntu, to ensure that impish+ are always
     merged-usr.
   * gutsy: use --extractor=ar if dpkg-deb has no zstd support (i.e. on
     Debian & non-Ubuntu derivatives).
   * rules,control: adjust Recommends/Suggests to be appropriate on each
     distro.
Checksums-Sha1:
 2e2f3de1cb47a1477754be43e54b8e13b7c3796e 1919 debootstrap_1.0.125.dsc
 1a6e5ea0743cafd8814b3921d6086f526b0b2c34 78777 debootstrap_1.0.125.tar.gz
 1f3fe6472f80c4c97c61072d5e665010367a9b02 8649 debootstrap_1.0.125_source.buildinfo
Checksums-Sha256:
 87ccaf0676817f7c193ed48ee68018b8898ecb7b05f7727549e40f64d73fac22 1919 debootstrap_1.0.125.dsc
 9c4c7ca8f3f6653e7eca65aae77bbf7f723d7395fb48403bbc2256ce8b24ec1a 78777 debootstrap_1.0.125.tar.gz
 03b0b8cad8cb9fd527400a8488e5c18c14e6d331d76c760dd64d33bc9a1e236c 8649 debootstrap_1.0.125_source.buildinfo
Files:
 96291c94bbb8c27237d63b36a3d20141 1919 admin optional debootstrap_1.0.125.dsc
 e18f10e1952f6622aa027a7e8d980935 78777 admin optional debootstrap_1.0.125.tar.gz
 e670578e531a636d61fcfec598e0f8eb 8649 admin optional debootstrap_1.0.125_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
