Package install issue with jammy
psolymos opened this issue · comments
I run into some issues with Ubuntu 22.04 (jammy) but not with 20.04 (focal) and docker build fails as a result.
FROM eddelbuettel/r2u:22.04
RUN install.r shiny rmarkdown
...
Output after docker build:
Sending build context to Docker daemon 1.717MB
Step 1/9 : FROM eddelbuettel/r2u:22.04
---> 3a33fd542e6d
Step 2/9 : RUN install.r shiny rmarkdown
---> Running in 89c8be562c21
Warning messages:
1: In normalizePath(paths, "/") :
path[1]="/usr/local/lib/R/site-library/": Operation not permitted
2: In normalizePath(paths, "/") :
path[2]="/usr/local/lib/R/site-library/": Operation not permitted
Error: .onLoad failed in loadNamespace() for 'utils', details:
call: system(paste(which, shQuote(names[i])), intern = TRUE, ignore.stderr = TRUE)
error: cannot popen '/usr/bin/which 'uname' 2>/dev/null', probable reason 'Cannot allocate memory'
Error: .onLoad failed in loadNamespace() for 'utils', details:
call: system(paste(which, shQuote(names[i])), intern = TRUE, ignore.stderr = TRUE)
error: cannot popen '/usr/bin/which 'uname' 2>/dev/null', probable reason 'Cannot allocate memory'
The command '/bin/sh -c install.r shiny rmarkdown' returned a non-zero code: 1
Forget the Dockerfile. Something else is going on there, I cannot tell from what you posted. I just did
$ docker run --pull always --rm -ti eddelbuettel/r2u:22.04
22.04: Pulling from eddelbuettel/r2u
Digest: sha256:f659bfa2e02cf4e449806c3857aae056d20619134e44a504b53bedd190c2ea40
Status: Image is up to date for eddelbuettel/r2u:22.04
root@f5becb5b974a:/# install.r shiny rmarkdown
Install system packages as root...
Reading package lists... Done
[...]
Setting up r-cran-httpuv (1.6.5-1.ca2204.1) ...
Setting up r-cran-bslib (0.3.1-1.ca2204.1) ...
Setting up r-cran-rmarkdown (2.14-1.ca2204.1) ...
Setting up r-cran-shiny (1.7.1-1.ca2204.1) ...
root@f5becb5b974a:/# which looks quite encouraging. And
root@f5becb5b974a:/# R
R version 4.2.1 (2022-06-23) -- "Funny-Looking Kid"
Copyright (C) 2022 The R Foundation for Statistical Computing
Platform: x86_64-pc-linux-gnu (64-bit)
R is free software and comes with ABSOLUTELY NO WARRANTY.
You are welcome to redistribute it under certain conditions.
Type 'license()' or 'licence()' for distribution details.
Natural language support but running in an English locale
R is a collaborative project with many contributors.
Type 'contributors()' for more information and
'citation()' on how to cite R or R packages in publications.
Type 'demo()' for some demos, 'help()' for on-line help, or
'help.start()' for an HTML browser interface to help.
Type 'q()' to quit R.
> library(shiny)
> library(rmarkdown)
> search()
[1] ".GlobalEnv" "package:rmarkdown" "package:shiny"
[4] "package:stats" "package:graphics" "package:grDevices"
[7] "package:datasets" "package:utils" "package:methods"
[10] "Autoloads" "org:r-lib" "package:base"
> so the r2u packages seem fine. Maybe you have a different issue in your Dockerfile?
The main "product" of r2u is the repo, and its sets of packages. The Dockerfiles we create "are mostly just for illustration". So how can we figure out what goes of the rails for you there?
I am closing this for lack of follow-up and pertinent minimally reproducible verifiable code. Debugging inside a contributed Dockerfile is outside our scope, as I showed above the packages install fine per se.
I may well have misunderstood, or missed something. If so, kindly re-explain and preferably demonstrate with a minimal example.
Thanks for the follow up. I am a bit late to respond but I tried your instructions and found the same issue on:
- On Ubuntu 20.04 with Docker version 20.10.7, build f0df350
- On Mac OS X with Docker version 19.03.5, build 633a0ea:
This is what I see (note the digest is identical to yours):
$ docker pull eddelbuettel/r2u:22.04
22.04: Pulling from eddelbuettel/r2u
...
Digest: sha256:f659bfa2e02cf4e449806c3857aae056d20619134e44a504b53bedd190c2ea40
Status: Downloaded newer image for eddelbuettel/r2u:22.04
docker.io/eddelbuettel/r2u:22.04
$ docker run --rm -ti eddelbuettel/r2u:22.04
root@0819cf8160ed:/# install.r shiny rmarkdown
Warning messages:
1: In normalizePath(paths, "/") :
path[1]="/usr/local/lib/R/site-library/": Operation not permitted
2: In normalizePath(paths, "/") :
path[2]="/usr/local/lib/R/site-library/": Operation not permitted
Error: .onLoad failed in loadNamespace() for 'utils', details:
call: system(paste(which, shQuote(names[i])), intern = TRUE, ignore.stderr = TRUE)
error: cannot popen '/usr/bin/which 'uname' 2>/dev/null', probable reason 'Cannot allocate memory'
Error: .onLoad failed in loadNamespace() for 'utils', details:
call: system(paste(which, shQuote(names[i])), intern = TRUE, ignore.stderr = TRUE)
error: cannot popen '/usr/bin/which 'uname' 2>/dev/null', probable reason 'Cannot allocate memory'
root@0819cf8160ed:/# R
ERROR: R_HOME ('/usr/lib/R') not found
Could be related to rocker-org/rocker#482 which says:
I ran into exactly the same issue. Image built with Docker 19 worked everywhere. Same Image built with Docker 20.10.14 didn't work on older Docker hosts with the same error (yet it worked on the machine that built it).
Could it be a Docker version issue on the machine where the image was built?
Hm. I do not see the normalizePath messages when using the container. What does ls -ld show on the directory in question? I have
edd@rob:~$ docker run --rm -ti eddelbuettel/r2u:22.04
root@59e24226a914:/# ls -ld /usr/local/lib/R/site-library/
drwxr-xr-x 1 root docker 4096 Jul 8 16:53 /usr/local/lib/R/site-library/
root@59e24226a914:/# which is borderline 'not right' (should be 0775, group-wide) but as we act as root it shoud not matter. As I said, it works for me here:
root@59e24226a914:/# install.r rmarkdown knitr [94/38171]
Install system packages as root...
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Ign https://dirk.eddelbuettel.com/cranapt jammy InRelease
Get:1 https://dirk.eddelbuettel.com/cranapt jammy Release [5713 B]
Get:2 https://dirk.eddelbuettel.com/cranapt jammy Release.gpg [793 B]
Hit http://archive.ubuntu.com/ubuntu jammy InRelease
Get:3 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [114 kB]
Get:5 https://dirk.eddelbuettel.com/cranapt jammy/main all Packages [6448 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:7 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 Packages [2079 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [461 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [301 kB]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [204 kB]
Get:11 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [107 kB]
Get:12 https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu jammy InRelease [17.5 kB]
Get:13 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [267 kB]
Get:14 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [257 kB]
Fetched 10.5 MB in 0s (0 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Get:1 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-base64enc amd64 0.1-3-1.ca2204.1 [26.9 kB]
Get:2 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-digest amd64 0.6.29-1.ca2204.1 [184 kB]
Get:3 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-rlang amd64 1.0.3-1.ca2204.1 [1439 kB]
Get:4 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-fastmap amd64 1.1.0-1.ca2204.1 [58.1 kB]
Get:5 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-htmltools amd64 0.5.2-1.ca2204.1 [328 kB]
Get:6 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-jsonlite amd64 1.8.0-1.ca2204.1 [623 kB]
Get:7 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-fs amd64 1.5.2-1.ca2204.1 [269 kB]
Get:8 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-r6 all 2.5.1-1.ca2204.1 [83.2 kB]
Get:9 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-rappdirs amd64 0.3.3-1.ca2204.1 [44.9 kB]
Get:10 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-sass amd64 0.4.1-1.ca2204.1 [2236 kB]
Get:11 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-jquerylib all 0.1.4-1.ca2204.1 [298 kB]
Get:12 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-bslib all 0.3.1-1.ca2204.1 [4026 kB]
Get:13 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-evaluate all 0.15-1.ca2204.1 [77.3 kB]
Get:14 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-glue amd64 1.6.2-1.ca2204.1 [143 kB]
Get:15 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-xfun amd64 0.31-1.ca2204.1 [368 kB]
Get:16 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-highr all 0.9-1.ca2204.1 [39.6 kB]
Get:17 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-magrittr amd64 2.0.3-1.ca2204.1 [199 kB]
Get:18 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-stringi amd64 1.7.8-1.ca2204.1 [879 kB]
Get:19 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-stringr all 1.4.0-1.ca2204.1 [196 kB]
Get:20 https://dirk.eddelbuettel.com/cranapt jammy/main amd64 r-cran-yaml amd64 2.3.5-1.ca2204.1 [106 kB]
Get:21 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-knitr all 1.39-1.ca2204.1 [1248 kB]
Get:22 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-tinytex all 0.40-1.ca2204.1 [132 kB]
Get:23 https://dirk.eddelbuettel.com/cranapt jammy/main all r-cran-rmarkdown all 2.14-1.ca2204.1 [2823 kB] [47/38171]
Fetched 15.8 MB in 0s (0 B/s)
Selecting previously unselected package r-cran-base64enc.
(Reading database ... 21841 files and directories currently installed.)
Preparing to unpack .../00-r-cran-base64enc_0.1-3-1.ca2204.1_amd64.deb ...
Unpacking r-cran-base64enc (0.1-3-1.ca2204.1) ...
Selecting previously unselected package r-cran-digest.
Preparing to unpack .../01-r-cran-digest_0.6.29-1.ca2204.1_amd64.deb ...
Unpacking r-cran-digest (0.6.29-1.ca2204.1) ...
Selecting previously unselected package r-cran-rlang.
Preparing to unpack .../02-r-cran-rlang_1.0.3-1.ca2204.1_amd64.deb ...
Unpacking r-cran-rlang (1.0.3-1.ca2204.1) ...
Selecting previously unselected package r-cran-fastmap.
Preparing to unpack .../03-r-cran-fastmap_1.1.0-1.ca2204.1_amd64.deb ...
Unpacking r-cran-fastmap (1.1.0-1.ca2204.1) ...
Selecting previously unselected package r-cran-htmltools.
Preparing to unpack .../04-r-cran-htmltools_0.5.2-1.ca2204.1_amd64.deb ...
Unpacking r-cran-htmltools (0.5.2-1.ca2204.1) ...
Selecting previously unselected package r-cran-jsonlite.
Preparing to unpack .../05-r-cran-jsonlite_1.8.0-1.ca2204.1_amd64.deb ...
Unpacking r-cran-jsonlite (1.8.0-1.ca2204.1) ...
Selecting previously unselected package r-cran-fs.
Preparing to unpack .../06-r-cran-fs_1.5.2-1.ca2204.1_amd64.deb ...
Unpacking r-cran-fs (1.5.2-1.ca2204.1) ...
Selecting previously unselected package r-cran-r6.
Preparing to unpack .../07-r-cran-r6_2.5.1-1.ca2204.1_all.deb ...
Unpacking r-cran-r6 (2.5.1-1.ca2204.1) ...
Selecting previously unselected package r-cran-rappdirs.
Preparing to unpack .../08-r-cran-rappdirs_0.3.3-1.ca2204.1_amd64.deb ...
Unpacking r-cran-rappdirs (0.3.3-1.ca2204.1) ...
Selecting previously unselected package r-cran-sass.
Preparing to unpack .../09-r-cran-sass_0.4.1-1.ca2204.1_amd64.deb ...
Unpacking r-cran-sass (0.4.1-1.ca2204.1) ...
Selecting previously unselected package r-cran-jquerylib.
Preparing to unpack .../10-r-cran-jquerylib_0.1.4-1.ca2204.1_all.deb ...
Unpacking r-cran-jquerylib (0.1.4-1.ca2204.1) ...
Selecting previously unselected package r-cran-bslib.
Preparing to unpack .../11-r-cran-bslib_0.3.1-1.ca2204.1_all.deb ...
Unpacking r-cran-bslib (0.3.1-1.ca2204.1) ...
Selecting previously unselected package r-cran-evaluate.
Preparing to unpack .../12-r-cran-evaluate_0.15-1.ca2204.1_all.deb ...
Unpacking r-cran-evaluate (0.15-1.ca2204.1) ...
Selecting previously unselected package r-cran-glue.
Preparing to unpack .../13-r-cran-glue_1.6.2-1.ca2204.1_amd64.deb ...
Unpacking r-cran-glue (1.6.2-1.ca2204.1) ...
Selecting previously unselected package r-cran-xfun.
Preparing to unpack .../14-r-cran-xfun_0.31-1.ca2204.1_amd64.deb ...
Unpacking r-cran-xfun (0.31-1.ca2204.1) ...
Selecting previously unselected package r-cran-highr.
Preparing to unpack .../15-r-cran-highr_0.9-1.ca2204.1_all.deb ...
Unpacking r-cran-highr (0.9-1.ca2204.1) ...
Selecting previously unselected package r-cran-magrittr.
Preparing to unpack .../16-r-cran-magrittr_2.0.3-1.ca2204.1_amd64.deb ...
Unpacking r-cran-magrittr (2.0.3-1.ca2204.1) ...
Selecting previously unselected package r-cran-stringi.
Preparing to unpack .../17-r-cran-stringi_1.7.8-1.ca2204.1_amd64.deb ...
Unpacking r-cran-stringi (1.7.8-1.ca2204.1) ...
Selecting previously unselected package r-cran-stringr.
Preparing to unpack .../18-r-cran-stringr_1.4.0-1.ca2204.1_all.deb ...
Unpacking r-cran-stringr (1.4.0-1.ca2204.1) ...
Selecting previously unselected package r-cran-yaml.
Preparing to unpack .../19-r-cran-yaml_2.3.5-1.ca2204.1_amd64.deb ...
Unpacking r-cran-yaml (2.3.5-1.ca2204.1) ...
Selecting previously unselected package r-cran-knitr.
Preparing to unpack .../20-r-cran-knitr_1.39-1.ca2204.1_all.deb ...
Unpacking r-cran-knitr (1.39-1.ca2204.1) ...
Selecting previously unselected package r-cran-tinytex.
Preparing to unpack .../21-r-cran-tinytex_0.40-1.ca2204.1_all.deb ...
Unpacking r-cran-tinytex (0.40-1.ca2204.1) ...
Selecting previously unselected package r-cran-rmarkdown.
Preparing to unpack .../22-r-cran-rmarkdown_2.14-1.ca2204.1_all.deb ...
Unpacking r-cran-rmarkdown (2.14-1.ca2204.1) ...
Setting up r-cran-fs (1.5.2-1.ca2204.1) ...
Setting up r-cran-rlang (1.0.3-1.ca2204.1) ...
Setting up r-cran-xfun (0.31-1.ca2204.1) ...
Setting up r-cran-base64enc (0.1-3-1.ca2204.1) ...
Setting up r-cran-digest (0.6.29-1.ca2204.1) ...
Setting up r-cran-yaml (2.3.5-1.ca2204.1) ...
Setting up r-cran-evaluate (0.15-1.ca2204.1) ...
Setting up r-cran-highr (0.9-1.ca2204.1) ...
Setting up r-cran-glue (1.6.2-1.ca2204.1) ...
Setting up r-cran-fastmap (1.1.0-1.ca2204.1) ...
Setting up r-cran-jsonlite (1.8.0-1.ca2204.1) ...
Setting up r-cran-stringi (1.7.8-1.ca2204.1) ...
Setting up r-cran-htmltools (0.5.2-1.ca2204.1) ...
Setting up r-cran-tinytex (0.40-1.ca2204.1) ...
Setting up r-cran-r6 (2.5.1-1.ca2204.1) ...
Setting up r-cran-magrittr (2.0.3-1.ca2204.1) ...
Setting up r-cran-rappdirs (0.3.3-1.ca2204.1) ...
Setting up r-cran-stringr (1.4.0-1.ca2204.1) ...
Setting up r-cran-jquerylib (0.1.4-1.ca2204.1) ...
Setting up r-cran-knitr (1.39-1.ca2204.1) ...
Setting up r-cran-sass (0.4.1-1.ca2204.1) ...
Setting up r-cran-bslib (0.3.1-1.ca2204.1) ...
Setting up r-cran-rmarkdown (2.14-1.ca2204.1) ...
root@59e24226a914:/# My containers are
edd@rob:~$ docker images | grep "/r2u "
eddelbuettel/r2u 22.04 3a33fd542e6d 4 days ago 885MB
eddelbuettel/r2u jammy 3a33fd542e6d 4 days ago 885MB
eddelbuettel/r2u 20.04 428a2397c8c5 4 days ago 978MB
eddelbuettel/r2u focal 428a2397c8c5 4 days ago 978MB
edd@rob:~$ so make sure you have the newest. Other than that I only noticed that in some places (like AWS) I also need to add '--security-opt seccomp=unconfined' to the docker invocation. Not at home though on 22.04 as the host.
So in short: no idea 😞
OK, --security-opt seccomp=unconfined solved it for me. Thanks.
Now the question is how to best document, or, better yet, test this.
I will try to make a point of noting it on the main README.md.
Out of curiousity, what versions of the Docker packages do you have? I seem to be at
edd@rob:~$ dpkg -l|grep docker | cut -c-90
ii docker-ce 5:20.10.14~3-0~ubuntu-hirsute
ii docker-ce-cli 5:20.10.14~3-0~ubuntu-hirsute
ii docker-ce-rootless-extras 5:20.10.14~3-0~ubuntu-hirsute
ii docker-scan-plugin 0.17.0~ubuntu-hirsute
edd@rob:~$
Seeing that, I just updated my apt entry to jammy, and with the current Docker packages I need it too. So I was locally behind because one of the apt files got stale -- my fault!
I noticed the apt entry issue when I was trying to build r2u locally.
Now back to the seccomp issue, here is something interesting:
these are the docker package that I see on Ubuntu 20.04 with Docker version 20.10.7, build f0df350 (a cloud VM)
ii docker-ce 5:20.10.7~3-0~ubuntu-focal amd64
ii docker-ce-cli 5:20.10.7~3-0~ubuntu-focal amd64
ii docker-ce-rootless-extras 5:20.10.7~3-0~ubuntu-focal amd64
ii docker-scan-plugin 0.8.0~ubuntu-focal amd64
then after apt update && apt upgrade the docker-scan-plugin is ahead (Docker version 20.10.17, build 100c701):
ii docker-ce 5:20.10.17~3-0~ubuntu-focal amd64 D
ii docker-ce-cli 5:20.10.17~3-0~ubuntu-focal amd64 D
ii docker-ce-rootless-extras 5:20.10.17~3-0~ubuntu-focal amd64 R
ii docker-scan-plugin 0.17.0~ubuntu-focal amd64 D
After that the commands work inside the jammy container.
To conclude: we need docker-scan-plugin >= 0.17.0.
This is a litte terse, and even after reading it a few times hours apart I am not sure I follow.
There appear to be two distinct issues. One has to do with you building Dockerfiles. Which? How? To produce r2u content? To locally rebuild the r2u 'run' container? To build on top it? Which is it? And what goes wrong? Can you detail that with complete reproducible steps.
The second appears to concern focal but I do not know what "we need docker-scan-plugin >= 0.17.0." wants to say. Do you mean that if docker-scan-plugin is version 0.17.0 or newer we need the seccomp option to run Docker?
(1) When I used the r2u/docker/jammy/run/Dockerfile and tried to build the eddelbuettel/r2u:22.04 image, I noticed that the deb sources were not pointing to the right location, which I thought might be related to your comment:
I was locally behind because one of the apt files got stale
but I might be wrong. This is unrelated to this issue, but I copy the output here in case it helps:
$ docker build -t testjam .
Sending build context to Docker daemon 29.7kB
Step 1/9 : FROM rocker/r-bspm:22.04
---> e088566db42b
Step 2/9 : LABEL org.label-schema.license="GPL-2.0" org.label-schema.vcs-url="https://github.com/eddelbuettel/r2u" maintainer="Dirk Eddelbuettel <edd@debian.org>"
---> Using cache
---> 8cfd25944a21
Step 3/9 : ENV DEBIAN_FRONTEND noninteractive
---> Using cache
---> 14ac60da0831
Step 4/9 : RUN rm -f /etc/apt/sources.list.save /etc/apt/sources.list.d/{c2d4u*,edd*,*.save} && apt update -qq && apt upgrade --yes
---> Running in a4ad6445edd2
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/marutter-ubuntu-rrutter4_0.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/marutter-ubuntu-rrutter4_0.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu jammy-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/marutter-ubuntu-rrutter4_0.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu jammy-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/marutter-ubuntu-rrutter4_0.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E25F516B04C661B
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/marutter-ubuntu-rrutter4_0.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.ubuntu.com/ubuntu jammy-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: Failed to fetch https://ppa.launchpadcontent.net/marutter/rrutter4.0/ubuntu/dists/jammy/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E25F516B04C661B
W: Some index files failed to download. They have been ignored, or old ones used instead.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
The command '/bin/sh -c rm -f /etc/apt/sources.list.save /etc/apt/sources.list.d/{c2d4u*,edd*,*.save} && apt update -qq && apt upgrade --yes' returned a non-zero code: 100
(2) Updating the docker-scan-plugin from 0.8.0 to 0.17.0 solved the issue with the jammy image, therefore building from the jammy image with docker-scan-plugin 0.17.0 does not require to invoke docker run with --security-opt seccomp=unconfined any more.
Hope this clarifies my terse comment from before.
(1) Docker can be hairy. After all those years I only fairly recently and accidentally learned about the --no-cache option to docker build. Can you try that?
(2) is intriguiging (I'd love to operate without the seccomp option) but I am still not sure I fully follow. But I can surely rebuild the local images and try.
Thanks for taking the time to explain! Much appreciated.
(1) Same output with --no-cache.
(2) Your docker-scan-plugin version (0.17.0) seem to be the right one locally, that's why you did not have to use the seccomp option. My Mac is probably still behind even after updating docker, but on a cloud VM with Ubuntu an update/upgrade solved the issue, which brought the version up to 0.17.0 from the pre-installed docker-scan-plugin 0.8.0 (this was the official Digitalocean marketplace image).
(1) I don't understand, and cannot reproduce. Sorry. Full log attached.
(2) I do have to use seccomp now.
Anyway. it is late, and we are going in circles. Maybe tomorrow...
A little late to the party, apologies. These are the important bits:
these are the docker package that I see on Ubuntu 20.04 with Docker version 20.10.7, build f0df350 (a cloud VM)
ii docker-ce 5:20.10.7~3-0~ubuntu-focal amd64then after
apt update && apt upgradethedocker-scan-pluginis ahead (Docker version 20.10.17, build 100c701):ii docker-ce 5:20.10.17~3-0~ubuntu-focal amd64 DAfter that the commands work inside the jammy container.
From what I read here, this is moby/moby#42963, which has to do with clone3 in glibc. We had this same issue before in distributions that updated early to glibc 2.34, which introduced this change. Docker solved it in v20.10.10. The docker-scan-plugin has nothing to do with this.
As a summary, a host with docker < 20.10.10 cannot run containers with glibc >= 2.34 unless seccomp is disabled. This is the case for jammy. A container based on focal would work just fine, because there's glibc == 2.31 there.