Docker image 21.04 (rolling) - apt update error

[babelouest]

When I pull the docker image ubuntu:rolling, the command apt update is on error and makes it impossible to upgrade or install any package:

$ docker run -it --rm ubuntu:rolling 
root@7f24d8992e05:/# apt --allow-unauthenticated update
Get:1 http://security.ubuntu.com/ubuntu hirsute-security InRelease [101 kB]
Err:1 http://security.ubuntu.com/ubuntu hirsute-security InRelease    
  gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Get:2 http://archive.ubuntu.com/ubuntu hirsute InRelease [269 kB]
Err:2 http://archive.ubuntu.com/ubuntu hirsute InRelease
  gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Get:3 http://archive.ubuntu.com/ubuntu hirsute-updates InRelease [109 kB]
Err:3 http://archive.ubuntu.com/ubuntu hirsute-updates InRelease
  gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Get:4 http://archive.ubuntu.com/ubuntu hirsute-backports InRelease [90.7 kB]
Err:4 http://archive.ubuntu.com/ubuntu hirsute-backports InRelease
  gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
Reading package lists... Done
W: GPG error: http://security.ubuntu.com/ubuntu hirsute-security InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://security.ubuntu.com/ubuntu hirsute-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu hirsute InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://archive.ubuntu.com/ubuntu hirsute InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu hirsute-updates InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://archive.ubuntu.com/ubuntu hirsute-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu hirsute-backports InRelease: gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed
E: The repository 'http://archive.ubuntu.com/ubuntu hirsute-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Is there something I did wrong?

[yosifkit]

I'm unable to reproduce. 😕

$ docker pull ubuntu:rolling
rolling: Pulling from library/ubuntu
c830499a6a92: Pull complete 
b38f134463e2: Pull complete 
2fd6a415fd8e: Pull complete 
Digest: sha256:be154cc2b1211a9f98f4d708f4266650c9129784d0485d4507d9b0fa05d928b6
Status: Downloaded newer image for ubuntu:rolling
docker.io/library/ubuntu:rolling
$ docker run -it --rm ubuntu:rolling
root@076520bcf464:/# apt update    
Get:1 http://security.ubuntu.com/ubuntu hirsute-security InRelease [101 kB]
Get:2 http://archive.ubuntu.com/ubuntu hirsute InRelease [269 kB]
Get:3 http://security.ubuntu.com/ubuntu hirsute-security/multiverse amd64 Packages [1725 B]
Get:4 http://security.ubuntu.com/ubuntu hirsute-security/main amd64 Packages [29.4 kB]
Get:5 http://security.ubuntu.com/ubuntu hirsute-security/universe amd64 Packages [10.8 kB]
Get:6 http://security.ubuntu.com/ubuntu hirsute-security/restricted amd64 Packages [97.2 kB]
Get:7 http://archive.ubuntu.com/ubuntu hirsute-updates InRelease [109 kB]                
Get:8 http://archive.ubuntu.com/ubuntu hirsute-backports InRelease [90.7 kB]
Get:9 http://archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages [16.8 MB]
Get:10 http://archive.ubuntu.com/ubuntu hirsute/multiverse amd64 Packages [252 kB]
Get:11 http://archive.ubuntu.com/ubuntu hirsute/restricted amd64 Packages [111 kB]
Get:12 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages [1791 kB]
Get:13 http://archive.ubuntu.com/ubuntu hirsute-updates/multiverse amd64 Packages [1725 B]                                                                                
Get:14 http://archive.ubuntu.com/ubuntu hirsute-updates/restricted amd64 Packages [97.2 kB]                                                                               
Get:15 http://archive.ubuntu.com/ubuntu hirsute-updates/universe amd64 Packages [17.4 kB]                                                                                 
Get:16 http://archive.ubuntu.com/ubuntu hirsute-updates/main amd64 Packages [41.2 kB]                                                                                     
Fetched 19.8 MB in 9s (2257 kB/s)                                                                                                                                         
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@076520bcf464:/# 

[babelouest]

That's very weird!

I have the exact same image IDs pulled, and yet I still have the error.

I'm running Docker version 18.09.1, build 4c52b90 on a Debian Buster.

I'll try from a Ubuntu device later.

[babelouest]

Nope, I confirm the same problem on a Ubuntu 20.10, strange...

[tianon]

This looks very similar to debuerreotype/docker-debian-artifacts#122; if using --security-opt seccomp=unconfined makes it work, you'll need to update your host to:

• Docker version 19.03.9 or newer
• libseccomp version 2.4.2 or newer

See moby/moby#40734 for more details around this (and similar issues).

[babelouest]

@tianon , indeed, adding --security-opt seccomp=unconfined makes it work. Debian Bullseye and Ubuntu 21.04 are up-to-date according to the packages you mention. Thanks for the help!

[babelouest]

After a few tries I was able to find a workaround.

The problem is --security-opt seccomp=unconfined can't be used on a docker build command. Therefore I force the docker image to trust the sources no matter what.

Warning
I don't believe these changes are secure enough to run a docker instance in production mode. I use this image only to build packages.

So my Dockerfile starts like that:

FROM ubuntu:rolling

COPY ["sources.list", "/etc/apt/"]
COPY ["99own", "/etc/apt/apt.conf.d/"]

# Install required packages
RUN apt-get update && apt-get upgrade -y

The file sources.list:

deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute main restricted
deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute-updates main restricted
deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute universe
deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute-updates universe
deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute multiverse
deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute-updates multiverse
deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ hirsute-backports main restricted universe multiverse
deb [trusted=yes] http://security.ubuntu.com/ubuntu/ hirsute-security main restricted
deb [trusted=yes] http://security.ubuntu.com/ubuntu/ hirsute-security universe
deb [trusted=yes] http://security.ubuntu.com/ubuntu/ hirsute-security multiverse

And the file 99own:

APT::Get::AllowUnauthenticated "true";
APT::Get::AllowInsecureRepositories "true";
APT::Get::AllowDowngradeToInsecureRepositories "true";