Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xgo-image-deb6 container image build fails #6502

Closed
graphaelli opened this issue Mar 6, 2018 · 9 comments · Fixed by #6508
Closed

xgo-image-deb6 container image build fails #6502

graphaelli opened this issue Mar 6, 2018 · 9 comments · Fixed by #6508

Comments

@graphaelli
Copy link
Member

make package produces:

10:21:06 E: There are problems and -y was used without --force-yes
10:21:06 The command '/bin/sh -c apt-get -o Acquire::Check-Valid-Until=false update &&   apt-get install -y automake autogen build-essential ca-certificates     gcc-multilib     clang llvm-dev  libtool libxml2-dev uuid-dev libssl-dev pkg-config     patch make xz-utils cpio wget unzip git mercurial bzr rsync --no-install-recommends' returned a non-zero code: 100
10:21:06 make[1]: *** [xgo-image] Error 100

This happens because of a recent key expiration:

Step 9/22 : RUN   apt-get -o Acquire::Check-Valid-Until=false update &&   apt-get install -y automake autogen build-essential ca-certificates     gcc-multilib     clang llvm-dev  libtool libxml2-dev uuid-dev libssl-dev pkg-config     patch make xz-utils cpio wget unzip git mercurial bzr rsync --no-install-recommends
 ---> Running in d13be47f8090
Get:1 http://archive.debian.org squeeze Release.gpg [1655 B]
Get:2 http://archive.debian.org squeeze-lts Release.gpg [819 B]
Get:3 http://archive.debian.org squeeze Release [96.0 kB]
Ign http://archive.debian.org squeeze Release
Get:4 http://archive.debian.org squeeze-lts Release [34.3 kB]
Get:5 http://archive.debian.org squeeze/main amd64 Packages [8370 kB]
Get:6 http://archive.debian.org squeeze/contrib amd64 Packages [61.7 kB]
Get:7 http://archive.debian.org squeeze-lts/main amd64 Packages [390 kB]
Fetched 8955 kB in 16s (533 kB/s)
Reading package lists...
W: GPG error: http://archive.debian.org squeeze Release: The following signatures were invalid: KEYEXPIRED 1520281423 KEYEXPIRED 1501892461

specifically:

$ docker run -it --rm debian:6 apt-key list | grep -B1 squeeze
pub   4096R/473041FA 2010-08-27 [expired: 2018-03-05]
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
@graphaelli
Copy link
Member Author

I'm not terribly familiar with apt keys. This doesn't resolve the issue

$ apt-key adv --keyserver keys.gnupg.net --recv-keys 473041FA
gpg: requesting key 473041FA from hkp server keys.gnupg.net
gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" 10 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:         new signatures: 10

I assume because of the gpg: no ultimately trusted keys found part.

@tsg
Copy link
Contributor

tsg commented Mar 7, 2018

I won’t be able to look at this this week. @andrewkroh, can you look into it, please? Thanks!

@andrewkroh
Copy link
Member

If they don't release an updated signing key then the only possible workaround I see is to use --allow-unauthenticated. But I would never want to use that option in building anything that we are going to release.

Perhaps moving to Debian 7 is the next best option?

@graphaelli
Copy link
Member Author

What do we rely on in debian:6 exactly? The build produces seemingly good executables (ran on machines I have access to) with this patch:

--- a/dev-tools/packer/docker/xgo-image-deb6/base/Dockerfile
+++ b/dev-tools/packer/docker/xgo-image-deb6/base/Dockerfile
@@ -3,13 +3,10 @@
 #
 # Released under the MIT license.
 
-FROM debian:6
+FROM debian:7
 
 MAINTAINER Tudor Golubenco <tudor@elastic.co>
 
-# Use sources list from the archive
-ADD sources.list /etc/apt/sources.list
-

but I'm not clear on how to verify further.

@graphaelli
Copy link
Member Author

build also succeeds on debian:8

@andrewkroh
Copy link
Member

@graphaelli I believe debian 6 is used on order to provide the greatest amount of libc compatibility for our non-statically compiled binaries. Here's the commit where this was added: elastic/beats-packer@2fb1e58#diff-12944685a1876ec1aad854eacb5f8745

Do the binaries produced under Debian 7 work on Debian 6?

@graphaelli
Copy link
Member Author

graphaelli commented Mar 7, 2018
edited
Loading

Under docker, binaries produced with debian 7, 8, and 9 ran without issue on the debian:6 image on my machine. I haven't come up with a reason that would be unexpected.

@andrewkroh Looking at the commit you referenced I wonder if using the build tag -tags netgo was considered at the time, since go version was 1.4.2 (as of 1.5 that's not necessary). I think it's less risky to continue dynamically linked builds on a newer debian for already released minors but consider moving to static builds going forward. I'll put up a pull request for a move to debian:7 for review while continue to discuss options.

@andrewkroh
Copy link
Member

I'll put up a pull request for a move to debian:7 for review while continue to discuss options.

Excellent!

but consider moving to static builds going forward.

We recently (I think as of 6.0) switched to dynamic linking for some OSes. #4546

This gives us the ability to use plugins on Linux/Darwin and enables collecting some of the self-monitoring metrics via cgo.

@graphaelli
Copy link
Member Author

Ah, I totally forgot about the metric collection bits, thanks.

@graphaelli graphaelli mentioned this issue Mar 7, 2018
Merged
@andrewkroh andrewkroh mentioned this issue Mar 10, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

update build image from debian 6 to 7 graphaelli/beats
3 participants
@graphaelli @tsg @andrewkroh