/bin/bash failing "-r" operator, but it works in /bin/sh
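I have been running a bash script as the container entrypoint. I just upgraded from Alpine 3.13 to Alpine 3.15.0, and the script started failing the "-r" check for both mounted and unmounted files.
Docker version 18.06.1-ce, build e68fc7a
libseccomp version libseccomp2/now 2.4.1-0ubuntu0.18.04.2
Minimal example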
bash-5.1# ls -lt try
-rw-r--r-- 1 root root 0 Mar 24 08:47 try
bash-5.1# cat test.sh
#!/bin/bash
if [ ! -r /tmp/try ] ; then
echo "fail -r"
fi
if [ ! -f /tmp/try ] ; then
echo "fail -f"
fi
bash-5.1# bash test.sh
fail -r
bash-5.1# sh test.sh
bash-5.1#
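The issue is documented here: https://github.com/alpinelinux/docker-alpine/issues/156
The suggested solutions are listed here: https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
Since I could not update the Docker and libseccomp versions, I tried the third option and it worked fine.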
- As a workaround, in order to run under old Docker or libseccomp versions, the moby default seccomp profile should be downloaded and on line 2, defaultAction changed to SCMP_ACT_TRACE, then --seccomp-profile=default.json can be passed to dockerd, or --security-opt=seccomp=default.json passed to docker create or docker run. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.
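The workaround quoted above as a script, added here as an example that is not part of the original post: it patches a local copy of the profile and includes a check for the symptom from the question. The function names (patch_profile, readable_status, sample_profile) are hypothetical, and the profile is a constructed, trimmed stand-in for the real moby default.json.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Rewrite only the first "defaultAction" (the top-level one) to SCMP_ACT_TRACE.
patch_profile() {  # usage: patch_profile IN OUT
    awk '
        !seen && /"defaultAction"[ \t]*:/ {
            sub(/"defaultAction"[ \t]*:[ \t]*"[^"]*"/, "\"defaultAction\": \"SCMP_ACT_TRACE\"")
            seen = 1
        }
        { print }
        END { if (!seen) exit 1 }
    ' "$1" > "$2" || { rm -f "$2"; echo "no defaultAction in $1" >&2; return 1; }
}

# Compare the shell's -r test with a real open() of the file.
# "mismatch" is the symptom from the question: the file opens, yet -r fails.
readable_status() {  # usage: readable_status FILE
    if [ -r "$1" ]; then echo ok
    elif ( : < "$1" ) 2>/dev/null; then echo mismatch
    else echo unreadable
    fi
}

# Constructed, heavily trimmed stand-in for the moby default seccomp profile.
sample_profile() {
    cat <<'EOF'
{
	"defaultAction": "SCMP_ACT_ERRNO",
	"syscalls": [
		{ "names": ["faccessat", "openat"], "action": "SCMP_ACT_ALLOW" }
	]
}
EOF
}

work=$(mktemp -d)
sample_profile > "$work/default.orig.json"
patch_profile "$work/default.orig.json" "$work/default.json"
cat "$work/default.json"
echo "profile file is: $(readable_status "$work/default.json")"
# Then, as in the quoted release note:
#   docker run --security-opt=seccomp=default.json ...
```

Run readable_status with the same shell the entrypoint uses (bash in the question), since the test session above shows sh and bash giving different results for the same file.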