Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] - microdnf does not respect --releasever flag in minimal container image #854

Open
wesner-price opened this issue Dec 2, 2024 · 4 comments
Open

[Bug] - microdnf does not respect --releasever flag in minimal container image #854

wesner-price opened this issue Dec 2, 2024 · 4 comments
Labels
bug Something isn't working enhancement New feature or request packages Package request

Comments

@wesner-price
Copy link

Ran into this issue trying to upgrade dependencies with published vulnerabilities.

This is not an issue if I was using the latest release of AL2023 minimal container image, as it points to the updated package repo.
However, I am using the public.ecr.aws/lambda/nodejs:20 image, and it has not been updated to the latest version of AL2023, it is still version 2023.6.20241031.
Regardless I believe the bug is present in all versions of the minimal container image.

An example vulnerability is https://alas.aws.amazon.com/AL2023/ALAS-2024-759.html
The correction is to run dnf update expat --releasever 2023.6.20241111

But on minimal container images which use microdnf this is not working.
Resulting in a nothing to do status, see output attached below.

I have found a workaround to update the packages, and that is to manually set the release version in the repo file.
sed -i 's/$releasever/2023.6.20241121/g' /etc/yum.repos.d/amazonlinux.repo

I suspect that something is wrong with how microdnf is setting the release version in /etc/yum.repos.d/amazonlinux.repo.

To Reproduce
Steps to reproduce the behavior:

  1. run docker image public.ecr.aws/amazonlinux/amazonlinux:2023.6.20241031.0-minimal
  2. run dnf install expat -y
  3. see that dnf installs expat-2.5.0-1.amzn2023.0.4.x86_64
  4. run dnf upgrade expat -y --releasever=2023.6.20241121 --refresh
  5. see that there is nothing to do
  6. run sed -i 's/$releasever/2023.6.20241121/g' /etc/yum.repos.d/amazonlinux.repo
  7. run dnf upgrade expat -y --refresh
  8. see that dnf upgrades to expat-2.6.3-1.amzn2023.0.1.x86_64

Expected behavior
I would expect that on step 4 that dnf would upgrade expat to 2.6.3

Screenshots
If applicable, add screenshots to help explain your problem.
image
@elsaco
Copy link

elsaco commented Dec 3, 2024
edited
Loading

@wesner-price I'm running an older container (tag 2023.6.20241111.0-minimal) and expat-2.6.3 is in the repo:

bash-5.2# dnf --refresh repoquery expat
Downloading metadata...
expat-2.5.0-1.amzn2023.0.2.x86_64
expat-2.5.0-1.amzn2023.0.3.x86_64
expat-2.5.0-1.amzn2023.0.4.x86_64
expat-2.6.3-1.amzn2023.0.1.x86_64

From microdnf vars:

bash-5.2# cat /etc/dnf/vars/releasever
2023.6.20241111

microdnf version:

bash-5.2# rpm -qi microdnf
Name        : microdnf
Version     : 3.10.0
Release     : 2.amzn2023.0.1
---cut---

@wesner-price
Copy link
Author

wesner-price commented Dec 3, 2024
edited
Loading

@elsaco Yes, I am aware the packages are up to date if one can simply upgrade the AL2023 version. Since the new versions point to updated repositories.

Not all aws images being released have been upgraded to the new version. For example, the Node 20 lambda image I am using.

Therefore, to update packages to a new version that exists in a new releases repository I need to specify the release version on dnf, but the option --releasever is not working for microdnf.

One would expect that using --releasever on micro dnf would result in pulling a package from that release version passed in via the argument.
In the non-minimal images with the full version of dnf, this is not an issue.

This can be seen by pulling 2023.6.20241111.0-minimal as you have but using repoquery for an older release.

You would think that --releasever would set the variable in the repo config file. But instead i need to manually replace with the desired version.

sh-5.2# cat /etc/dnf/vars/releasever
2023.6.20241111
sh-5.2# dnf repoquery expat
Downloading metadata...
expat-2.5.0-1.amzn2023.0.2.x86_64
expat-2.5.0-1.amzn2023.0.3.x86_64
expat-2.5.0-1.amzn2023.0.4.x86_64
expat-2.6.3-1.amzn2023.0.1.x86_64
sh-5.2# dnf repoquery expat --releasever=2023.6.20241031 --refresh
Downloading metadata...
expat-2.5.0-1.amzn2023.0.2.x86_64
expat-2.5.0-1.amzn2023.0.3.x86_64
expat-2.5.0-1.amzn2023.0.4.x86_64
expat-2.6.3-1.amzn2023.0.1.x86_64
sh-5.2# sed -i 's/$releasever/2023.6.20241031/g' /etc/yum.repos.d/amazonlinux.repo
sh-5.2# dnf repoquery expat --refresh
Downloading metadata...
expat-2.5.0-1.amzn2023.0.2.x86_64
expat-2.5.0-1.amzn2023.0.3.x86_64
expat-2.5.0-1.amzn2023.0.4.x86_64
sh-5.2#

Ultimately
I need to upgrade the packages to point to newer versions of AL2023 package repositories, because I cannot upgrade my AL2023 version to latest.

@elsaco
Copy link

elsaco commented Dec 4, 2024

@wesner-price I'm not convinced is the fault of microdnf and not just a configuration issue. In the /etc/dnf/vars there is a hardcoded releasever which overrides the supplied argument. Use strace for details.

If you delete /etc/dnf/vars/releasever then microdnf option works as expected:

bash-5.2# dnf install expat -y
Downloading metadata...
Package                                                                                          Repository                           Size
Installing:
 expat-2.5.0-1.amzn2023.0.4.x86_64                                                               amazonlinux                      120.2 kB
Transaction Summary:
 Installing:        1 packages
 Reinstalling:      0 packages
 Upgrading:         0 packages
 Obsoleting:        0 packages
 Removing:          0 packages
 Downgrading:       0 packages
Downloading packages...
Running transaction test...
Installing: expat;2.5.0-1.amzn2023.0.4;x86_64;amazonlinux
Complete.
bash-5.2# rm /etc/dnf/vars/releasever
bash-5.2# dnf upgrade expat -y --releasever=2023.6.20241121 --refresh
Downloading metadata...
Package                                                                                          Repository                           Size
Upgrading:
 expat-2.6.3-1.amzn2023.0.1.x86_64                                                               amazonlinux                      124.5 kB
   replacing expat-2.5.0-1.amzn2023.0.4.x86_64
Transaction Summary:
 Installing:        0 packages
 Reinstalling:      0 packages
 Upgrading:         1 packages
 Obsoleting:        0 packages
 Removing:          0 packages
 Downgrading:       0 packages
Downloading packages...
Running transaction test...
Updating: expat;2.6.3-1.amzn2023.0.1;x86_64;amazonlinux
Cleanup: expat;2.5.0-1.amzn2023.0.4;x86_64;installed
Complete.

Note that /etc/dnf/vars/releasever is not own by any package. Whoever is building the Docker container can provide more information.

@stewartsmith stewartsmith added bug Something isn't working enhancement New feature or request packages Package request labels Dec 26, 2024
@stewartsmith
Copy link
Member

I can verify that public.ecr.aws/lambda/nodejs:20 does set /etc/dnf/vars/releasever and is being used for the value of releasever. Removing this file will help achieve what you are looking for.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working enhancement New feature or request packages Package request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@stewartsmith @elsaco @wesner-price