Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

panic: assignment to entry in nil map #13968

Closed
ianw opened this issue Apr 22, 2022 · 9 comments
Closed

panic: assignment to entry in nil map #13968

ianw opened this issue Apr 22, 2022 · 9 comments
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@ianw
Copy link
Contributor

ianw commented Apr 22, 2022

Our CI jobs have started failing with

2022-04-22 05:45:36.243 | + podman run --name dib-tmp-export-28472 -d dib-tmp-work-image-13092 /bin/sh
2022-04-22 05:45:36.571 | panic: assignment to entry in nil map
2022-04-22 05:45:36.571 | 
2022-04-22 05:45:36.571 | goroutine 1 [running]:
2022-04-22 05:45:36.571 | github.com/opencontainers/runtime-tools/generate.(*Generator).addEnv(...)
2022-04-22 05:45:36.571 | 	github.com/opencontainers/runtime-tools/generate/generate.go:525
2022-04-22 05:45:36.571 | github.com/opencontainers/runtime-tools/generate.(*Generator).AddProcessEnv(0xc000717bc8, {0x17edeb7, 0x8}, {0xc000351cc0, 0xc})
2022-04-22 05:45:36.571 | 	github.com/opencontainers/runtime-tools/generate/generate.go:501 +0x2ea
2022-04-22 05:45:36.571 | github.com/containers/podman/libpod.(*Container).generateSpec(0xc00063cf20, {0x1ad3050, 0xc000124bd0})
2022-04-22 05:45:36.571 | 	github.com/containers/podman/libpod/container_internal_linux.go:648 +0x2965
2022-04-22 05:45:36.571 | github.com/containers/podman/libpod.(*Container).init(0xc00063cf20, {0x1ad3050, 0xc000124bd0}, 0x0)
2022-04-22 05:45:36.571 | 	github.com/containers/podman/libpod/container_internal.go:1098 +0x8e
2022-04-22 05:45:36.571 | github.com/containers/podman/libpod.(*Container).prepareToStart(0xc00063cf20, {0x1ad3050, 0xc000124bd0}, 0xa0?)
2022-04-22 05:45:36.571 | 	github.com/containers/podman/libpod/container_internal.go:875 +0x345
2022-04-22 05:45:36.572 | github.com/containers/podman/libpod.(*Container).Start(0xc00063cf20, {0x1ad3050?, 0xc000124bd0?}, 0x0?)
2022-04-22 05:45:36.572 | 	github.com/containers/podman/libpod/container_api.go:91 +0xde
2022-04-22 05:45:36.572 | github.com/containers/podman/pkg/domain/infra/abi.(*ContainerEngine).ContainerRun(0xc000518058, {0x1ad3050, 0xc000124bd0}, {{0x0, 0x0}, 0x1, {0x17f5ed4, 0xd}, 0xc000010020, 0x0, ...})
2022-04-22 05:45:36.572 | 	github.com/containers/podman/pkg/domain/infra/abi/containers.go:947 +0x276
2022-04-22 05:45:36.572 | github.com/containers/podman/cmd/podman/containers.run(0x25046a0?, {0xc0004b4280?, 0x2, 0x5})
2022-04-22 05:45:36.572 | 	github.com/containers/podman/cmd/podman/containers/run.go:194 +0x7e6
2022-04-22 05:45:36.572 | github.com/spf13/cobra.(*Command).execute(0x25046a0, {0xc00003c090, 0x5, 0x5})
2022-04-22 05:45:36.572 | 	github.com/spf13/cobra/command.go:856 +0x67c
2022-04-22 05:45:36.572 | github.com/spf13/cobra.(*Command).ExecuteC(0x251b3a0)
2022-04-22 05:45:36.572 | 	github.com/spf13/cobra/command.go:974 +0x3b4
2022-04-22 05:45:36.572 | github.com/spf13/cobra.(*Command).Execute(...)
2022-04-22 05:45:36.572 | 	github.com/spf13/cobra/command.go:902
2022-04-22 05:45:36.572 | github.com/spf13/cobra.(*Command).ExecuteContext(...)
2022-04-22 05:45:36.572 | 	github.com/spf13/cobra/command.go:895
2022-04-22 05:45:36.572 | main.Execute()
2022-04-22 05:45:36.572 | 	github.com/containers/podman/cmd/podman/root.go:91 +0xc5
2022-04-22 05:45:36.572 | main.main()
2022-04-22 05:45:36.572 | 	github.com/containers/podman/cmd/podman/main.go:39 +0x74

Several different types of builds have started failing with this. Concentrating on one type [1] the last successful build was [2] yesterday.

It looks like there has been a minor point-update of podman in Debian in that time, e.g. [3] (failing)

2022-04-22 06:44:54.031462 | ubuntu-focal | Get:69 http://deb.debian.org/debian unstable/main amd64 podman amd64 3.4.7+ds1-1 [9625 kB]

versus [4] (passing)

2022-04-21 20:08:20.771641 | ubuntu-focal | Get:69 http://deb.debian.org/debian unstable/main amd64 podman amd64 3.4.6+ds1-1 [9623 kB]

This seems to be about the only difference. It seems this is a release to fix a CVE [5]

* New upstream release.
     - Fixes:  [CVE-2022-1227](https://security-tracker.debian.org/tracker/CVE-2022-1227)

I haven't managed to track this down further yet, but it felt more like a generic issue than something Debian specific; we run from unstable because we need some other features so might be some early testers of this.

[1] https://zuul.opendev.org/t/openstack/builds?job_name=dib-nodepool-functional-openstack-fedora-35-containerfile-src&project=openstack/diskimage-builder
[2] https://zuul.opendev.org/t/openstack/build/7fe19006ea0543afab58d56b206c70ed
[3] https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_7de/838863/2/check/nodepool-build-image-siblings/7de1ad4/job-output.txt
[4] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_806/836228/10/check/nodepool-build-image-siblings/806f881/job-output.txt
[5] https://tracker.debian.org/news/1320098/accepted-libpod-347ds1-1-source-into-unstable/

@giuseppe
Copy link
Member

it looks like the Debian package is using an old version of github.com/opencontainers/runtime-tools.

AddProcessEnv is not using addEnv since:

commit 3967c4654461e6673d2418e05678bcda4bf51b2f
Author: Giuseppe Scrivano <[email protected]>
Date:   Wed Aug 19 13:18:19 2020 +0200

    vendor: update opencontainers/runtime-spec
    
    Signed-off-by: Giuseppe Scrivano <[email protected]>

@siretart PTAL

@Luap99
Copy link
Member

Luap99 commented Apr 22, 2022

Sine this is is a debian issue you should report this to the distro specific bug tracker.
Looks like the latest github.com/opencontainers/runtime-tools tag is from 2019, I guess there are using this instead.

@giuseppe
Copy link
Member

@siretart sorry if it was already discussed in the past and I am not aware of the outcome but is there anything we can do to use the same version of the modules we ship and avoid such kind of issues?

@jqueuniet
Copy link

Had the same problem this morning with the last podman update for Debian sid. Upgrading to podman 4 from experimental solved my issue.

@siretart
Copy link
Contributor

siretart commented Apr 22, 2022

@giuseppe you can track the versions of containers/runtime-tools in Debian at https://tracker.debian.org/pkg/golang-github-opencontainers-runtime-tools. As you can see, it is packaging the lastest upstream release.

Any chance you can assist with having a new upstream release so that podman doesn't need to vendor unreleased versions? That would help me a lot. opencontainers/runtime-tools#702 might be a good starting point, not sure where it got stuck.

Alternatively, you could help me by pointing out specific upstream commits that I could backport to the debian package (as you can see from 0.9.0+dfsg-4, I've been doing that e.g. for cd1349b7c47e9def74bee83f6cec88c5c3413e65 but evidently more changes are needed).

@Luap99
Copy link
Member

Luap99 commented Apr 22, 2022

see opencontainers/runtime-tools#702

@giuseppe
Copy link
Member

we can address the runtime-tools issue for now, but I am more worried about the fact the Go modules we use and test are different than the ones used on Debian. We could be more diligent and use only released tags, but we have no control over the indirect dependencies.

I somehow understand why it is done but it defeats the only advantage of Go binaries static linking.

@siretart
Copy link
Contributor

it looks like the Debian package is using an old version of github.com/opencontainers/runtime-tools.

AddProcessEnv is not using addEnv [...]

@giuseppe I think it is a bit more complicated than that, I did backport that relevant change: https://sources.debian.org/src/golang-github-opencontainers-runtime-tools/0.9.0%2Bdfsg-4/debian/patches/ProcessEnvPerformance.patch/ -- so the addEnv function is used in the debian package.

Unfortunately, it appears to be not sufficient, and probably additional patches are necessary to avoid this crash.

@siretart
Copy link
Contributor

Actually, I think the comment in

// NewFromSpec() is deprecated according to its comment
// however the recommended replace just causes a nil map panic
//nolint:staticcheck
is referring to exactly this crash.

I'm backporting upstream commit a42c131 which reverts the usage to the deprecated API. Initial testing confirms that this avoids the crash. Go figure! (pun intended)

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

No branches or pull requests

5 participants