Score:2

How can I write a Dockerfile based on Debian Slim in which 'apt-get update' doesn't fail with public key errors?

The build server is Ubuntu 16.04, patched recently with sudo apt update && sudo apt upgrade.

docker version says:

 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:11:02 2018
 OS/Arch:           linux/amd64
 Experimental:      false

The Dockerfile looks like this:

FROM debian:12-slim

RUN apt-get update \
    && apt-get install -y wget \
    && apt-get install -y supervisor \
    && apt-get install -y apt-utils \
    && apt-get install -y nginx \
    && apt-get install -y libgdiplus

RUN apt-get autoremove -y \
    && apt-get clean -y \
    && apt-get autoclean -y \
    && rm -rf /var/lib/apt/lists/*

# .. other stuff cut ..

The apt-get update step fails with:

W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.

Presumably I need to first RUN something to update public keys.

I can find a lot of guides to solving this manually by copy-pasting the missing keys into the command line, but obviously I need the fix to be part of the Dockerfile (and ideally not fall over if the keys get changed, if possible?).

But perhaps the fact that apt-get isn't working for an official base image indicates a deeper problem?

Am I using the correct tag for a minimal Debian Docker image?

Is the problem related to using the slim distribution of Debian?

Could this be an issue with the build environment or old Docker version?

Any thoughts?

(Background: the intention is to build a .Net Core 2.1 runtime image for a legacy app, but the official Microsoft runtime image is no longer supported and has recently developed its own problems in which apt-get fails with many 404 errors. The choice of Debian slim here is because that image was based on an older version of the same.)

Edit: The comments seemed to suggest that it was probably the environment that was the problem; when building the same Dockerfile on Ubuntu 22.04.2 with Docker 24.0.4, everything was fine. Question answered as: Don't use an out-of-date build server!

Unrelated to your question, but running your cleanup tasks in a separate `RUN` script from the install tasks **does not free up any space**. You would need to combine those two `RUN` scripts into a single `RUN` script.
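To illustrate the point about layers, here is the asker's install and cleanup sequence merged into a single `RUN` (an added example, not the Dockerfile from the question or either commenter's code; the package list is the one from the question, with `--no-install-recommends` added as an assumption about what the image needs):

```dockerfile
# Added example: install and cleanup in ONE layer, so the apt lists and
# cached .deb files removed at the end are never committed to the image.
FROM debian:12-slim

RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        apt-utils \
        wget \
        supervisor \
        nginx \
        libgdiplus \
    # cleanup must happen in the same RUN; a later RUN cannot shrink
    # a layer that has already been committed
    && apt-get autoremove -y \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*

# .. other stuff cut ..
```

Comparing `docker history` for this image against the two-`RUN` version shows the difference: in the two-`RUN` version the first layer still carries `/var/lib/apt/lists` and the package cache, and the second layer only records their deletion.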

Related to your question, I cannot reproduce those GPG errors; `docker build` using your Dockerfile runs to completion without any errors. Are you sure you have a recent version of the `debian:12-slim` image? Do you get the same behavior if you first `docker pull debian:12-slim` and then re-try the build?

Re the `RUN` script - thanks - will update that! And re the image - yes, same errors after running the `docker pull` command (I think I first pulled this image yesterday anyway). Perhaps that indicates that the issue's related to the environment then?

You have old and unsupported versions of Ubuntu and Docker. Try running docker with option `--security-opt seccomp=unconfined`.

Thanks, but am seeing `Error response from daemon: The daemon on this platform does not support setting security options on build` in response to adding that option for `docker build`. Good point on versions - I guess I am hoping that there's a way to resolve this without needing to build a new build server - `do-release-upgrade` fails on this system with an error about broken packages. The official .Net Core 6.0 runtime image ran `apt-get update` without problems, which is what gave me hope that a new Debian image also should, but no such luck so far.

Try using `FROM debian:11-slim` as a workaround.

Thanks for the suggestions both - caved and built a new build server - latest versions solved all the problems.

Score:2

The root cause is that outdated libseccomp blocks new Linux syscalls used by Debian Bookworm. There are three approaches:

  • Update Docker and libseccomp
  • Use older images like `debian:11-slim`
  • Run with security disabled: `--security-opt seccomp=unconfined` (obviously insecure approach)