Develop Reference

apt-get update fails on Ubuntu 22 base docker image

I am trying to upgrade one of our docker base images to the latest stable version of Ubuntu. I have isolated the problem to a simple reproducible case. I have a Dockerfile like this:
FROM ubuntu:22.04
MAINTAINER mep-dev#zulily.com
# Install java and clean-up
RUN apt-get update
When I build it on my local machine, I don't have any problems. However, when I build it on my CICD, I sometimes get this error:
Step 3/3 : RUN apt-get update
---> Running in 6ca01b60de64
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [109 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Err:1 http://archive.ubuntu.com/ubuntu jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Reading package lists...
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy InRelease' is not signed.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-updates InRelease' is not signed.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-backports InRelease' is not signed.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://security.ubuntu.com/ubuntu jammy-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://security.ubuntu.com/ubuntu jammy-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
The command '/bin/sh -c apt-get update' returned a non-zero code: 100
If I comment out RUN apt-get update, then it succeeds, and I can enter the container and see that /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg and /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg do exist and have read for all permissions:
root#b778220b39d8:/# ls -l /etc/apt/trusted.gpg.d
total 8
-rw-r--r-- 1 root root 2794 Mar 26 2021 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 26 2021 ubuntu-keyring-2018-archive.gpg
I also checked the parent directories, and they have r-x at least for all.
This answer might be related, but why would the file have the correct structure when the base image is used in one environment and not another?
Update:
By using --pull, I can see the exact image it's using.
$ docker build --pull -t $EMAIL_DELIVERABILITY_ARN .
Step 1/3 : FROM ubuntu:22.04
22.04: Pulling from library/ubuntu
Digest: sha256:b6b83d3c331794420340093eb706a6f152d9c1fa51b262d9bf34594887c2c7ac
Status: Downloaded newer image for ubuntu:22.04
---> 27941809078c
This is the same sha and image id that I see when building locally, which works.
I am not having the same problem with ubuntu:20.04.

After spending half a day trying to fix the Ubuntu images (which aren't broken) I have eventually started debugging the host.
It's a docker problem. Ubuntu makes use of syscalls for better key security, which Docker didn't support yet. The solution is to update docker... or use runc or something similar.
Instead of apt getting the message that the syscalls aren't supported, it gets the message that permission is denied, which results in the confusing error messages.
You could technically patch ubuntu to be less secure, and to work with older docker, but that is sadly not a long term solution.

When you reference a docker image by name, Docker only checks to see if it exists locally or not -- it doesn't check for updates. So if there is already a version of the named image available, it will use that even though it might be stale. I suspect that's what you're seeing: some of your CI nodes must have a cached version of the image that has problems.
There are a few ways of dealing with this:
Explicitly docker pull ubuntu:22.04 before calling docker run; this will pull down a newer version of the image if one exists.
Add --pull always to your docker run command line. This accomplishes the same thing but without requiring an extra command execution.
Reference an image by digest rather than by tag. If you use an image reference like this:
FROM ubuntu#sha256:bace9fb0d5923a675c894d5c815da75ffe35e24970166a48a4460a48ae6e0d19
Then docker will use that exact image. You can find the image digests on docker hub.

Exactly same problem
Err:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Reading package lists...
[91mW: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
Dockerfile (simple how to reproduce) docker-version: 18.x or 19.03/
FROM ubuntu:latest
RUN apt-get -y update
With latest Docker version 20.10.9, i did not see the issue.
some of the options tried to tshoot:
sed -i 's/jammy/focal/g' /etc/apt/sources.list
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 871920D1991BC93C
this fails with with another child-issue
gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
SO, solutions seems to be either update docker-version or use a tagged image where it has worked previously.

A very dirty but probably acceptable hack for some docker hacking is this:
apt update --allow-insecure-repositories
Which just ignores the signatures. The errors get still printed, but the package repository is updated, and you can install new packages afterwards. Even though you get warned and asked if that is really what you want to do.

It is the same from me, something is broken inside the Ubuntu image. The issue is not coming from the docker software/pkg, it is sourced within the image.

Build Error. Failed to fetch http://deb.debian.org/debian/dists/jessie-updates/main/binary-amd64/Packages

Build Errors unable to find jq.
Err http://deb.debian.org jessie/main amd64 Packages
404 Not Found
Err http://deb.debian.org jessie-updates/main amd64 Packages
404 Not Found
Fetched 723 kB in 2s (357 kB/s)
W: Failed to fetch http://deb.debian.org/debian/dists/jessie/main/binary-amd64/Packages 404 Not Found
W: Failed to fetch http://deb.debian.org/debian/dists/jessie-updates/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
$ apt-get install jq
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package jq
ERROR: Job failed: exit code 1

#codinghaus mentioned in another thread:
This is due to the fact that
as Wheezy and Jessie have been integrated into the archive.debian.org structure recently, we are now removing all of Wheezy and all non-LTS architectures of Jessie from the mirror network starting today.
A solution (according to https://github.com/debuerreotype/docker-debian-artifacts/issues/66#issuecomment-476616579) is to add the following command into your Dockerfile before calling any apt-get update when using debian:jessie.
RUN sed -i '/jessie-updates/d' /etc/apt/sources.list # Now archived
This will remove the jessie-updates repository (which now causes the 404) from sources.list.
FROM debian:jessie
RUN sed -i '/jessie-updates/d' /etc/apt/sources.list # Now archived
RUN apt-get update
CMD /bin/sh

Just place this line before your apt-get commands in your Dockerfile:
RUN echo "deb http://deb.debian.org/debian jessie main" > /etc/apt/sources.list
Debian removed some url for old packages which is causing this issue. The line fixes the repository to refer to.

I had the same problem today. I believe yours is related to Jessie being removed from Debian (see: https://twitter.com/debian/status/1109080168318926851?s=12).
I upgraded php in Dockerfile to php:7.1.27-apache-stretch and it worked.

Maybe, the third party import that you are doing is not able to refer to the debian jessie, so changing ftp.debian.org to http://ftp.us.debian.org might make it work. If you are not referring to this directly, try upgrading or downgrading the imported versions, if removing them is not the option.
In my case, i was using:
FROM docker.***.com/node:10
downgrading the node from 10 to 8, kicked off the job successfully.

E: Unable to locate package usbmount

I've installed a debian stretch container in docker (via portainer.io)
and was able to install openssh-server via apt-get install.
After a successful connection with PuTTY, i'm not able to install usbmount which i need for later purpose..
i searched a lot and went through different repositories but nothing helped - i'm getting the same error every time.
of course, i typed in apt-get update after every edit of sources.list
by looking for another solution i've tried to install apt-file and for some reason this works, but usbmount wont...
this is the content of my /etc/apt/sources.list
deb http://deb.debian.org/debian/ stable main contrib non-free
deb-src http://deb.debian.org/debian/ stable main contrib non-free
deb http://deb.debian.org/debian/ stable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free
deb http://deb.debian.org/debian-security stable/updates main
deb-src http://deb.debian.org/debian-security stable/updates main
deb http://ftp.debian.org/debian stretch-backports main
deb-src http://ftp.debian.org/debian stretch-backports main
any suggestions?
thanks in advance

Docker install failed on downloading ubuntu package

I'm trying to install Docker CE 18.03 on Ubuntu 18.04 using the official step by step page found here. I am stuck at step 4) sudo apt-get update. This is what I get:
Hit:1 http://mirror.transip.net/stack/software/deb/Ubuntu_18.04 ./ InRelease
Hit:2 http://nl.archive.ubuntu.com/ubuntu bionic InRelease
Ign:3 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 http://dl.google.com/linux/chrome/deb stable Release
Hit:5 http://nl.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:6 http://nl.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
Err:8 https://get.docker.com/ubuntu docker InRelease
403 Forbidden [IP: 52.85.58.66 443]
Reading package lists... Done
E: Failed to fetch http://get.docker.io/ubuntu/dists/docker/InRelease 403 Forbidden [IP: 52.85.58.66 443]
E: The repository 'http://get.docker.io/ubuntu docker InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Visiting the link in Err:8 https://get.docker.com/ubuntu/ outputs the following:
echo "# WARNING! This script is deprecated. Please use the script"
echo "# at https://get.docker.com/"
exit 1
Ok, obsolete link, no problem, so I download the script found at get.docker.com and run it with bash, this is the result:
# Executing docker install script, commit: 36b78b2
+ sudo -E sh -c apt-get update -qq >/dev/null
E: The repository 'http://ppa.launchpad.net/colingille/freshlight/ubuntu bionic Release' does not have a Release file.
E: Failed to fetch http://get.docker.io/ubuntu/dists/docker/InRelease 403 Forbidden [IP: 52.85.58.48 443]
E: The repository 'http://get.docker.io/ubuntu docker InRelease' is not signed.
Is there anything I can try?

The installation is indeed broken and i faced it too. This link came to my rescue while I was performing similar action some time back https://gist.github.com/levsthings/0a49bfe20b25eeadd61ff0e204f50088

This error means it is not able to connect to the url mentioned..
I solved using below steps..
found out which file it is there
cd /etc/apt
grep -irl "docker"
sources.list.d/docker.list
vi sources.list.d/docker.list
change the content inside this file to
deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
save it
and then try update again.
Solved my issue!

This error means it is not able to connect to the url mentioned..
I solved using below steps..
found out which file it is there
cd /etc/apt
grep -irl "docker"
sources.list.d/docker.list
gedit sources.list.d/docker.list
change the content inside this file to
deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
save it
and then try update again.
Solved my issue!

You're accessing from a country that Docker blocked on their server, or at least your IP 52.85.58.66
Try to use a VPN and see it if still get you the same error.

Linux Mint 'rvm requirements' failure

I run Linux Mint 16 (petra) and have increasingly encountered issues where it says it needs a package, it even tells me what it needs me to install, I try to install exactly that package, and then it says "hey that package doesnt exist! haha!"
It is becoming incredibly frustrating and unfortunately I'm totally out of luck when it comes to reinstalling the OS because I need an ethernet cable and a router both of which I do not have. I have tried to start learning Erlang which has become impossible because I can't even get it installed (see my previous stackoverflow post) and now I can't even get rails working, which is something I was working on very regularly prior to starting an internship this summer.
Here is my issue.
core#core ~ $ rvm requirements
Checking requirements for mint.
Installing requirements for mint.
Updating system..core password
required for 'apt-get --quiet --yes update': ...............
Installing required packages: libreadline6-dev, libyaml-dev, autoconf,
libgdbm-dev, libncurses5-dev, automake, libtool, libffi-dev..... Error
running 'requirements_debian_libs_install libreadline6-dev libyaml-dev
autoconf libgdbm-dev libncurses5-dev automake libtool libffi-dev',
showing last 15 lines of
/home/core/.rvm/log/1404864015/package_install_libreadline6-dev_libyaml-dev_autoconf_libgdbm-dev_libncurses5-dev_automake_libtool_libffi-dev.log
is only available from another source
Package libtool is not available, but is referred to by another
package. This may mean that the package is missing, has been
obsoleted, or is only available from another source
E: Unable to locate package libreadline6-dev E: Package 'autoconf' has
no installation candidate E: Unable to locate package libgdbm-dev E:
Unable to locate package libncurses5-dev E: Package 'automake' has no
installation candidate E: Package 'libtool' has no installation
candidate E: Unable to locate package libffi-dev
+ return 100
+ return 100 Requirements installation failed with status: 100.
I tried to install several of those packages, and then I get the message "hey that package doesn't exist!"
What can I do?
Please help me resolve this so I can become productive again. Very very much appreciated in advance!
UPDATE: iain suggested that I run a command which I did and it produced this:
core#core ~ $ sudo apt-get install autoconf bison build-essential
libssl-dev libyaml-dev libreadline6 libreadline6-dev zlib1g zlib1g-dev
[sudo] password for core: Reading package lists... Done Building
dependency tree Reading state information... Done Package
autoconf is not available, but is referred to by another package. This
may mean that the package is missing, has been obsoleted, or is only
available from another source
E: Package 'autoconf' has no installation candidate E: Unable to
locate package libreadline6-dev

These are the packages I install to get Ruby to build on an Ubuntu system
make
autoconf
libtool
build-essential
libffi-dev
libgdbm-dev
libncurses5-dev
libreadline-dev
libssl-dev
libyaml-dev
zlib1g-dev
I got most of that list from the ruby-build wiki, which suggests:
apt-get install autoconf bison build-essential libssl-dev libyaml-dev libreadline6 libreadline6-dev zlib1g zlib1g-dev
but I add in make too, for good measure.
I got this from an Ubuntu box provided by Vagrant, the hashicorp/precise64 which should (hopefully) be close enough to what Mint is using to check against.
#
# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/main/binary-i386/
# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/restricted/binary-i386/
# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ precise main restricted
#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/main/binary-i386/
#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/restricted/binary-i386/
#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ precise main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ precise main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise universe
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu precise partner
# deb-src http://archive.canonical.com/ubuntu precise partner
## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu precise main
# deb-src http://extras.ubuntu.com/ubuntu precise main
The MD5 may help:
$ md5 sources.list
MD5 (sources.list) = b966730006afc9e02e6d56d7ceb96af5