PHP7のDockerイメージをカスタマイズして使っていたら、apt updateでエラーになる

前提

以下のような、Dockerfileとcompose.ymlを使った環境がある

Dockerfile

FROM php:7.2.11-apache

# Install MySQL Extention
RUN docker-php-ext-install mysqli pdo_mysql

# Install GD Extention
RUN apt update && apt install -y \
    libfreetype6-dev \
    libjpeg62-turbo-dev \
    libpng-dev \
    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

compose.yml

services:
  server:
    build:
      context: .
    ports:
      - 80:80
    volumes:
      - ./src:/var/www/html
  db:
    image: mysql:5.7
    user: root
    secrets:
      - db-password
    volumes:
      - db-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db-password
      - MYSQL_DATABASE=example
    ports:
      - 3306:3306
volumes:
  db-data:
secrets:
  db-password:
    file: password.txt

ディレクトリ構成

$ tree
.
├── Dockerfile
├── compose.yml
├── password.txt
└── src
    └── index.php

状況

docker compose buildをすると

$ docker compose build
[+] Building 15.2s (6/6) FINISHED                                                                                                                                                                             docker:default
 => [server internal] load build definition from Dockerfile                                                                                                                                                             0.3s
 => => transferring dockerfile: 411B                                                                                                                                                                                    0.0s
 => [server internal] load .dockerignore                                                                                                                                                                                0.2s
 => => transferring context: 2B                                                                                                                                                                                         0.0s
 => [server internal] load metadata for docker.io/library/php:7.2.11-apache                                                                                                                                             0.0s
 => [server 1/3] FROM docker.io/library/php:7.2.11-apache                                                                                                                                                               0.0s
 => CACHED [server 2/3] RUN docker-php-ext-install mysqli pdo_mysql                                                                                                                                                     0.0s
 => ERROR [server 3/3] RUN apt-get update && apt-get install -y     libfreetype6-dev     libjpeg62-turbo-dev     libpng-dev     && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr  13.6s
------
 > [server 3/3] RUN apt-get update && apt-get install -y     libfreetype6-dev     libjpeg62-turbo-dev     libpng-dev     && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/     && docker-php-ext-install -j$(nproc) gd:
1.330 Ign:1 http://security.debian.org/debian-security stretch/updates InRelease
1.589 Ign:2 http://deb.debian.org/debian stretch InRelease
:
:
:
3.902 Err:8 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
3.902   404  Not Found [IP: 151.101.194.132 80]
:
:
:
11.67 Err:16 http://deb.debian.org/debian stretch/main amd64 Packages
11.67   404  Not Found
:
12.54 Err:18 http://deb.debian.org/debian stretch-updates/main amd64 Packages
12.54   404  Not Found
12.55 Fetched 8706 kB in 11s (772 kB/s)
12.55 Reading package lists...
13.01 W: The repository 'http://security.debian.org/debian-security stretch/updates Release' does not have a Release file.
13.01 W: GPG error: http://security.debian.org/debian-security buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
13.01 W: The repository 'http://security.debian.org/debian-security buster/updates InRelease' is not signed.
13.01 W: GPG error: http://deb.debian.org/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY DCC9EFBF77E11517
13.01 W: The repository 'http://deb.debian.org/debian buster InRelease' is not signed.
13.01 W: GPG error: http://deb.debian.org/debian buster-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
13.01 W: The repository 'http://deb.debian.org/debian buster-updates InRelease' is not signed.
13.01 W: The repository 'http://deb.debian.org/debian stretch Release' does not have a Release file.
13.01 W: The repository 'http://deb.debian.org/debian stretch-updates Release' does not have a Release file.
13.01 E: Failed to fetch http://security.debian.org/debian-security/dists/stretch/updates/main/binary-amd64/Packages  404  Not Found [IP: 151.101.194.132 80]
13.01 E: Failed to fetch http://deb.debian.org/debian/dists/stretch/main/binary-amd64/Packages  404  Not Found
13.01 E: Failed to fetch http://deb.debian.org/debian/dists/stretch-updates/main/binary-amd64/Packages  404  Not Found
13.01 E: Some index files failed to download. They have been ignored, or old ones used instead.
------
failed to solve: process "/bin/sh -c apt-get update && apt-get install -y     libfreetype6-dev     libjpeg62-turbo-dev     libpng-dev     && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/     && docker-php-ext-install -j$(nproc) gd" did not complete successfully: exit code: 100

エラー内容から http://deb.debian.org/debian にアクセスすると、dists以下にstretchが見つからない。

【Debianサポート終了】Google Cloud RunにDockerfileを使ってデプロイしようとしたらエラーが出た によると、Debian 9.0（stretch）のサポートが2022年6月30日で終了したため、パッケージリポジトリは http://archive.debian.org に移動したとのこと。

そのため、Dockerfile内でapt updateをすると、エラーとなってしまっていた。

そこで、PHPイメージ内の/etc/apt/source.listにあるURLを書き換える。

対応

書き換え前

# cat /etc/apt/sources.list
deb http://deb.debian.org/debian stretch main
deb http://security.debian.org/debian-security stretch/updates main
deb http://deb.debian.org/debian stretch-updates main

http://deb.debian.org , http://security.debian.org を http://archive.debian.org に変更する。 また、スイートのstretch-updatesはなくなったため削除する。

sed -i -e 's#deb.debian.org#archive.debian.org#' -e 's#security.debian.org#archive.debian.org#' -e '/stretch-updates/d' /etc/apt/sources.list

この状態でapt udpateを実行すると、/etc/apt/sources.list.d/buster.listで NO_PUBKEY エラーが発生する。

# apt update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Err:1 http://deb.debian.org/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY DCC9EFBF77E11517
Get:2 http://deb.debian.org/debian buster-updates InRelease [56.6 kB]
Err:2 http://deb.debian.org/debian buster-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Get:3 http://security.debian.org/debian-security buster/updates InRelease [34.8 kB]
Err:3 http://security.debian.org/debian-security buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Ign:4 http://archive.debian.org/debian stretch InRelease
Get:5 http://archive.debian.org/debian-security stretch/updates InRelease [59.1 kB]
Get:6 http://archive.debian.org/debian stretch Release [118 kB]
Get:7 http://archive.debian.org/debian stretch Release.gpg [3177 B]
Get:8 http://archive.debian.org/debian-security stretch/updates/main amd64 Packages [782 kB]
Get:9 http://archive.debian.org/debian stretch/main amd64 Packages [7080 kB]
Reading package lists... Done
W: GPG error: http://deb.debian.org/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY DCC9EFBF77E11517
E: The repository 'http://deb.debian.org/debian buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian buster-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian buster-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://security.debian.org/debian-security buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://security.debian.org/debian-security buster/updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

/etc/apt/sources.list.d/buster.listを削除しても今回の場合問題ないが、そのままにしておく場合、debian-archive-keyringをインストールする

# apt update
# apt install -y debian-archive-keyring 

apt updateもすべて成功する

# apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [34.8 kB]
:
:
:
Reading package lists... Done
Building dependency tree
Reading state information... Done
71 packages can be upgraded. Run 'apt list --upgradable' to see them.

最終的なDockerfileは

• /etc/apt/sources.list.d/buster.listをなくした場合

@@ -1,5 +1,8 @@
 FROM php:7.2.11-apache

+RUN sed -i -e 's#deb.debian.org#archive.debian.org#' -e 's#security.debian.org#archive.debian.org#' -e '/stretch-updates/d' /etc/apt/sources.list \
+    && rm /etc/apt/sources.list.d/buster.list
+
 # Install MySQL Extention
 RUN docker-php-ext-install mysqli pdo_mysql

• /etc/apt/sources.list.d/buster.listを残す場合

@@ -1,5 +1,13 @@
 FROM php:7.2.11-apache

+RUN sed -i -e 's#deb.debian.org#archive.debian.org#' -e 's#security.debian.org#archive.debian.org#' -e '/stretch-updates/d' /etc/apt/sources.list \
+    && mv /etc/apt/sources.list.d/buster.list /etc/apt/sources.list.d/buster.list.disabled \
+    && apt update \
+    && apt install -y debian-archive-keyring \
+    && mv /etc/apt/sources.list.d/buster.list.disabled /etc/apt/sources.list.d/buster.list \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
 # Install MySQL Extention
 RUN docker-php-ext-install mysqli pdo_mysql

debian stretchを使っていることを明確にするためにベースイメージをphp:7.2.11-apache-stretch変更しても可能でした

参考

• 【ロボット】WebフロントエンジニアがDebianのOSアプデに対応して苦労した話【備忘録】 #Linux – Qiita
• The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A – Plugins – openmediavault
• docker build時にapt-get updateでPackages Not Found #Debian – Qiita
• apt – Security repo for Debian stretch not working anymore – Unix & Linux Stack Exchange
• Debian9 “stretch” はサポートを終了しました。そのうちパッケージも取得できなくなるよ #Debian – Qiita
• php:8.2-fpmのdocker imageでapt-getしたらエラーが出まくった #PHP – Qiita
• Debian apt update GPG error #Docker – Qiita