-
Notifications
You must be signed in to change notification settings - Fork 770
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Buildah failed to build image with additionalimage options #2359
Comments
Are you runnint podman as root or rootless? |
podman was running as root |
I am getting the same failure. @giuseppe Any ideas? |
Seems to be an issue with buildah bud. If I run each command separately everything works. |
I also try to build this example in a script way
but got follwoing error
Debug log from commit command
|
And one more interesting thing. when fuse-overlay was turned off, buildah was able to perform build, but fails to push to registry Error
script
full log: https://gist.github.com/bulanovk/953b2afdef1dc9d3199a6ef6c4d1dd07 |
fuse-overlayfs needs write access to the shared repository to create the work directory and operate there when mounting the image. It must be mounted using @rhatdan is it possible to mount the image read only? |
Yes it helps, but it still fails in push Script:
full log: https://gist.github.com/bulanovk/953b2afdef1dc9d3199a6ef6c4d1dd07#file-bud_build-log |
@giuseppe I think that is a bug in fuse-overlay. The shared container images should be readonly. I think this would work with regular overlay. The shared images are for the lower level, why is fuse-overlay writing to this directory? /var/lib/containers should container the upper/writable layer. |
I am seeing fuse-overlayfs used with an upperdir and a workdir specified:
|
Any idea why, I don't see this happen when I do a buildah mount. |
I can not get this to happen outside of the container. |
If I remove fuse-overlay and the mountoptions from containers/storage.conf, it works. |
I think some how fuse-overlay is getting confused on the upper directory and mount directory. |
With overlay it will fails to push image to remote registry, if additionalimage not empty and FROM image are r/o |
if "ro" is specified when mounting overlay, configure overlay without any upper layer and workdir so the file system doesn't attempt to write any file. Closes: containers/buildah#2359 Signed-off-by: Giuseppe Scrivano <[email protected]>
this PR fixes the issue for me when attempting to create a workdir on a ro storage: containers/storage#628 I've tried with fuse-overlayfs, but I expect it to fix the root case as well. |
Guys, is there a chance to get fix in buildah release? |
the push seems still broken, I'll take a look |
we can fix it for overlay and vfs with: containers/storage#631 Unfortunately it is not a generic fix as other backends still require to mount the layer. |
@giuseppe in rootless container, buildah 1.16.4 with fuse-overlayfs driver still fail to commit image, the error log:
In root mode, building works as excepted. ~ $ mount | grep /storage
grpcfuse on /storage type fuse.grpcfuse (ro,relatime,user_id=0,group_id=0,allow_other,max_read=1048576)
~ $ ls -alh /storage
total 8K
drwxr-xr-x 11 testuser testuser 352 Oct 15 14:42 .
drwxr-xr-x 1 root root 4.0K Oct 15 17:05 ..
drwxr-xr-x 3 root root 96 Oct 15 14:42 cache
drwxr-xr-x 2 root root 64 Oct 15 14:42 mounts
drwxr-xr-x 4 root root 128 Oct 15 14:42 overlay
drwxr-xr-x 3 root root 96 Oct 15 14:42 overlay-containers |
was the shared storage created with an older version of buildah or podman? In any case, I don't think it can work if it is owned by root. The rootless user doesn't have enough privileges to read all the files in the images. The shared storage must be owned by the same rootless user and every file in the storage owned by a UID/GID available in the rootless user namespace. Otherwise you need to make sure every file has at least mode 0755 when owned by a different user. |
The problem occurs on the latest podman/buildah. it seems that the ## on MacOS, mount a not user folder into container, the grpcfuse will shift the uid of the mounted folder to 0.
touch /1.txt
chmod 444 /1.txt
mv /1.txt /mnt ## report error, return non-zero, but the file is moved correctly with correct permission Since some folder do not have write permission, such as |
Hello All, I seem to have hit an issue possibly related to the one in this thread on RHEL 8.3, and upgrading to 8.4 did not resolve it. I'm using rootless containers and additionalimage options as described in this article . As a rootless user, when trying to build a new intermediate image in a multi-stage a Dockerfile, I'm trying to pull from an image in the Read Only shared area /var/lib/mycontainers. I get this error: Error initializing source containers-storage:vcdevhub-working-container-1: error extracting layer "925c7db0fc455b5d4d7ac03683a0b0d0b71d73f63aeb93b33026aadb3fda1c72": chown /var/lib/mycontainers/overlay/f62732f7ab4af0fd05b173fadc39a8659085a1c21d43dd652ad1e63e698b8f9c/diff: operation not permitted It seems as though it's trying to update (chown) in the shared area? I get the same error whether I use podman or buildah. (From what I've read, podman actually uses buildah code for building). Note. The error does not happen when I try the same operation as root. Here is some version info: $ uname -a podman version 3.2.3 Does anyone know whether the fix for the issue in this thread should be implemented in RHEL 8.4? Thanks, |
We faced an issue when try to reproduce images cache approach from article https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container/?intcmp=701f20000012ngPAAQ&extIdCarryOver=true&sc_cid=7013a000002DTxFAAW
The main idea it to use additionalimage options, as a result on Fedora 32 base os with
podman 1.9.1 we got following error:
Script to reproduce
The text was updated successfully, but these errors were encountered: