-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
File ownership on files copied to the <app> dir are set to root when using Podman #1395
Comments
@matejvasek would you have some insight or guidance here? |
Is there any update for this issue? I am hitting the same issue on macOS when building with podman 4.1.0. It looks like the app directory has the correct owner in the resulting image, and it is only wrong ownership during the build: App dir owner during build===> ANALYZING
[analyzer] Previous image with name "test" not found
===> DETECTING
[detector] examples/diag 0.0.1
===> RESTORING
===> BUILDING
[builder] ---> Building with diag buildpack
[builder] uid=1000(cnb) gid=1000(cnb) groups=1000(cnb)
[builder] drwxr-xr-x. 2 root root 22 Jun 10 12:30 workspace Checking app dir in resulting image$ podman run --entrypoint ls test -al /
drwxr-xr-x. 2 cnb cnb 22 Jan 1 1980 workspace |
Interesting I've seen and fixed similar issues long time ago: containers/podman#10801 |
When trying this on Linux with podman 4.2 it works as expected. The workspace belongs to cnb user. |
@matejvasek Here is the verbose output for The diag buildpack I created prints out the owner if
|
@frayer this was happening on Linux with podman 3.2.1, right? |
Is really old: |
I recommend at least 3.3 for pack. |
The guide says that v3.3+ should be used. |
@matejvasek That is correct. It was Podman v3.2.1 on a Linux host system. Thank you for the v3.3+ call out as that addressed the issue for me. I am now seeing what I expect for file ownership when using my original steps above with Podman v4.1.0.
I'm on an Ubuntu 21.10 distro which doesn't appear to have newer versions of
For anyone in a similar situation, you can build podman from source or there is a binary distribution here. Use the later at your own risk as it's not an official distribution. Unfortunately I don't think this addresses what @hibell is seeing on macOS, but my original issue is resolved. |
Closing as this seems resolved, but please re-open if not |
This should not be issue for trusetd builders. However this is still an issue if build in unstruster builder mode. See: containers/podman#19652 |
Thanks @matejvasek - should this issue be blocked on containers/podman#19652? |
I have a strange situation that could be related. My pack build runs on Jenkins with podman 4.4.1. The build works fine and creates the |
Closing as I believe this is fixed in pack 0.34 with #2129 (but please reopen if not) |
Summary
Workspace files copied into the
<app>
directory of the Builder image have permissions set toroot
whenpack
is used in combination with Podman. When doing the same against a Docker daemon, theuser:group
permissions match${CNB_USER_ID}:${CNB_GROUP_ID}
of the selected Builder image.This causes
permission denied
errors for buildpacks which attempt to write to the<app>
directory such aspaketo-buildpacks/maven
since they are running asCNB_USER_ID
and don't have permissions to write to the<app>
directory.Reproduction
Steps
I've created a minimal buildpack at https://github.com/frayer/details-buildpack to demonstrate the issue.
pack build
once using against Docker, and once against Podman to observe the differencegit clone https://github.com/frayer/details-buildpack.git cd details-buildpack pack build test-app -B paketobuildpacks/builder:base -b ./buildpack
Current behavior
Look in the log output of
pack build
for the---> Working directory details
section.Expected behavior
I expect the
user:group
ownership on the files in/workspace
to match${CNB_USER_ID}:${CNB_GROUP_ID}
of the Builder image when using Podman as they are when building against the Docker daemon. In this example, that would becnb:cnb
or1000:1000
.Environment
pack info
docker info
podman info
The text was updated successfully, but these errors were encountered: