[OSTree] Cannot build rootfs with Containerfile due to dangling files /etc/{hostname,hosts,resolv.conf}

[GrabbenD]

Issue Description

One of requirements for building a OSTree images is moving /etc to /usr/etc (see: https://ostree.readthedocs.io/en/stable/manual/adapting-existing/). However, this isn't possible in a single stage build with Containerfile as seen here:

RUN mv /etc /usr/
RUN ls -l /etc
-rw-r--r-- 1 0 0  13 Sep 16 08:54 hostname
-rw-r--r-- 1 0 0 128 Sep 16 08:54 hosts
-rw-r--r-- 1 0 0  24 Sep 16 08:54 resolv.conf

These dangling files prevent $ ostree commit from deploying:

Deploying tree: Initializing deployment: Preparing /etc: Tree contains both /etc and /usr/etc

Furthermore they can't be removed:

RUN rm -rf /etc
rm: cannot remove '/etc/hosts': Device or resource busy
rm: cannot remove '/etc/hostname': Device or resource busy
rm: cannot remove '/etc/resolv.conf': Device or resource busy

Disabling network isn't possible to workaround this:

RUN --network=none mv /etc /usr/

Currently the only working workaround is to export rootfs/ and then modify it outside of Containerfile but ideally this shouldn't be needed to keep everything inside one place (Containerfile)

Steps to reproduce the issue

Steps to reproduce the issue

1. Create Containerfile with any distro as base, e.g:

   FROM fedora:latest
   RUN rm -rf /etc

2. $ podman build -f Containerfile

Describe the results you received

Dangling files exist in /etc/{hostname,hosts,resolv.conf} after moving /etc to /usr/etc

Describe the results you expected

It should be possible to move contents of /etc to /usr/etc to comply with OSTree image requirements

podman info output

host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.8-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: 00e08f4a9ca5420de733bf542b930ad58e1a7e7d'
  cpuUtilization:
    idlePercent: 99.89
    systemPercent: 0.08
    userPercent: 0.03
  cpus: 32
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2026
  hostname: ostree
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.3-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 30800125952
  memTotal: 33651613696
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark is owned by netavark 1.7.0-1
    path: /usr/lib/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.9-1
    path: /usr/bin/crun
    version: |-
      crun version 1.9
      commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.2-1
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 22m 21.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 22
    paused: 0
    running: 0
    stopped: 22
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 20957446144
  graphRootUsed: 9738891264
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 71
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.6.2
  Built: 1693343961
  BuiltTime: Tue Aug 29 23:19:21 2023
  GitCommit: 5db42e86862ef42c59304c38aa583732fd80f178-dirty
  GoVersion: go1.21.0
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

N/A

Additional information

N/A

[rhatdan]

This gets you closer, but not sure it is enough, or if the --network=none will cause you issues.

podman build --network=none --no-cache /tmp
STEP 1/3: FROM fedora
STEP 2/3: run mv /etc /usr
--> 70a6ec330456
STEP 3/3: run ls -l /etc
total 4
-rw-r--r--. 1 0 0 13 Sep 17 11:25 hostname
COMMIT
--> b8ed6438a8c8
b8ed6438a8c8c2568ab76f8d01524ab4701f29e6135e44899045b5b8302abafa

[rhatdan]

you could do your commit in the same RUN command.

RUN mv /etc/ /usr/; ostree commit ...

[GrabbenD]

This gets you closer, but not sure it is enough, or if the --network=none will cause you issues.

Thanks for the suggestion!
Although /etc needs to be completely empty for this to work correctly 🙁

you could do your commit in the same RUN command.

Just switched to native overlayfs from fuse-overlayfs and tried your idea but /etc/hostname is dangling and furthermore native overlayfs seems to behave differently, the build actually fails now (instead of silently leaving dangling file(s)):

mv: cannot move '/etc/hostname' to '/usr/etc/hostname': Device or resource busy

[Luap99]

The files are all bind mounted from the host into the container so they are mount point and cannot be moved. You would fist need to unmount them. This is required for us to setup proper networking within the container.

--network=none completely disabled networking so we do not need these files. The (maybe?) better option is to use --no-hosts and --dns=none to disable the setup of /etc/hosts and /etc/resolv.conf but that will likely leave the container without proper dns setup. There is no option to disable the creation of the /etc/hostname mount AFAIK.

I don't see any solution here as this is really the normal behaviour, the only way would be to add a new option to also disable the creation of the hostname file.

[GrabbenD]

Thanks for your insights

Network is only required in the beginning and I just double checked that /etc/hostname is the only remaining file in final rootfs with this example:

RUN --network=none rm -rf /etc || true

add a new option to also disable the creation of the hostname file.

This sounds like the best alternative to not break any functionality in Podman 🙂

[rhatdan]

@Luap99 does it make sense to modify /etc/hostname with network=none is done?

[rhatdan]

podman run --network=none alpine mount | grep /etc
tmpfs on /etc/hostname type tmpfs (rw,seclabel,size=13064252k,nr_inodes=819200,mode=755,inode64)
tmpfs on /etc/hosts type tmpfs (rw,seclabel,size=13064252k,nr_inodes=819200,mode=755,inode64)

The following seems to work for me.

# podman build /tmp
STEP 1/2: FROM fedora
STEP 2/2: run --network=none mv /etc /usr; ls -l /etc
ls: cannot access '/etc': No such file or directory
Error: building at STEP "RUN --network=none mv /etc /usr; ls -l /etc": while running runtime: exit status 2

[GrabbenD]

@rhatdan @Luap99

This should illustrate the problem better (and everything here is executed from the root account):

1. fuse-overlayfs (default)

   Package fuse-overlayfs isn't actually installed but table from Pacman docs (https://github.com/containers/podman/blob/main/docs/tutorials/performance.md#choosing-a-storage-driver) says this configuration is equivalent to fuse-overlayfs

   $ podman info -f {{.Store.GraphDriverName}}
   overlay
   # podman info -f '{{index .Store.GraphStatus "Native Overlay Diff"}}'
   false

   Scenario rm: (broken)

   STEP 2/2: RUN --network=none rm -rf /etc; ls -l /etc
   rm: cannot remove '/etc/hostname': Device or resource busy
   total 4

   Scenario mv: (works)

   STEP 2/2: RUN --network=none mv /etc /usr; ls -l /etc
   ls: cannot access '/etc': No such file or directory

   $ podman info

   $ podman info
   host:
     arch: amd64
     buildahVersion: 1.31.2
     cgroupControllers:
     - cpuset
     - cpu
     - io
     - memory
     - hugetlb
     - pids
     - rdma
     - misc
     cgroupManager: systemd
     cgroupVersion: v2
     conmon:
       package: /usr/bin/conmon is owned by conmon 1:2.1.8-1
       path: /usr/bin/conmon
       version: 'conmon version 2.1.8, commit: 00e08f4a9ca5420de733bf542b930ad58e1a7e7d'
     cpuUtilization:
       idlePercent: 99.95
       systemPercent: 0.04
       userPercent: 0.01
     cpus: 32
     databaseBackend: boltdb
     distribution:
       distribution: arch
       version: unknown
     eventLogger: journald
     freeLocks: 2029
     hostname: ostree
     idMappings:
       gidmap: null
       uidmap: null
     kernel: 6.5.3-arch1-1
     linkmode: dynamic
     logDriver: journald
     memFree: 33055391744
     memTotal: 33651613696
     networkBackend: netavark
     networkBackendInfo:
       backend: netavark
       dns:
         package: Unknown
       package: /usr/lib/podman/netavark is owned by netavark 1.7.0-1
       path: /usr/lib/podman/netavark
       version: netavark 1.7.0
     ociRuntime:
       name: crun
       package: /usr/bin/crun is owned by crun 1.9-1
       path: /usr/bin/crun
       version: |-
         crun version 1.9
         commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
         rundir: /run/user/0/crun
         spec: 1.0.0
         +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
     os: linux
     pasta:
       executable: ""
       package: ""
       version: ""
     remoteSocket:
       path: /run/podman/podman.sock
     security:
       apparmorEnabled: false
       capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
       rootless: false
       seccompEnabled: true
       seccompProfilePath: /etc/containers/seccomp.json
       selinuxEnabled: false
     serviceIsRemote: false
     slirp4netns:
       executable: /usr/bin/slirp4netns
       package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.2-1
       version: |-
         slirp4netns version 1.2.2
         commit: 0ee2d87523e906518d34a6b423271e4826f71faf
         libslirp: 4.7.0
         SLIRP_CONFIG_VERSION_MAX: 4
         libseccomp: 2.5.4
     swapFree: 0
     swapTotal: 0
     uptime: 0h 5m 23.00s
   plugins:
     authorization: null
     log:
     - k8s-file
     - none
     - passthrough
     - journald
     network:
     - bridge
     - macvlan
     - ipvlan
     volume:
     - local
   registries: {}
   store:
     configFile: /etc/containers/storage.conf
     containerStore:
       number: 19
       paused: 0
       running: 0
       stopped: 19
     graphDriverName: overlay
     graphOptions:
       overlay.mountopt: nodev
     graphRoot: /var/lib/containers/storage
     graphRootAllocated: 157131702272
     graphRootUsed: 10136002560
     graphStatus:
       Backing Filesystem: extfs
       Native Overlay Diff: "false"
       Supports d_type: "true"
       Using metacopy: "true"
     imageCopyTmpDir: /var/tmp
     imageStore:
       number: 139
     runRoot: /run/containers/storage
     transientStore: false
     volumePath: /var/lib/containers/storage/volumes
   version:
     APIVersion: 4.6.2
     Built: 1693343961
     BuiltTime: Tue Aug 29 23:19:21 2023
     GitCommit: 5db42e86862ef42c59304c38aa583732fd80f178-dirty
     GoVersion: go1.21.0
     Os: linux
     OsArch: linux/amd64
     Version: 4.6.2

2. native overlayfs

   Enabled with steps from: https://wiki.archlinux.org/title/Docker#Enable_native_overlay_diff_engine

   $ podman info -f {{.Store.GraphDriverName}}
   overlay
   $ podman info -f '{{index .Store.GraphStatus "Native Overlay Diff"}}'
   true

   Scenario rm: (broken)

   STEP 2/2: RUN --network=none rm -rf /etc; ls -l /etc
   rm: cannot remove '/etc/hostname': Device or resource busy
   total 4
   -rw-r--r-- 1 0 0 13 Sep 19 07:30 hostname

   Scenario mv: (broken)

   STEP 2/2: RUN --network=none mv /etc /usr; ls -l /etc
   mv: cannot move '/etc/hostname' to '/usr/etc/hostname': Device or resource busy
   total 16
   drwxr-xr-x 1 0 0   32 Aug  4 06:50 NetworkManager
   drwxr-xr-x 1 0 0   25 Aug  4 06:50 X11
   drwxr-xr-x 1 0 0   34 Sep 19 07:27 alternatives
   drwxr-xr-x 1 0 0  188 Sep 19 07:27 authselect
   drwxr-xr-x 1 0 0   38 Sep 19 07:27 bash_completion.d
   drwxr-xr-x 1 0 0   50 Sep 19 07:27 crypto-policies
   drwxr-xr-x 1 0 0   16 Aug  4 06:50 dconf
   drwxr-xr-x 1 0 0   21 Sep 19 07:27 default
   drwxr-xr-x 1 0 0   41 Sep 19 07:27 dnf
   drwxr-xr-x 2 0 0    6 Apr 11 00:00 gcrypt
   drwxr-xr-x 2 0 0    6 Mar  3  2023 gnupg
   drwxr-xr-x 3 0 0   20 Aug  4 06:49 gss
   -rw-r--r-- 1 0 0   13 Sep 19 07:27 hostname
   drwxr-xr-x 2 0 0    6 May 30 00:00 issue.d
   drwxr-xr-x 1 0 0   29 Sep 19 07:27 krb5.conf.d
   drwxr-xr-x 2 0 0    6 Apr 28 00:00 ld.so.conf.d
   drwxr-xr-x 1 0 0   22 Aug  4 06:49 libreport
   drwxr-xr-x 1 0 0   62 Sep 19 07:27 libssh
   drwxr-xr-x 1 0 0   17 Sep 19 07:27 logrotate.d
   drwxr-xr-x 2 0 0    6 Jan 21  2023 motd.d
   drwxr-xr-x 1 0 0   23 Sep 19 07:27 openldap
   drwxr-xr-x 2 0 0    6 Jan 19  2023 opt
   drwxr-xr-x 1 0 0  167 Sep 19 07:27 pam.d
   drwxr-xr-x 3 0 0   21 Aug  4 06:49 pkcs11
   drwxr-xr-x 1 0 0   60 Aug  4 06:49 pki
   drwxr-xr-x 5 0 0   52 Aug  4 06:49 pm
   drwxr-xr-x 2 0 0    6 Jan 20  2023 popt.d
   drwxr-xr-x 1 0 0 4096 Sep 19 07:27 profile.d
   drwxr-xr-x 1 0 0   40 Sep 19 07:27 rpm
   drwxr-xr-x 2 0 0    6 Jan 19  2023 rwtab.d
   drwxr-xr-x 2 0 0    6 Jan 19  2023 sasl2
   drwxr-xr-x 1 0 0 4096 Sep 19 07:27 security
   drwxr-xr-x 1 0 0   27 Sep 19 07:27 selinux
   drwxr-xr-x 1 0 0   62 Sep 19 07:27 skel
   drwxr-xr-x 1 0 0   91 Sep 19 07:27 ssl
   drwxr-xr-x 2 0 0    6 Jan 19  2023 statetab.d
   drwxr-x--- 2 0 0    6 Jun 20 00:00 sudoers.d
   drwxr-xr-x 1 0 0   24 Aug  4 06:49 swid
   drwxr-xr-x 1 0 0   37 Sep 19 07:27 sysconfig
   drwxr-xr-x 2 0 0    6 Jan 19  2023 terminfo
   drwxr-xr-x 1 0 0   51 Sep 19 07:27 tpm2-tss
   drwxr-xr-x 3 0 0   23 Aug  4 06:49 xdg
   drwxr-xr-x 1 0 0 4096 Sep 19 07:27 yum.repos.d

   $ podman info

   $ podman info
   host:
     arch: amd64
     buildahVersion: 1.31.2
     cgroupControllers:
     - cpuset
     - cpu
     - io
     - memory
     - hugetlb
     - pids
     - rdma
     - misc
     cgroupManager: systemd
     cgroupVersion: v2
     conmon:
       package: /usr/bin/conmon is owned by conmon 1:2.1.8-1
       path: /usr/bin/conmon
       version: 'conmon version 2.1.8, commit: 00e08f4a9ca5420de733bf542b930ad58e1a7e7d'
     cpuUtilization:
       idlePercent: 99.3
       systemPercent: 0.57
       userPercent: 0.14
     cpus: 32
     databaseBackend: boltdb
     distribution:
       distribution: arch
       version: 20230910.0.177821
     eventLogger: journald
     freeLocks: 2048
     hostname: ostree
     idMappings:
       gidmap: null
       uidmap: null
     kernel: 6.5.3-arch1-1
     linkmode: dynamic
     logDriver: journald
     memFree: 33063342080
     memTotal: 33651605504
     networkBackend: netavark
     networkBackendInfo:
       backend: netavark
       dns:
         package: Unknown
       package: /usr/lib/podman/netavark is owned by netavark 1.7.0-1
       path: /usr/lib/podman/netavark
       version: netavark 1.7.0
     ociRuntime:
       name: crun
       package: /usr/bin/crun is owned by crun 1.9-1
       path: /usr/bin/crun
       version: |-
         crun version 1.9
         commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
         rundir: /run/user/0/crun
         spec: 1.0.0
         +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
     os: linux
     pasta:
       executable: ""
       package: ""
       version: ""
     remoteSocket:
       path: /run/podman/podman.sock
     security:
       apparmorEnabled: false
       capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
       rootless: false
       seccompEnabled: true
       seccompProfilePath: /etc/containers/seccomp.json
       selinuxEnabled: false
     serviceIsRemote: false
     slirp4netns:
       executable: /usr/bin/slirp4netns
       package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.2-1
       version: |-
         slirp4netns version 1.2.2
         commit: 0ee2d87523e906518d34a6b423271e4826f71faf
         libslirp: 4.7.0
         SLIRP_CONFIG_VERSION_MAX: 4
         libseccomp: 2.5.4
     swapFree: 0
     swapTotal: 0
     uptime: 0h 0m 20.00s
   plugins:
     authorization: null
     log:
     - k8s-file
     - none
     - passthrough
     - journald
     network:
     - bridge
     - macvlan
     - ipvlan
     volume:
     - local
   registries: {}
   store:
     configFile: /etc/containers/storage.conf
     containerStore:
       number: 0
       paused: 0
       running: 0
       stopped: 0
     graphDriverName: overlay
     graphOptions:
       overlay.mountopt: nodev
     graphRoot: /var/lib/containers/storage
     graphRootAllocated: 26506952704
     graphRootUsed: 2326089728
     graphStatus:
       Backing Filesystem: xfs
       Native Overlay Diff: "true"
       Supports d_type: "true"
       Using metacopy: "false"
     imageCopyTmpDir: /var/tmp
     imageStore:
       number: 3
     runRoot: /run/containers/storage
     transientStore: false
     volumePath: /var/lib/containers/storage/volumes
   version:
     APIVersion: 4.6.2
     Built: 1693343961
     BuiltTime: Tue Aug 29 23:19:21 2023
     GitCommit: 5db42e86862ef42c59304c38aa583732fd80f178-dirty
     GoVersion: go1.21.0
     Os: linux
     OsArch: linux/amd64
     Version: 4.6.2

Seems like mv is a edge case which only works with a particular configuration (fuse-overlayfs)
Hope this helps!

[Luap99]

I wasn't aware the you could mv a mount point location. But just guessing I assume this happens because it just uses rename(2), however if you try to actually copy the data to another partition (rename only works if you are on the same partition) it will fail as it cannot unlink the mount point.

So my best guess would be fuse-overlays correctly uses rename() while the native one does not for whatever reason, not sure if this is a bug or expected. cc @giuseppe.

[Luap99]

@Luap99 does it make sense to modify /etc/hostname with network=none is done?

Hostname is not really related to networking, the hostname is controlled by the UTS namespace. But even then there is no such thing as no hostname, the runtime will always set a hostname so we should always have a valid hostname file. I am not sure if applications actually care about /etc/hostname instead of using gethostname() but we shouldn't change this behaviour now to avoid breaking people.

[GrabbenD]

I am not sure if applications actually care about /etc/hostname instead of using gethostname() but we shouldn't change this behaviour now to avoid breaking people.

Fair point!
What about a new flag like: RUN --no-hostname?
For OSTree commit to work, the /etc directory cannot exist and this would solve that issue 🙂

[Luap99]

Yes I have no problem with adding an opt in flag to make it work consistently. I have no idea how the flag parsing for single RUN instructions works but adding it as top level option to podman build should be easy enough.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[GrabbenD]

Bump (don't close this @github-actions)

[giuseppe]

@GrabbenD interested in opening a PR to add that flag?

[GrabbenD]

I'd love to but I'm not a programmer and wouldn't know how 😞