Containerized buildah fails to build openjdk:15 based image on EXPOSE command step #315

Closed
Peter-Sh opened this issue Jul 30, 2021 · 2 comments

Comments

@Peter-Sh

Buildah fails to build an openjdk:15-based image on the EXPOSE step when buildah bud is running in a privileged container using overlayfs.

This may be somehow related to containers/buildah#3384, because it is also an openjdk:15-based image and is something with /dev/* in containers, but this issue is reproduced only in overlayfs; vfs works fine.

When running with docker, the error is:

lgetxattr /var/lib/containers/storage/overlay/3da3dadd6e3530202229eff0f68056e6da9cf2f60a0902c6307723fbe62d1825/merged/dev/ptmx: no such file or directory

When running with podman, the error for buildah stable latest (and 1.21) is:

lgetxattr /var/lib/containers/storage/overlay/3da3dadd6e3530202229eff0f68056e6da9cf2f60a0902c6307723fbe62d1825/merged/dev/console: permission denied

And the error is the same as in docker for buildah 1.19.8.

Steps to reproduce the issue:

It is very simple to reproduce:

echo "FROM docker.io/openjdk:15" > Dockerfile
echo "EXPOSE 60555" >> Dockerfile
sudo podman run --privileged --device /dev/fuse -it -v `pwd`:/test -w /test quay.io/buildah/stable buildah  bud  .

  • SELinux is permissive on CentOS.
  • AppArmor is disabled on Ubuntu.
  • No warnings in the audit log.

Describe the results you received:

With podman on an Ubuntu 20.04 host and a Fedora 34 host

podman run --privileged --device /dev/fuse  -it -v `pwd`:/test -w /test quay.io/buildah/stable buildah  bud  .
STEP 1: FROM docker.io/openjdk:15
Trying to pull docker.io/library/openjdk:15...
Getting image source signatures
Copying blob ab2540feecc5 done  
Copying blob 1a0005db7778 done  
Copying blob 9509c6b41a37 done  
Copying config bae9931e82 done  
Writing manifest to image destination
Storing signatures
STEP 2: EXPOSE 60555
STEP 3: COMMIT
error committing container for step {Env:[PATH=/usr/java/openjdk-15/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin JAVA_HOME=/usr/java/openjdk-15 LANG=C.UTF-8 JAVA_VERSION=15.0.2] Command:expose Args:[60555] Flags:[] Attrs:map[] Message:EXPOSE 60555 Original:EXPOSE 60555}: error copying layers and metadata for container "6e94a135b3f25cbbb3d2bd79ea7adaffbc44a0c174aca1a0735d6f552343e707": Error initializing source containers-storage:openjdk-working-container: error extracting layer "9dc0da5cf14916ce4242cdb31c120d1d3db50a276df75f80aaf02374874beed1": lgetxattr /var/lib/containers/storage/overlay/3da3dadd6e3530202229eff0f68056e6da9cf2f60a0902c6307723fbe62d1825/merged/dev/console: permission denied

With docker on a CentOS 8.4 host

docker run -it --privileged --device /dev/fuse -v `pwd`:/test -w /test quay.io/buildah/stable buildah bud .
STEP 1: FROM docker.io/openjdk:15
Trying to pull docker.io/library/openjdk:15...
Getting image source signatures
Copying blob 1a0005db7778 done  
Copying blob ab2540feecc5 done  
Copying blob 9509c6b41a37 done  
Copying config bae9931e82 done  
Writing manifest to image destination
Storing signatures
STEP 2: EXPOSE 60555
STEP 3: COMMIT
error committing container for step {Env:[PATH=/usr/java/openjdk-15/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin JAVA_HOME=/usr/java/openjdk-15 LANG=C.UTF-8 JAVA_VERSION=15.0.2] Command:expose Args:[60555] Flags:[] Attrs:map[] Message:EXPOSE 60555 Original:EXPOSE 60555}: error copying layers and metadata for container "9303ea1fcf11d9ec9049259a6b284fdc9700fbe34e62cac64ce057ffc96d19f3": Error initializing source containers-storage:openjdk-working-container: error extracting layer "54246683d1a27bbe49b18274e5b840510d55189718d07b3117ef467afe56f98c": lgetxattr /var/lib/containers/storage/overlay/3da3dadd6e3530202229eff0f68056e6da9cf2f60a0902c6307723fbe62d1825/merged/dev/ptmx: no such file or directory

CentOS

# cat /etc/centos-release
CentOS Linux release 8.4.2105
# uname -a
Linux ******** 4.18.0-305.7.1.el8_4.x86_64 #1 SMP Tue Jun 29 21:55:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# getenforce
Permissive

Ubuntu

# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
# uname -a
Linux buildah-test 5.4.0-54-generic #60-Ubuntu SMP Fri Nov 6 10:37:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# sudo aa-status
apparmor module is loaded.
apparmor filesystem is not mounted

Fedora

# getenforce 
Permissive
# cat /etc/fedora-release 
Fedora release 34 (Thirty Four)
# uname -a
Linux fedora 5.11.12-300.fc34.x86_64 #1 SMP Wed Apr 7 16:31:13 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
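
An added diagnostic sketch, not part of the original report and not code from buildah or containers/storage: it repeats the failing lgetxattr call over a directory tree (for example the overlay merged directory named in the error) and lists the paths that return an error such as ENOENT or EACCES. The attribute name `security.capability` and the function names are assumptions chosen for illustration; Linux only.

```python
import errno
import os
import tempfile

# errno values that only mean "attribute absent" or "xattrs unsupported",
# as opposed to a failed read of the path itself
BENIGN = {errno.ENODATA, errno.ENOTSUP}


def probe_lgetxattr(path, attr="security.capability"):
    """Call lgetxattr(2) on path (symlinks are not followed).

    Returns None when the call succeeds or the attribute is simply absent,
    otherwise the symbolic errno name, e.g. 'ENOENT' or 'EACCES'.
    The attribute name is an assumption; the report does not say which one was read.
    """
    try:
        os.getxattr(path, attr, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in BENIGN:
            return None
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return None


def scan_tree(root):
    """Probe every entry below root; return {path: errno_name} for failures."""
    failures = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            err = probe_lgetxattr(path)
            if err:
                failures[path] = err
    return failures


if __name__ == "__main__":
    # Constructed sample tree standing in for .../overlay/<id>/merged
    with tempfile.TemporaryDirectory() as merged:
        os.mkdir(os.path.join(merged, "dev"))
        open(os.path.join(merged, "dev", "console"), "w").close()
        print("failures in tree:", scan_tree(merged))
        # dev/ptmx is deliberately missing, mirroring the docker-side error
        missing = os.path.join(merged, "dev", "ptmx")
        print(missing, "->", probe_lgetxattr(missing))
```

Run inside the build container with `scan_tree` pointed at the merged directory from the error message to see which /dev entries fail and with which errno.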
@rhatdan
Member

rhatdan commented Aug 2, 2021

@giuseppe PTAL

@giuseppe giuseppe transferred this issue from containers/buildah Aug 4, 2021
@giuseppe
Member

giuseppe commented Aug 4, 2021

Fixed with: #313

@giuseppe giuseppe closed this as completed Aug 4, 2021