Quarkus NativeImageBuildStep fails with perm denied with podman 2.x #10637
Comments
Same failure error with |
Assigning this to myself. |
I'm unassigning myself from this because I won't be able to work on it for the next week or so. I've tried to replicate it on macOS but that won't work because you can't run podman on top of docker. Also tried centos 7 server, but podman version there is only 1.x. Finally tried fedora 32 aarch64 but the quarkus images don't support that arch (see quarkusio/quarkus-images#83). This should be better handled by someone with amd64 env with a more recent linux version. |
Unfortunately |
Note that if the image is using the root user this issue doesn't appear:
vs
So an alternative would be to generate images that use the root user instead of the quarkus user |
@cescoffier would using the root user in the images cause any issues? |
@geoand do you know who could look at that one? |
@gastaldi maybe? I have never used podman, otherwise I would take a look myself |
@Ladicek maybe? |
I've played with Podman once, I can have a look if no one beats me to it |
That's better than me, none and I don't think I can even install it :) |
I wonder if tqvarnst@0b52b07 actually fixes this. @tqvarnst can you confirm? |
It looks like it applies @jerboaa 's suggestion, but it still needs to reset the ownership at the end (see #10637 (comment)) |
Just like @geoand, I have exactly zero experience with Podman. |
I think I've got a solution (we essentially need to add
|
@zakkak is it OK if I assign this issue to you? |
@gastaldi Yes. I do have something working, just polishing it and I will soon open a PR. |
hello, I'm having this issue with 1.8.3. |
@raffaelespazzoli can you please share info on how to reproduce it? Using |
the link doesn't work can you give me the link of the app?
I was using the following tutorial:
http://web-m3-quarkus-bjrvk-guides.apps.cluster-952wq.952wq.sandbox763.opentlc.com/workshop/quarkus-lab/lab/springstrangle
but I am convinced it can be reproduced with any project. It seems to me
the issue depends on the combination of OS and podman.
In my case:
FC 33
podman version 2.1.1
and podman is aliased to docker.
--
ciao/bye
Raffaele
|
I did
I am on Fedora 33 with podman 2.1.1 as well |
that server has been retired, hashidoc of the tutorial can be found here:
https://github.com/RedHat-Middleware-Workshops/quarkus-workshop-m1m2/tree/rhtr2020/docs
--
ciao/bye
Raffaele
|
it worked with this option |
Hi @raffaelespazzoli, this is documented in https://github.com/quarkusio/quarkus/blob/master/docs/src/main/asciidoc/building-native-image.adoc#creating-a-linux-executable-without-graalvm-installed |
Do we have a way to detect if |
That's a good idea. I am sure it should be possible. @gastaldi any ideas? Perhaps just |
Yeah |
While at it, could we make If WDYT? |
@zakkak sure, the auto-detection should kick in only if the |
I think we can even simplify the auto-detection algorithm by returning |
Describe the bug
This bug originated here:
https://bugzilla.redhat.com/show_bug.cgi?id=1854738
and here:
https://groups.google.com/g/quarkus-dev/c/8LVoqk4G5uc/m/M5MAVopLAwAJ
Basically with podman 1.x --userns=keep-id contained a bug which got fixed with 2.x which results in quarkus build failures with options
-Pnative -Dquarkus.native.container-build=true -Dquarkus.native.container-runtime=podman
in rootless mode.
Expected behavior
Native image build passes. No "Permission Denied" error.
Actual behavior
Native image build in the container with mounted volume fails due to "Permission Denied".
To Reproduce
Steps to reproduce the behavior:
mvn package -Pnative -Dquarkus.native.container-build=true -Dquarkus.native.container-runtime=podman
Additional context
Looking at this podman bug:
containers/podman#3990
... it seems podman won't help with getting permissions correctly set up for volume mounts.
My experiments showed that doing some podman unshare tricks prior to the native image build might work. Something like this:
Getting the UID the container runs as that way is important as it might change.
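The UID mapping behind the permission error described above, as an added example that is not part of the original issue or the Quarkus code base: it translates a container UID to the host UID through a rootless user-namespace map (the format of /proc/self/uid_map) and reports who ends up owning files written to the mounted project directory. The host UID 1000, the subordinate range starting at 100000, and container UID 1001 for the image's non-root user are constructed values.

```shell
#!/bin/sh
# Constructed sample of a rootless uid_map for host UID 1000 with a
# subordinate range of 65536 IDs starting at 100000.
# Columns: first container UID, first host UID, range length.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# host_uid_for CONTAINER_UID MAP_TEXT
# Prints the host UID that CONTAINER_UID maps to; returns 1 if unmapped.
host_uid_for() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        NF == 3 && uid + 0 >= $1 + 0 && uid + 0 < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# mount_ownership CONTAINER_UID HOST_UID MAP_TEXT
# Classifies the host-side owner of files that CONTAINER_UID writes
# to a bind-mounted directory owned by HOST_UID.
mount_ownership() {
    mapped=$(host_uid_for "$1" "$3") || { echo "unmapped"; return 0; }
    if [ "$mapped" -eq "$2" ]; then
        # Same identity as the directory owner: plain file permissions apply.
        echo "host-user"
    else
        # A subordinate UID: it is not the directory owner, and anything it
        # creates is owned by that subordinate UID on the host.
        echo "subuid:$mapped"
    fi
}

# Container root versus an assumed non-root image user (UID 1001).
mount_ownership 0 1000 "$ROOTLESS_MAP"
mount_ownership 1001 1000 "$ROOTLESS_MAP"
```

On a real system the map text would come from `podman unshare cat /proc/self/uid_map` rather than the constructed sample.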