chown permission error building with podman

[GolanTrevize10]

Description

I am building a docker image using rootless podman running inside a kubernetes container. The dockerfile contains these instructions

FROM owasp/dependency-check
ARG REGISTRY_USER
ARG REGISTRY_PASS
USER root
RUN sed -i "s|https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org|g" /etc/apk/repositories

But I am getting this error in the sed step

Error: error building at STEP "RUN sed -i "s|https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxxx/artifactory/public_alpine_org|g" /etc/apk/repositories": error resolving mountpoints for container "fffad1d7e0424f3b7ec7c5d5fbf8f8c19d4835f8eecafa3254f4bfedf10a9843": chown /var/lib/jenkins/jobs/40/.local/share/containers/storage/vfs-containers/fffad1d7e0424f3b7ec7c5d5fbf8f8c19d4835f8eecafa3254f4bfedf10a9843/userdata/buildah-volumes/8cc63f97e8c58d7c5c77d045c486c19c3ac8ef8dfc50a682653175b1121a9e4d: operation not permitted

Output of rpm -q buildah or apt list buildah:

podman-3.4.2-9.module+el8.5.0+13852+150547f7.x86_64

Output of podman version if reporting a podman build issue:

13:03:43  time="2022-05-02T13:03:43+02:00" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
13:03:43  Version:      3.4.2
13:03:43  API Version:  3.4.2
13:03:43  Go Version:   go1.16.7
13:03:43  Built:        Thu Jan 13 11:15:49 2022
13:03:43  OS/Arch:      linux/amd64

Output of cat /etc/*release:

13:16:56  NAME="Red Hat Enterprise Linux"
13:16:56  VERSION="8.2 (Ootpa)"
13:16:56  ID="rhel"
13:16:56  ID_LIKE="fedora"
13:16:56  VERSION_ID="8.2"
13:16:56  PLATFORM_ID="platform:el8"
13:16:56  PRETTY_NAME="Red Hat Enterprise Linux 8.2 (Ootpa)"
13:16:56  ANSI_COLOR="0;31"
13:16:56  CPE_NAME="cpe:/o:redhat:enterprise_linux:8.2:GA"
13:16:56  HOME_URL="https://www.redhat.com/"
13:16:56  BUG_REPORT_URL="https://bugzilla.redhat.com/"
13:16:56  
13:16:56  REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
13:16:56  REDHAT_BUGZILLA_PRODUCT_VERSION=8.2
13:16:56  REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
13:16:56  REDHAT_SUPPORT_PRODUCT_VERSION="8.2"
13:16:56  Red Hat Enterprise Linux release 8.2 (Ootpa)
13:16:56  Red Hat Enterprise Linux release 8.2 (Ootpa)

Output of uname -a:

Linux jenkins-slave-prg4-sr06s 3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 16 12:17:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

13:19:46  # This file is is the configuration file for all tools
13:19:46  # that use the containers/storage library.
13:19:46  # See man 5 containers-storage.conf for more information
13:19:46  # The "container storage" table contains all of the server options.
13:19:46  [storage]
13:19:46  
13:19:46  # Default Storage Driver, Must be set for proper operation.
13:19:46  driver = "overlay"
13:19:46  
13:19:46  # Temporary storage location
13:19:46  runroot = "/run/containers/storage"
13:19:46  
13:19:46  # Primary Read/Write location of container storage
13:19:46  graphroot = "/var/lib/containers/storage"
13:19:46  
13:19:46  # Storage path for rootless users
13:19:46  #
13:19:46  # rootless_storage_path = "$HOME/.local/share/containers/storage"
13:19:46  
13:19:46  [storage.options]
13:19:46  # Storage options to be passed to underlying storage drivers
13:19:46  
13:19:46  # AdditionalImageStores is used to pass paths to additional Read/Only image stores
13:19:46  # Must be comma separated list.
13:19:46  additionalimagestores = [
13:19:46  #"/var/lib/shared",
13:19:46  ]
13:19:46  
13:19:46  # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
13:19:46  # a container, to the UIDs/GIDs as they should appear outside of the container,
13:19:46  # and the length of the range of UIDs/GIDs.  Additional mapped sets can be
13:19:46  # listed and will be heeded by libraries, but there are limits to the number of
13:19:46  # mappings which the kernel will allow when you later attempt to run a
13:19:46  # container.
13:19:46  #
13:19:46  # remap-uids = 0:1668442479:65536
13:19:46  # remap-gids = 0:1668442479:65536
13:19:46  
13:19:46  # Remap-User/Group is a user name which can be used to look up one or more UID/GID
13:19:46  # ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
13:19:46  # with an in-container ID of 0 and then a host-level ID taken from the lowest
13:19:46  # range that matches the specified name, and using the length of that range.
13:19:46  # Additional ranges are then assigned, using the ranges which specify the
13:19:46  # lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
13:19:46  # until all of the entries have been used for maps.
13:19:46  #
13:19:46  # remap-user = "containers"
13:19:46  # remap-group = "containers"
13:19:46  
13:19:46  # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
13:19:46  # ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
13:19:46  # to containers configured to create automatically a user namespace.  Containers
13:19:46  # configured to automatically create a user namespace can still overlap with containers
13:19:46  # having an explicit mapping set.
13:19:46  # This setting is ignored when running as rootless.
13:19:46  # root-auto-userns-user = "storage"
13:19:46  #
13:19:46  # Auto-userns-min-size is the minimum size for a user namespace created automatically.
13:19:46  # auto-userns-min-size=1024
13:19:46  #
13:19:46  # Auto-userns-max-size is the minimum size for a user namespace created automatically.
13:19:46  # auto-userns-max-size=65536
13:19:46  
13:19:46  [storage.options.overlay]
13:19:46  # ignore_chown_errors can be set to allow a non privileged user running with
13:19:46  # a single UID within a user namespace to run containers. The user can pull
13:19:46  # and use any image even those with multiple uids.  Note multiple UIDs will be
13:19:46  # squashed down to the default uid in the container.  These images will have no
13:19:46  # separation between the users in the container. Only supported for the overlay
13:19:46  # and vfs drivers.
13:19:46  #ignore_chown_errors = "false"
13:19:46  
13:19:46  # Inodes is used to set a maximum inodes of the container image.
13:19:46  # inodes = ""
13:19:46  
13:19:46  # Path to an helper program to use for mounting the file system instead of mounting it
13:19:46  # directly.
13:19:46  mount_program = "/usr/bin/fuse-overlayfs"
13:19:46  
13:19:46  # mountopt specifies comma separated list of extra mount options
13:19:46  mountopt = "nodev,metacopy=on"
13:19:46  
13:19:46  # Set to skip a PRIVATE bind mount on the storage home directory.
13:19:46  # skip_mount_home = "false"
13:19:46  
13:19:46  # Size is used to set a maximum size of the container image.
13:19:46  # size = ""
13:19:46  
13:19:46  # ForceMask specifies the permissions mask that is used for new files and
13:19:46  # directories.
13:19:46  #
13:19:46  # The values "shared" and "private" are accepted.
13:19:46  # Octal permission masks are also accepted.
13:19:46  #
13:19:46  #  "": No value specified.
13:19:46  #     All files/directories, get set with the permissions identified within the
13:19:46  #     image.
13:19:46  #  "private": it is equivalent to 0700.
13:19:46  #     All files/directories get set with 0700 permissions.  The owner has rwx
13:19:46  #     access to the files. No other users on the system can access the files.
13:19:46  #     This setting could be used with networked based homedirs.
13:19:46  #  "shared": it is equivalent to 0755.
13:19:46  #     The owner has rwx access to the files and everyone else can read, access
13:19:46  #     and execute them. This setting is useful for sharing containers storage
13:19:46  #     with other users.  For instance have a storage owned by root but shared
13:19:46  #     to rootless users as an additional store.
13:19:46  #     NOTE:  All files within the image are made readable and executable by any
13:19:46  #     user on the system. Even /etc/shadow within your image is now readable by
13:19:46  #     any user.
13:19:46  #
13:19:46  #   OCTAL: Users can experiment with other OCTAL Permissions.
13:19:46  #
13:19:46  #  Note: The force_mask Flag is an experimental feature, it could change in the
13:19:46  #  future.  When "force_mask" is set the original permission mask is stored in
13:19:46  #  the "user.containers.override_stat" xattr and the "mount_program" option must
13:19:46  #  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
13:19:46  #  extended attribute permissions to processes within containers rather then the
13:19:46  #  "force_mask"  permissions.
13:19:46  #
13:19:46  # force_mask = ""
13:19:46  
13:19:46  [storage.options.thinpool]
13:19:46  # Storage Options for thinpool
13:19:46  
13:19:46  # autoextend_percent determines the amount by which pool needs to be
13:19:46  # grown. This is specified in terms of % of pool size. So a value of 20 means
13:19:46  # that when threshold is hit, pool will be grown by 20% of existing
13:19:46  # pool size.
13:19:46  # autoextend_percent = "20"
13:19:46  
13:19:46  # autoextend_threshold determines the pool extension threshold in terms
13:19:46  # of percentage of pool size. For example, if threshold is 60, that means when
13:19:46  # pool is 60% full, threshold has been hit.
13:19:46  # autoextend_threshold = "80"
13:19:46  
13:19:46  # basesize specifies the size to use when creating the base device, which
13:19:46  # limits the size of images and containers.
13:19:46  # basesize = "10G"
13:19:46  
13:19:46  # blocksize specifies a custom blocksize to use for the thin pool.
13:19:46  # blocksize="64k"
13:19:46  
13:19:46  # directlvm_device specifies a custom block storage device to use for the
13:19:46  # thin pool. Required if you setup devicemapper.
13:19:46  # directlvm_device = ""
13:19:46  
13:19:46  # directlvm_device_force wipes device even if device already has a filesystem.
13:19:46  # directlvm_device_force = "True"
13:19:46  
13:19:46  # fs specifies the filesystem type to use for the base device.
13:19:46  # fs="xfs"
13:19:46  
13:19:46  # log_level sets the log level of devicemapper.
13:19:46  # 0: LogLevelSuppress 0 (Default)
13:19:46  # 2: LogLevelFatal
13:19:46  # 3: LogLevelErr
13:19:46  # 4: LogLevelWarn
13:19:46  # 5: LogLevelNotice
13:19:46  # 6: LogLevelInfo
13:19:46  # 7: LogLevelDebug
13:19:46  # log_level = "7"
13:19:46  
13:19:46  # min_free_space specifies the min free space percent in a thin pool require for
13:19:46  # new device creation to succeed. Valid values are from 0% - 99%.
13:19:46  # Value 0% disables
13:19:46  # min_free_space = "10%"
13:19:46  
13:19:46  # mkfsarg specifies extra mkfs arguments to be used when creating the base
13:19:46  # device.
13:19:46  # mkfsarg = ""
13:19:46  
13:19:46  # metadata_size is used to set the `pvcreate --metadatasize` options when
13:19:46  # creating thin devices. Default is 128k
13:19:46  # metadata_size = ""
13:19:46  
13:19:46  # Size is used to set a maximum size of the container image.
13:19:46  # size = ""
13:19:46  
13:19:46  # use_deferred_removal marks devicemapper block device for deferred removal.
13:19:46  # If the thinpool is in use when the driver attempts to remove it, the driver
13:19:46  # tells the kernel to remove it as soon as possible. Note this does not free
13:19:46  # up the disk space, use deferred deletion to fully remove the thinpool.
13:19:46  # use_deferred_removal = "True"
13:19:46  
13:19:46  # use_deferred_deletion marks thinpool device for deferred deletion.
13:19:46  # If the device is busy when the driver attempts to delete it, the driver
13:19:46  # will attempt to delete device every 30 seconds until successful.
13:19:46  # If the program using the driver exits, the driver will continue attempting
13:19:46  # to cleanup the next time the driver is used. Deferred deletion permanently
13:19:46  # deletes the device and all data stored in device will be lost.
13:19:46  # use_deferred_deletion = "True"
13:19:46  
13:19:46  # xfs_nospace_max_retries specifies the maximum number of retries XFS should
13:19:46  # attempt to complete IO when ENOSPC (no space) error is returned by
13:19:46  # underlying storage device.
13:19:46  # xfs_nospace_max_retries = "0"

[flouthoc]

Hi @GolanTrevize10 , Thanks for creating the issue. Is your kubernetes container privileged ? Could you share the command which you used to build the container? also it would nice if you could also share output of podman info since you are using podman not buildah directly.

Edit: Also see #2554 (comment)

[GolanTrevize10]

Hi @flouthoc , no it is not a privileged container.

the command is podman -storage-driver vfs build --build-arg REGISTRY_USER=**** --build-arg REGISTRY_PASS=**** -t xxxxxxx/cdlib/dependency-check:20220502.1253.52-master .

Output of podman info

13:05:01  time="2022-05-02T13:05:01+02:00" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
13:05:01  host:
13:05:01    arch: amd64
13:05:01    buildahVersion: 1.23.1
13:05:01    cgroupControllers: []
13:05:01    cgroupManager: cgroupfs
13:05:01    cgroupVersion: v1
13:05:01    conmon:
13:05:01      package: conmon-2.0.32-1.module+el8.5.0+13852+150547f7.x86_64
13:05:01      path: /usr/bin/conmon
13:05:01      version: 'conmon version 2.0.32, commit: 4b12bce835c3f8acc006a43620dd955a6a73bae0'
13:05:01    cpus: 20
13:05:01    distribution:
13:05:01      distribution: '"rhel"'
13:05:01      version: "8.2"
13:05:01    eventLogger: file
13:05:01    hostname: jenkins-slave-prg4-1pc1g
13:05:01    idMappings:
13:05:01      gidmap:
13:05:01      - container_id: 0
13:05:01        host_id: 1000
13:05:01        size: 1
13:05:01      - container_id: 1
13:05:01        host_id: 100000
13:05:01        size: 65536
13:05:01      uidmap:
13:05:01      - container_id: 0
13:05:01        host_id: 1000
13:05:01        size: 1
13:05:01      - container_id: 1
13:05:01        host_id: 100000
13:05:01        size: 65536
13:05:01    kernel: 3.10.0-1160.59.1.el7.x86_64
13:05:01    linkmode: dynamic
13:05:01    logDriver: k8s-file
13:05:01    memFree: 28184047616
13:05:01    memTotal: 84279005184
13:05:01    ociRuntime:
13:05:01      name: runc
13:05:01      package: runc-1.0.3-1.module+el8.5.0+13556+7f055e70.x86_64
13:05:01      path: /usr/bin/runc
13:05:01      version: |-
13:05:01        runc version 1.0.3
13:05:01        spec: 1.0.2-dev
13:05:01        go: go1.16.7
13:05:01        libseccomp: 2.4.1
13:05:01    os: linux
13:05:01    remoteSocket:
13:05:01      path: /tmp/podman-run-1000/podman/podman.sock
13:05:01    security:
13:05:01      apparmorEnabled: false
13:05:01      capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
13:05:01      rootless: true
13:05:01      seccompEnabled: true
13:05:01      seccompProfilePath: /usr/share/containers/seccomp.json
13:05:01      selinuxEnabled: false
13:05:01    serviceIsRemote: false
13:05:01    slirp4netns:
13:05:01      executable: /usr/bin/slirp4netns
13:05:01      package: slirp4netns-1.1.8-1.module+el8.5.0+12582+56d94c81.x86_64
13:05:01      version: |-
13:05:01        slirp4netns version 1.1.8
13:05:01        commit: d361001f495417b880f20329121e3aa431a8f90f
13:05:01        libslirp: 4.4.0
13:05:01        SLIRP_CONFIG_VERSION_MAX: 3
13:05:01        libseccomp: 2.4.1
13:05:01    swapFree: 0
13:05:01    swapTotal: 0
13:05:01    uptime: 120h 13m 19.4s (Approximately 5.00 days)
13:05:01  plugins:
13:05:01    log:
13:05:01    - k8s-file
13:05:01    - none
13:05:01    - journald
13:05:01    network:
13:05:01    - bridge
13:05:01    - macvlan
13:05:01    volume:
13:05:01    - local
13:05:01  registries:
13:05:01    search:
13:05:01    - registry.fedoraproject.org
13:05:01    - registry.access.redhat.com
13:05:01    - registry.centos.org
13:05:01    - docker.io
13:05:01  store:
13:05:01    configFile: /home/jenkins/.config/containers/storage.conf
13:05:01    containerStore:
13:05:01      number: 0
13:05:01      paused: 0
13:05:01      running: 0
13:05:01      stopped: 0
13:05:01    graphDriverName: vfs
13:05:01    graphOptions: {}
13:05:01    graphRoot: /home/jenkins/.local/share/containers/storage
13:05:01    graphStatus: {}
13:05:01    imageStore:
13:05:01      number: 0
13:05:01    runRoot: /tmp/podman-run-1000/containers
13:05:01    volumePath: /home/jenkins/.local/share/containers/storage/volumes
13:05:01  version:
13:05:01    APIVersion: 3.4.2
13:05:01    Built: 1642068949
13:05:01    BuiltTime: Thu Jan 13 11:15:49 2022
13:05:01    GitCommit: ""
13:05:01    GoVersion: go1.16.7
13:05:01    OsArch: linux/amd64
13:05:01    Version: 3.4.2

[flouthoc]

I tried this just now following worked for me

• Start a rootless not privileged container

podman run -it --rm quay.io/containers/buildah:latest bash
Trying to pull quay.io/containers/buildah:latest...
Getting image source signatures
Copying blob 9c6cc3463716 done  
Copying blob 5ec9815b5317 done  
Copying blob 09f0ddd3b684 done  
Copying blob 229f3952ded4 done  
Copying blob 5f0d1d409f0e done  
Copying blob ad5a8472a781 done  
Copying config c57750d4fe done  
Writing manifest to image destination
Storing signatures
[root@dd415d1b4a71 /]# vi Dockerfile

• Run build inside container

[root@dd415d1b4a71 /]# buildah --storage-driver vfs build -t test .
STEP 1/3: FROM alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob df9b9388f04a done  
Copying config 0ac33e5f5a done  
Writing manifest to image destination
Storing signatures
STEP 2/3: USER root
STEP 3/3: RUN touch hello
COMMIT test
Getting image source signatures
Copying blob 4fc242d58285 skipped: already exists  
Copying blob c577b75c8c4e done  
Copying config 094a0c66ed done  
Writing manifest to image destination
Storing signatures
--> 094a0c66ede
Successfully tagged localhost/test:latest
094a0c66ededd96ef02d04ae02e945db4c99f514789b8e8e3303daa7e4f6a009

@GolanTrevize10 Could you also add --security-opt seccomp=unconfined --cap-add all ? also try with a dummy container file cause issue could be with your image itself

FROM alpine
RUN echo hello

[GolanTrevize10]

@flouthoc with buildah latest image it works, but not with podman. Try this:

• Run podman run -it --rm docker.artifactory.dhl.com/containers/podman:latest bash
• Switch to podman user su - podman
• Create this dockerfile

FROM owasp/dependency-check
ARG REGISTRY_USER
ARG REGISTRY_PASS
USER root
RUN sed -i "s|[https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org|g](https://dl-cdn.alpinelinux.org/alpine%7Chttps://$REGISTRY_USER:$REGISTRY_PASS@xxxxxxx/artifactory/public_alpine_org%7Cg)" /etc/apk/repositories

• Run this command podman --storage-driver vfs build --build-arg REGISTRY_USER=**** --build-arg REGISTRY_PASS=**** -t xxxxxxx/cdlib/dependency-check:20220502.1253.52-master .

WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers
STEP 1/5: FROM owasp/dependency-check
Trying to pull owasp/dependency-check:latest...
Getting image source signatures
Copying blob 599e78ef2415 done
Copying blob 9a5f499e3a2f done
Copying blob 8663204ce13b done
Copying blob e944dc4d5a91 done
Copying blob d16210d1a8e6 done
Copying blob da4d7c098825 done
Copying blob 80837c5e58fd done
Copying blob d300a6091766 done
Copying config 86373ce551 done
Writing manifest to image destination
Storing signatures
STEP 2/5: ARG REGISTRY_USER
--> bcc43d1e848
STEP 3/5: ARG REGISTRY_PASS
--> e942f648a59
STEP 4/5: USER root
--> c04f843cb71
STEP 5/5: RUN sed -i "s|https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org|g" /etc/apk/repositories
error running container: error from /usr/bin/crun creating container for [/bin/sh -c sed -i "s|https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org|g" /etc/apk/repositories]: sethostname: Operation not permitted
: exit status 1
Error: error building at STEP "RUN sed -i "s|https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org|g" /etc/apk/repositories": error while running runtime: exit status 1

[GolanTrevize10]

I realized now you are running buildah with root. If I use the build user it does not work

STEP 3/3: RUN touch hello
error running container: error from crun creating container for [/bin/sh -c touch hello]: sethostname: Operation not permitted

[flouthoc]

@GolanTrevize10 It worked fine for me even from build user

• Start container

podman run -it --rm --user build quay.io/containers/buildah:latest bash

• Inside container

[build@2faf81db7bb9 ~]$ cat Dockerfile
FROM alpine
USER root
RUN touch hello
[build@2faf81db7bb9 ~]$ buildah --storage-driver vfs build -t test .
STEP 1/3: FROM alpine
STEP 2/3: USER root
STEP 3/3: RUN touch hello
COMMIT test
Getting image source signatures
Copying blob 4fc242d58285 skipped: already exists  
Copying blob 7881c59e6e45 done  
Copying config 65857c2720 done  
Writing manifest to image destination
Storing signatures
--> 65857c27206
Successfully tagged localhost/test:latest
65857c27206785842faa3a50c5ae4191308217c5ad37e03f6caa077f4f3a831a

[GolanTrevize10]

@flouthoc sorry, yo uare right. With buildah image it works. But with podman image it doesn't:

• Start podman container
  podman run -it --rm --user podman quay.io/containers/podman:latest bash

• Build image

[podman@33a0f756944b ~]$ cat Dockerfile
FROM alpine
USER root
RUN touch hello
[podman@33a0f756944b ~]$ podman --storage-driver vfs build  -t test .
STEP 1/3: FROM alpine
STEP 2/3: USER root
--> Using cache 46b193860d43fa73ab741afc58e9c677c72eab4de96d87b3aed1c64dbf3c114b
--> 46b193860d4
STEP 3/3: RUN touch hello
error running container: error from /usr/bin/crun creating container for [/bin/sh -c touch hello]: sethostname: Operation not permitted
: exit status 1
Error: error building at STEP "RUN touch hello": error while running runtime: exit status 1

[rhatdan]

Strange it looks like buildah is also attempting to set the hostname. Could you see if there are any errors in the audit.log about setting the hostname?

Could you also try with

podman --storage-driver vfs build --uts=host ...

And see if this works.

[GolanTrevize10]

With --uts=host it works. Where can I find the audit.log?

[rhatdan]

/var/log/audit/audit.log

[rhatdan]

Weird that it looks to me like buildah and podman would follow the same paths.

[flouthoc]

For me podman fails at a different point

[podman@7bd5880d59f7 /]$ cd ~
[podman@7bd5880d59f7 ~]$ vi Dockerfile
[podman@7bd5880d59f7 ~]$ podman --storage-driver vfs build  -t test .
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers 
STEP 1/3: FROM alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob df9b9388f04a done  
Copying config 0ac33e5f5a done  
Writing manifest to image destination
Storing signatures
STEP 2/3: USER root
--> aced8c862a8
STEP 3/3: RUN touch hello
error running container: error from /usr/bin/crun creating container for [/bin/sh -c touch hello]: remount `/var/tmp/buildah003021833/mnt/rootfs`: Permission denied
: exit status 1
Error: error building at STEP "RUN touch hello": error while running runtime: exit status 1

[flouthoc]

Looks like podman has regressed somewhere or something is done differently in podman, regression persists on older versions as well but not on older buildah versions

Podman

• quay.io/containers/podman:v3.4.4 -> fails
• quay.io/containers/podman:v3.4..0 -> fails

Buildah

• quay.io/containers/buildah:v1.23.0 -> works
• quay.io/containers/buildah:v1.22.0 -> works

[GolanTrevize10]

@rhatdan I don't have any /var/log/audit folder

[GolanTrevize10]

Anyway my original issue when I run podman on a container in Openshift is different, and it happens even if I add the --uts=host

Error: error building at STEP "RUN sed -i "s|[https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxxx/artifactory/public_alpine_org|g](https://dl-cdn.alpinelinux.org/alpine%7Chttps://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org%7Cg)" /etc/apk/repositories": error resolving mountpoints for container "7e7347c4c07d12e4a5582b734ede108ea0d73b09ecad2413708df63f9c53143a": chown /var/lib/jenkins/jobs/41/.local/share/containers/storage/vfs-containers/7e7347c4c07d12e4a5582b734ede108ea0d73b09ecad2413708df63f9c53143a/userdata/buildah-volumes/8cc63f97e8c58d7c5c77d045c486c19c3ac8ef8dfc50a682653175b1121a9e4d: operation not permitted

[flouthoc]

Anyway my original issue when I run podman on a container in Openshift is different, and it happens even if I add the --uts=host

Error: error building at STEP "RUN sed -i "s|[https://dl-cdn.alpinelinux.org/alpine|https://$REGISTRY_USER:$REGISTRY_PASS@xxxxxxx/artifactory/public_alpine_org|g](https://dl-cdn.alpinelinux.org/alpine%7Chttps://$REGISTRY_USER:$REGISTRY_PASS@xxxxxx/artifactory/public_alpine_org%7Cg)" /etc/apk/repositories": error resolving mountpoints for container "7e7347c4c07d12e4a5582b734ede108ea0d73b09ecad2413708df63f9c53143a": chown /var/lib/jenkins/jobs/41/.local/share/containers/storage/vfs-containers/7e7347c4c07d12e4a5582b734ede108ea0d73b09ecad2413708df63f9c53143a/userdata/buildah-volumes/8cc63f97e8c58d7c5c77d045c486c19c3ac8ef8dfc50a682653175b1121a9e4d: operation not permitted

@GolanTrevize10 I see but does this discrepancy also exists with using buildah image directly on openshift ? If not then we can investigate inconsistency between podman and buildah

[GolanTrevize10]

@flouthoc I tried with buildah instead of podman and same error

[rhatdan]

How are you running within OpenShift? You need multiple UIDs to run a build, which OpenSHift does not give by default. You also need either all capabilities or CAP_SETUID and CAP_SETGID.

Have you read https://www.redhat.com/sysadmin/podman-inside-kubernetes?

[GolanTrevize10]

Yes, we have multiple UIDs. It only fails with that image. With other images it works.

[rhatdan]

Most likely you have a UID in that image, that is greater the the list of UIDs available.
If you have 10 UIDs available and I try to chown 11:11, it will fail with this error.

[GolanTrevize10]

But I am not running chown, just switching to root user and running a sed command

[rhatdan]

Pulling the image is causing a chown.

[GolanTrevize10]

No, the sed step is causing the chown error

[rhatdan]

Converting to a conversation, at this point.