
container_run_and_extract does not work with Podman #2251

Open
nyoxi opened this issue Apr 27, 2023 · 2 comments
Labels
Can Close? Will close in 30 days unless there is a comment indicating why not

Comments

nyoxi commented Apr 27, 2023

🐞 bug report

Affected Rule

The issue is caused by the rule: container_run_and_extract when run with Podman.

Is this a regression?

I don't have prior experience and I cannot answer this.

Description

When Podman is used instead of Docker to run containers together with linux-sandbox in Bazel, the execution of the container_run_and_extract command fails with errors because of read-only mounts. E.g.:

time="2023-04-27T05:31:22-04:00" level=error msg="set sticky bit on: chmod /run/user/1000/libpod: read-only file system"

When I try to work around it by adding several --sandbox_writable_path arguments, the build further fails with:

time="2023-04-27T05:57:26-04:00" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
time="2023-04-27T05:57:26-04:00" level=error msg="running `/usr/bin/newuidmap 21 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
time="2023-04-27T05:57:26-04:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"

I am running it as a non-root user if that is relevant.

🔬 Minimal Reproduction

container_run_and_extract(
    name = "test",
    commands = [
        "echo test > /test",
    ],
    extract_file = "/test",
    image = "@centos9//image",
)

🔥 Exception or Error

See the description above.

🌍 Your Environment

Operating System: CentOS Stream 9

Output of bazel version: 5.4.0

Rules_docker version: 0.25.0

Anything else relevant?

nyoxi commented Apr 27, 2023

I forgot to mention that a workaround is to use different sandboxing, and with --spawn_strategy=processwrapper-sandbox it works OK. Obviously with all the security implications of it.

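As an added triage helper for the two failure modes quoted in this report (not part of the issue, of rules_docker, or of the reporter's build): a POSIX shell script that classifies rootless-Podman stderr captured from a Bazel sandboxed action and checks the subordinate-uid range that newuidmap needs. The sample log lines are copied from the report above; the /etc/subuid content is constructed. The flags it points at are the ones the reporter used (--sandbox_writable_path, --spawn_strategy=processwrapper-sandbox) plus Bazel's --sandbox_tmpfs_path; the 65536-id threshold is taken from the range Podman asked newuidmap for in the quoted error and is an assumption about what a working setup needs.

```sh
#!/bin/sh
# Added triage helper for this issue; not part of rules_docker or the
# reporter's build. Classifies rootless-Podman stderr from a Bazel
# sandboxed action and checks the subuid range newuidmap relies on.

# Constructed copies of the two Podman outputs quoted in the report.
SAMPLE_READONLY='time="2023-04-27T05:31:22-04:00" level=error msg="set sticky bit on: chmod /run/user/1000/libpod: read-only file system"'

SAMPLE_USERNS='time="2023-04-27T05:57:26-04:00" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
time="2023-04-27T05:57:26-04:00" level=error msg="running `/usr/bin/newuidmap 21 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
time="2023-04-27T05:57:26-04:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"'

# classify_podman_errors TEXT
# Prints one line per failure class found, in a fixed order:
#   readonly-fs        Podman's state/runtime dir sits on a read-only mount
#                      (the sandbox exposes it read-only)
#   userns             newuidmap/newgidmap could not write the id map, so the
#                      nested user namespace for the rootless container failed
#   mount-propagation  Podman's own warning that "/" is not a shared mount
# Prints "unknown" when nothing matches.
classify_podman_errors() {
    found=0
    if printf '%s\n' "$1" | grep -q 'read-only file system'; then
        echo readonly-fs; found=1
    fi
    if printf '%s\n' "$1" | grep -Eq 'new[ug]idmap|[ug]id_map'; then
        echo userns; found=1
    fi
    if printf '%s\n' "$1" | grep -q 'is not a shared mount'; then
        echo mount-propagation; found=1
    fi
    [ "$found" -eq 1 ] || echo unknown
}

# subuid_count FILE USER
# Sums the subordinate-id counts granted to USER in a subuid/subgid file
# (lines are USER:START:COUNT; a user may have several lines).
subuid_count() {
    awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }' "$1"
}

# subuid_ok FILE USER
# Succeeds when USER has at least 65536 subordinate ids, the size Podman
# passed to newuidmap in the report ("1 100000 65536"). Assumed threshold.
subuid_ok() {
    [ "$(subuid_count "$1" "$2")" -ge 65536 ]
}

# next_step CLASS
# Maps a class to the Bazel-side knob to try next.
next_step() {
    case "$1" in
        readonly-fs)
            echo "make Podman's state writable in the sandbox: --sandbox_writable_path=/run/user/$(id -u) and the rootless storage dir under \$HOME, or --sandbox_tmpfs_path for a scratch copy" ;;
        userns)
            echo "id-map write refused inside the sandbox; check subuid/subgid with subuid_ok, then fall back to --spawn_strategy=processwrapper-sandbox (weaker isolation, as the report notes)" ;;
        mount-propagation)
            echo "warning only; Podman reports / is not a shared mount, expect missing mounts in rootless containers" ;;
        *)
            echo "no known mapping; inspect the full Podman stderr" ;;
    esac
}

# Demo over a constructed /etc/subuid fragment and the captured outputs.
demo_subuid=$(mktemp)
printf 'alice:100000:65536\nbob:200000:65536\n' > "$demo_subuid"
for cls in $(classify_podman_errors "$SAMPLE_READONLY") \
           $(classify_podman_errors "$SAMPLE_USERNS"); do
    echo "$cls: $(next_step "$cls")"
done
subuid_ok "$demo_subuid" alice && echo "alice has a usable subuid range"
rm -f "$demo_subuid"
```

Run it with the real Podman stderr instead of the samples (for example `classify_podman_errors "$(cat podman.err)"`) and pass `/etc/subuid` and your user name to `subuid_ok`; a `userns` class with a healthy subuid range means the sandbox itself, not the host's id mapping, is what blocks the nested namespace.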
nyoxi added a commit to nyoxi/forklift that referenced this issue Apr 27, 2023
The appliance used by Kubevirt is missing some packages we need. For legal
reasons it is not possible to include the missing packages there. We
need to build our own fixed appliance.

We imitate multi-stage Dockerfile build in Bazel. Unfortunately
container_run_and_extract() does not work with Podman [1] and Bazel's
linux-sandbox. Slightly less secure but working processwrapper sandbox
is used as a workaround.

[1] bazelbuild/rules_docker#2251

Signed-off-by: Tomáš Golembiovský <[email protected]>
nyoxi added a commit to nyoxi/forklift that referenced this issue Apr 27, 2023
The appliance from Kubevirt [1] is missing some packages we need. For
legal reasons it is not possible to include the missing packages there.
We need to build our own fixed appliance.

We imitate multi-stage Dockerfile build in Bazel. Unfortunately
container_run_and_extract() does not work with Podman [2] and Bazel's
linux-sandbox. Slightly less secure but working processwrapper sandbox
is used as a workaround.

[1] kubevirt/libguestfs-appliance#17
[2] bazelbuild/rules_docker#2251

Signed-off-by: Tomáš Golembiovský <[email protected]>
nyoxi added a commit to nyoxi/forklift that referenced this issue May 2, 2023
nyoxi added a commit to nyoxi/forklift that referenced this issue May 2, 2023
ahadas pushed a commit to kubev2v/forklift that referenced this issue May 2, 2023
ahadas pushed a commit to kubev2v/forklift that referenced this issue Jun 8, 2023
This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs in 30 days.
Collaborators can add an assignee to keep this open indefinitely. Thanks for your contributions to rules_docker!

@github-actions github-actions bot added the Can Close? Will close in 30 days unless there is a comment indicating why not label Dec 10, 2024