Comments (9)
Seems to be caused by the configuration of the container storage library.
Buildah 1.27 does not have a storage.conf in $HOME/.config/containers/storage but Buildah 1.34 does.
I did a test without the storage.conf in $HOME and it almost works, except for some warnings not present with v1.27.
I ran minikube with podman rootless for the tests. The storage is configured with the kernel overlay and not the fuse one.
[build@buildah-latestfixed containers]$ buildah info
Error: open /usr/lib/containers/storage/overlay-images/images.lock: permission denied
WARN[0000] failed to shutdown storage: "open /usr/lib/containers/storage/overlay-images/images.lock: permission denied"
[build@buildah-latestfixed containers]$ pwd
/home/build/.config/containers
[build@buildah-latestfixed containers]$ mv storage.conf storage.conf.ori
[build@buildah-latestfixed containers]$ buildah info
{
  "host": {
    "CgroupVersion": "v2",
    "Distribution": {
      "distribution": "fedora",
      "version": "39"
    },
    "MemFree": 196026368,
    "MemTotal": 3080105984,
    "OCIRuntime": "crun",
    "SwapFree": 0,
    "SwapTotal": 0,
    "arch": "amd64",
    "cpus": 2,
    "hostname": "buildah-latestfixed",
    "kernel": "6.1.0-17-amd64",
    "os": "linux",
    "rootless": true,
    "uptime": "5h 58m 54.82s (Approximately 0.21 days)",
    "variant": ""
  },
  "store": {
    "ContainerStore": {
      "number": 0
    },
    "GraphDriverName": "overlay",
    "GraphOptions": null,
    "GraphRoot": "/home/build/.local/share/containers/storage",
    "GraphStatus": {
      "Backing Filesystem": "extfs",
      "Native Overlay Diff": "true",
      "Supports d_type": "true",
      "Supports shifting": "false",
      "Supports volatile": "true",
      "Using metacopy": "false"
    },
    "ImageStore": {
      "number": 0
    },
    "RunRoot": "/var/tmp/storage-run-1000/containers"
  }
}
sylvain@debian12:~$ minikube kubectl -- exec -it buildah-latestfixed -- bash -c 'buildah --version; buildah info; buildah run $(buildah from ubuntu) bash -c "ls -la"'
buildah version 1.34.0 (image-spec 1.1.0-rc.5, runtime-spec 1.1.0)
{
  "host": {
    "CgroupVersion": "v2",
    "Distribution": {
      "distribution": "fedora",
      "version": "39"
    },
    "MemFree": 77193216,
    "MemTotal": 3080105984,
    "OCIRuntime": "crun",
    "SwapFree": 0,
    "SwapTotal": 0,
    "arch": "amd64",
    "cpus": 2,
    "hostname": "buildah-latestfixed",
    "kernel": "6.1.0-17-amd64",
    "os": "linux",
    "rootless": true,
    "uptime": "5h 26m 15.22s (Approximately 0.21 days)",
    "variant": ""
  },
  "store": {
    "ContainerStore": {
      "number": 0
    },
    "GraphDriverName": "overlay",
    "GraphOptions": null,
    "GraphRoot": "/home/build/.local/share/containers/storage",
    "GraphStatus": {
      "Backing Filesystem": "extfs",
      "Native Overlay Diff": "true",
      "Supports d_type": "true",
      "Supports shifting": "false",
      "Supports volatile": "true",
      "Using metacopy": "false"
    },
    "ImageStore": {
      "number": 0
    },
    "RunRoot": "/var/tmp/storage-run-1000/containers"
  }
}
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob bccd10f490ab done |
Copying config ca2b0f2696 done |
Writing manifest to image destination
WARN[0000] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping
WARN[0000] Path "/run/secrets/rhsm" from "/etc/containers/mounts.conf" doesn't exist, skipping
total 56
dr-xr-xr-x 1 root root 4096 Mar 7 16:54 .
dr-xr-xr-x 1 root root 4096 Mar 7 16:54 ..
lrwxrwxrwx 1 root root 7 Feb 27 15:59 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Apr 18 2022 boot
drwxr-xr-x 5 nobody nogroup 360 Mar 7 16:52 dev
drwxr-xr-x 32 root root 4096 Feb 27 16:03 etc
drwxr-xr-x 2 root root 4096 Apr 18 2022 home
lrwxrwxrwx 1 root root 7 Feb 27 15:59 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 27 15:59 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 27 15:59 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 27 15:59 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4096 Feb 27 15:59 media
drwxr-xr-x 2 root root 4096 Feb 27 15:59 mnt
drwxr-xr-x 2 root root 4096 Feb 27 15:59 opt
dr-xr-xr-x 328 nobody nogroup 0 Mar 7 16:52 proc
drwx------ 2 root root 4096 Feb 27 16:02 root
drwxr-xr-x 1 root root 4096 Mar 7 16:54 run
lrwxrwxrwx 1 root root 8 Feb 27 15:59 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Feb 27 15:59 srv
dr-xr-xr-x 13 nobody nogroup 0 Mar 7 12:02 sys
drwxrwxrwt 2 root root 4096 Feb 27 16:02 tmp
drwxr-xr-x 14 root root 4096 Feb 27 15:59 usr
drwxr-xr-x 11 root root 4096 Feb 27 16:02 var
sylvain@debian12:~$ cat buildah-latest2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: buildah-latestfixed
spec:
  containers:
  - name: buildah
    image: quay.io/buildah/stable:latest
    args:
    - sleep
    - "1000000"
    securityContext:
      runAsUser: 1000
from buildah.
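Added here as a diagnostic, not code from the buildah project or from this thread: it parses a storage.conf for graphroot, runroot and additionalimagestores (key names from containers-storage.conf(5)) and reports which store roots the current uid cannot write, which is the condition behind the `images.lock: permission denied` above. The sample config it writes is constructed, so the /usr/lib store in it is an assumption, not the real 1.34 default.

```shell
# Added diagnostic, not buildah's own code: list the storage roots a
# storage.conf points at and whether this uid can write each. Keys follow
# containers-storage.conf(5); the sample config is constructed. Usage: check_roots FILE
# Write a constructed storage.conf (rootless overlay store plus a read-only
# additional image store) to the path given.
sample_conf() {
    cat > "$1" <<'EOF'
[storage]
driver = "overlay"
graphroot = "/home/build/.local/share/containers/storage"
runroot = "/var/tmp/storage-run-1000/containers"   # per-user run dir
[storage.options]
additionalimagestores = [
  "/usr/lib/containers/storage",
]
EOF
}
# Print "key path" for graphroot, runroot and each additionalimagestores entry.
storage_roots() {
    sed -e 's/#.*//' "$1" | awk -F= '
        /^[[:space:]]*(graphroot|runroot)[[:space:]]*=/ {
            key = $1; gsub(/[[:space:]]/, "", key)
            val = $2; gsub(/[[:space:]"]/, "", val)
            print key, val; next
        }
        /additionalimagestores[[:space:]]*=/ { inarr = 1 }
        inarr {
            rest = $0
            while (match(rest, /"[^"]*"/)) {
                print "additionalimagestores", substr(rest, RSTART + 1, RLENGTH - 2)
                rest = substr(rest, RSTART + RLENGTH)
            }
            if ($0 ~ /\]/) inarr = 0
        }'
}
# Walk up to the nearest existing ancestor; a missing store gets created there.
nearest_existing() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
    printf '%s\n' "$p"
}
# A root this uid cannot write is where buildah fails to open
# <root>/overlay-images/images.lock with "permission denied".
check_roots() {
    storage_roots "$1" | while read -r key path; do
        if [ -w "$(nearest_existing "$path")" ]; then s="writable"
        else s="NOT writable by uid $(id -u)"; fi
        printf '%-22s %s: %s\n' "$key" "$path" "$s"
    done
}
```

Run `check_roots "$HOME/.config/containers/storage.conf"` inside the rootless container to see which root the non-root uid is being pointed at.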
@zmjackson Does it work if you add --privileged --security-opt seccomp=unconfined --security-opt apparmor=unconfined? Just to make sure the issue is not with the new profiles. If it works, we can work to figure out what is causing the issue.
from buildah.
@flouthoc or @rhatdan thoughts on what might be tweaked to fix this?
from buildah.
@sylvainpelletier thanks. Is there a reason for the storage.conf to be added? Is there a way to have the previous behaviour like in 1.27?
from buildah.
We have the same issue, seems like a regression after upgrading to v1.34.0 (upgraded from v1.32.2 where everything runs well).
We run on k8s and we get
Error: open /usr/lib/containers/storage/overlay-images/images.lock: permission denied
Any advice? Do we need to set an `EmptyDir` over this path?
from buildah.
I just checked and I get the same error when using --privileged --security-opt seccomp=unconfined --security-opt apparmor=unconfined.
from buildah.
@zmjackson just changed the security context from
container:
  securityContext:
    allowPrivilegeEscalation: false
    runAsUser: 1000
    runAsGroup: 1000
    capabilities:
      drop:
      - ALL
to
securityContext:
  privileged: true
and it worked... but as you know we don't want to run buildah with these kinds of privileges.
from buildah.
@zmjackson what do you think about that ^^ any ideas how we can proceed?
from buildah.
A friendly reminder that this issue had no activity for 30 days.
from buildah.