containers/buildah image misses settings for build user #4669

Closed
nolange opened this issue Mar 17, 2023 · 10 comments · Fixed by #4905 · May be fixed by #4674
Comments

nolange commented Mar 17, 2023

Description

The quay.io/containers/buildah image seems to miss the configuration
for the non-root `build` user ($HOME/.config/containers/storage.conf).

In turn, running the container as the build user will use the default settings and not
work with fuse-overlayfs.

Steps to reproduce the issue:

  1. Run podman run --rm -it --device /dev/fuse --user build quay.io/containers/buildah buildah info

  2. Observe that unlike as root the configuration to use fuse-overlayfs is missing:

        "GraphDriverName": "overlay",
        "GraphOptions": [
            "overlay.imagestore=/var/lib/shared",
            "overlay.mount_program=/usr/bin/fuse-overlayfs",
            "overlay.mountopt=nodev,fsync=0"
        ]

Describe the results you received:

Running as the build user, buildah build will not use fuse, and depending on other settings (which I haven't narrowed down),
errors will come up like the one below (apt-get install ca-certificates won't finish):

Unpacking ca-certificates (20230311) ...
dpkg: error processing archive /var/cache/apt/archives/ca-certificates_20230311_all.deb (--unpack):
 unable to install new version of './etc/ca-certificates': Invalid cross-device link

Describe the results you expected:

buildah build proceeding without errors (as it does when not using podman's --user build option)

Output of rpm -q buildah or apt list buildah:

buildah-1.29.1-1.fc37.x86_64

Output of buildah version:

Version:         1.29.1
Go Version:      go1.19.5
Image Spec:      1.0.2-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        1.0.0
libcni Version:  v1.1.2
image Version:   5.24.1
Git Commit:      
Built:           Fri Feb 17 10:05:41 2023
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of podman version if reporting a podman build issue:

Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.19.6
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of cat /etc/*release:

NAME="Fedora Linux"
VERSION="37 (Container Image)"
ID=fedora
VERSION_ID=37
VERSION_CODENAME=""
PLATFORM_ID="platform:f37"
PRETTY_NAME="Fedora Linux 37 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:37"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f37/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=37
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=37
SUPPORT_END=2023-11-14
VARIANT="Container Image"
VARIANT_ID=container

Output of uname -a:

Linux ac677b1df0a6 6.1.0-6-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.15-1 (2023-03-05) x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:
(comments removed)

[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]

additionalimagestores = [
"/var/lib/shared",
]

pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,fsync=0"
[storage.options.thinpool]

rhatdan (Member) commented Mar 18, 2023

We want to fall back to fuse-overlayfs, not use it by default. If the kernel supports using native overlay for the rootless user we should use it. If we hard code fuse-overlayfs into the configuration, then we won't be able to use native overlay.

Podman/Buildah are supposed to be smart enough to fall back to fuse-overlayfs if it is installed, the /dev/fuse device exists and native overlayfs is not supported.

nolange (Author) commented Mar 20, 2023

> We want to fall back to fuse-overlayfs, not use it by default. If the kernel supports using native overlay for the rootless user we should use it. If we hard code fuse-overlayfs into the configuration, then we won't be able to use native overlay.

AFAIU the docker image doesn't change the defaults, but adds lines to use a custom mount step:

```shell
RUN sed -e 's|^#mount_program|mount_program|g' \
-e '/additionalimage.*/a "/var/lib/shared",' \
-e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
/usr/share/containers/storage.conf \
> /etc/containers/storage.conf && \
```

> Podman/Buildah are supposed to be smart enough to fall back to fuse-overlayfs if it is installed, the /dev/fuse device exists and native overlayfs is not supported.

Your own docker image sets that config - but only for root?
Running buildah in a rootless container seems a bit more involved, and it doesn't work for me (when run as user). I don't understand how the Invalid cross-device link crops up, but I suspect it's the missing configuration when run as the build user.
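One way to give the `build` user the per-user configuration this comment is asking for, as an added example that is not buildah's Containerfile and not the code of either referenced PR (#4674, #4905): a POSIX shell function that derives `$HOME/.config/containers/storage.conf` for the rootless user from the system-wide file. It enables `mount_program`, adds the `/var/lib/shared` image store, and additionally comments out `graphroot`/`runroot`, since those point at root-only paths the build user cannot write to; with them unset, c/storage falls back to its rootless defaults under the user's home directory. The sample input, the function names and the output path are assumptions; the script runs stand-alone on the constructed sample.

```shell
#!/bin/sh
# Added example (not buildah's Containerfile): derive a per-user storage.conf
# for the rootless `build` user from the system-wide one, so that
# `podman run --user build ... buildah` sees fuse-overlayfs and the shared
# image store the same way root does.
#
# Assumptions (not from the issue): SRC/DST paths are chosen by the caller;
# in an image build this would run as root and the result be chown'ed to build.
set -eu

# Sample system config, constructed here so the script is self-contained.
# It mirrors the shape of /usr/share/containers/storage.conf: mount_program
# commented out, graphroot/runroot pointing at root-only locations.
SAMPLE_SYSTEM_CONF='[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev"
'

# gen_rootless_storage_conf SRC DST
#  - uncomments mount_program so builds do not depend on the host kernel
#    allowing native overlay inside a user namespace
#  - inserts "/var/lib/shared" right after the additionalimagestores line
#    (the read-only image store baked into the image)
#  - sets mountopt to the same value the root config uses
#  - comments out graphroot/runroot: the build user cannot write to
#    /var/lib/containers/storage; unset, c/storage uses rootless defaults
gen_rootless_storage_conf() {
    src=$1
    dst=$2
    mkdir -p "$(dirname "$dst")"
    awk '
        /^#mount_program[[:space:]]*=/ { sub(/^#/, "") }
        /^graphroot[[:space:]]*=/      { $0 = "#" $0 }
        /^runroot[[:space:]]*=/        { $0 = "#" $0 }
        /^mountopt[[:space:]]*=/       { $0 = "mountopt = \"nodev,fsync=0\"" }
        { print }
        /^additionalimagestores[[:space:]]*=[[:space:]]*\[/ { print "\"/var/lib/shared\"," }
    ' "$src" > "$dst"
}

# conf_has FILE KEY VALUE: succeed if KEY is active (not commented out)
# and set to the quoted VALUE. Used to verify the generated file.
conf_has() {
    grep -q "^$2[[:space:]]*=[[:space:]]*\"$3\"" "$1"
}

# Self-contained demo on the constructed sample (paths are assumptions).
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_SYSTEM_CONF" > "$demo_dir/storage.conf"
rootless_conf="$demo_dir/home/build/.config/containers/storage.conf"
gen_rootless_storage_conf "$demo_dir/storage.conf" "$rootless_conf"
cat "$rootless_conf"
```

Inside the image, the generated file would be written to `/home/build/.config/containers/storage.conf` and chown'ed to `build`, after which `buildah info` run with `--user build` reports `overlay.mount_program` just as the root run in the issue does. The trade-off raised earlier in the thread still applies: pinning `mount_program` in the per-user config forces fuse-overlayfs for that user even on a kernel where native overlay in a user namespace would have worked, so this is a deliberate choice for the container image, not a general recommendation.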

nolange pushed a commit to nolange/buildah that referenced this issue Mar 20, 2023
The container has configuration for root,
this commit adds a similar configuration for the build user.

Closes: containers#4669
nolange pushed a commit to nolange/buildah that referenced this issue Mar 20, 2023
The container has configuration for root,
this commit adds a similar configuration for the build user.

Closes: containers#4669
Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
nolange added a commit to nolange/buildah that referenced this issue Mar 20, 2023
The container has configuration for root,
this commit adds a similar configuration for the build user.

Closes: containers#4669

Signed-off-by: Norbert Lange <nolange79@gmail.com>
rhatdan (Member) commented Apr 1, 2023

This is a bug:

```shell
-e 's|^#mount_program|mount_program|g' \
```

We should not be turning on the mount_program for rootful mode; we should use native overlay.

github-actions bot commented May 2, 2023

A friendly reminder that this issue had no activity for 30 days.

rhatdan (Member) commented May 2, 2023

@flouthoc you reverted my fix for this, could you followup on this?

github-actions bot commented Jun 2, 2023

A friendly reminder that this issue had no activity for 30 days.

flouthoc (Collaborator) commented Jun 2, 2023

> @flouthoc you reverted my fix for this, could you followup on this?

Yes let me check this.

github-actions bot commented Jul 3, 2023

A friendly reminder that this issue had no activity for 30 days.

flouthoc (Collaborator) commented Jul 3, 2023

Checking this now.

flouthoc added a commit to flouthoc/buildah that referenced this issue Jul 3, 2023
For image published at `quay.io/containers/buildah` buildah should
correctly use `fuseoverlay` for rootless `build` user `fuse-overlayfs`.

Closes: containers#4669

[NO NEW TESTS NEEDED]

Signed-off-by: Aditya R <arajan@redhat.com>
flouthoc (Collaborator) commented Jul 3, 2023

@nolange PR #4905 should close this and long term kernel agnostic fix should go in c/storage I think.
