
Issues with podman #20289

Closed
bhundven opened this issue Feb 23, 2024 · 9 comments · Fixed by #20473
Labels
bug Something isn't working

Comments

@bhundven
Contributor

aqua info

$ aqua info
{
  "version": "2.23.1",
  "commit_hash": "65fb59915fced5e16413e59cd17b3f0a1b42b972",
  "os": "linux",
  "arch": "amd64",
  "pwd": "/home/(USER)/Projects/github.com/aquaproj/aqua-registry",
  "root_dir": "/home/(USER)/.local/share/aquaproj-aqua",
  "env": {
    "AQUA_ROOT_DIR": "/home/(USER)/.local/share/aquaproj-aqua"
  },
  "config_files": [
    {
      "path": "/home/(USER)/Projects/github.com/aquaproj/aqua-registry/aqua.yaml"
    },
    {
      "path": "/home/(USER)/aqua.yaml"
    }
  ]
}

Overview

Trying to add a new package to aqua-registry with podman on Fedora 39:

$ rpm -qa | grep podman
podman-compose-1.0.6-3.fc39.noarch
podman-tui-0.17.0-1.fc39.x86_64
podman-4.9.3-1.fc39.x86_64
podman-docker-4.9.3-1.fc39.noarch
podman-plugins-4.9.3-1.fc39.x86_64

How to reproduce

Executed command and output

bhundven@mill:~/Projects/github.com/aquaproj/aqua-registry$ cmdx scaffold iamhsa/pkenv
+ set -eu
if [ "false" = true ]; then
  cmdx rm
fi
bash scripts/start.sh
bash scripts/scaffold.sh "iamhsa/pkenv" "" ""
bash scripts/test.sh "iamhsa/pkenv"
bash scripts/start.sh aqua-registry-windows
bash scripts/test-windows.sh "iamhsa/pkenv"

Error: no such object: "aquaproj/aqua-registry"
[INFO] Building the docker image aquaproj/aqua-registry
STEP 1/15: FROM golang:1.22.0-bookworm
Resolved "golang" as an alias (/home/bhundven/.cache/containers/short-name-aliases.conf)
Trying to pull docker.io/library/golang:1.22.0-bookworm...
Getting image source signatures
Copying blob 9ef5d6b83255 done   | 
Copying blob 7bb465c29149 done   | 
Copying blob 49b40be4436e done   | 
Copying blob 2b9b41aaa3c5 done   | 
Copying blob d85d001093ea done   | 
Copying blob 07ba5748a600 done   | 
Copying blob 4f4fb700ef54 done   | 
Copying config 0c4ed86491 done   | 
Writing manifest to image destination
STEP 2/15: WORKDIR /workspace
--> 018c7015ed79
STEP 3/15: ENV AQUA_ROOT_DIR=/root/aquaproj-aqua
--> 2dff6d7dd83c
STEP 4/15: ENV AQUA_LOG_COLOR=always
--> 5c603fa0e3af
STEP 5/15: ENV AQUA_POLICY_CONFIG=/workspace/aqua-policy.yaml
--> dbe90d979600
STEP 6/15: ENV PATH=$AQUA_ROOT_DIR/bin:/root/.cargo/bin:$PATH
--> a8e9f02dad4b
STEP 7/15: SHELL ["/bin/bash", "-o", "pipefail", "-c"]
WARN[0013] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 1acd37b17b28
STEP 8/15: RUN   apt-get update &&   apt-get install --no-install-recommends -y tree &&   apt-get clean &&   rm -rf /var/lib/apt/lists/*
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8786 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [12.7 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [143 kB]
Fetched 9196 kB in 2s (4648 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  tree
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 52.5 kB of archives.
After this operation, 116 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 tree amd64 2.1.0-1 [52.5 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 52.5 kB in 0s (482 kB/s)
Selecting previously unselected package tree.
(Reading database ... 15610 files and directories currently installed.)
Preparing to unpack .../tree_2.1.0-1_amd64.deb ...
Unpacking tree (2.1.0-1) ...
Setting up tree (2.1.0-1) ...
WARN[0016] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> eca620644cf5
STEP 9/15: RUN curl -sSfL -O https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.0/aqua-installer
WARN[0017] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 882db4483464
STEP 10/15: RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
info: downloading installer
info: profile set to 'minimal'
info: default host triple is x86_64-unknown-linux-gnu
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
info: latest update on 2024-02-08, rust version 1.76.0 (07dca489a 2024-02-04)
info: downloading component 'cargo'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: installing component 'cargo'
info: installing component 'rust-std'
info: installing component 'rustc'

info: default toolchain set to 'stable-x86_64-unknown-linux-gnu'
  stable-x86_64-unknown-linux-gnu installed - rustc 1.76.0 (07dca489a 2024-02-04)


Rust is installed now. Great!

To get started you may need to restart your current shell.
This would reload your PATH environment variable to include
Cargo's bin directory ($HOME/.cargo/bin).

To configure your current shell, run:
source "$HOME/.cargo/env"
WARN[0026] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 76738c834599
STEP 11/15: RUN echo "1577b99b74751a5ddeea757198cee3b600fce3ef18990540e4d0e667edcf1b5f  aqua-installer" | sha256sum -c
aqua-installer: OK
WARN[0028] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 47dec0a6c277
STEP 12/15: RUN chmod +x aqua-installer
WARN[0029] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 9bc4742ee9ff
STEP 13/15: RUN ./aqua-installer -v v2.23.1
[INFO] Installing aqua v2.22.0 for bootstrapping...
[INFO] Downloading https://github.com/aquaproj/aqua/releases/download/v2.22.0/aqua_linux_amd64.tar.gz ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 6578k  100 6578k    0     0  5663k      0  0:00:01  0:00:01 --:--:-- 9344k
[INFO] Verifying checksum of aqua v2.22.0 ...
aqua_linux_amd64.tar.gz: OK
[INFO] /tmp/tmp.QWbmczWeXD/aqua update-aqua v2.23.1
INFO[0000] download and unarchive the package            aqua_version=2.22.0 env=linux/amd64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua registry=
INFO[0000] verify a package with slsa-verifier           aqua_version=2.22.0 env=linux/amd64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua registry=
INFO[0000] download and unarchive the package            aqua_version=2.22.0 env=linux/amd64 new_version=v2.23.1 package_name=slsa-framework/slsa-verifier package_version=v2.4.1 program=aqua registry=
Verified signature against tlog entry index 68699067 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a769569930edd1e1cf2ea9486eb1da26a46df11bbb030527a972db52d4c34fc7d
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 65fb59915fced5e16413e59cd17b3f0a1b42b972
Verifying artifact /tmp/088656240: PASSED

PASSED: Verified SLSA provenance
INFO[0004] create a symbolic link                        aqua_version=2.22.0 command=aqua env=linux/amd64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua

===============================================================
[INFO] aqua is installed into /root/aquaproj-aqua/bin/aqua
[INFO] Please add the path to the environment variable "PATH"
[INFO] export PATH=${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH
===============================================================

aqua version 2.23.1 (65fb59915fced5e16413e59cd17b3f0a1b42b972)
WARN[0035] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> c18e135eaef4
STEP 14/15: COPY aqua-test.yaml aqua.yaml
WARN[0035] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 109c07ba539c
STEP 15/15: COPY aqua-policy.yaml aqua-policy.yaml
COMMIT aquaproj/aqua-registry
WARN[0036] SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format 
--> 47c026dd5078
Successfully tagged localhost/aquaproj/aqua-registry:latest
47c026dd50781e2f310d61bece5bbbccdc06d153c865e79ac3e9149f89d3dc45
[INFO] Checking if the container aqua-registry exists
[INFO] Creaing a container aqua-registry
[INFO] Get a GitHub Access token by gh auth token
e9c7723e4cbba947612f16f6326bdcf0e239ddfa4f060f1ce7c20c1a75b76952
+ pkg=iamhsa/pkenv
+ cmd=
+ limit=
+ '[' -d pkgs/iamhsa/pkenv ']'
+ docker exec -ti -w /aqua-registry aqua-registry aqua policy allow
INFO[0000] no policy file is found                       aqua_version=2.23.1 env=linux/amd64 program=aqua
+ docker exec -ti -w /aqua-registry aqua-registry aqua i -l
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=linux/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0000] create a symbolic link                        aqua_version=2.23.1 command=aqua-proxy env=linux/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
+ opts=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ docker exec -ti -w /aqua-registry aqua-registry aqua-registry scaffold iamhsa/pkenv
Error: crun: executable file `aqua-registry` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found
exit status 127 

Debug output

Output isn't different with AQUA_LOG_LEVEL=debug set.

Expected behaviour

The new package is created in the aqua-registry

Actual behaviour

+ docker exec -ti -w /aqua-registry aqua-registry aqua-registry scaffold iamhsa/pkenv
Error: crun: executable file `aqua-registry` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

Note

No response

@bhundven bhundven added the bug Something isn't working label Feb 23, 2024
@suzuki-shunsuke
Member

suzuki-shunsuke commented Feb 23, 2024

Thank you for your report.
We usually use Docker Desktop and have never tested the task with Podman.
I'll take a look when I have time.
I'm not familiar with Podman, so your contribution is welcome.

@suzuki-shunsuke
Member

+ docker exec -ti -w /aqua-registry aqua-registry aqua policy allow
INFO[0000] no policy file is found                       aqua_version=2.23.1 env=linux/amd64 program=aqua
+ docker exec -ti -w /aqua-registry aqua-registry aqua i -l
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=linux/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0000] create a symbolic link                        aqua_version=2.23.1 command=aqua-proxy env=linux/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=

The log looks weird.

aqua-policy.yaml wasn't found and the symbolic links of aqua-registry weren't created.

Can you run cmdx con and check the directory /aqua-registry?
The repository root directory should be mounted on /aqua-registry.

e.g.

$ cmdx con     
+ bash scripts/connect.sh
[INFO] Connecting to the container aqua-registry (linux/arm64)
root@f58ef8e7af78:/workspace# cd /aqua-registry/
root@f58ef8e7af78:/aqua-registry# ls
CONTRIBUTING.md  README.md  aqua-all.yaml	 aqua-policy.yaml	     aqua.yaml	docker	registry.yaml	scripts
LICENSE		 aqua	    aqua-checksums.json  aqua-registry-updater.yaml  cmdx.yaml	pkgs	renovate.json5
root@f58ef8e7af78:/aqua-registry# cat aqua-policy.yaml 
---
# aqua Policy
# https://aquaproj.github.io/docs/guides/policy-as-code
registries:
  - type: standard
    ref: semver(">= 3.0.0")
  - type: local
    name: local
    path: registry.yaml
packages:
  - registry: standard
  - registry: local
root@f58ef8e7af78:/aqua-registry# cat aqua.yaml 
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
checksum:
  enabled: true
registries:
  - name: standard
    type: local
    path: registry.yaml
packages:
  - name: aquaproj/registry-tool@v0.2.3
  - name: rhysd/actionlint@v1.6.26
  - name: suzuki-shunsuke/cmdx@v1.7.4
  - name: jqlang/jq@jq-1.7.1
  - name: cli/cli@v2.44.1

@suzuki-shunsuke
Member

I couldn't reproduce the issue on my laptop.

$ aqua info
{
  "version": "2.23.1",
  "commit_hash": "65fb59915fced5e16413e59cd17b3f0a1b42b972",
  "os": "darwin",
  "arch": "arm64",
  "pwd": "/Users/(USER)/repos/src/github.com/aquaproj/aqua-registry",
  "root_dir": "/Users/(USER)/.local/share/aquaproj-aqua",
  "env": {
    "AQUA_GLOBAL_CONFIG": "/Users/(USER)/repos/src/github.com/suzuki-shunsuke/dotfiles/aqua.yaml:/Users/(USER)/repos/src/github.com/aquaproj/aqua-registry/aqua-all.yaml",
    "AQUA_PROGRESS_BAR": "true"
  },
  "config_files": [
    {
      "path": "/Users/(USER)/repos/src/github.com/aquaproj/aqua-registry/aqua.yaml"
    }
  ]
}

I installed Podman Desktop on M3 Mac Pro.

$ podman version
Client:       Podman Engine
Version:      4.9.2
API Version:  4.9.2
Go Version:   go1.21.6
Git Commit:   f9a48ebcfa9a39144be0f86f4ba842752835f945
Built:        Sat Feb  3 08:31:39 2024
OS/Arch:      darwin/arm64

Server:       Podman Engine
Version:      4.9.0
API Version:  4.9.0
Go Version:   go1.21.6
Built:        Wed Jan 24 19:07:09 2024
OS/Arch:      linux/arm64

Created a symbolic link.

$ ln -s /opt/podman/bin/podman ~/bin/docker
$ docker version
Client:       Podman Engine
Version:      4.9.2
API Version:  4.9.2
Go Version:   go1.21.6
Git Commit:   f9a48ebcfa9a39144be0f86f4ba842752835f945
Built:        Sat Feb  3 08:31:39 2024
OS/Arch:      darwin/arm64

Server:       Podman Engine
Version:      4.9.0
API Version:  4.9.0
Go Version:   go1.21.6
Built:        Wed Jan 24 19:07:09 2024
OS/Arch:      linux/arm64

Ran cmdx s iamhsa/pkenv then it succeeded.

$ cmdx s iamhsa/pkenv
$ cmdx s iamhsa/pkenv
+ set -eu
if [ "false" = true ]; then
  cmdx rm
fi
bash scripts/start.sh
bash scripts/scaffold.sh "iamhsa/pkenv" "" ""
bash scripts/test.sh "iamhsa/pkenv"
bash scripts/start.sh aqua-registry-windows
bash scripts/test-windows.sh "iamhsa/pkenv"

/Users/shunsukesuzuki/bin/docker
Error: no such object: "aquaproj/aqua-registry"
[INFO] Building the docker image aquaproj/aqua-registry
STEP 1/15: FROM golang:1.22.0-bookworm
Resolving "golang" using unqualified-search registries (/etc/containers/registries.conf.d/999-podman-machine.conf)
Trying to pull docker.io/library/golang:1.22.0-bookworm...
Getting image source signatures
Copying blob sha256:056502cbc32b718fd7404acbc281be34cf53ab4f8088a500577ad81b17155f87
Copying blob sha256:d3436c315a5dcd9b17acc96236fdf378dcf2deb72fe9dafb42d894a3c362ac75
Copying blob sha256:c2964e85ea54bbef26d274e85fa0a3fde68f074e0774d0729e6ebe341e24eee1
Copying blob sha256:a23d83702b673f096f3ad08d6fd0e17210ca2820cc17e8200245f59d0673551f
Copying blob sha256:b64f8be2f5605845877a9fa07d02f4e446d47bf5eacd419b6f8c50dcfa51cf85
Copying blob sha256:603ae72c83b17aae41ce6857f0063bfd35b5f00dc5d7e1ad47fa18debb28b2c7
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying config sha256:9cbeef2f2690917b347a6bc06aef96b4480907e55a2f079a207066c305cf92a0
Writing manifest to image destination
STEP 2/15: WORKDIR /workspace
--> 0f2a5f7ec27e
STEP 3/15: ENV AQUA_ROOT_DIR=/root/aquaproj-aqua
--> 19c400a303a2
STEP 4/15: ENV AQUA_LOG_COLOR=always
--> 50483a03d45f
STEP 5/15: ENV AQUA_POLICY_CONFIG=/workspace/aqua-policy.yaml
--> 5b9b235064b5
STEP 6/15: ENV PATH=$AQUA_ROOT_DIR/bin:/root/.cargo/bin:$PATH
--> 9c26f007a787
STEP 7/15: SHELL ["/bin/bash", "-o", "pipefail", "-c"]
time="2024-02-24T09:41:46+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 03fe821761a2
STEP 8/15: RUN   apt-get update &&   apt-get install --no-install-recommends -y tree &&   apt-get clean &&   rm -rf /var/lib/apt/lists/*
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main arm64 Packages [8685 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [12.5 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [140 kB]
Fetched 9092 kB in 1s (8283 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  tree
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 50.9 kB of archives.
After this operation, 169 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main arm64 tree arm64 2.1.0-1 [50.9 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 50.9 kB in 0s (1389 kB/s)
Selecting previously unselected package tree.
(Reading database ... 15633 files and directories currently installed.)
Preparing to unpack .../tree_2.1.0-1_arm64.deb ...
Unpacking tree (2.1.0-1) ...
Setting up tree (2.1.0-1) ...
time="2024-02-24T09:41:48+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 6e217351ec96
STEP 9/15: RUN curl -sSfL -O https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.0/aqua-installer
time="2024-02-24T09:41:49+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 0a6ff65f22d2
STEP 10/15: RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
info: downloading installer
info: profile set to 'minimal'
info: default host triple is aarch64-unknown-linux-gnu
info: syncing channel updates for 'stable-aarch64-unknown-linux-gnu'
info: latest update on 2024-02-08, rust version 1.76.0 (07dca489a 2024-02-04)
info: downloading component 'cargo'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: installing component 'cargo'
info: installing component 'rust-std'
info: installing component 'rustc'
info: default toolchain set to 'stable-aarch64-unknown-linux-gnu'

  stable-aarch64-unknown-linux-gnu installed - rustc 1.76.0 (07dca489a 2024-02-04)


Rust is installed now. Great!

To get started you may need to restart your current shell.
This would reload your PATH environment variable to include
Cargo's bin directory ($HOME/.cargo/bin).

To configure your current shell, run:
source "$HOME/.cargo/env"
time="2024-02-24T09:42:01+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> a0cfadf62f92
STEP 11/15: RUN echo "1577b99b74751a5ddeea757198cee3b600fce3ef18990540e4d0e667edcf1b5f  aqua-installer" | sha256sum -c
aqua-installer: OK
time="2024-02-24T09:42:06+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> cc44d27e9b21
STEP 12/15: RUN chmod +x aqua-installer
time="2024-02-24T09:42:06+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 2b398c91c9bb
STEP 13/15: RUN ./aqua-installer -v v2.23.1
[INFO] Installing aqua v2.22.0 for bootstrapping...
[INFO] Downloading https://github.com/aquaproj/aqua/releases/download/v2.22.0/aqua_linux_arm64.tar.gz ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 6082k  100 6082k    0     0  7146k      0 --:--:-- --:--:-- --:--:-- 7146k
[INFO] Verifying checksum of aqua v2.22.0 ...
aqua_linux_arm64.tar.gz: OK
[INFO] /tmp/tmp.lp2KzgAdcL/aqua update-aqua v2.23.1
INFO[0000] download and unarchive the package            aqua_version=2.22.0 env=linux/arm64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua registry=
INFO[0000] verify a package with slsa-verifier           aqua_version=2.22.0 env=linux/arm64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua registry=
INFO[0000] download and unarchive the package            aqua_version=2.22.0 env=linux/arm64 new_version=v2.23.1 package_name=slsa-framework/slsa-verifier package_version=v2.4.1 program=aqua registry=
Verified signature against tlog entry index 68699067 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a769569930edd1e1cf2ea9486eb1da26a46df11bbb030527a972db52d4c34fc7d
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 65fb59915fced5e16413e59cd17b3f0a1b42b972
Verifying artifact /tmp/790688413: PASSED

PASSED: Verified SLSA provenance
INFO[0006] create a symbolic link                        aqua_version=2.22.0 command=aqua env=linux/arm64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua
[INFO] aqua is installed into /root/aquaproj-aqua/bin/aqua
[INFO] Please add the path to the environment variable "PATH"
[INFO] export PATH=${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH

===============================================================
===============================================================

aqua version 2.23.1 (65fb59915fced5e16413e59cd17b3f0a1b42b972)
time="2024-02-24T09:42:14+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> f89a5b19ebf0
STEP 14/15: COPY aqua-test.yaml aqua.yaml
time="2024-02-24T09:42:14+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> f261b3bf91c3
STEP 15/15: COPY aqua-policy.yaml aqua-policy.yaml
COMMIT aquaproj/aqua-registry
time="2024-02-24T09:42:14+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> e8253aca81c1
Successfully tagged localhost/aquaproj/aqua-registry:latest
e8253aca81c113b209fcb496493d5059fd73c377088d5c9851643f8ff9ae7275
[INFO] Checking if the container aqua-registry exists
[INFO] Creaing a container aqua-registry
[INFO] Get a GitHub Access token by gh auth token
a6ce9fb64d892c63d9c7c1991387f94471a9613cb292f5e9c801852574dd1480
+ pkg=iamhsa/pkenv
+ cmd=
+ limit=
+ '[' -d pkgs/iamhsa/pkenv ']'
+ rm -R pkgs/iamhsa/pkenv
+ docker exec -ti -w /aqua-registry aqua-registry aqua policy allow
+ docker exec -ti -w /aqua-registry aqua-registry aqua i -l
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=linux/arm64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0001] create a symbolic link                        aqua_version=2.23.1 command=aqua-proxy env=linux/arm64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0001] create a symbolic link                        aqua_version=2.23.1 command=aqua-registry env=linux/arm64 program=aqua
INFO[0001] create a symbolic link                        aqua_version=2.23.1 command=actionlint env=linux/arm64 program=aqua
INFO[0001] create a symbolic link                        aqua_version=2.23.1 command=cmdx env=linux/arm64 program=aqua
INFO[0001] create a symbolic link                        aqua_version=2.23.1 command=jq env=linux/arm64 program=aqua
INFO[0001] create a symbolic link                        aqua_version=2.23.1 command=gh env=linux/arm64 program=aqua
+ opts=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ docker exec -ti -w /aqua-registry aqua-registry aqua-registry scaffold iamhsa/pkenv
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=linux/arm64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard
INFO[0000] verify a package with slsa-verifier           aqua_version=2.23.1 env=linux/arm64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard
Verified signature against tlog entry index 49719525 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a1362688809ea23832eb8f7476aa422bec34de617b2cb0e35f6f31abaabb8c89f
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 0ae103452e9e2197d918600a3b2c90cb49390859
Verifying artifact /tmp/884624902: PASSED

PASSED: Verified SLSA provenance
+ aqua gr --out-testdata pkgs/iamhsa/pkenv/pkg.yaml iamhsa/pkenv > pkgs/iamhsa/pkenv/registry.yaml
Update registry.yaml
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=linux/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=darwin/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0000] download and unarchive the package            aqua_version=2.23.1 env=darwin/arm64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
/Users/shunsukesuzuki/bin/docker
[INFO] Checking if the container aqua-registry-windows exists
[INFO] Creaing a container aqua-registry-windows
[INFO] Get a GitHub Access token by gh auth token
76e09562685271c21a7b0f511724d169bd59d054b8283f681e9af0608ab078da

@suzuki-shunsuke suzuki-shunsuke transferred this issue from aquaproj/aqua Feb 24, 2024
@tadayosi
Contributor

tadayosi commented Mar 1, 2024

I guess the issue might be related to the way podman names an image without hostname (like docker.io). After I run cmdx s <package> I get:

$ podman images
REPOSITORY                                             TAG              IMAGE ID      CREATED         SIZE
localhost/aquaproj/aqua-registry                       latest           55d991505793  41 minutes ago  1.45 GB

So probably cmdx instead expects aquaproj/aqua-registry where podman creates localhost/aquaproj/aqua-registry by the default naming settings?

@tadayosi
Contributor

tadayosi commented Mar 1, 2024

So, for me:

$ cmdx con
+ bash scripts/connect.sh
[INFO] Connecting to the container aqua-registry (linux/amd64)
ERRO[0000] install the registry                          aqua_version=2.23.1 env=linux/amd64 error="local registry isn't found" local_registry_file_path=/workspace/registry.yaml program=aqua registry_name=standard
FATA[0000] aqua failed                                   aqua_version=2.23.1 env=linux/amd64 error="it failed to install some registries" program=aqua
exit status 1

I use Fedora 39 and Podman 4.9.3.

tadayosi added a commit to tadayosi/aqua-registry that referenced this issue Mar 1, 2024
The `aqua-registry` image doesn't work well with podman unless it's run
with `--privileged` option.

Fix aquaproj#20289
tadayosi added a commit to tadayosi/aqua-registry that referenced this issue Mar 1, 2024
The `aqua-registry` image doesn't work well with podman unless it's run
with `--privileged` option.

Fix aquaproj#20289
@tadayosi
Contributor

tadayosi commented Mar 1, 2024

Turned out it's not because the name is localhost/aquaproj/aqua-registry, but for Podman and Fedora it just needs --privileged to run the image. See my pull request #20473.

tadayosi added a commit to tadayosi/aqua-registry that referenced this issue Mar 1, 2024
The `aqua-registry` image doesn't work well with podman on Fedora
unless it's run with `--privileged` option.

Fix aquaproj#20289
tadayosi added a commit to tadayosi/aqua-registry that referenced this issue Mar 1, 2024
The `aqua-registry` image doesn't work well with podman on Fedora
unless it's run with `--privileged` option.

Fix aquaproj#20289
@suzuki-shunsuke
Member

@tadayosi Thank you for looking into this issue!

📝

podman run --help

      --privileged                               Give extended privileges to container

https://docs.podman.io/en/latest/markdown/podman-run.1.html#privileged

Give extended privileges to this container. The default is false.

By default, Podman containers are unprivileged (=false) and cannot, for example, modify parts of the operating system. This is because by default a container is only allowed limited access to devices. A “privileged” container is given the same access to devices as the user launching the container, with the exception of virtual consoles (/dev/tty\d+) when running in systemd mode (--systemd=always).

A privileged container turns off the security features that isolate the container from the host. Dropped Capabilities, limited devices, read-only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled. Due to the disabled security features, the privileged field should almost never be set as containers can easily break out of confinement.

Containers running in a user namespace (e.g., rootless containers) cannot have more privileges than the user that launched them.

According to your error message, /workspace/registry.yaml wasn't found. #20289 (comment)

But this file should be copied by docker cp command.

docker cp "pkgs/$pkg/registry.yaml" "$container_name:/workspace/registry.yaml"

Did the command cmdx s output any error or warning before the above error?

The --privileged option may resolve the issue, but I'd like to understand the cause correctly.

I can't reproduce the issue even if privileged is false on M3 Pro.

$ podman inspect aqua-registry | grep rivilege
               "Privileged": false,

@tadayosi
Contributor

tadayosi commented Mar 2, 2024

@suzuki-shunsuke

I can't reproduce the issue even if privileged is false on M3 Pro.

Because it's a SELinux/Apparmor issue. I'm not sure how the podman machine (CoreOS) on Mac works in terms of SELinux but I guess it's disabled or permissive already? This article is a good source for learning how podman with the privileged option is supposed to work [1].

[1] https://www.redhat.com/sysadmin/container-permission-denied-errors

When I run cmdx s without that --privileged, indeed the aqua-registry container is created and running. And as you said those files are copied under /workspace.

podman exec aqua-registry ls -l /workspace
total 16
-rwxr-xr-x. 1 root root 3469 Mar  1 11:56 aqua-installer
-rw-r--r--. 1 root root  242 Mar  2 06:36 aqua-policy.yaml
-rw-r--r--. 1 root root  229 Feb 29 10:00 aqua.yaml
-rw-r--r--. 1 root root   43 Mar  2 06:40 pkg.yaml

The issue is not that those files are not copied but aqua fails to read them without --privileged. Actually, when I run cmdx s after sudo setenforce 0 (disabling SELinux) it also works even without --privileged. So I think it's a SELinux issue and SELinux just prohibits accessing those files by default (probably because it's root owned?).

Containers running in a user namespace (e.g., rootless containers) cannot have more privileges than the user that launched them.

So even with privileged it shouldn't get more privileges than the host user, so it would still be safer than Docker, which runs with sudo.
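
A defender-side check to go with the discussion above of what `--privileged` turns off (an added example, not part of this thread or of aqua-registry): it parses the JSON printed by `podman inspect`, flags containers started with `--privileged`, and reports the narrower per-mechanism `--security-opt` settings. The container names and field values in the embedded sample are constructed; `HostConfig.Privileged` is the field the thread greps for, and `SecurityOpt` and `CapAdd` are assumed to be the Docker-compatible HostConfig fields podman also emits.

```python
"""Audit `podman inspect` output for containers that weaken isolation.

Constructed example for this thread; it does not run podman itself.
Feed it the JSON from `podman inspect <container...>`.
"""
import json
from typing import Dict, List

# Mechanisms the podman docs quoted in the thread say --privileged turns off.
DISABLED_BY_PRIVILEGED = (
    "dropped capabilities",
    "device limits",
    "read-only mount points",
    "AppArmor/SELinux separation",
    "seccomp filters",
)


def audit_container(entry: dict) -> Dict[str, object]:
    """Return the name, privileged flag and a list of findings for one entry."""
    host = entry.get("HostConfig") or {}
    name = str(entry.get("Name", "?")).lstrip("/")  # docker prefixes "/", podman does not
    privileged = bool(host.get("Privileged"))
    findings: List[str] = []
    if privileged:
        findings.append("privileged: disables " + ", ".join(DISABLED_BY_PRIVILEGED))
    for opt in host.get("SecurityOpt") or []:
        # label=disable only switches off SELinux/AppArmor label separation,
        # which is narrower than --privileged when that is the actual blocker.
        if opt == "label=disable":
            findings.append("label=disable: SELinux/AppArmor separation off (narrower than --privileged)")
        elif opt == "seccomp=unconfined":
            findings.append("seccomp=unconfined: syscall filter off")
    for cap in host.get("CapAdd") or []:
        if str(cap).upper() in ("SYS_ADMIN", "ALL", "CAP_SYS_ADMIN"):
            findings.append(f"CapAdd {cap}: near-root capability")
    return {"name": name, "privileged": privileged, "findings": findings}


def audit_inspect_output(text: str) -> List[Dict[str, object]]:
    """Parse the JSON array that `podman inspect` prints and audit each entry."""
    data = json.loads(text)
    if isinstance(data, dict):  # tolerate a single object instead of an array
        data = [data]
    return [audit_container(e) for e in data]


# Constructed sample resembling `podman inspect aqua-registry aqua-registry-windows`:
# the first container was started with --privileged (the fix in this thread),
# the second with only SELinux label separation disabled.
SAMPLE_INSPECT = json.dumps([
    {"Name": "aqua-registry",
     "HostConfig": {"Privileged": True, "SecurityOpt": [], "CapAdd": []}},
    {"Name": "aqua-registry-windows",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["label=disable"], "CapAdd": []}},
])

if __name__ == "__main__":
    for result in audit_inspect_output(SAMPLE_INSPECT):
        status = "WEAKENED" if result["findings"] else "ok"
        print(f"{result['name']}: {status}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against real output with `podman inspect aqua-registry | python3 audit.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`.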

@suzuki-shunsuke
Member

Oh, I see.
Thank you for your kind explanation.

So even with privileged it shouldn't get more privileges than the host user, so it would still be safer than Docker, which runs with sudo.

Looks good.

suzuki-shunsuke pushed a commit that referenced this issue Mar 2, 2024
The `aqua-registry` image doesn't work well with podman on Fedora
unless it's run with `--privileged` option.

Fix #20289