Issues with podman #20289
Thank you for your report.

The log looks weird. aqua-policy.yaml wasn't found and symbolic links of aqua-registry weren't created. Can you run e.g.

```console
$ cmdx con
+ bash scripts/connect.sh
[INFO] Connecting to the container aqua-registry (linux/arm64)
root@f58ef8e7af78:/workspace# cd /aqua-registry/
root@f58ef8e7af78:/aqua-registry# ls
CONTRIBUTING.md README.md aqua-all.yaml aqua-policy.yaml aqua.yaml docker registry.yaml scripts
LICENSE aqua aqua-checksums.json aqua-registry-updater.yaml cmdx.yaml pkgs renovate.json5
root@f58ef8e7af78:/aqua-registry# cat aqua-policy.yaml
---
# aqua Policy
# https://aquaproj.github.io/docs/guides/policy-as-code
registries:
- type: standard
  ref: semver(">= 3.0.0")
- type: local
  name: local
  path: registry.yaml
packages:
- registry: standard
- registry: local
root@f58ef8e7af78:/aqua-registry# cat aqua.yaml
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
checksum:
  enabled: true
registries:
- name: standard
  type: local
  path: registry.yaml
packages:
- name: aquaproj/registry-tool@v0.2.3
- name: rhysd/actionlint@v1.6.26
- name: suzuki-shunsuke/cmdx@v1.7.4
- name: jqlang/jq@jq-1.7.1
- name: cli/cli@v2.44.1
```

I couldn't reproduce the issue on my laptop.

```console
$ aqua info
{
  "version": "2.23.1",
  "commit_hash": "65fb59915fced5e16413e59cd17b3f0a1b42b972",
  "os": "darwin",
  "arch": "arm64",
  "pwd": "/Users/(USER)/repos/src/github.com/aquaproj/aqua-registry",
  "root_dir": "/Users/(USER)/.local/share/aquaproj-aqua",
  "env": {
    "AQUA_GLOBAL_CONFIG": "/Users/(USER)/repos/src/github.com/suzuki-shunsuke/dotfiles/aqua.yaml:/Users/(USER)/repos/src/github.com/aquaproj/aqua-registry/aqua-all.yaml",
    "AQUA_PROGRESS_BAR": "true"
  },
  "config_files": [
    {
      "path": "/Users/(USER)/repos/src/github.com/aquaproj/aqua-registry/aqua.yaml"
    }
  ]
}
```

I installed Podman Desktop on M3 Mac Pro.

```console
$ podman version
Client: Podman Engine
Version: 4.9.2
API Version: 4.9.2
Go Version: go1.21.6
Git Commit: f9a48ebcfa9a39144be0f86f4ba842752835f945
Built: Sat Feb 3 08:31:39 2024
OS/Arch: darwin/arm64
Server: Podman Engine
Version: 4.9.0
API Version: 4.9.0
Go Version: go1.21.6
Built: Wed Jan 24 19:07:09 2024
OS/Arch: linux/arm64
```

Created a symbolic link.

```console
$ ln -s /opt/podman/bin/podman ~/bin/docker
$ docker version
Client: Podman Engine
Version: 4.9.2
API Version: 4.9.2
Go Version: go1.21.6
Git Commit: f9a48ebcfa9a39144be0f86f4ba842752835f945
Built: Sat Feb 3 08:31:39 2024
OS/Arch: darwin/arm64
Server: Podman Engine
Version: 4.9.0
API Version: 4.9.0
Go Version: go1.21.6
Built: Wed Jan 24 19:07:09 2024
OS/Arch: linux/arm64
```

Ran `$ cmdx s iamhsa/pkenv`

```console
$ cmdx s iamhsa/pkenv
+ set -eu
if [ "false" = true ]; then
cmdx rm
fi
bash scripts/start.sh
bash scripts/scaffold.sh "iamhsa/pkenv" "" ""
bash scripts/test.sh "iamhsa/pkenv"
bash scripts/start.sh aqua-registry-windows
bash scripts/test-windows.sh "iamhsa/pkenv"
/Users/shunsukesuzuki/bin/docker
Error: no such object: "aquaproj/aqua-registry"
[INFO] Building the docker image aquaproj/aqua-registry
STEP 1/15: FROM golang:1.22.0-bookworm
Resolving "golang" using unqualified-search registries (/etc/containers/registries.conf.d/999-podman-machine.conf)
Trying to pull docker.io/library/golang:1.22.0-bookworm...
Getting image source signatures
Copying blob sha256:056502cbc32b718fd7404acbc281be34cf53ab4f8088a500577ad81b17155f87
Copying blob sha256:d3436c315a5dcd9b17acc96236fdf378dcf2deb72fe9dafb42d894a3c362ac75
Copying blob sha256:c2964e85ea54bbef26d274e85fa0a3fde68f074e0774d0729e6ebe341e24eee1
Copying blob sha256:a23d83702b673f096f3ad08d6fd0e17210ca2820cc17e8200245f59d0673551f
Copying blob sha256:b64f8be2f5605845877a9fa07d02f4e446d47bf5eacd419b6f8c50dcfa51cf85
Copying blob sha256:603ae72c83b17aae41ce6857f0063bfd35b5f00dc5d7e1ad47fa18debb28b2c7
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying config sha256:9cbeef2f2690917b347a6bc06aef96b4480907e55a2f079a207066c305cf92a0
Writing manifest to image destination
STEP 2/15: WORKDIR /workspace
--> 0f2a5f7ec27e
STEP 3/15: ENV AQUA_ROOT_DIR=/root/aquaproj-aqua
--> 19c400a303a2
STEP 4/15: ENV AQUA_LOG_COLOR=always
--> 50483a03d45f
STEP 5/15: ENV AQUA_POLICY_CONFIG=/workspace/aqua-policy.yaml
--> 5b9b235064b5
STEP 6/15: ENV PATH=$AQUA_ROOT_DIR/bin:/root/.cargo/bin:$PATH
--> 9c26f007a787
STEP 7/15: SHELL ["/bin/bash", "-o", "pipefail", "-c"]
time="2024-02-24T09:41:46+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 03fe821761a2
STEP 8/15: RUN apt-get update && apt-get install --no-install-recommends -y tree && apt-get clean && rm -rf /var/lib/apt/lists/*
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main arm64 Packages [8685 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [12.5 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [140 kB]
Fetched 9092 kB in 1s (8283 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
tree
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 50.9 kB of archives.
After this operation, 169 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main arm64 tree arm64 2.1.0-1 [50.9 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 50.9 kB in 0s (1389 kB/s)
Selecting previously unselected package tree.
(Reading database ... 15633 files and directories currently installed.)
Preparing to unpack .../tree_2.1.0-1_arm64.deb ...
Unpacking tree (2.1.0-1) ...
Setting up tree (2.1.0-1) ...
time="2024-02-24T09:41:48+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 6e217351ec96
STEP 9/15: RUN curl -sSfL -O https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.0/aqua-installer
time="2024-02-24T09:41:49+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 0a6ff65f22d2
STEP 10/15: RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
info: downloading installer
info: profile set to 'minimal'
info: default host triple is aarch64-unknown-linux-gnu
info: syncing channel updates for 'stable-aarch64-unknown-linux-gnu'
info: latest update on 2024-02-08, rust version 1.76.0 (07dca489a 2024-02-04)
info: downloading component 'cargo'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: installing component 'cargo'
info: installing component 'rust-std'
info: installing component 'rustc'
info: default toolchain set to 'stable-aarch64-unknown-linux-gnu'
stable-aarch64-unknown-linux-gnu installed - rustc 1.76.0 (07dca489a 2024-02-04)
Rust is installed now. Great!
To get started you may need to restart your current shell.
This would reload your PATH environment variable to include
Cargo's bin directory ($HOME/.cargo/bin).
To configure your current shell, run:
source "$HOME/.cargo/env"
time="2024-02-24T09:42:01+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> a0cfadf62f92
STEP 11/15: RUN echo "1577b99b74751a5ddeea757198cee3b600fce3ef18990540e4d0e667edcf1b5f aqua-installer" | sha256sum -c
aqua-installer: OK
time="2024-02-24T09:42:06+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> cc44d27e9b21
STEP 12/15: RUN chmod +x aqua-installer
time="2024-02-24T09:42:06+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> 2b398c91c9bb
STEP 13/15: RUN ./aqua-installer -v v2.23.1
[INFO] Installing aqua v2.22.0 for bootstrapping...
[INFO] Downloading https://github.com/aquaproj/aqua/releases/download/v2.22.0/aqua_linux_arm64.tar.gz ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 6082k 100 6082k 0 0 7146k 0 --:--:-- --:--:-- --:--:-- 7146k
[INFO] Verifying checksum of aqua v2.22.0 ...
aqua_linux_arm64.tar.gz: OK
[INFO] /tmp/tmp.lp2KzgAdcL/aqua update-aqua v2.23.1
INFO[0000] download and unarchive the package aqua_version=2.22.0 env=linux/arm64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua registry=
INFO[0000] verify a package with slsa-verifier aqua_version=2.22.0 env=linux/arm64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua registry=
INFO[0000] download and unarchive the package aqua_version=2.22.0 env=linux/arm64 new_version=v2.23.1 package_name=slsa-framework/slsa-verifier package_version=v2.4.1 program=aqua registry=
Verified signature against tlog entry index 68699067 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a769569930edd1e1cf2ea9486eb1da26a46df11bbb030527a972db52d4c34fc7d
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 65fb59915fced5e16413e59cd17b3f0a1b42b972
Verifying artifact /tmp/790688413: PASSED
PASSED: Verified SLSA provenance
INFO[0006] create a symbolic link aqua_version=2.22.0 command=aqua env=linux/arm64 new_version=v2.23.1 package_name=aquaproj/aqua package_version=v2.23.1 program=aqua
[INFO] aqua is installed into /root/aquaproj-aqua/bin/aqua
[INFO] Please add the path to the environment variable "PATH"
[INFO] export PATH=${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH
===============================================================
===============================================================
aqua version 2.23.1 (65fb59915fced5e16413e59cd17b3f0a1b42b972)
time="2024-02-24T09:42:14+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> f89a5b19ebf0
STEP 14/15: COPY aqua-test.yaml aqua.yaml
time="2024-02-24T09:42:14+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> f261b3bf91c3
STEP 15/15: COPY aqua-policy.yaml aqua-policy.yaml
COMMIT aquaproj/aqua-registry
time="2024-02-24T09:42:14+09:00" level=warning msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"
--> e8253aca81c1
Successfully tagged localhost/aquaproj/aqua-registry:latest
e8253aca81c113b209fcb496493d5059fd73c377088d5c9851643f8ff9ae7275
[INFO] Checking if the container aqua-registry exists
[INFO] Creaing a container aqua-registry
[INFO] Get a GitHub Access token by gh auth token
a6ce9fb64d892c63d9c7c1991387f94471a9613cb292f5e9c801852574dd1480
+ pkg=iamhsa/pkenv
+ cmd=
+ limit=
+ '[' -d pkgs/iamhsa/pkenv ']'
+ rm -R pkgs/iamhsa/pkenv
+ docker exec -ti -w /aqua-registry aqua-registry aqua policy allow
+ docker exec -ti -w /aqua-registry aqua-registry aqua i -l
INFO[0000] download and unarchive the package aqua_version=2.23.1 env=linux/arm64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0001] create a symbolic link aqua_version=2.23.1 command=aqua-proxy env=linux/arm64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0001] create a symbolic link aqua_version=2.23.1 command=aqua-registry env=linux/arm64 program=aqua
INFO[0001] create a symbolic link aqua_version=2.23.1 command=actionlint env=linux/arm64 program=aqua
INFO[0001] create a symbolic link aqua_version=2.23.1 command=cmdx env=linux/arm64 program=aqua
INFO[0001] create a symbolic link aqua_version=2.23.1 command=jq env=linux/arm64 program=aqua
INFO[0001] create a symbolic link aqua_version=2.23.1 command=gh env=linux/arm64 program=aqua
+ opts=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ docker exec -ti -w /aqua-registry aqua-registry aqua-registry scaffold iamhsa/pkenv
INFO[0000] download and unarchive the package aqua_version=2.23.1 env=linux/arm64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard
INFO[0000] verify a package with slsa-verifier aqua_version=2.23.1 env=linux/arm64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard
Verified signature against tlog entry index 49719525 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a1362688809ea23832eb8f7476aa422bec34de617b2cb0e35f6f31abaabb8c89f
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 0ae103452e9e2197d918600a3b2c90cb49390859
Verifying artifact /tmp/884624902: PASSED
PASSED: Verified SLSA provenance
+ aqua gr --out-testdata pkgs/iamhsa/pkenv/pkg.yaml iamhsa/pkenv > pkgs/iamhsa/pkenv/registry.yaml
Update registry.yaml
INFO[0000] download and unarchive the package aqua_version=2.23.1 env=linux/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0000] download and unarchive the package aqua_version=2.23.1 env=darwin/amd64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
INFO[0000] download and unarchive the package aqua_version=2.23.1 env=darwin/arm64 package_name=aqua-proxy package_version=v1.2.5 program=aqua registry=
/Users/shunsukesuzuki/bin/docker
[INFO] Checking if the container aqua-registry-windows exists
[INFO] Creaing a container aqua-registry-windows
[INFO] Get a GitHub Access token by gh auth token
76e09562685271c21a7b0f511724d169bd59d054b8283f681e9af0608ab078da
```

I guess the issue might be related to the way podman names an image without hostname (like

```console
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/aquaproj/aqua-registry latest 55d991505793 41 minutes ago 1.45 GB
```

So probably

So, for me:

```console
$ cmdx con
+ bash scripts/connect.sh
[INFO] Connecting to the container aqua-registry (linux/amd64)
ERRO[0000] install the registry aqua_version=2.23.1 env=linux/amd64 error="local registry isn't found" local_registry_file_path=/workspace/registry.yaml program=aqua registry_name=standard
FATA[0000] aqua failed aqua_version=2.23.1 env=linux/amd64 error="it failed to install some registries" program=aqua
exit status 1
```

I use Fedora 39 and Podman 4.9.3.

The `aqua-registry` image doesn't work well with podman unless it's run with `--privileged` option. Fix aquaproj#20289
Turned out it's not because the name is
The `aqua-registry` image doesn't work well with podman on Fedora unless it's run with `--privileged` option. Fix aquaproj#20289
@tadayosi Thank you for looking into this issue! 📝
https://docs.podman.io/en/latest/markdown/podman-run.1.html#privileged
According to your error message, But this file should be copied by Line 9 in 096332d
Did the command
I can't reproduce the issue even if

```console
$ podman inspect aqua-registry | grep rivilege
"Privileged": false,
```

Because it's a SELinux/AppArmor issue. I'm not sure how the podman machine (CoreOS) on Mac works in terms of SELinux but I guess it's disabled or permissive already? This article is a good source for learning how podman with the privileged option is supposed to work [1].

[1] https://www.redhat.com/sysadmin/container-permission-denied-errors

When I run
The issue is not that those files are not copied but aqua fails to read them without
So even with privileged it shouldn't get more privileges than the host user so it would be still safer than Docker which runs with sudo.

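The comment above attributes the failure to SELinux. As an added example (not code from the thread or from the aqua-registry scripts), this script prints a `podman run` line that changes only the labelling, with `:z` on the volume or `--security-opt label=disable`, both of which leave the rest of the container confinement that `--privileged` turns off. The function names and the assumption that the unreadable files sit on a bind mount at `/workspace` are mine; the image name and `/workspace` come from the thread.

```sh
# Added example, not from the thread or the aqua-registry scripts.
# /workspace and aquaproj/aqua-registry appear in the thread; the function
# names and the bind-mounted checkout are assumptions.

# selinux_mode [FILE]: print enforcing, permissive, disabled or unknown.
# FILE defaults to the selinuxfs node; a constructed file can stand in for it.
selinux_mode() {
  f="${1:-/sys/fs/selinux/enforce}"
  if [ ! -r "$f" ]; then echo disabled; return 0; fi
  case "$(cat "$f")" in
    1) echo enforcing ;;
    0) echo permissive ;;
    *) echo unknown ;;
  esac
}

# volume_arg MODE SRC DST: print the value for podman's -v flag.
# ":z" makes podman relabel SRC with a shared container label so a confined
# container may read it; other modes need no relabel.
volume_arg() {
  case "$1" in
    enforcing) echo "$2:$3:z" ;;
    *) echo "$2:$3" ;;
  esac
}

# safe_to_relabel SRC: relabelling a home or system directory would change
# labels that other confined services rely on, so refuse those paths.
safe_to_relabel() {
  case "$1" in
    /|/home|/etc|/usr|/var|"$HOME") return 1 ;;
    *) return 0 ;;
  esac
}

# run_command MODE SRC: print (never execute) the podman command line.
run_command() {
  if [ "$1" = enforcing ] && ! safe_to_relabel "$2"; then
    # Turn off label separation for this one container instead of relabelling.
    echo "podman run --security-opt label=disable -v $2:/workspace aquaproj/aqua-registry"
    return 0
  fi
  echo "podman run -v $(volume_arg "$1" "$2" /workspace) aquaproj/aqua-registry"
}

run_command "$(selinux_mode)" "$PWD"
```
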
Oh, I see.
Looks good.
The `aqua-registry` image doesn't work well with podman on Fedora unless it's run with `--privileged` option. Fix #20289
aqua info
Overview
Trying to add a new package to aqua-registry with podman on Fedora 39:
How to reproduce
Executed command and output
Debug output
Output isn't different with `AQUA_LOG_LEVEL=debug` set.
Expected behaviour
The new package is created in the aqua-registry
Actual behaviour
Note
No response