yum fails to run in a container built/launched with rootless buildah/podman #1657
Comments
Thanks for the issue report @junwang123

We really need to repeat this on a little more up-to-date versions of podman and buildah. Decent chance that these could be fixed in the latest releases.

In a privileged container launched by docker (running on macOS), reading from

This was fixed in even newer versions of buildah, I believe.

@rhatdan
With
The attempt to upgrade

Awesome. We should be getting these newer versions in, in the next release.

@rhatdan,

@rhatdan, Using the The original

an unprivileged user (rootless) does not have enough privileges for using

Correct, if you have to create device nodes, then you have to run as root.

Thanks Giuseppe and Daniel. In addition, in a container launched with a rootless run, i.e. with

no, there is no way to get Bind mounting a device from the host should work fine:
it will show up in the container owned by the

@giuseppe is somewhat correct on --privileged. But I would like to clarify it a little. --privileged in a rootless container means, do not further restrict the container from a security point of view, than the program launching podman. From a Linux Capability point of view, it says do not modify the current NAMESPACED capabilities. Since most likely the user process that is launching the container does not have any REAL capabilities. A Even though you might have a Namespaced capability of MKNOD, it does not mean it allows you to create Device nodes, since the process would also need a REAL Capability of MKNOD.

@giuseppe, Bind mounting the @rhatdan, I see, so the effects of those options are subject to capability inheritance limits from the container launcher user process. Thanks for the explanation.
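Added example, not code from the thread: a POSIX shell helper that decodes the CapEff mask a process reports in /proc/<pid>/status and checks for CAP_MKNOD, plus an optional podman probe that shows the namespaced MKNOD bit present while mknod is still refused in a rootless --privileged container. The container image name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the issue thread. Assumes a POSIX shell; the
# container image used by probe_mknod is a placeholder.

CAP_MKNOD=27   # capability bit number, from <linux/capability.h>

# cap_has MASK_HEX BIT: print 1 if BIT is set in the hex capability mask
# (the format of CapEff in /proc/<pid>/status), else 0. Works nibble by
# nibble so 64-bit masks never overflow the shell's arithmetic.
cap_has() {
    mask=$(printf '%s' "$1" | sed 's/^0x//')
    bit=$2
    pos=$(( ${#mask} - bit / 4 ))      # 1-based column of the nibble holding BIT
    if [ "$pos" -lt 1 ]; then echo 0; return; fi
    nibble=$(printf '%s' "$mask" | cut -c"$pos")
    echo $(( ( 0x$nibble >> (bit % 4) ) & 1 ))
}

# caps_from_status: read a /proc/<pid>/status dump on stdin, print CapEff
caps_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# mknod_visible_in_status: 1 if the status dump on stdin shows CAP_MKNOD in CapEff
mknod_visible_in_status() {
    cap_has "$(caps_from_status)" "$CAP_MKNOD"
}

# probe_mknod: run a rootless --privileged container and compare what CapEff
# claims with what mknod actually does. Per the thread, CapEff shows the
# namespaced MKNOD bit set, yet mknod of a char device is still refused because
# the launching user has no real CAP_MKNOD. Skipped when podman is absent.
probe_mknod() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed, skipping probe"; return 0; }
    podman run --rm --privileged "${IMAGE:-docker.io/library/alpine}" sh -c '
        grep CapEff /proc/self/status
        if mknod /tmp/probe-null c 1 3 2>/dev/null; then echo "mknod succeeded"
        else echo "mknod refused (namespaced capability only)"; fi'
}
```

Call `probe_mknod` from a rootless shell to see the two views side by side; `cap_has` alone works on any saved status dump.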
Description

The build of CentOS 7 container base image using this approach works with docker, but not with rootless buildah/podman due to a `yum` failure in `chroot.sh`. For the detailed log, refer to centos7-buildah-podman.log on issue #362 of base-images-docker repo.

Steps to reproduce the issue:

On a system running CentOS 7.6.1810, and with buildah/podman and vbatts's shadow-utils-newxidmap installed,

Describe the results you received:

In running `yum -y -q --releasever=7 install yum centos-release` in `chroot /target ./chroot.sh` in `build.sh`,

Describe the results you expected:

yum install succeeds and `chroot.sh` proceeds to build a base container image.

Output of `rpm -q buildah` or `apt list buildah`:

Output of `buildah version`:

Output of `podman version` if reporting a `podman build` issue:

Output of `cat /etc/*release`:

Output of `uname -a`:

Output of `cat /etc/containers/storage.conf`: