Building Ubuntu container fails with dpkg errors #6976
Comments
Thanks for reaching out! Can you share the Dockerfile as a reproducer? @rhatdan PTAL |
This looks like selinux is enabled within the container? $ podman run fedora id -Z |
I am having the same error in Fedora 31 while trying to build oss-fuzz images based on Ubuntu. The command above returns that it is
|
The above command returns the same error as @Jakuje. I'll attach a version of the Dockerfile here where I've just removed where our source code is attached; all the apt-get commands are the same (also added .txt file extension because GitHub yelled at me): |
Thanks, @trgeiger! I can reproduce on F32 with Podman v2.0.2 and the Dockerfile:
FROM ruby:2.2.4
ENV PDFTK_VERSION 2.02
RUN sed -i '/jessie-updates/d' /etc/apt/sources.list # Now archived
RUN apt-get update && apt-get -y install build-essential
# System prerequisites
RUN apt-get update && apt-get -y install libpq-dev
# If you require additional OS dependencies, install them here:
# Added libxml2-dev to avoid errors compiling libxml-ruby-3.0.0(libxml/xmlversion.h)
RUN apt-get update && apt-get -y install imagemagick libmysqlclient-dev libxml2-dev
RUN DEBIAN_FRONTEND=noninteractive \
apt-get -y install default-jre-headless && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install zip -y
ENV PORT 3002
EXPOSE 3002
EXPOSE 8982
@rhatdan there must be something going on with SELinux in Podman. Using |
Did you get AVC messages? ausearch -m avc -ts recent |
@rhatdan, you should be able to reproduce on Fedora using the upper Dockerfile. |
I have encountered the same, building an Ubuntu container on a Fedora 31 host.
|
Can also confirm that passing exactly the same Dockerfile and command line options to |
I added the setfscreate access to container-selinux-2.139.0 |
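As an added illustration (not part of the thread and not Podman or container-selinux code): one way to triage the output of `ausearch -m avc -ts recent`, grouping denials by command, source domain, permission and class, and counting the container-domain `setfscreate` denials mentioned in the comment above. The sample records, `dpkg` as the denied command and the `container_t` contexts are constructed assumptions, since the AVCs themselves are not preserved on this page.

```python
import re
import sys
from collections import Counter

# Constructed sample records in the layout printed by `ausearch -m avc`.
# Timestamps, pids, commands, contexts and MCS categories are made up.
SAMPLE = """\
type=AVC msg=audit(1594900000.101:501): avc:  denied  { setfscreate } for  pid=4101 comm="dpkg" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_t:s0:c12,c34 tclass=process permissive=0
type=AVC msg=audit(1594900000.202:502): avc:  denied  { setfscreate } for  pid=4102 comm="dpkg" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_t:s0:c12,c34 tclass=process permissive=0
type=AVC msg=audit(1594900001.303:503): avc:  denied  { read write } for  pid=4200 comm="example" path="/tmp/x" dev="tmpfs" ino=1 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594900001.303:503): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def domain(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def summarize(text):
    """Count denials per (comm, source domain, permission, class)."""
    counts = Counter()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and other non-AVC records
        for perm in m.group("perms").split():
            key = (m.group("comm"), domain(m.group("scontext")), perm, m.group("tclass"))
            counts[key] += 1
    return counts

def container_setfscreate(counts):
    """Number of setfscreate denials whose source is a container domain."""
    return sum(n for (_, dom, perm, tclass), n in counts.items()
               if perm == "setfscreate" and tclass == "process" and dom.startswith("container"))

if __name__ == "__main__":
    # Pipe real records in, or run without a pipe to use the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    counts = summarize(text)
    for (comm, dom, perm, tclass), n in sorted(counts.items()):
        print(f"{n:3d}  {comm:<10} {dom:<14} {perm:<12} {tclass}")
    print("container setfscreate denials:", container_setfscreate(counts))
```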
@rhatdan, so it's a policy issue? Can we close this issue? |
Sure, not sure why this happens in one way and not the other, but the AVC is not a problem to be allowed. |
With current
Even after complete cleanup, I am unable to run the container:
The complete error from podman:
Please, reopen. |
This is fixed in Buildah, and a PR is being prepared to vendor into Podman to fix this everywhere. |
A friendly reminder that this issue had no activity for 30 days. |
Seems like it is finally fixed in my Fedora 32 and I am able to build oss-fuzz containers. Please, confirm. In that case, we can probably close this issue. |
I'm going to go ahead and close, given that the Buildah fix appears to have landed in several releases. |
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Recently my existing container setup has stopped building when using rootless podman. It's a simple Ubuntu container with a Ruby on Rails application.
One of the first steps in the build is STEP 4: RUN apt-get update && apt-get -y install build-essential. This fails with a couple of error lines:
dpkg: error processing archive /var/cache/apt/archives/libtimedate-perl_2.3000-2_all.deb (--unpack): cannot get security labeling handle: No such file or directory
and
I haven't changed any configuration files or changed my Dockerfiles for this build, which used to work without root. It does build successfully when using sudo.
Steps to reproduce the issue:
Build an Ubuntu container with ruby:2.2.4
During the build process, install build-essential
Describe the results you received:
The error messages above, and a failed build.
Describe the results you expected:
Successful build of the image and container.
Additional information you deem important (e.g. issue happens only occasionally):
I reached out on the Kubernetes Slack crio channel and was asked to include the AVCs that came up in my journal:
Output of podman version:
Output of podman info --debug:
Package info (e.g. output of rpm -q podman or apt list podman):
Additional environment details (AWS, VirtualBox, physical, etc.):
Fedora 32