additionalimagestores Not Working as Expected #1827
Comments
@giuseppe PTAL
Closes: containers#1827 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
opened a PR: #1828
after the commit "overlay: replace rmdir with rename", it is safe to assume it is never deleted. Closes: containers#1827 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Good morning, Do I also need to build buildah with the new storage library?
Podman Info:
does the
part of the fix is to never remove that directory. But if your storage was created without the fix in place, that directory might not be present.
The directory did exist but was seeded with an older Podman version. I rebuilt the image cache using Podman 5.0.0-rc5 and still get the chown error when building an image based on one in the cache.
follow-up for ccb70a7 more information here: containers#1827 (comment) Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
then it looks like we might still get the EPERM, as we attempt the chown. Could you please try if #1858 solves the problem?
Good news! I built 5.0.0-rc5 with the storage library from github.com/giuseppe/storage@create-merged-only-if-it-doesnot-exist (v1.19.2-0.20240311145129-0fbd068b4eee) and I no longer get the chown error building an image based on the cache. I still need to test a bit more but it looks good.
follow-up for ccb70a7 more information here: containers#1827 (comment) Addresses: https://issues.redhat.com/browse/ACCELFIX-244 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Issue Description
I have been able to successfully follow the guide for setting up a read-only image store as described here:
https://www.redhat.com/sysadmin/image-stores-podman
Unfortunately, the store does not seem read-only at all. If the user does not have write permissions to the files on the image store, he is unable to build images using a store image as the FROM base.
We are running rootless Podman on RHEL 8 with all of the latest patches from the RHEL repos.
Steps to reproduce the issue
Pull down images with the --root flag as described here.
chmod the files so that other users can read the files
force_mask='shared' storage.conf setting but this still doesn't seem to affect the file mode on the pulled files (they're still 0700)
At this stage, another rootless user on the system can point additionalimagestores to the image store directory and do simple things like view the images and run a container instance. However, image builds do not work correctly unless the rootless user has full write permissions to the image store.
Describe the results you received
I see permissions errors on container image builds based on the RO image cache.
Describe the results you expected
I expect the additionalimagestores images to be read-only and useful for container image builds.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
The storage.conf configuration is as follows:
Additional information
No response
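The read-access precondition from the reproduction steps (pulled files left at 0700, so other users cannot read them) can be checked before pointing additionalimagestores at a shared directory. The script below is an added example, not code from the issue or from the containers/storage project; the function names are hypothetical and the store path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the issue thread): report entries in a shared image
# store that users other than the owner cannot read. Paths come from the caller.

# Print entries under $1 that "other" users cannot use. Directories need
# r-x (005) to be listed and traversed; regular files need r-- (004).
unreadable_entries() {
    find "$1" \( -type d ! -perm -005 -print \) -o \
              \( -type f ! -perm -004 -print \)
}

# Number of such entries (assumes no newlines in file names).
count_unreadable() {
    unreadable_entries "$1" | wc -l | tr -d ' '
}

# Succeeds only when every directory and file is readable by other users.
store_is_shareable() {
    [ "$(count_unreadable "$1")" -eq 0 ]
}

# Usage: sh audit-store.sh /path/to/store [...]
for store in "$@"; do
    if store_is_shareable "$store"; then
        echo "$store: readable by other users"
    else
        echo "$store: $(count_unreadable "$store") entries not readable by other users:"
        unreadable_entries "$store"
    fi
done
```

A clean result only confirms read access for other users; the chown error discussed in this thread was addressed in the storage library itself.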