Cannot copy Dockerfile #681

Closed
abergmeier opened this issue May 28, 2019 · 11 comments
Labels
area/filesystems: For all bugs related to kaniko container filesystems (mounting issues etc)
kind/question: Further information is requested
priority/p3: agreed that this would be good to have, but no one is available at the moment.
wontfix: This will not be worked on

Comments

@abergmeier
Contributor

Actual behavior
When trying to start Kaniko the error message is:

Error: error resolving dockerfile path: copying dockerfile: open /kaniko/Dockerfile: permission denied

Expected behavior
It should just build container fine.

To Reproduce
Steps to reproduce the behavior:

  1. Part of my Kubernetes yaml:
- name: build-dump
  image: gcr.io/kaniko-project/executor:latest
  args: ["--dockerfile=my/magic/dump/Dockerfile",
         "--context=/cache/workspace",
         "--destination=registry.openshift-internal.mycompany.com/magic/dump",
         "--reproducible",
         "--cache=true",
  ]
  volumeMounts:
  - name: cache-volume
    mountPath: /cache
@alextrs

alextrs commented Jun 20, 2019

Have the same problem with OpenShift (running under random user id)

Use image: gcr.io/kaniko-project/executor:debug, connected to bash and manually tried to kick build using

/kaniko/executor --dockerfile Dockerfile --context /docker --no-push -v debug

and got back
DEBU[0000] Copying file /docker/Dockerfile to /kaniko/Dockerfile
Error: error resolving dockerfile path: copying dockerfile: open /kaniko/Dockerfile: permission denied

Folder permissions (docker is mounted volume)

drwxrwsrwx    2 0        10588200        24 Jun 20 02:31 docker
drwxr-xr-x    2 0        0               66 Jun 19 19:03 etc
drwxr-xr-x    1 0        0               21 Jun 19 18:01 kaniko
dr-xr-xr-x  260 0        0                0 Jun 19 19:03 proc
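
Why the copy into /kaniko fails for a non-root UID, worked through on the listing quoted above. This is an added example, not part of the original thread or kaniko's code; the UID 1000650000 and the GID lists passed in are hypothetical values.

```shell
#!/bin/sh
# Constructed input: the `ls -ln` listing quoted in the thread.
LISTING='drwxrwsrwx    2 0        10588200        24 Jun 20 02:31 docker
drwxr-xr-x    2 0        0               66 Jun 19 19:03 etc
drwxr-xr-x    1 0        0               21 Jun 19 18:01 kaniko
dr-xr-xr-x  260 0        0                0 Jun 19 19:03 proc'

# can_create UID "GID ..." NAME -> prints yes, no or unknown.
# Creating a file in a directory needs the write and search (x) bits of
# exactly one class: owner if the UID matches, else group if any GID
# matches, else other. UID 0 is treated as bypassing the mode bits,
# which assumes the default capability set (CAP_DAC_OVERRIDE).
can_create() {
  cc_uid=$1 cc_gids=$2 cc_name=$3
  while read -r mode _links owner group _size _mon _day _time name; do
    [ "$name" = "$cc_name" ] || continue
    if [ "$cc_uid" -eq 0 ]; then echo yes; return 0; fi
    cols=9-10                          # "other" w and x columns
    if [ "$cc_uid" = "$owner" ]; then
      cols=3-4                         # owner w and x columns
    else
      for g in $cc_gids; do
        if [ "$g" = "$group" ]; then cols=6-7; fi   # group w and x columns
      done
    fi
    case $(printf '%s' "$mode" | cut -c"$cols") in
      wx|ws|wt) echo yes ;;            # s and t mean x is set as well
      *)        echo no ;;
    esac
    return 0
  done <<EOF
$LISTING
EOF
  echo unknown
}

# Hypothetical identities: 1000650000 stands in for the arbitrary UID
# the cluster assigns; GID 0 is an assumption about the pod's group.
can_create 1000650000 "0" kaniko    # no: owner is 0, group 0 has r-x only
can_create 1000650000 "0" docker    # yes: the "other" class has w and x
can_create 0 "0" kaniko             # yes: root, as with runAsUser: 0
```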

@donmccasland added the area/filesystems and priority/p3 labels Sep 24, 2019
@rayanebel

rayanebel commented Oct 21, 2019

Hello,

Did anyone find a workaround or something else to make it work with OpenShift? Or do we have any update on this issue? Because I don't want to enable anyuid on our cluster.

Thanks.

@faust64

faust64 commented Nov 9, 2019

Looking at tekton catalog, they would show you how to build your images using a buildah container, which seems to work just fine on OpenShift.

See: https://github.com/tektoncd/catalog/blob/master/buildah/buildah.yaml

@faust64

faust64 commented Nov 13, 2019

Sidenote, as I'm struggling with weird Buildah errors (e.g. can't change date on files and other permission denied errors that would occur after installing packages, broken pipes, I/O errors, ...): you do not need to add your ServiceAccount to any SCC when using Kaniko.

I can't explain how this is possible, though I can confirm that, creating a SA dedicated to image builds, and granting it with the system:image-builder role (pushing images/OpenShift context), I can build my images.

oc create sa tkn
oc adm policy add-role-to-user system:image-builder -z tkn

Task:

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: kaniko-build
spec:
  inputs:
    params:
    - name: fromimage
      description: Forces FROM in Dockerfile.
      default: ""
      type: string
    - name: dockerfile
      description: Path to the Dockerfile to build.
      default: ./Dockerfile
    - name: CONTEXT
      description: The build context used by Kaniko.
      default: ./
    - name: EXTRA_ARGS
      default: ""
    resources:
    - name: source
      type: git
  outputs:
    resources:
    - name: image
      type: image
  steps:
  - name: patch-from
    image: quay.io/buildah/stable
    workingDir: /workspace/source
    command:
    - /bin/bash
    - -c
    - if test "$(inputs.params.fromimage)"; then sed -i "s|^[ ]*FROM[ ]*[^ ]*$|FROM $(inputs.params.fromimage)|" "$(inputs.params.dockerfile)"; fi
  - name: build-and-push
    workingDir: /workspace/source
    image: gcr.io/kaniko-project/executor:v0.13.0
    env:
    - name: DOCKER_CONFIG
      value: /builder/home/.docker
    command:
    - /kaniko/executor
    - $(inputs.params.EXTRA_ARGS)
    - --skip-tls-verify-pull
    - --skip-tls-verify
    - --dockerfile=$(inputs.params.dockerfile)
    - --context=/workspace/source/$(inputs.params.CONTEXT)
    - --destination=$(outputs.resources.image.url)
    resources:
      limits:
        cpu: 500m
        memory: 4Gi
      requests:
        cpu: 100m
        memory: 2Gi
    securityContext:
      runAsUser: 0

Pipeline:

apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: kaniko-build
spec:
  params:
  - default: ""
    description: Forces FROM in Dockerfile.
    name: fromimage
    type: string
  resources:
  - name: app-git
    type: git
  - name: app-image
    type: image
  tasks:
  - name: build
    params:
    - name: fromimage
      value: "$(params.fromimage)"
    resources:
      inputs:
      - name: source
        resource: app-git
      outputs:
      - name: image
        resource: app-image
    taskRef:
      name: kaniko-build

Pipelinerun:

apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
  name: build-java-kaniko
spec:
  pipelineRef:
    name: kaniko-build
  resources:
  - name: app-git
    resourceRef:
      name: java-git
  - name: app-image
    resourceRef:
      name: java-img
  serviceAccount: tkn

@wtam2018

wtam2018 commented Jan 5, 2020

Running as root seems to fix it.
securityContext:
  runAsUser: 0

@cvgw
Contributor

cvgw commented Jan 10, 2020

Running as root seems to fix it.
securityContext:
  runAsUser: 0

AFAIK kaniko must run as root at this time. It's something we've discussed fixing but I don't think has been addressed yet.

@tejal29 added the kind/question and wontfix labels Jan 10, 2020
@tejal29 tejal29 closed this as completed Jan 10, 2020
@yashcodecollab

Hi, I am still running into the same issue. Is there a resolution for this, @tejal29?

Error: error resolving dockerfile path: copying dockerfile: creating file: open /kaniko/Dockerfile: permission denied

@BobbyNie

BobbyNie commented Jun 6, 2022

Have the same problem with OpenShift (running under random user id)

Use image: gcr.io/kaniko-project/executor:debug, connected to bash and manually tried to kick build using

/kaniko/executor --dockerfile Dockerfile --context /docker --no-push -v debug

and got back
DEBU[0000] Copying file /docker/Dockerfile to /kaniko/Dockerfile
Error: error resolving dockerfile path: copying dockerfile: open /kaniko/Dockerfile: permission denied

Folder permissions (docker is mounted volume)

drwxrwsrwx    2 0        10588200        24 Jun 20 02:31 docker
drwxr-xr-x    2 0        0               66 Jun 19 19:03 etc
drwxr-xr-x    1 0        0               21 Jun 19 18:01 kaniko
dr-xr-xr-x  260 0        0                0 Jun 19 19:03 proc

Make a new image with chmod 777 on /kaniko.
Dockerfile like this:

FROM gcr.io/kaniko-project/executor as kaniko
FROM bash:latest
COPY --from=kaniko / /
RUN chmod -R 777 /kaniko
ENTRYPOINT ["/kaniko/executor"]
WORKDIR /workspace
ENV DOCKER_CREDENTIAL_GCR_CONFIG=/kaniko/.config/gcloud/docker_credential_gcr_config.json
ENV DOCKER_CONFIG=/kaniko/.docker/
ENV SSL_CERT_DIR=/kaniko/ssl/certs
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/kaniko
ENV HOME=/kaniko

@BobbyNie

BobbyNie commented Jun 6, 2022

docker pull bobbynie/kaniko-bash:latest

@BobbyNie

BobbyNie commented Jun 6, 2022

kaniko must run as root at this time. It's something we've discussed fixing but I don't think has been addressed

openshift can't run as root

@mirekphd

kaniko must run as root at this time. It's something we've discussed fixing but I don't think has been addressed

openshift can't run as root

Or rather: by default it can't or it is a malpractice to make it do so.
This includes OKD distros as well, based on latest k8s.
