lchown failures on img pull when running on k8s
#40
Comments
We need to wait for opencontainers/runc#1693 or use the ptrace hack. Please refer to the README for further info.
Ah! I assumed that r.j3ss.co/img already had a hacked runc in there to work around the setgroup issue.
I just pushed a new build with it

On Sat, Feb 24, 2018 at 14:21 Joe Beda wrote:
Ah! I assumed that r.j3ss.co/img already had a hacked runc in there to work around the setgroup issue.
--
Jessie Frazelle
Actually not with that one, but with the other one... I'll do them all though later.
@jessfraz
or this tag: https://github.com/AkihiroSuda/runc/tree/demo-rootless.20180116-0
I'm not sure which one you are talking about... but I just tried with your new image and I'm seeing the same behavior. I'm a bit confused still about what patches y'all are talking about and the necessary setup for those to work. But I'll let y'all figure this out. @jessfraz if this is being tracked in a different place feel free to close this issue.
I'm going to make some k8s examples and carry the patches on my flight this afternoon, sorry was doing Saturday things :)
then we can work out all the rough edges, I also hope that then we can help with them testing this upstream (re comment here: moby/moby#32925 (comment)). I know the last time the builder in docker was replaced we had to test a lot to find the weird bashisms that broke and odd bugs in the old builder that were being used as features, etc.
seems closable now?
I'm having a similar issue (Operation not permitted), but only when trying to use a different state directory (need build cache with PVC):

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: img-build
  namespace: amze-2029
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/build: unconfined
        container.seccomp.security.alpha.kubernetes.io/build: unconfined
    spec:
      initContainers:
      - name: git-clone
        image: r.j3ss.co/img:v0.5.7
        command:
        - /bin/sh
        args:
        - -c
        - git clone https://github.com/amazeeio/drupal-example.git
        workingDir: /home/user/src
        volumeMounts:
        - mountPath: /home/user/src
          name: src
      containers:
      - name: build
        image: r.j3ss.co/img:v0.5.7
        command:
        - /bin/sh
        args:
        - -c
        - >
          id &&
          echo "RUN apk add --no-cache tcpdump" >> drupal-example/lagoon/php.dockerfile &&
          img build -s /tmp -t registry.ch-gva-2.exo.appuio.ch/amze-2029/drupal-example:latest -f drupal-example/lagoon/php.dockerfile
          --build-arg CLI_IMAGE=registry.ch-gva-2.exo.appuio.ch/amze-2029/drupal-example:cli drupal-example &&
          img push -s /tmp registry.ch-gva-2.exo.appuio.ch/amze-2029/drupal-example:latest
        securityContext:
          # privileged: true
          #runAsUser: 1000
          #runAsGroup: 0
          procMount: Unmasked
        workingDir: /home/user/src
        volumeMounts:
        - mountPath: /home/user/src
          name: src
        - mountPath: /tmp
          name: cache
        - mountPath: /home/user/.docker/config.json
          subPath: config.json
          name: registries
      restartPolicy: Never
      volumes:
      - name: src
        emptyDir: {}
      - name: cache
        persistentVolumeClaim:
          claimName: img-cache
      - name: registries
        secret:
          secretName: regcred
          items:
          - key: .dockerconfigjson
            path: config.json
  backoffLimit: 0
```

log excerpt:
I started trying different parameters (was using
some issue here.
This may be an issue with my setup so all bets are off...
My setup:
echo 1 > /proc/sys/kernel/unprivileged_userns_clone
run on each node (not sure if it is necessary).
YAML file for workload:
Then:
I haven't had time to debug further.
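The thread keeps circling back to the same question: what does a node and a pod need before rootless img can lchown the files it unpacks on pull? The script below is an added example written for this thread, not code from the img project or from any of the commenters. It checks the one setting the thread names (the unprivileged_userns_clone sysctl that the last comment enabled on each node) and whether a symlink in the state directory can actually be lchown'ed by the build user, which is the call reported as failing. The subuid/subgid ranges, the 65536-id figure, and the setuid newuidmap/newgidmap helpers are the general rootless-container requirements and are assumptions, as is the default state directory path; none of those are stated on this page.

```shell
#!/bin/sh
# img-preflight.sh: checks to run inside the build pod (or on the node) before
# "img build"/"img pull" in rootless mode. Added example for this thread, not
# code from the img project. The subuid/subgid and setuid newuidmap/newgidmap
# checks are the usual rootless-container requirements (assumptions, not facts
# taken from the issue).

# Sum the subordinate id count granted to USER in a /etc/subuid-style file
# (each line is "user:start:count"; a user may appear on several lines).
# Prints the sum; a missing or unreadable file counts as 0.
subid_count() {
    user=$1; file=$2
    [ -r "$file" ] || { echo 0; return 0; }
    awk -F: -v u="$user" '$1 == u { n += $3 } END { printf "%d\n", n + 0 }' "$file"
}

# 0 when USER has at least 65536 subordinate ids, enough to map a whole
# container's uid/gid range (assumption: the usual rootless requirement).
subid_ok() {
    n=$(subid_count "$1" "$2")
    [ "$n" -ge 65536 ]
}

# 0 when the helper at PATH is a regular file with the setuid bit set; rootless
# runc relies on newuidmap/newgidmap to write multi-id mappings.
setuid_helper_ok() {
    [ -f "$1" ] && [ -u "$1" ]
}

# 0 when the Debian/Ubuntu-style sysctl file reads 1 (the value the last comment
# set on each node); 1 when it reads 0; 2 when the file does not exist, i.e.
# the kernel has no such knob and unprivileged user namespaces are on by default.
userns_sysctl_ok() {
    file=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -e "$file" ] || return 2
    [ "$(cat "$file")" = "1" ]
}

# 0 when DIR is a writable directory and a symlink created there can be
# lchown'ed (chown -h) by the current user, the call img reports failing in this
# thread. This exercises the state directory's filesystem (emptyDir, PVC,
# hostPath), not the container image.
lchown_probe() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    link="$dir/.img-preflight-$$"
    ln -s /nonexistent "$link" 2>/dev/null || return 1
    if chown -h "$(id -u):$(id -g)" "$link" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$link"
    return $rc
}

# Print a report for the current user and STATE_DIR (the path given to img -s;
# assumption: ~/.local/share/img is img's default).
run_preflight() {
    state_dir=${1:-$HOME/.local/share/img}
    user=$(id -un)
    for f in /etc/subuid /etc/subgid; do
        n=$(subid_count "$user" "$f")
        if subid_ok "$user" "$f"; then echo "ok   $f: $n ids for $user"
        else echo "FAIL $f: $n ids for $user (need >= 65536)"; fi
    done
    for h in newuidmap newgidmap; do
        p=$(command -v "$h" 2>/dev/null || true)
        if [ -n "$p" ] && setuid_helper_ok "$p"; then echo "ok   $h is setuid at $p"
        else echo "FAIL $h missing or not setuid"; fi
    done
    rc=0; userns_sysctl_ok || rc=$?
    case $rc in
        0) echo "ok   unprivileged_userns_clone=1" ;;
        2) echo "skip no unprivileged_userns_clone sysctl on this kernel" ;;
        *) echo "FAIL unprivileged_userns_clone=0 (set it to 1 on the node)" ;;
    esac
    if lchown_probe "$state_dir"; then echo "ok   lchown works in $state_dir"
    else echo "FAIL cannot create and lchown a symlink in $state_dir"; fi
}

# Report only when invoked as: sh img-preflight.sh run [state-dir]
if [ "${1:-}" = "run" ]; then run_preflight "${2:-}"; fi
```

Run it with `kubectl exec` in the build container, or as an initContainer ahead of the img step, passing the same directory you give to `img -s` (in the Job above that is the PVC mounted at /tmp). If the probe fails there but passes on an emptyDir, the volume rather than img is the thing to look at. Separately, the Job manifest above runs the build container with AppArmor and seccomp unconfined and `procMount: Unmasked`; those remove kernel-side restrictions for every process in that container, so keep the Job in its own namespace with the narrowest registry credentials that will do.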