FROM/layer-extraction on ltsc2019 fails: link operation for Windows/INF/basicrender.inf
on cross-platform building from Linux
#493
Comments
Also possibly worth noting |
which image is |
|
For reference, we have this PR now in place to unblock CI: googleforgames/agones#3829 |
Tried it myself on a build node I have been using for years, though I have updated docker buildx since:
I did use this version before KubeCon, and I did use |
This looks to be an issue with the image patches released yesterday (May 14th). Workaround is to use April's patch images as done in #493 (comment) |
/cc @akarshm |
Adding link to the slack discussion where we narrowed it down to the patch release https://kubernetes.slack.com/archives/C0SJ4AFB7/p1715733067064539 |
/cc @profnandaa |
# Description

Pin the Windows base images by SHA. A good security practice, but also a fix to the build because the latest servercore:ltsc2019 image is broken.

## Related Issue

microsoft/Windows-Containers#493

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/contributing).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

Signed-off-by: Evan Baker <rbtr@users.noreply.github.com>
UPDATE: we've been investigating this issue, a few things worth noting:
PS. will be nice to re-title the issue to |
… until microsoft/Windows-Containers#493 is fixed Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
Hello, is there any plan / timeline to fix Windows images to be usable on Linux? We as Kubernetes community cannot release our images based on the |
@jsafrane -- a fix is currently going through validation; will update here once it's released. |
hi, @profnandaa, can I gently ask you about a rough ETA for a fix? |
```
ERROR: failed to solve: failed to compute cache key: mount callback failed on /tmp/containerd-mount1917080101: link /tmp/containerd-mount1917080101/Windows/INF/basicrender.inf /tmp/containerd-mount1917080101/Windows/System32/DriverStore/FileRepository/basicrender.inf_amd64_efdc64af60c69a6d/basicrender.inf: no such file or directory
Error: Process completed with exit code 1.
```

According to [1], we need to use ltsc2022 as a tag.

[1] microsoft/Windows-Containers#493

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The updated images released as part of the July 2024 security update today include the fix for this issue. |
Sure, this is now fixed:
Guards have been put in place to prevent similar issues from happening in future. Anyone else can ACK and we can proceed to close the issue. |
I might be doing something wrong, but 41f42aa4ad39d85e4d30642b8111ca6454ca2275f188f012934b9afbaf63a647 does not work for me. Dockerfile.reproduce:
Build output:
Fedora 39, with docker-ce-27.0.3-1.fc39.x86_64. I tried plain |
@jsafrane I got the same error as you when trying to build Windows images with docker build on MacOS. Try using docker buildx instead:
|
Same error as |
I should have looked more closely at your Dockerfile.reproduce: you can't use

Example of a working Windows Dockerfile built on MacOS:

```dockerfile
FROM mcr.microsoft.com/windows/servercore:ltsc2019@sha256:41f42aa4ad39d85e4d30642b8111ca6454ca2275f188f012934b9afbaf63a647
COPY README.md README.md
```
|
Docker did not even reach RUN, it's stuck at unpacking layers from |
sorry about that, reopening to investigate. |
Thanks, @jsafrane. Closing this issue. |
* Bump golangci-lint to v1.54.2

  We upgraded golang lang 1.20 -> 1.21 by commit 9a64023. But according to [2], go1.21 is officially supported since golangci-lint v1.54.1. So, this PR upgrades golangci-lint to v1.54.2.

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* Bump golang version for build to 1.21.11

  According to trivy, golang 1.21.4 has trailing vulnerabilities. We upgrade it to 1.21.11 to fix the vulnerabilities.

  ```
  $ trivy image masap20220915/sonobuoy:amd64-v0.57
  2024-07-01T09:50:21+09:00 INFO Vulnerability scanning is enabled
  2024-07-01T09:50:21+09:00 INFO Secret scanning is enabled
  2024-07-01T09:50:21+09:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
  2024-07-01T09:50:21+09:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
  2024-07-01T09:50:24+09:00 INFO Detected OS family="debian" version="12.5"
  2024-07-01T09:50:24+09:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=3
  2024-07-01T09:50:24+09:00 INFO Number of language-specific files num=1
  2024-07-01T09:50:24+09:00 INFO [gobinary] Detecting vulnerabilities...

  masap20220915/sonobuoy:amd64-v0.57 (debian 12.5)
  Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

  sonobuoy (gobinary)
  Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 1, CRITICAL: 1)
  ```

  | Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
  |---|---|---|---|---|---|---|
  | stdlib | CVE-2024-24790 | CRITICAL | fixed | 1.21.4 | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses https://avd.aquasec.com/nvd/cve-2024-24790 |
  | stdlib | CVE-2023-45288 | HIGH | fixed | 1.21.4 | 1.21.9, 1.22.2 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS https://avd.aquasec.com/nvd/cve-2023-45288 |
  | stdlib | CVE-2023-39326 | MEDIUM | fixed | 1.21.4 | 1.20.12, 1.21.5 | golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests... https://avd.aquasec.com/nvd/cve-2023-39326 |
  | stdlib | CVE-2023-45289 | MEDIUM | fixed | 1.21.4 | 1.21.8, 1.22.1 | golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect... https://avd.aquasec.com/nvd/cve-2023-45289 |
  | stdlib | CVE-2023-45290 | MEDIUM | fixed | 1.21.4 | 1.21.8, 1.22.1 | golang: net/http: memory exhaustion in Request.ParseMultipartForm https://avd.aquasec.com/nvd/cve-2023-45290 |
  | stdlib | CVE-2024-24783 | MEDIUM | fixed | 1.21.4 | 1.21.8, 1.22.1 | golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm... https://avd.aquasec.com/nvd/cve-2024-24783 |
  | stdlib | CVE-2024-24784 | MEDIUM | fixed | 1.21.4 | 1.21.8, 1.22.1 | golang: net/mail: comments in display names are incorrectly handled https://avd.aquasec.com/nvd/cve-2024-24784 |
  | stdlib | CVE-2024-24785 | MEDIUM | fixed | 1.21.4 | 1.21.8, 1.22.1 | golang: html/template: errors returned from MarshalJSON methods may break template escaping https://avd.aquasec.com/nvd/cve-2024-24785 |
  | stdlib | CVE-2024-24789 | MEDIUM | fixed | 1.21.4 | 1.21.11, 1.22.4 | golang: archive/zip: Incorrect handling of certain ZIP files https://avd.aquasec.com/nvd/cve-2024-24789 |

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* Fix Windows build

  ```
  ERROR: failed to solve: failed to compute cache key: mount callback failed on /tmp/containerd-mount1917080101: link /tmp/containerd-mount1917080101/Windows/INF/basicrender.inf /tmp/containerd-mount1917080101/Windows/System32/DriverStore/FileRepository/basicrender.inf_amd64_efdc64af60c69a6d/basicrender.inf: no such file or directory
  Error: Process completed with exit code 1.
  ```

  According to [1], we need to use ltsc2022 as a tag.

  [1] microsoft/Windows-Containers#493

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* Add support for injecting tolerations to sonobuoy pod

  Resolves #1973.

  We can inject some tolerations to sonobuoy aggregator pod by adding trailing description into sonobuoy config json.

  ```json
  {
    "AggregatorTolerations": [
      { "effect": "NoSchedule", "key": "key1", "operator": "Equal", "value": "value1" },
      { "effect": "NoSchedule", "key": "key2", "operator": "Equal", "value": "value2" }
    ]
  }
  ```

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* Bump golang version for build to 1.21.12

  To fix trailing warning.

  Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

  | Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
  |---|---|---|---|---|---|---|
  | stdlib | CVE-2024-24791 | MEDIUM | fixed | 1.21.11 | 1.21.12, 1.22.5 | net/http: Denial of service due to improper 100-continue handling in net/http https://avd.aquasec.com/nvd/cve-2024-24791 |

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

---------

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Describe the bug
`COPY` commands have been working normally for years with our lts2019 windows container build on Agones, but started failing today with an error message of:

Where `${WINDOWS_VERSION}` is `ltsc2019`
To Reproduce
To reproduce this, just try copying something in:
(Assuming you have a buildx builder already)
Expected behavior
The image should build 😃
Configuration:
Additional context
You can see a full build output from the Agones build pipeline here: https://console.cloud.google.com/cloud-build/builds/70b984e2-132b-4d1a-915a-862cb03f4830;step=16?e=13803378&project=agones-images
Using the previous SHA of `@sha256:6fdf140282a2f809dae9b13fe441635867f0a27c33a438771673b8da8f3348a4` worked.
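
Added example, not code from this thread or from any of the linked projects: a check that reports `FROM` lines whose base image is not pinned by digest, the practice the linked "Pin the Windows base images by SHA" commit describes and the workaround used in this issue. The function name `unpinned_bases` and the sample Dockerfile are assumptions made for illustration, and the parser assumes one instruction per line.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")

# Constructed sample Dockerfile; the digest is the one quoted in the thread.
SAMPLE = """\
ARG WINDOWS_VERSION=ltsc2019
FROM --platform=$BUILDPLATFORM golang:1.21.12 AS builder
FROM mcr.microsoft.com/windows/servercore:${WINDOWS_VERSION} AS unpinned
FROM mcr.microsoft.com/windows/servercore:ltsc2019@sha256:41f42aa4ad39d85e4d30642b8111ca6454ca2275f188f012934b9afbaf63a647 AS pinned
FROM builder AS final
FROM scratch
"""


def unpinned_bases(dockerfile_text, build_args=None):
    """Return [(line_number, resolved_image)] for FROM lines lacking a digest."""
    overrides = build_args or {}      # values a --build-arg would supply
    global_args, stages, findings = {}, set(), []
    seen_from = False
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword = tokens[0].upper()
        if keyword == "ARG" and not seen_from and len(tokens) > 1:
            # Only ARGs declared before the first FROM are visible to FROM lines.
            name, _, default = tokens[1].partition("=")
            global_args[name] = overrides.get(name, default.strip("\"'"))
        elif keyword == "FROM":
            seen_from = True
            rest = [t for t in tokens[1:] if not t.startswith("--")]
            if not rest:
                continue
            image = VAR_RE.sub(
                lambda m: global_args.get(m.group(1) or m.group(2), ""), rest[0])
            is_stage = image.lower() in stages   # "FROM builder" pulls nothing
            if len(rest) >= 3 and rest[1].upper() == "AS":
                stages.add(rest[2].lower())
            if image == "scratch" or is_stage:
                continue
            if not DIGEST_RE.search(image):
                findings.append((lineno, image))
    return findings


if __name__ == "__main__":
    for lineno, image in unpinned_bases(SAMPLE):
        print(f"line {lineno}: {image} is not pinned by digest")
```

A tag such as `ltsc2019` is re-pointed with every monthly patch release, which is how a previously working build picked up the broken layer; a digest reference keeps resolving to the same image until someone changes it deliberately.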