Building with podman fails with: statfs /var/run/docker.sock: permission denied
Summary
I'm trying to build a sample app using podman following this tutorial: https://buildpacks.io/docs/app-developer-guide/building-on-podman/, but it fails with the following error:
ERROR: failed to build: executing lifecycle. This may be the result of using an untrusted builder: failed to create 'analyzer' container: Error response from daemon: container create: statfs /var/run/docker.sock: permission denied
Reproduction
Steps
Note: I'm using Fedora 36
- Install pack and podman:
sudo dnf install podman pack
- Enable the podman socket:
systemctl enable --user podman.socket
- Start the podman socket:
systemctl start --user podman.socket
- Export the DOCKER_HOST env:
export DOCKER_HOST="unix://$(podman info -f "{{.Host.RemoteSocket.Path}}")"
- Clone the samples repository:
git clone https://github.com/buildpacks/samples.git
- Run:
pack build sample-app -p samples/apps/ruby-bundler/ -B cnbs/sample-builder:bionic
Current behavior
The build fails like this:
Builder cnbs/sample-builder:bionic is untrusted
As a result, the phases of the lifecycle which require root access will be run in separate trusted ephemeral containers.
For more information, see https://medium.com/buildpacks/faster-more-secure-builds-with-pack-0-11-0-4d0c633ca619
Pulling image index.docker.io/cnbs/sample-builder:bionic
4ba66ae81588: Already exists
8324fe50bc12: Already exists
e0076bce74bf: Already exists
9a6c0ea32714: Already exists
434bcdf2418f: Already exists
c4e3bdcbb8c3: Already exists
c238db6a02a5: Already exists
22c5ef60a68e: Already exists
357fefdf9bc9: Already exists
04f9e5a54d38: Already exists
5c2e4179bee1: Already exists
98438d9c08b1: Already exists
0cceee8a8cb0: Already exists
db1bbcc47135: Already exists
4f4fb700ef54: Already exists
53a52c7f9926: Already exists
a302059dbdba: Already exists
3b17b9b118df: Download complete
Selected run image cnbs/sample-stack-run:bionic
Pulling image cnbs/sample-stack-run:bionic
434bcdf2418f: Already exists
8324fe50bc12: Already exists
22c5ef60a68e: Already exists
f23bff10fb1a: Download complete
Creating builder with the following buildpacks:
-> samples/[email protected]
-> samples/[email protected]
-> samples/[email protected]
-> samples/[email protected]
-> samples/[email protected]
-> samples/[email protected]
Pulling image buildpacksio/lifecycle:0.14.1
4f80531f7622: Already exists
36698cfa5275: Already exists
0fc9d7cf1104: Download complete
Using build cache volume pack-cache-library_sample-app_latest-4d7a3eca056d.build
===> ANALYZING
Running the analyzer on OS linux with:
Container Settings:
  Args: /cnb/lifecycle/analyzer -log-level debug -daemon -stack /layers/stack.toml -run-image cnbs/sample-stack-run:bionic -launch-cache /launch-cache sample-app
  System Envs: CNB_USER_ID=1000 CNB_GROUP_ID=1000 CNB_PLATFORM_API=0.9
  Image: buildpacksio/lifecycle:0.14.1
  User: root
  Labels: map[author:pack]
Host Settings:
  Binds: /var/run/docker.sock:/var/run/docker.sock pack-cache-library_sample-app_latest-4d7a3eca056d.launch:/launch-cache pack-layers-qgdrogqqrq:/layers pack-app-aayrvsnodn:/workspace
  Network Mode:
ERROR: failed to build: executing lifecycle. This may be the result of using an untrusted builder: failed to create 'analyzer' container: Error response from daemon: container create: statfs /var/run/docker.sock: permission denied
Expected behavior
The container should build successfully.
Environment
pack info
Pack:
Version: 0.0.0
OS/Arch: linux/amd64
Default Lifecycle Version: 0.14.1
Supported Platform APIs: 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9
Config:
(no config file found at /home/davide/.pack/config.toml)
podman info
host:
  arch: amd64
  buildahVersion: 1.27.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpuUtilization:
    idlePercent: 89.97
    systemPercent: 2.66
    userPercent: 7.37
  cpus: 4
  distribution:
    distribution: fedora
    variant: workstation
    version: "36"
  eventLogger: journald
  hostname: MiWiFi-R3-srv
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.19.4-200.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2178199552
  memTotal: 8208855040
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.5-1.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.5
      commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8208248832
  swapTotal: 8208248832
  uptime: 0h 25m 21.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/davide/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/davide/.local/share/containers/storage
  graphRootAllocated: 998500204544
  graphRootUsed: 349348642816
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 6
  runRoot: /run/user/1000/containers
  volumePath: /home/davide/.local/share/containers/storage/volumes
version:
  APIVersion: 4.2.0
  Built: 1660228937
  BuiltTime: Thu Aug 11 16:42:17 2022
  GitCommit: ""
  GoVersion: go1.18.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.2.0
You can add the --trust-builder flag after the pack build cmd. Or you can use pack config to make the builder a trusted builder first.
@cxrus Thanks for the answer, I've tried to add the --trust-builder flag but I'm having the same issue.
@matejvasek Do you have any idea?
@b1zzu you need to make sure that pack mounts the correct socket into the build container:
pack build sample-app -p samples/apps/ruby-bundler/ -B cnbs/sample-builder:bionic --docker-host=inherit
Note the --docker-host=inherit.
Another way is to use the --publish flag; with that, pack won't mount the daemon socket but rather pushes the image directly to a registry.
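For anyone landing here from the same error: the setup in the reproduction steps above and the fix in this answer fit in one small wrapper script. What follows is an added example written for this thread, not code from pack, podman or the buildpacks docs. It resolves the rootless podman socket the way the steps do, then does the check pack itself skips (confirm the socket named by DOCKER_HOST exists and is writable by this uid) before any lifecycle container tries to bind-mount it, and finally runs pack with either --docker-host=inherit or --publish. The function names (socket_from_docker_host, check_daemon_socket, pack_socket_flag), the PACK_WRAPPER_RUN switch and the script name in the usage note are this script's own inventions.

```shell
#!/bin/sh
# Added example for this thread; not code from pack, podman or the buildpacks docs.
# Wraps the reproduction steps with the --docker-host=inherit fix and adds a
# precondition check so the socket problem is reported before "container create"
# fails with the misleading "statfs /var/run/docker.sock: permission denied".
# socket_from_docker_host, check_daemon_socket and pack_socket_flag are this
# script's own helpers, not part of pack's CLI.

# Extract the filesystem path from a unix:// DOCKER_HOST. tcp:// and ssh://
# values yield an empty string: there is no local socket file to mount.
socket_from_docker_host() {
    case "$1" in
        unix://*) printf '%s\n' "${1#unix://}" ;;
        *)        printf '\n' ;;
    esac
}

# Succeed only if $1 is a unix socket this uid can connect to. connect(2) needs
# write permission on the socket node, so -w is the right precondition; -S
# catches the "podman.socket not started yet" case. Each failure is named in
# plain terms instead of surfacing as a statfs error from inside the daemon.
check_daemon_socket() {
    sock="$1"
    [ -n "$sock" ] || { echo "DOCKER_HOST does not point at a unix socket" >&2; return 1; }
    [ -S "$sock" ] || { echo "$sock is not a socket (is podman.socket started?)" >&2; return 1; }
    [ -w "$sock" ] || { echo "$sock exists but uid $(id -u) cannot write to it" >&2; return 1; }
}

# Choose how the privileged lifecycle phases reach the daemon:
#   inherit  - mount the DOCKER_HOST socket into the ephemeral containers; the
#              container can then drive the daemon, which with rootless podman
#              is scoped to this user's session and with root docker is
#              effectively root on the host
#   publish  - mount no daemon socket at all; the lifecycle pushes the image
#              straight to the registry named in the image tag
pack_socket_flag() {
    case "$1" in
        inherit) printf '%s\n' "--docker-host=inherit" ;;
        publish) printf '%s\n' "--publish" ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# The real build runs only when PACK_WRAPPER_RUN=1, so the file can be loaded
# and its functions exercised on a machine without podman or pack installed.
if [ "${PACK_WRAPPER_RUN:-0}" = "1" ]; then
    set -e
    mode="${1:-inherit}"    # inherit or publish
    systemctl --user is-active --quiet podman.socket || systemctl --user start podman.socket
    DOCKER_HOST="unix://$(podman info -f '{{.Host.RemoteSocket.Path}}')"
    export DOCKER_HOST
    # --publish never mounts the socket, so only the inherit path needs the check
    [ "$mode" = publish ] || check_daemon_socket "$(socket_from_docker_host "$DOCKER_HOST")"
    pack build sample-app -p samples/apps/ruby-bundler/ -B cnbs/sample-builder:bionic \
        "$(pack_socket_flag "$mode")"
fi
```

Usage on the Fedora setup from the issue would be `PACK_WRAPPER_RUN=1 sh pack-podman.sh inherit` (file name hypothetical); the `-w` check fails fast with a readable message whenever the socket exists but belongs to another uid, which is exactly the situation the hard-coded /var/run/docker.sock bind in the failing "Binds:" line runs into. Where the socket is tunnelled from a VM, as on macOS with podman, use the `publish` mode instead, since inherit will not work there.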
Hi @matejvasek, with --docker-host=inherit it works fine, thanks. I think the documentation should be updated to reflect the need for the --docker-host=inherit option, wdyt?
@b1zzu actually the doc mentions it:
NOTE: If using a socket connection, for example on Linux, you’ll need to pass an additional flag in order to provide the proper socket location to the lifecycle: --docker-host=inherit
However that's not entirely true with the latest podman: on macOS with podman you shouldn't use --docker-host=inherit with the tunnelled VM unix socket; it wouldn't work.
I wish we'd just get rid of the socket mounting.
@matejvasek thanks for your help here :) it sounds like the issue was resolved - can we close it?
Hi @dfreilich I think we can close this issue, could you do that?