GoogleCloudPlatform / cloud-foundation-toolkit

The Cloud Foundation toolkit provides GCP best practices as code.
Apache License 2.0

developer-tools 1.2 does not run with rootless docker/podman #1021

Closed jawnsy closed 1 year ago

jawnsy commented 2 years ago

TL;DR

There seems to be a change between 1.1 and 1.2 which prevents the developer-tools image from running under podman (userspace mode) or docker (inside sysbox, similar to rootless docker).

Expected behavior

I'd expect the image to run normally.

Observed behavior

Running with docker in sysbox, I get the following error:

$ docker run --rm -it gcr.io/cloud-foundation-cicd/cft/developer-tools:1.2
docker: failed to register layer: ApplyLayer exit status 1 stdout:  stderr: lchown /build/terraform-validator: invalid argument.

Running version 1.1 works fine:

$ docker run --rm -it gcr.io/cloud-foundation-cicd/cft/developer-tools:1.1
Loading /usr/local/bin/task_helper_functions.sh from ~/.bashrc
Invoking init_credentials from ~/.bashrc
Disable this behavior by setting CFT_DISABLE_INIT_CREDENTIALS=yes
Error: SERVICE_ACCOUNT_JSON must contain the JSON string (not the
file path) of the service account credentials.  For example:
export SERVICE_ACCOUNT_JSON=$(< ~/.credentials/my-sa-key.json)
[root@bdd688f8bb2a workspace]#

I get a similar error message when running on podman on my laptop, so this may just be an issue caused by running in rootless mode:

$ podman run --rm -it gcr.io/cloud-foundation-cicd/cft/developer-tools:1.2
Error: writing blob: adding layer with blob "sha256:cd161d4c1a089eaebfd0f869672c4d18d849997b8f1ce20887250ad61820844e": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 806984:89939 for /build/terraform-validator): Check /etc/subuid and /etc/subgid: lchown /build/terraform-validator: invalid argument

Things run okay with podman in rootful mode:

$ sudo podman run --rm -it gcr.io/cloud-foundation-cicd/cft/developer-tools:1.2
Loading /usr/local/bin/task_helper_functions.sh from ~/.bashrc
Invoking init_credentials from ~/.bashrc
Disable this behavior by setting CFT_DISABLE_INIT_CREDENTIALS=yes
Error: SERVICE_ACCOUNT_JSON must contain the JSON string (not the
file path) of the service account credentials.  For example:
export SERVICE_ACCOUNT_JSON=$(< ~/.credentials/my-sa-key.json)
[root@da7317ac1498 workspace]#

I'm not sure if this is a bug in sysbox, docker/runc, or something to do with this image.

I filed a bug with more info in the sysbox repository: https://github.com/nestybox/sysbox/issues/443 -- there's also a similar-looking docker bug here: https://github.com/moby/moby/issues/41821
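A diagnostic for the failure mode the podman error above points at (a layer file owned by an ID outside the rootless user's /etc/subuid and /etc/subgid ranges), written here as an added example; it is not code from the issue thread or from the Cloud Foundation toolkit. The sample subuid/subgid contents and the in-memory layer are constructed, and the mapping rule it assumes (container ID 0 maps to the invoking user, container IDs 1..N map in order onto the user's subordinate ranges, so nothing above the total subordinate count N can be represented) is the usual rootless podman/docker layout, stated as an assumption rather than taken from the page. `scan_saved_image` applies the same check to a real `docker save` / `podman save` archive on disk.

```python
"""Check whether file ownership in an image layer fits the subordinate
UID/GID ranges of a rootless container user.

Assumption (not stated on the page): rootless podman/docker map container
ID 0 to the invoking user and container IDs 1..N, in order, onto the user's
subordinate ranges, so a container ID above the total subordinate count N
cannot be mapped and the lchown of that layer file fails.
"""
import io
import tarfile

# Constructed sample /etc/subuid and /etc/subgid contents for this example.
SAMPLE_SUBUID = "alice:100000:65536\nbob:165536:65536\n"
SAMPLE_SUBGID = "alice:100000:65536\nbob:165536:65536\n"


def parse_subid(text, user):
    """Return the (start, count) subordinate ranges assigned to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 3 and fields[0] == user:
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges


def namespace_size(ranges):
    """Largest container ID that can be mapped: the sum of all range counts."""
    return sum(count for _, count in ranges)


def id_mappable(ranges, container_id):
    """True if the container UID/GID can be represented in the user namespace."""
    return 0 <= container_id <= namespace_size(ranges)


def scan_layer(layer_tar_bytes, subuid_ranges, subgid_ranges):
    """List (path, uid, gid) of layer members whose owner cannot be mapped."""
    unmappable = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not id_mappable(subuid_ranges, member.uid) or not id_mappable(subgid_ranges, member.gid):
                unmappable.append((member.name, member.uid, member.gid))
    return unmappable


def build_sample_layer():
    """Construct an in-memory layer tar: one root-owned file and one file owned
    like /build/terraform-validator in the issue (806984:89939)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, uid, gid in [("usr/bin/sh", 0, 0), ("build/terraform-validator", 806984, 89939)]:
            data = b"#!/bin/sh\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uid, info.gid, info.mode = uid, gid, 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_saved_image(archive_path, user, subuid_path="/etc/subuid", subgid_path="/etc/subgid"):
    """Scan every layer inside a `docker save` / `podman save` archive against the
    real subordinate ranges of `user`. Returns {layer_member_name: [(path, uid, gid), ...]}."""
    with open(subuid_path) as f:
        uid_ranges = parse_subid(f.read(), user)
    with open(subgid_path) as f:
        gid_ranges = parse_subid(f.read(), user)
    report = {}
    with tarfile.open(archive_path, mode="r:*") as outer:
        for member in outer:
            if not member.isfile():
                continue
            data = outer.extractfile(member).read()
            try:
                bad = scan_layer(data, uid_ranges, gid_ranges)
            except tarfile.TarError:
                continue  # manifest.json, config blobs and other non-tar members
            if bad:
                report[member.name] = bad
    return report


if __name__ == "__main__":
    uid_ranges = parse_subid(SAMPLE_SUBUID, "alice")
    gid_ranges = parse_subid(SAMPLE_SUBGID, "alice")
    for path, uid, gid in scan_layer(build_sample_layer(), uid_ranges, gid_ranges):
        print(f"{path}: owner {uid}:{gid} exceeds the {namespace_size(uid_ranges)} IDs mapped for alice")
```

Run against a saved archive with `scan_saved_image("image.tar", "alice")` to find which layer and which path carry the out-of-range owner. Either side can fix the mismatch: the image build can `chown` the offending files to an ID inside the usual 65536-entry range (root is the simplest), or the host can grant the rootless user a larger subordinate range; the image-side fix is the one that keeps the image runnable on every rootless host.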

bharathkkb commented 2 years ago

Seems to be due to https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/pull/1006 but I don't see anything off in the install script. I also saw a similar question on SO.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.