rootless podman build: Build from scratch fails

[adityashah1212]

Description I am having a problem making a rootless build using podman. The Dockerfile I am using looks like this.

FROM scratch

ADD centos.tar.xz /

CMD ["/usr/bin/bash"]

Steps to reproduce the issue:

1. Download https://github.com/CentOS/sig-cloud-instance-images/blob/CentOS-7.5.1804/docker/centos-7-docker.tar.xz as centos.tar.xz
2. In the same directory place the above Dockerfile
3. Run podman build -t centos/base:7.5.1804-1 -f Dockerfile --squash .

Describe the results you received:

[<user>@localhost build]$ podman build -t centos/base:7.5.1804-1 -f Dockerfile --squash .
STEP 1: FROM scratch
STEP 2: ADD centos.tar.xz /
error building at step {Env:[ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:add Args:[centos.tar.xz /] Flags:[] Attrs:map[] Message:ADD centos.tar.xz / Original:ADD centos.tar.xz /}: error extracting "/home/<user>/build/centos.tar.xz" into "/home/<user>/.local/share/containers/storage/vfs/dir/f55ea40fe875d45078038dd71b399e87db961c69eabfdcb4dd2d963677aca50a": Error processing tar file(exit status 1): lchown /run/lock/lockdev: invalid argument

Describe the results you expected: A image should be built and loaded with tag localhost/centos/base:7.5.1804-1

Output of rpm -q podman : I am using podman, so giving podman info (rpm is built using https://git.centos.org/commit/rpms!podman.git/538a8cad666447915d68b242070adab42ec034a7). buildah is not installed

podman-0.10.1.3-1.gitdb08685.el7.x86_64

Output of podman version if reporting a podman build issue:

Version:       0.10.1.3
Go Version:    go1.10.2
OS/Arch:       linux/amd64

*Output of `cat /etc/release`:**

CentOS Linux release 7.5.1804 (Core) 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.5.1804 (Core) 
CentOS Linux release 7.5.1804 (Core) 

Output of uname -a:

Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

# storage.conf is the configuration file for all tools
# that share the containers/storage libraries
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver
driver = "overlay"

# Temporary storage location
runroot = "/var/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Size is used to set a maximum size of the container image.  Only supported by
# certain container storage drivers.
size = ""

# OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
override_kernel_check = "true"

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to UIDs/GIDs as they should appear outside of the container, and
# the length of the range of UIDs/GIDs.  Additional mapped sets can be listed
# and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and the a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped container-level ID,
# until all of the entries have been used for maps.
#
# remap-user = "storage"
# remap-group = "storage"

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# mountopt specifies extra mount options used when mounting the thin devices.
# mountopt = ""

# use_deferred_removal Marking device for deferred removal
# use_deferred_removal = "True"

# use_deferred_deletion Marking device for deferred deletion
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

[rhatdan]

Are you running this as nonroot?

[rhatdan]

On RHEL/Centos systems, we currently do not support running as non-root. These systems do not have a newuidmap and newgidmap (Part of newer versions of shadow-utils). We are hoping to get this package updated in RHEL7.7 and hopefully earlier.

[adityashah1212]

Are you running this as nonroot?

Yes this was without root.

On RHEL/Centos systems, we currently do not support running as non-root. These systems do not have a newuidmap and newgidmap (Part of newer versions of shadow-utils). We are hoping to get this package updated in RHEL7.7 and hopefully earlier.

Any suggestions on how should I go about this. Lets just say, I can't use root on the machine I intend to make the images on, and I can't use anything above RHEL 7.5.

[rhatdan]

Well you could build the latest shadow-utils and install it on this system, then configure the /etc/subuid and /etc/subgid files, and it would work.

[adityashah1212]

That sounds reasonable I guess. What would be the minimum version of shadow-utils required?

[adityashah1212]

I used the source rpm from fedora 29 base image. It works now. Thanks :)

BTW can we have this issue related to newgidmap and newuidmap documented somewhere. For people ignorant of internal workings, it is easy for them to miss.

[TomSweeneyRedHat]

@adityashah1212 good suggestion. I'll see if I can at least get a note up on the install RHEL instructions.

[rhatdan]

@adityashah1212 can we close this issue?