search

containers / buildah

A tool that facilitates building OCI images.
https://buildah.io
Apache License 2.0
7.24k stars 766 forks source link

buildah run (from scratch): executable file not found in $PATH: No such file or directory #2481

Closed cryobry closed 4 years ago

cryobry commented 4 years ago

Description

I am creating a simple container from scratch, following: https://www.projectatomic.io/blog/2017/08/buildah-getting-fit/

However, I cannot get anything to execute with buildah run in a container built from scratch (everything works as expected when starting with an existing image).

Steps to reproduce the issue:

#!/usr/bin/env bash
cnt=$(buildah from scratch)
mnt=$(buildah unshare buildah mount "$cnt")

buildah unshare \
    dnf install -y \
        --installroot "$mnt" \
        --releasever=32 \
        --setopt install_weak_deps=false \
        bash coreutils

buildah run "$cnt" -- /usr/bin/bash

Describe the results you received:

2020-07-19T16:45:34.000790064Z: executable file not found in $PATH: No such file or directory
error running container: error creating container for [/usr/bin/bash]: : exit status 1
error while running runtime: exit status 1
ERRO exit status 1

Describe the results you expected:

Enter a bash shell in the working container.

Output of rpm -q buildah or apt list buildah:

buildah-1.15.0-1.fc32.x86_64

Output of buildah version:

Version:         1.15.0
Go Version:      go1.14.3
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:  
image Version:   5.5.1
Git Commit:      
Built:           Wed Dec 31 19:00:00 1969
OS/Arch:         linux/amd64

Output of podman version if reporting a podman build issue:

Version:      2.0.2
API Version:  1
Go Version:   go1.14.3
Built:        Wed Dec 31 19:00:00 1969
OS/Arch:      linux/amd64

*Output of `cat /etc/release`:**

NAME=Fedora
VERSION="32 (Workstation Edition)"
ID=fedora
VERSION_ID=32
VERSION_CODENAME=""
PLATFORM_ID="platform:f32"
PRETTY_NAME="Fedora 32 (Workstation Edition)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:32"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=32
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=32
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Output of uname -a:

Linux laptop 5.7.7-200.fc32.x86_64 #1 SMP Wed Jul 1 19:53:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver
driver = "overlay"

# Temporary storage location
runroot = "/var/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = false

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"

# Size is used to set a maximum size of the container image.
# size = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

Additional Info It appears that the executable is in place and with the correct permissions:

buildah unshare ls -al "$mnt/usr/bin" | grep bash
-rwxr-xr-x.  1 root root 1224424 Jun  2 08:45 bash
rhatdan commented 4 years ago

This worked when I ran it for root, (Eliminating the buildah unshare calls).

rhatdan commented 4 years ago

@edsantiago PTAL. I am trying to get this to work, with something like:

cnt=$(buildah from scratch)
buildah unshare sh -c 'mnt=$(buildah mount $cnt) \
    dnf install -y \
        --installroot $mnt
        --releasever=32 \
        --setopt install_weak_deps=false \
        bash coreutils'

buildah run "$cnt" -- /usr/bin/bash

But failing miserably.

@cryobry I believe the issue is that The mount point here: mnt=$(buildah unshare buildah mount "$cnt") Will not survive after buildah unshare finishes, Since the mount namespace is created and destroyed in the call to buildah unshare. The next buildah unshare is just writing onto the upper directory at that path, but the container is not mounted. When you execute the buildah run command, then buildah again mounts the image, and there is no content, since the content you wrote to is now mounted over. Running the buildah mount and the dnf install in the same buildah unshare is the correct way to do this. but you need to do some bash gymnastics to make it work.

cryobry commented 4 years ago

That would also explain why I could never successfully unmount using buildah unshare buildah unmount.

Doesn't this imply that buildah unshare buildah unmount is pointless? Is there a drawback to not specifying a subsequent buildah unmount in the singular buildah unshare command, considering the namespace is destroyed upon command completion? Obviously the $mnt dir is not removed if buildah unmount is not run in the buildah mount namespace which has led to this bug report.

In light of this, could it be possible to create a persistent and reusable buildah unshare namespace to ease shell scripting (assuming it is even possible with subshells--I will give it a go today)?

If it is not possible, when the mount namespace is destroyed after the buildah unshare command finishes, shouldn't the $mnt dir also be removed even if buildah unmount is not explicitly called? Maybe that is too much hand-holding, but at least utilities like dnf would complain about installing to a non-existent directory.

edsantiago commented 4 years ago

@rhatdan first things first: simplify.

# cnt=$(buildah from scratch)

That works fine. But before we go any further, we need to export it because it is referenced in a subshell. Let's also just stick with the basics, try just the unshare/mount:

# export cnt
# buildah unshare sh -c 'buildah mount $cnt'
ERRO error unmounting /var/lib/containers/storage/overlay/b5931cfc16feeefe9b2d14d6c00f31682acf183da3864fbd1791689214d3ca75/merged: invalid argument
error mounting "working-container" container "working-container": error mounting build container "1ac0f2595607c01d50e3e48daded7938ae65346cf0f004861f6626242bebcb45": error creating overlay mount to /var/lib/containers/storage/overlay/b5931cfc16feeefe9b2d14d6c00f31682acf183da3864fbd1791689214d3ca75/merged: operation not permitted
ERRO exit status 125
ERRO exit status 125

(same thing with buildah unshare buildah mount $cnt, FWIW).

"error unmounting" surprised me, so I considered the possibility that the mount was succeeding but then something died when unshare exited. Nope:

# buildah unshare sh -c 'mnt=$(buildah mount $cnt); echo $mnt'
[same error]
                     <---- now with a blank line at the end, presumably showing the empty $mnt

I don't see how this helps, but I don't understand unshare so am posting anyway in hopes that it will help you converge on an understanding of the problem.

cryobry commented 4 years ago

Thanks for the hints, now this is successful:

declare -x cnt=$(buildah from scratch)
buildah unshare sh -c '\
    mnt=$(buildah mount $cnt) && \
    dnf install -y \
        --installroot $mnt \
        --releasever=32 \
        --setopt install_weak_deps=false \
        bash coreutils && \
    buildah unmount $cnt'
buildah run "$cnt" /usr/bin/bash
bash-5.0#

Feel free to close @rhatdan. I'm satisfied running everything inside buildah unshare even though it's a bit messy.

rhatdan commented 4 years ago

Excellent, although I like this as an example. Running buildah as root would be a lot easier.
How about something like this which would work both as root and non root, and it is easier to understand.

cat /tmp/buildah.sh
#!/bin/sh
build() {
    cnt=$(buildah from scratch)
    mnt=$(buildah mount $cnt)
    dnf install -y \
    --installroot $mnt \
    --releasever=32 \
    --setopt install_weak_deps=false \
    bash coreutils
    buildah run "$cnt" /usr/bin/bash
}
if [[ $EUID -ne 0 ]]; then
    exec buildah unshare $0
fi
build