containers / buildah

A tool that facilitates building OCI images.
https://buildah.io
Apache License 2.0

podman build appears to ignore containerignore #3427

Closed kierun closed 3 years ago

kierun commented 3 years ago

/kind bug

Description

A directory owned by root and in .containerignore is still being added to the build.

Steps to reproduce the issue:

  1. printf "FROM quay.io/libpod/testimage:20210610\nCOPY ./ ./\n" >Dockerfile
  2. mkdir -p volume/data
  3. cd volume
  4. sudo chown root:root data
  5. sudo chmod 700 data
  6. cd ..
  7. echo "volume/" > .containerignore
  8. podman build -f Dockerfile

Describe the results you received:

Build fails with:

√ ; podman build -f Dockerfile
STEP 1: FROM quay.io/libpod/testimage:20210610
STEP 2: COPY ./ ./
Error: error building at STEP "COPY ./ ./": error reading "/home/yann/tmp/podman": error during bulk transfer for copier.request{Request:"GET", Root:"/", preservedRoot:"/home/yann/tmp/podman", rootPrefix:"/home/yann/tmp/podman", Directory:"/", preservedDirectory:"/home/yann/tmp/podman", Globs:[]string{"/"}, preservedGlobs:[]string{"/home/yann/tmp/podman"}, StatOptions:copier.StatOptions{CheckForArchives:false, Excludes:[]string(nil)}, GetOptions:copier.GetOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), Excludes:[]string{"volume"}, ExpandArchives:false, ChownDirs:(*idtools.IDPair)(0xc0005af510), ChmodDirs:(*fs.FileMode)(nil), ChownFiles:(*idtools.IDPair)(0xc0005af520), ChmodFiles:(*fs.FileMode)(nil), StripSetuidBit:true, StripSetgidBit:true, StripStickyBit:false, StripXattrs:false, KeepDirectoryNames:false, Rename:map[string]string(nil), NoDerefSymlinks:false, IgnoreUnreadable:false, NoCrossDevice:false}, PutOptions:copier.PutOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), DefaultDirOwner:(*idtools.IDPair)(nil), DefaultDirMode:(*fs.FileMode)(nil), ChownDirs:(*idtools.IDPair)(nil), ChmodDirs:(*fs.FileMode)(nil), ChownFiles:(*idtools.IDPair)(nil), ChmodFiles:(*fs.FileMode)(nil), StripXattrs:false, IgnoreXattrErrors:false, IgnoreDevices:false, NoOverwriteDirNonDir:false, Rename:map[string]string(nil)}, MkdirOptions:copier.MkdirOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), ChownNew:(*idtools.IDPair)(nil), ChmodNew:(*fs.FileMode)(nil)}, RemoveOptions:copier.RemoveOptions{All:false}}: copier: get: "/"("/"): copier: get: error reading "/volume/data": open /volume/data: permission denied
✗ 125 ; ls -ld volume
drwxr-xr-x yann yann 8 B Thu Aug  5 15:06:33 2021  volume/
√ ; ls -ld volume/data
drwx------ root root 0 B Thu Aug  5 15:06:33 2021  volume/data/

Describe the results you expected:

Build should succeed.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.2.3
API Version:  3.2.3
Go Version:   go1.16.6
Built:        Mon Aug  2 20:39:21 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.21.3
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.29-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 24
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: nightwatch.neverness.org
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.13.5-200.fc34.x86_64
  linkmode: dynamic
  memFree: 5768396800
  memTotal: 33572855808
  ociRuntime:
    name: crun
    package: crun-0.20.1-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1
      commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc34.x86_64
    version: |-
      slirp4netns version 1.1.8+dev
      commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 24696053760
  swapTotal: 24696053760
  uptime: 5h 47m 3.29s (Approximately 0.21 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/yann/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/yann/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 7
  runRoot: /run/user/1000/containers
  volumePath: /home/yann/.local/share/containers/storage/volumes
version:
  APIVersion: 3.2.3
  Built: 1627933161
  BuiltTime: Mon Aug  2 20:39:21 2021
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.2.3

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.2.3-2.fc34.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

N.A.

mheon commented 3 years ago

@TomSweeneyRedHat PTAL

edsantiago commented 3 years ago

Fails on main @ b243185e4fbf002c381b4d6cf9be1fe25450f4b9; fails even if file is named .dockerignore, and even if file content is * (star).

rhatdan commented 3 years ago

@nalind PTAL

nalind commented 3 years ago

~It looks like ADD and COPY need to always set the IgnoreUnreadable flag we introduced in #3060.~

nalind commented 3 years ago

Hmm, does docker build also produce an error when you point it at your build context? I get error checking context: 'can't stat '/tmp/copier-original-test/volume/data'' when I tried it with your reproducer, with both moby-engine-20.10.7-2.fc35 on Fedora 35 and docker-ce-19.03.12-3.fc30 on Fedora 30. The error message is different, to be sure, but it's looking like the behavior is about right.

kierun commented 3 years ago

Hmm, does docker build also produce an error when you point it at your build context?

docker build works fine for me. It did not, with the same message as you got, until I added ./volume to .dockerignore. When I tried podman, this file should be .containerignore. In the main repo, I had it symlinked.
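The ignore-before-open behaviour this thread is about, as an added example that is not buildah's copier code: a Go context walker that applies the exclude list before descending, so a "volume/" exclude means the unreadable volume/data is never opened, with an ignoreUnreadable switch standing in for the IgnoreUnreadable flag nalind mentions. CollectContext, excluded, denyFS and Repro are this example's own names; denyFS is an in-memory stand-in for the reporter's root-owned 0700 directory, and a real context would be passed as os.DirFS(dir).

```go
package main

import (
	"io/fs"
	"path"
	"testing/fstest"
)

// excluded: does p match an ignore pattern? (path.Match simplifies the real syntax.)
func excluded(p string, patterns []string) bool {
	for _, pat := range patterns {
		if ok, _ := path.Match(path.Clean(pat), p); ok { // Clean: "./volume/" -> "volume"
			return true
		}
	}
	return false
}

// CollectContext lists the files "COPY ./ ./" would take from fsys. Excludes are applied
// before descending, so an excluded directory is never opened; ignoreUnreadable skips a
// directory whose ReadDir fails instead of aborting the whole walk.
func CollectContext(fsys fs.FS, excludes []string, ignoreUnreadable bool) ([]string, error) {
	var files []string
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if p != "." && d.IsDir() && excluded(p, excludes) {
			return fs.SkipDir // pruned here, so ReadDir is never attempted on it
		}
		// A failed ReadDir arrives as a second callback for that directory; this is where
		// the reporter's "open /volume/data: permission denied" surfaced.
		if err != nil && !ignoreUnreadable {
			return err
		}
		if err == nil && !d.IsDir() && !excluded(p, excludes) {
			files = append(files, p)
		}
		return nil
	})
	return files, err
}

// denyFS is constructed test data: ReadDir on volume/data fails with ErrPermission, like
// the reporter's root-owned 0700 directory. Repro mirrors the reporter's layout.
type denyFS struct{ fstest.MapFS }
func (f denyFS) ReadDir(name string) ([]fs.DirEntry, error) {
	if name == "volume/data" {
		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrPermission}
	}
	return f.MapFS.ReadDir(name)
}
var Repro = denyFS{fstest.MapFS{
	"Dockerfile":  {Data: []byte("FROM quay.io/libpod/testimage:20210610\nCOPY ./ ./\n")},
	"volume/data": {Mode: fs.ModeDir | 0o700},
}}
```

Without the exclude and without ignoreUnreadable the walk fails exactly as the report shows; with either, Dockerfile is the only file collected and the unreadable directory is never touched.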