freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Build step 2 fails - Rocky Linux 9 #595

Closed DarrenRainey closed 8 months ago

DarrenRainey commented 8 months ago

Clean install of Rocky Linux 9 running in a Proxmox LXC container fails to build at Step 2.

Output:

[root@lnx-dc-01 freeipa-container]# podman build -t freeipa-server -f  Dockerfile.rocky-9
STEP 1/54: FROM docker.io/rockylinux/rockylinux:9
STEP 2/54: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -r -d / -s '/sbin/nologin' kdcproxy
error running container: did not get container start message from parent: EOF
Error: building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -r -d / -s '/sbin/nologin' kdcproxy": setup network: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): No such file or directory\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"

adelton commented 8 months ago

What does

# podman run --rm docker.io/rockylinux/rockylinux:9 cat /etc/os-release

report?

DarrenRainey commented 8 months ago

I've just made a new fresh container and this is the output. I also tried installing docker-ce in a previous container, but no change.

[root@CT104 freeipa-container]# podman run --rm docker.io/rockylinux/rockylinux:9 cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

adelton commented 8 months ago

What do you mean by "no change"?

DarrenRainey commented 8 months ago

I thought I might be missing some docker dependencies with podman, but regardless I still get the same error when running with either podman or docker-ce.

adelton commented 8 months ago

So if I understand it correctly, you try to build the image by running podman or docker within another container, and you don't have the /dev/net/tun device that slirp4netns requires? The use of slirp4netns suggests that the LXC container is already unprivileged, in spite of that # shell prompt. So this is some type of container in user namespaced container scenario.

And for some reason the build fails but running the container works.

I assume building a different container image from a different Dockerfile, like

FROM docker.io/rockylinux/rockylinux:9
RUN true

will fail as well, is that correct?

What happens if you use --net=host parameter to podman build?
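The two conditions raised in this comment, already running inside a user namespace and lacking the /dev/net/tun device that slirp4netns needs, can be checked from the shell before building. The script below is an added diagnostic written for this thread, not part of the freeipa-container project; the device path and uid_map path are parameters so it can be exercised against constructed inputs.

```shell
#!/bin/sh
# Added diagnostic for the build failure in this thread; not project code.
# It checks whether the shell already runs inside a user namespace (as an
# unprivileged LXC container does) and whether /dev/net/tun, which
# slirp4netns opens to set up rootless networking, exists as a device.

# 0 if PATH is a character device, as /dev/net/tun must be; 1 otherwise.
tun_device_ok() {
    [ -c "$1" ]
}

# Inspect a uid_map file in /proc/self/uid_map format. The initial user
# namespace has exactly one line, "0 0 4294967295"; any other mapping means
# the caller sits inside a user namespace. Returns 0 inside a user
# namespace, 1 in the initial namespace, 2 if the map cannot be read.
in_user_namespace() {
    [ -r "$1" ] || return 2
    awk 'NF { n++; if (!(n == 1 && $1 == 0 && $2 == 0 && $3 == 4294967295)) other = 1 }
         END { if (n == 0) exit 2; if (n == 1 && !other) exit 1; exit 0 }' "$1"
}

# Combine both checks and print the --net=host workaround suggested above.
# Returns 1 when a rootless "podman build" is expected to fail as reported.
diagnose() {
    tun="${1:-/dev/net/tun}"
    map="${2:-/proc/self/uid_map}"
    in_user_namespace "$map"
    case $? in
        0) echo "inside a user namespace ($map): rootless podman will use slirp4netns" ;;
        1) echo "initial user namespace ($map)" ;;
        *) echo "could not read $map" ;;
    esac
    if tun_device_ok "$tun"; then
        echo "$tun present: slirp4netns can create the build network"
        return 0
    fi
    echo "$tun missing: slirp4netns cannot create the build network"
    echo "try: podman build --net=host -t freeipa-server -f Dockerfile.rocky-9"
    return 1
}

# Run against the real system when invoked directly with no arguments.
# diagnose
```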

DarrenRainey commented 8 months ago

So I tried doing a manual install of freeipa-server using the Rocky repos and ran into some issues with chronyd, since the LXC container doesn't have permission to change kernel parameters.

I've abandoned the LXC container and I am now installing it in a regular VM, which appears to be working as expected (using the Rocky repos / native install instead of a podman/docker container).

I'll need to do some more testing with LXC but for the moment I'm going to consider this issue closed.