genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
MIT License

setting up img Dockerfile #342

Open paleozogt opened 3 years ago

paleozogt commented 3 years ago

I'd like to run img from Docker, but from a Debian-based image:

FROM debian:buster

# uidmap provides newuidmap/newgidmap, which img needs when run unprivileged
RUN apt-get update && apt-get install -y \
        curl \
        git \
        uidmap \
 && rm -rf /var/lib/apt/lists/*

# fetch the pinned v0.5.11 release binary and verify its SHA-256 before making it executable
RUN export IMG_SHA256="cc9bf08794353ef57b400d32cd1065765253166b0a09fba360d927cfbd158088" \
 && curl -fSL "https://github.com/genuinetools/img/releases/download/v0.5.11/img-linux-amd64" -o "/usr/bin/img" \
 && echo "${IMG_SHA256}  /usr/bin/img" | sha256sum -c - \
 && chmod a+x "/usr/bin/img"

# create an unprivileged user (uid 1000); no USER directive follows, so the entrypoint still runs as root
ARG USERNAME=user
RUN adduser --gecos "" --disabled-password --uid 1000 $USERNAME

ENTRYPOINT [ "/usr/bin/img" ]

But building and running it fails:

$ docker build -t myimg .
...
$ docker run --rm -it -v$PWD:$PWD -w$PWD \
   --security-opt seccomp=unconfined \
   --security-opt apparmor=unconfined \
   myimg build -t myimg .
Building docker.io/library/myimg:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs:
WARN[0000] using host network as the default
[+] Building 3.1s (2/2) FINISHED
 => [internal] load .dockerignore                           3.1s
 => => transferring context: 2B                             0.0s
 => [internal] load build definition from Dockerfile        3.1s
 => => transferring dockerfile: 596B                        0.1s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount483403341: [{Type:bind Source:/root/.local/share/img/runc/native/snapshots/snapshots/1 Options:[rbind ro]}]: operation not permitted

However, running with the standard r.j3ss.co/img image works:

$ docker run --rm -it -v$PWD:$PWD -w$PWD \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    r.j3ss.co/img build -t myimg .
Building docker.io/library/foo:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 24.9s (9/9) FINISHED
...
Successfully built docker.io/library/foo:latest

Clearly something is missing from my Dockerfile, but I'm not sure what.
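A preflight check, added here as an example and not code from genuinetools/img or from the issue author, that can be run inside a container image like the one above before invoking img. It tests the prerequisites the img README lists for running unprivileged: a non-root uid, the newuidmap/newgidmap helpers (the Debian uidmap package already installed by the posted Dockerfile), and /etc/subuid and /etc/subgid entries for the running user. The subordinate-ID range 100000:65536 in the hint text and the Debian-specific unprivileged_userns_clone sysctl are illustrative assumptions; the script does not claim to diagnose the particular EPERM in the report.

```shell
#!/bin/sh
# img rootless preflight (added example, not part of genuinetools/img).
# Assumptions are marked in comments; the ID range in the hint is illustrative.

# subid_has_mapping NAME TEXT
# Return 0 if TEXT (lines in /etc/subuid format, "name:start:count") grants
# NAME at least one subordinate ID, 1 otherwise. A count of 0 does not count.
subid_has_mapping() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u && $3 + 0 > 0 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_rootless_prereqs
# Print one FAIL line per unmet requirement and return 1; return 0 if all pass.
check_rootless_prereqs() {
    rc=0
    me=$(id -un)

    # Assumption: img only sets up its unprivileged user namespace for a
    # non-root uid, and the published image runs as a non-root "user".
    # The posted Dockerfile creates "user" but never switches to it.
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: running as uid 0; use an unprivileged user (e.g. USER user)"
        rc=1
    fi

    # newuidmap/newgidmap write the uid/gid maps for the new user namespace.
    for bin in newuidmap newgidmap; do
        if ! command -v "$bin" >/dev/null 2>&1; then
            echo "FAIL: $bin not found (Debian package: uidmap)"
            rc=1
        fi
    done

    # Without a subordinate range, newuidmap/newgidmap refuse to map any IDs.
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ] && subid_has_mapping "$me" "$(cat "$f")"; then
            :
        else
            echo "FAIL: no subordinate ID range for $me in $f (e.g. echo \"$me:100000:65536\" >> $f)"
            rc=1
        fi
    done

    # Debian kernels expose a sysctl that can disable unprivileged user
    # namespaces entirely; other distributions may not have this file.
    sysctl=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$sysctl" ] && [ "$(cat "$sysctl")" = 0 ]; then
        echo "FAIL: unprivileged user namespaces are disabled ($sysctl = 0)"
        rc=1
    fi

    return "$rc"
}

# Run the check and report the outcome.
if check_rootless_prereqs; then
    echo "OK: rootless prerequisites satisfied for $(id -un)"
else
    echo "fix the items above before running img"
fi
```

To use it as an entrypoint guard, replace the final if-block with `check_rootless_prereqs || exit 1` and then `exec /usr/bin/img "$@"`, so a misconfigured image refuses to start img instead of failing later with an opaque mount error.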

alex-bes commented 2 years ago

Hi paleozogt! Did you manage to fix this? I'm facing a very similar issue now...

paleozogt commented 2 years ago

@alex-bes Sadly, no, I wasn't able to figure it out.