knative / func

Knative Functions client API and CLI
Apache License 2.0

func can't build with untrusted builder image #2516

Open yozel opened 2 months ago

yozel commented 2 months ago

We are trying to use our own builder image, and it fails with the following error:

[detector] ERROR: failed to write group file: open /layers/group.toml: permission denied

We noticed that this only happens because our builder image is not trusted, which is a hardcoded list.

Steps to reproduce

Create the function

knative-func $ func create -l go

It's successfully building with default builder image

knative-func $ func build --builder=pack --builder-image=ghcr.io/knative/builder-jammy-tiny:0.0.240
Building function image
Still building
Still building
Yes, still building
🙌 Function built: index.docker.io/tigerteam/knative-func:latest

Pull and create a tag for the default builder image

knative-func $ docker pull ghcr.io/knative/builder-jammy-tiny:0.0.240
knative-func $ docker tag ghcr.io/knative/builder-jammy-tiny:0.0.240 builder-jammy-tiny:0.0.240-local

Run build with the new tag

knative-func $ func build --builder=pack --builder-image=builder-jammy-tiny:0.0.240-local
Building function image
Error: executing lifecycle: failed with status code: 1

With verbose logging

knative-func $ func build --builder=pack --builder-image=builder-jammy-tiny:0.0.240-local -v
Building function image
Pulling image index.docker.io/library/builder-jammy-tiny:0.0.240-local
CheckReadAccess succeeded for the run image index.docker.io/paketobuildpacks/run-jammy-tiny:latest
Selected run image index.docker.io/paketobuildpacks/run-jammy-tiny:latest
Pulling image index.docker.io/paketobuildpacks/run-jammy-tiny:latest with platform linux/amd64
latest: Pulling from paketobuildpacks/run-jammy-tiny
Digest: sha256:fac4a3749284e198247f4ead26fd8ee2816c4db428ebb44fbfd19e6fef6309dc
Status: Image is up to date for paketobuildpacks/run-jammy-tiny:latest
Pulling image docker.io/buildpacksio/lifecycle:553c041 with platform linux/amd64
553c041: Pulling from buildpacksio/lifecycle
Digest: sha256:41ed46de4c426cd8462ae0e6fca8745f71432236f0c6aa6bfaa956b9d1704bcf
Status: Image is up to date for buildpacksio/lifecycle:553c041
Creating ephemeral lifecycle from docker.io/buildpacksio/lifecycle:553c041 with uid 1001 and gid 1000. With workspace dir
Selecting ephemeral lifecycle image pack.local/lifecycle/707870746e6b6c6d7271:latest for build
Creating builder with the following buildpacks:
-> paketo-community/rust@0.47.0
-> paketo-buildpacks/procfile@5.7.0
-> paketo-buildpacks/syft@1.46.0
-> paketo-community/cargo@0.11.1
-> paketo-community/rust-dist@1.27.1
-> paketo-community/rustup@1.11.0
-> dev.knative-extensions.go@0.0.6
-> paketo-buildpacks/go@4.8.0
-> paketo-buildpacks/ca-certificates@3.6.8
-> paketo-buildpacks/environment-variables@4.5.7
-> paketo-buildpacks/git@1.0.8
-> paketo-buildpacks/go-build@2.2.1
-> paketo-buildpacks/go-dist@2.5.0
-> paketo-buildpacks/go-mod-vendor@1.0.29
-> paketo-buildpacks/image-labels@4.5.6
-> paketo-buildpacks/procfile@5.6.9
-> paketo-buildpacks/watchexec@2.9.0
-> paketo-buildpacks/java-native-image@9.1.0
-> paketo-buildpacks/bellsoft-liberica@10.5.5
-> paketo-buildpacks/ca-certificates@3.6.8
-> paketo-buildpacks/datadog@5.7.0
-> paketo-buildpacks/environment-variables@4.5.7
-> paketo-buildpacks/executable-jar@6.8.5
-> paketo-buildpacks/gradle@7.9.0
-> paketo-buildpacks/image-labels@4.5.6
-> paketo-buildpacks/leiningen@4.7.1
-> paketo-buildpacks/maven@6.15.14
-> paketo-buildpacks/native-image@5.12.9
-> paketo-buildpacks/procfile@5.6.9
-> paketo-buildpacks/quarkus@0.2.5
-> paketo-buildpacks/sbt@6.12.13
-> paketo-buildpacks/spring-boot@5.27.11
-> paketo-buildpacks/syft@1.45.0
-> paketo-buildpacks/upx@3.4.8
-> paketo-buildpacks/java@12.1.0
-> paketo-buildpacks/apache-tomcat@7.15.3
-> paketo-buildpacks/apache-tomee@1.8.2
-> paketo-buildpacks/azure-application-insights@5.18.3
-> paketo-buildpacks/bellsoft-liberica@10.5.5
-> paketo-buildpacks/ca-certificates@3.6.8
-> paketo-buildpacks/clojure-tools@2.8.17
-> paketo-buildpacks/datadog@5.7.0
-> paketo-buildpacks/dist-zip@5.6.10
-> paketo-buildpacks/encrypt-at-rest@4.5.18
-> paketo-buildpacks/environment-variables@4.5.7
-> paketo-buildpacks/executable-jar@6.8.5
-> paketo-buildpacks/google-stackdriver@9.0.1
-> paketo-buildpacks/gradle@7.9.0
-> paketo-buildpacks/image-labels@4.5.6
-> paketo-buildpacks/jattach@1.6.1
-> paketo-buildpacks/java-memory-assistant@1.4.11
-> paketo-buildpacks/leiningen@4.7.1
-> paketo-buildpacks/liberty@4.0.4
-> paketo-buildpacks/maven@6.15.14
-> paketo-buildpacks/node-engine@3.2.2
-> paketo-buildpacks/procfile@5.6.9
-> paketo-buildpacks/quarkus@0.2.5
-> paketo-buildpacks/sbt@6.12.13
-> paketo-buildpacks/spring-boot@5.27.11
-> paketo-buildpacks/syft@1.45.0
-> paketo-buildpacks/watchexec@2.9.0
-> paketo-buildpacks/yarn@1.3.2
-> paketo-buildpacks/procfile@5.7.0
Using build cache volume pack-cache-tigerteam_knative-func_latest-87f1fbc5c86d.build
===> ANALYZING
Running the analyzer on OS linux from image pack.local/lifecycle/707870746e6b6c6d7271:latest with:
Container Settings:
  Args: /cnb/lifecycle/analyzer -gid 0 -uid 0 -log-level debug -daemon -run /layers/run.toml -run-image index.docker.io/paketobuildpacks/run-jammy-tiny:latest -launch-cache /launch-cache index.docker.io/tigerteam/knative-func:latest
  System Envs: CNB_USER_ID=1001 CNB_GROUP_ID=1000 CNB_PLATFORM_API=0.13
  Image: pack.local/lifecycle/707870746e6b6c6d7271:latest
  User: root
  Labels: map[author:pack]
Host Settings:
  Binds: /var/run/docker.sock:/var/run/docker.sock pack-cache-tigerteam_knative-func_latest-87f1fbc5c86d.launch:/launch-cache pack-layers-acmbyzlhkj:/layers pack-app-mzcxvpshoy:/workspace
  Network Mode:
[analyzer] Starting analyzer...
[analyzer] Parsing inputs...
[analyzer] Ensuring privileges...
[analyzer] Executing command...
[analyzer] Timer: Analyzer started at 2024-09-24T09:41:56Z
[analyzer] Found image with identifier "f829c1c66b55b4cc96c91183ea7902e17a55c1a9ba90fbe1051d521bd4e93514"
[analyzer] Restoring data for SBOM from previous image
[analyzer] Retrieving previous image SBOM layer for "sha256:fd1dcfdd1afb7dd174c6631f68c0efef895b19a51946b4fc349b1fcdfef8b878"
[analyzer] Found image with identifier "14e5b5794559c7e301229f2e51ac9ced13aff43206e019d0cd1548f5c7e84552"
[analyzer] Timer: Analyzer ran for 4.048334ms and ended at 2024-09-24T09:41:56Z
[analyzer] Run image info in analyzed metadata is:
[analyzer] {"Reference":"14e5b5794559c7e301229f2e51ac9ced13aff43206e019d0cd1548f5c7e84552","Image":"index.docker.io/paketobuildpacks/run-jammy-tiny:latest","Extend":false,"target":{"os":"linux","arch":"amd64"}}
===> DETECTING
Running the detector on OS linux from image pack.local/builder/676e6767636669706568:latest with:
Container Settings:
  Args: /cnb/lifecycle/detector -app /workspace -log-level debug
  System Envs: CNB_PLATFORM_API=0.13
  Image: pack.local/builder/676e6767636669706568:latest
  User:
  Labels: map[author:pack]
Host Settings:
  Binds: pack-layers-acmbyzlhkj:/layers pack-app-mzcxvpshoy:/workspace
  Network Mode:
[detector] Starting detector...
[detector] Parsing inputs...
[detector] Ensuring privileges...
[detector] Executing command...
[detector] Timer: Detector started at 2024-09-24T09:41:56Z
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  [{ubuntu 18.04}]}
[detector] ======== Output: paketo-buildpacks/procfile@5.7.0 ========
[detector] SKIPPED: No procfile found from either source path or binding.
[detector] ======== Results ========
[detector] pass: paketo-community/rustup@1.11.0
[detector] pass: paketo-community/rust-dist@1.27.1
[detector] pass: paketo-buildpacks/syft@1.46.0
[detector] fail: paketo-community/cargo@0.11.1
[detector] skip: paketo-buildpacks/procfile@5.7.0
[detector] ======== Results ========
[detector] pass: paketo-buildpacks/go-dist@2.5.0
[detector] pass: dev.knative-extensions.go@0.0.6
[detector] Resolving plan... (try #1)
[detector] paketo-buildpacks/go-dist 2.5.0
[detector] dev.knative-extensions.go 0.0.6
[detector] Timer: Detector ran for 168.826167ms and ended at 2024-09-24T09:41:56Z
[detector] ERROR: failed to write group file: open /layers/group.toml: permission denied

Error: failed to build the function: executing lifecycle: failed with status code: 1
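The issue above turns on the fact that the trusted-builder decision is keyed on the image *name* (a hardcoded prefix list), not on the image content: pulling the default builder and retagging it as `builder-jammy-tiny:0.0.240-local` yields a byte-identical image that is nevertheless treated as untrusted and run through the separate, less-privileged lifecycle phases where the detector fails. The following Go snippet is an added illustration of that name-based check, not code from the func project; the prefix list is an assumption standing in for func's real hardcoded list.

```go
package main

import (
	"fmt"
	"strings"
)

// trustedBuilderPrefixes is an assumed stand-in for func's hardcoded list.
// Only the knative builder prefix is taken from the issue; the real list
// lives in the func source and may differ.
var trustedBuilderPrefixes = []string{
	"ghcr.io/knative/builder-",
}

// normalizeRef expands a short image reference the way a registry client
// does: no registry host -> index.docker.io, no namespace -> library/.
// This is why the verbose log shows the retagged builder as
// index.docker.io/library/builder-jammy-tiny:0.0.240-local.
func normalizeRef(ref string) string {
	firstSlash := strings.Index(ref, "/")
	if firstSlash < 0 {
		return "index.docker.io/library/" + ref
	}
	host := ref[:firstSlash]
	if host == "localhost" || strings.ContainsAny(host, ".:") {
		return ref // explicit registry host (e.g. ghcr.io, localhost:5000)
	}
	return "index.docker.io/" + ref // e.g. tigerteam/knative-func:latest
}

// isTrustedBuilder is a name-prefix trust check. Because it never looks at
// the digest, the same image retagged under a local name is untrusted, and
// pack then runs the lifecycle phase by phase (detector without the Docker
// socket and as the image's default user) instead of the single creator.
func isTrustedBuilder(ref string) bool {
	full := normalizeRef(ref)
	for _, p := range trustedBuilderPrefixes {
		if strings.HasPrefix(full, p) {
			return true
		}
	}
	return false
}

func main() {
	for _, r := range []string{
		"ghcr.io/knative/builder-jammy-tiny:0.0.240",
		"builder-jammy-tiny:0.0.240-local",
	} {
		fmt.Printf("%-45s trusted=%v\n", r, isTrustedBuilder(r))
	}
}
```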
fuson commented 21 hours ago

+ the official https://buildpacks.io/docs/for-app-developers/how-to/special-cases/build-for-arm/ for arm64 recommends docker.io/heroku/buildpacks:24

pls fix this, it's ok to write warnings about untrusted builder images, but NOT OK to fail the build.