redhat-actions / buildah-build

GitHub Action to use 'buildah' to build a container image.
https://github.com/marketplace/actions/buildah-build
MIT License

[BUG] When building a containerfile, ADD with checksum flag fails even with buildah 1.33.7 on Ubuntu 24.04 runners #142

Closed samhclark closed 2 months ago

samhclark commented 2 months ago

Version

redhat-actions/buildah-build@v2

On Ubuntu 24.04 runner, using buildah 1.33.7

Describe the bug

A containerfile that uses the --checksum flag on the ADD command should work; it's been supported since buildah 1.33.0

Instead, I get the error: ADD only supports the --chmod=<permissions> and the --chown=<uid:gid> flag

(more complete logs)

STEP 1/2: FROM scratch
STEP 2/2: ADD --checksum=sha256:b9f30418d8250cac56c2eb6d6fe56f80d316b9996a041df162095f45920dede7     https://github.com/containers/buildah/archive/refs/tags/v1.37.1.tar.gz     buildah-1.37.1.tar.gz
Error: building at STEP "ADD --checksum=sha256:b9f30418d8250cac56c2eb6d6fe56f80d316b9996a041df162095f45920dede7 https://github.com/containers/buildah/archive/refs/tags/v1.37.1.tar.gz buildah-1.37.1.tar.gz": ADD only supports the --chmod=<permissions> and the --chown=<uid:gid> flag
Error: Error: buildah exited with code 125
Error: building at STEP "ADD --checksum=sha256:b9f30418d8250cac56c2eb6d6fe56f80d316b9996a041df162095f45920dede7 https://github.com/containers/buildah/archive/refs/tags/v1.37.1.tar.gz buildah-1.37.1.tar.gz": ADD only supports the --chmod=<permissions> and the --chown=<uid:gid> flag

Steps to reproduce, workflow links, screenshots

Here's a link to a complete minimal example: https://github.com/samhclark/buildah-checksum

To inline some of that here...

A containerfile, Containerfile:

FROM scratch
ADD --checksum=sha256:b9f30418d8250cac56c2eb6d6fe56f80d316b9996a041df162095f45920dede7 \
    https://github.com/containers/buildah/archive/refs/tags/v1.37.1.tar.gz \
    buildah-1.37.1.tar.gz

A build workflow, .github/workflows/build.yaml:

name: build-checksum-test
on:
  workflow_dispatch:

jobs:
  build_container:
    name: main
    runs-on: ubuntu-24.04

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Buildah Build
        uses: redhat-actions/buildah-build@v2
        with:
          containerfiles: |
            ./Containerfile
          image: myimage
          tags: |
            ${{ github.sha }}

Running that workflow shows that it is using buildah 1.33.7:

Run redhat-actions/buildah-build@v2
  with:
    containerfiles: ./Containerfile

    image: myimage
    tags: d1dc57d2481d41d7ef66c98835e9c7b842997dc8
    context: .
    oci: false
    tls-verify: true
/usr/bin/buildah version
  /usr/bin/buildah version
  Version:         1.33.7
  Go Version:      go1.22.2
  Image Spec:      1.1.0-rc.5
  Runtime Spec:    1.1.0
  CNI Spec:        1.0.0
  libcni Version:  
  image Version:   5.29.2
  Git Commit:      
  Built:           Thu Jan  1 00:00:00 1970
  OS/Arch:         linux/amd64
  BuildPlatform:   linux/amd64

And yet, I get the error above: ADD only supports the --chmod=<permissions> and the --chown=<uid:gid> flag

A link to the exact workflow (I think these are public): https://github.com/samhclark/buildah-checksum/actions/runs/10463728712/job/28976181216


Sorry if I'm missing something obvious, I'm new to GitHub Actions, but I can't figure out why this is failing.

samhclark commented 2 months ago

Closing this because it doesn't look like your issue. Sorry about that. Ubuntu patched out the support for --checksum.


The GitHub Actions Ubuntu 24.04 runner really does have buildah v1.33.7. Installing a fresh Ubuntu Server 24.04 VM also gives buildah v1.33.7. From that VM, buildah build -f Containerfile -t 'myimage:latest' also fails with the same error.

The changelog for the current buildah package in Ubuntu 24.04 Noble has this patch:

golang-github-containers-buildah (1.33.1+ds1-1) experimental; urgency=medium

  * New upstream release
  * Revert heredoc and --checksum support in Dockerfiles to workaround ancient
    docker.io package in Debian, cf #1051202

 -- Reinhard Tartler <siretart@tauware.de>  Fri, 24 Nov 2023 12:43:20 +0000

That references this now-closed Debian issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051202


So, yeah, Ubuntu applies a patch that removes the --checksum functionality from their version of buildah, hence why that feature is missing even though the version looks right. Hope I didn't send anyone on a wild goose chase.
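
Added example, not part of the original thread or of buildah: a pre-build check for runners whose distro-patched buildah rejects `ADD --checksum`. It reads the `sha256` pins out of a Containerfile (handling the backslash continuations used in the issue) and verifies an already-downloaded file against the pin, so the integrity check is not lost when the flag is unavailable. The function names are hypothetical and `SAMPLE` is the Containerfile from the issue.

```python
import hashlib
import re

# Containerfile from the issue, reproduced as sample input.
SAMPLE = r"""FROM scratch
ADD --checksum=sha256:b9f30418d8250cac56c2eb6d6fe56f80d316b9996a041df162095f45920dede7 \
    https://github.com/containers/buildah/archive/refs/tags/v1.37.1.tar.gz \
    buildah-1.37.1.tar.gz
"""

# Flag form used in the issue: --checksum=sha256:<64 hex characters>
_PIN = re.compile(r"^--checksum=sha256:([0-9a-fA-F]{64})$")


def pinned_adds(containerfile_text):
    """Return (digest, source, dest) for each ADD carrying --checksum=sha256:<hex>."""
    # Join backslash continuations so every instruction is one logical line.
    joined = re.sub(r"\\[ \t]*\r?\n", " ", containerfile_text)
    pins = []
    for line in joined.splitlines():
        words = line.split()
        if len(words) < 4 or words[0].upper() != "ADD":
            continue
        flags = [w for w in words[1:] if w.startswith("--")]
        args = [w for w in words[1:] if not w.startswith("--")]
        digests = [m.group(1).lower() for m in map(_PIN.match, flags) if m]
        # Only the single-source form "ADD <flags> <source> <dest>" is handled.
        if digests and len(args) == 2:
            pins.append((digests[0], args[0], args[1]))
    return pins


def verify_file(path, expected_hex):
    """True only if the file's SHA-256 equals the pinned digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for digest, source, dest in pinned_adds(SAMPLE):
        print(f"fetch {source} to {dest}, then require sha256 {digest}")
```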