`container_run_and_extract` does not work with Podman
nyoxi opened this issue · comments
🐞 bug report
Affected Rule
The issue is caused by the rule: container_run_and_extract
when run with Podman.
Is this a regression?
I don't have prior experience and I cannot answer this.
Description
When Podman is used instead of Docker to run containers together with linux-sandbox
in Bazel, the execution of container_run_and_extract
command fails with errors because of read-only mounts. E.g.:
time="2023-04-27T05:31:22-04:00" level=error msg="set sticky bit on: chmod /run/user/1000/libpod: read-only file system"
When I try to workaround it by adding several --sandbox_writable_path
arguments the build further fails with:
time="2023-04-27T05:57:26-04:00" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
time="2023-04-27T05:57:26-04:00" level=error msg="running `/usr/bin/newuidmap 21 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
time="2023-04-27T05:57:26-04:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"
I am running it as a non-root user if that is relevant.
🔬 Minimal Reproduction
container_run_and_extract(
name = "test",
commands = [
"echo test > /test",
],
extract_file = "/test",
image = "@centos9//image",
)
🔥 Exception or Error
See the description above.
🌍 Your Environment
Operating System:
CentOS Stream 9
Output of bazel version
:
5.4.0
Rules_docker version:
0.25.0
Anything else relevant?
I forgot to mention that a workaround is to use different sandboxing and with --spawn_strategy=processwrapper-sandbox
it works ok. Obviously with all the security implication of it.