Unable to do podman pull starting with version 4.4.1 #745
Comments
|
does the same thing happen with v4.4.4 ? As far as i know, the docker build process between 4.4.0 and 4.4.1 should be the same. |
|
Yes, it does, I originally wanted to use version v4.4.4 (yesterday...) to test the X-Forwarded-Host |
|
It looks like some npm package may be trying to set a specific chown for /usr/src/app/node_modules/content-type/HISTORY.md but it seems it can't because of non-root user limits/range. However if someone knows exactly what I should run to set these properly I could try that. |
It's something that should be fixed at build time and not at runtime, due to the root-less context. HTH, |
|
Did you try running the 'podman-system-migrate' it suggests? From https://docs.podman.io/en/latest/markdown/podman-system-migrate.1.html |
|
The docker image makes a node user at build and tries to run as that user, just FYI |
Yes, I tried that, but it did not work. Podman was giving an unexpected error kind of message (where nothing would work at all), so I reverted back my changes. I'll try again differntly to see. |
|
Just wondering, i wasn't sure it would help. it kind of sounds like it is out of UIDs to assign. |
|
Ok, this time it worked. I edited my subuid and subgid directly. Previously I used the usermod --add-subuids and usermod --add-subgids commands which wasn't doing what I thought would do (as mentioned here: containers/podman#12715) I'm not sure if there are other implications for changing these limits and if that would cause other issues in the future. |
|
I wonder if we should be setting a consistent UID for the node user the docker image creates. that UID does seem really high...i wonder if that is the UID of the node user we create. |
|
I think this would be great, I was thinking that too. Maybe changing the UID somehow. |
|
My thinking is it would be done where we add the user https://github.com/maptiler/tileserver-gl/blob/master/Dockerfile#L59-L60 I have seen that in similar uses before, like https://github.com/nodejs/docker-node/blob/main/docs/BestPractices.md#non-root-user where a uid for the user and group is set in the adduser and addgroup commands. |
It's the one My guessing is that we should HTH, |
|
Related: projectkudu/kudu#2512 (comment) I am experiencing this issue as well when pulling the image inside of dind, e.g. to replicate: $ docker run --privileged -it --rm --entrypoint sh docker:23-dind-rootless -c "dockerd-entrypoint.sh & sleep 10; DOCKER_HOST=unix:///run/user/1000/docker.sock docker pull maptiler/tileserver-gl
whereas v4.4.0 seems to be working: docker run --privileged -it --rm --entrypoint sh docker:23-dind-rootless -c "dockerd-entrypoint.sh & sleep 10; DOCKER_HOST=unix:///run/user/1000/docker.sock docker pull maptiler/tileserver-gl:v4.4.0
|
|
Unfortunately I don't have an answer for this. I'd welcome a PR if someone has ideas on how to fix this. My feeling is this issue is local to your user mapping in your local environment, but this type of situation may be improved if we set a specific uid on the node user we are creating in the dockerfile. but that is a guess based on some other PRs I have seen. |
|
you van not reproduce with the command above? |
|
I can confirm with the command you gave I get the same error. I tried to replicate it using my own fork, with However when I try with my fork, it works...hmm |
|
I think I figured out a fix to this in v4.4.7. It seems like the permissions in the content-type dependency files (inside the docker image) changed between 4.4.0 to 4.4.1(-4.4.6). For some reason those files changed from being owned by root, to a high UID user 1516583083. Only the files in this folder seem to have this high UID user. At first I was thinking maybe this was caused by stangness with the github workflow, however In testing I found this happened even if I built it locally on ubuntu. I was looking into the error message and decided to try and look at the permissions by bypassing the entrypoint. For v4.4.0 I ran However if you look at v.4.4.1 (to v4.4.6), you can see eveything in that folder is owned by a high UID user In v4.4.7 I added a chmod to the DockerFile that sets the files in /usr/src/app/ to be owned by root, and this seems to fix the issue.
|
|
I found this article that mentions this issue |
|
@jfgaudreault-p can you confirm this is working again in v4.4.7 |
|
I had to revert back my extended uids in /etc to revert back my previous changes, and yes I was able to confirm that the new image 4.4.7 no longer give the error! (I also confirmed the older one was giving the error again after I reverted my workaround changes). Thanks a lot! |
|
Good to hear. I'll close this issue for now. v4.4.8 was just released which should fix this issue in the light version too. there is also another SIGTERM fix which related to podman. If you have any issues with the new version let us know. |
When I do
as a NON-root user, (or any newer version of tileserver-gl) I get an error with podman:
This wasn't happening with v4.4.0 or before.
I looked at podman issue list and tried some solutions for similar problems, but so far I have been unsuccessful.
Any help on that would be appreciated.
Also, I am posting this here in case this has to do with the way the container is built that could have changed since it was working fine before.
I am using podman 4.3.1, but was using 3.4.4 before upgrading but geting the same error.
I am on Ubuntu 22.04 based ditro (PopOS).
The issue was also reproduced on Mac inside a linux fedora-coreos-37.20230122.2.0 install and the same problem happen as non-root.
It works as root, but that is not the recommended way for podman.
The text was updated successfully, but these errors were encountered: