I am trying to run podman to pull images from a registry and repackage
them using YP Kirkstone.
My build host is Fedora 38 and podman is version 4.7.0.
podman is running newuidmap (I wouldn't understand why it does so when
doing just a 'pull' but that seems to be the case). newuidmap is failing.
I tried two different variants to run podman from a task in the recipe:
do_pull_image() {
podman --log-level debug pull alpine:latest
}
In this case podman runs newuidmap from build/tmp/hosttools:
| time="2023-11-01T01:49:27Z" level=error msg="running `/develop/projects/yocto/build/tmp/hosttools/newuidmap 205598 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Checking caps:
$ getcap /develop/projects/yocto/build/tmp/hosttools/newuidmap
has no output, albeit
$ ls -l /develop/projects/yocto/build/tmp/hosttools/newuidmap
lrwxrwxrwx. 1 rstreif rstreif 18 Oct 31 17:36 /develop/projects/yocto/build/tmp/hosttools/newuidmap -> /usr/bin/newuidmap
Apparently the link does not inherit the caps of the file it points to.
When I use:
do_pull_image() {
PATH=/usr/bin:${PATH} podman --log-level debug pull alpine:latest
}
| time="2023-11-01T01:50:12Z" level=error msg="running `/usr/bin/newuidmap 205783 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Checking caps:
$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap cap_setuid=ep
which is fine and works when using podman from a shell.
/etc/subuid and /etc/subgid are fine too:
$ cat /etc/subuid
rstreif:100000:65536
$ cat /etc/subgid
rstreif:100000:65536
I am not sure what's going on here and why it wouldn't be possible for
podman to set its uid map from within a recipe that is run by the user
who is running bitbake. Maybe someone has an idea?
Thanks,
Rudi
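
Added example, not part of the original message and not podman or Yocto code: it parses the newuidmap invocation out of the logged error, checks each requested mapping against the /etc/subuid entry quoted above, and reports whether a given uid_map is that of the initial user namespace. The function names are hypothetical, the inputs are constructed from the values in the message, and uid 1000 for rstreif is an assumption read off the `0 1000 1` mapping.

```python
import re

# Constructed sample inputs, built from the values quoted in the message.
LOG = ('level=error msg="running `/usr/bin/newuidmap 205783 0 1000 1 1 '
       '100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\\n"')
SUBUID = "rstreif:100000:65536\n"

def parse_newuidmap(log_line):
    """Return (pid, [(inside, outside, count), ...]) from a podman debug line."""
    m = re.search(r"newuidmap((?:\s+\d+)+)`", log_line)
    if not m:
        raise ValueError("no newuidmap invocation found")
    nums = [int(n) for n in m.group(1).split()]
    pid, rest = nums[0], nums[1:]
    if not rest or len(rest) % 3:
        raise ValueError("mappings must be (inside, outside, count) triples")
    return pid, [tuple(rest[i:i + 3]) for i in range(0, len(rest), 3)]

def subid_ranges(subid_text, user):
    """Collect (start, count) ranges granted to `user` in subuid/subgid text."""
    ranges = []
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges

def check_mappings(mappings, caller_uid, ranges):
    """Label each requested mapping as 'own-id', 'subid' or 'DENIED'."""
    verdicts = []
    for inside, outside, count in mappings:
        if count == 1 and outside == caller_uid:
            verdicts.append("own-id")   # mapping the caller's own uid
        elif any(s <= outside and outside + count <= s + n for s, n in ranges):
            verdicts.append("subid")    # fully inside a delegated range
        else:
            verdicts.append("DENIED")
    return verdicts

def in_initial_userns(uid_map_text):
    """True if /proc/<pid>/uid_map content is the initial identity mapping."""
    return uid_map_text.split() == ["0", "0", "4294967295"]

if __name__ == "__main__":
    pid, maps = parse_newuidmap(LOG)
    ranges = subid_ranges(SUBUID, "rstreif")
    print(pid, list(zip(maps, check_mappings(maps, 1000, ranges))))  # 1000: assumed uid
    with open("/proc/self/uid_map") as f:
        print("initial user namespace:", in_initial_userns(f.read()))
```

Running the script once from an interactive shell and once from inside the task lets the two uid_map results be compared directly.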