I am trying to run podman to pull images from a registry and repackage them using YP Kirkstone.

My build host is Fedora 38 and podman is version 4.7.0

podman is running newuidmap (I don't understand why it does so for just a 'pull', but that seems to be the case). newuidmap is failing.

I tried two different variants of running podman from a task in the recipe:

do_pull_image() {
    podman --log-level debug pull alpine:latest
}

In this case podman runs newuidmap from build/tmp/hosttools:

| time="2023-11-01T01:49:27Z" level=error msg="running `/develop/projects/yocto/build/tmp/hosttools/newuidmap 205598 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"

Checking caps:

$ getcap /develop/projects/yocto/build/tmp/hosttools/newuidmap

has no output, although

$ ls -l /develop/projects/yocto/build/tmp/hosttools/newuidmap
lrwxrwxrwx. 1 rstreif rstreif 18 Oct 31 17:36 /develop/projects/yocto/build/tmp/hosttools/newuidmap -> /usr/bin/newuidmap

Apparently the link does not inherit the caps of the file it points to.


When I use:

do_pull_image() {
    PATH=/usr/bin:${PATH} podman --log-level debug pull alpine:latest
}

| time="2023-11-01T01:50:12Z" level=error msg="running `/usr/bin/newuidmap 205783 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"

Checking caps:

$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap cap_setuid=ep

which is fine and works when using podman from a shell.

/etc/subuid and /etc/subgid are fine too:

$ cat /etc/subuid
rstreif:100000:65536

$ cat /etc/subgid
rstreif:100000:65536


I am not sure what's going on here and why it wouldn't be possible for podman to set its uid map from within a recipe that is run by the user who is running bitbake. Maybe someone has an idea?


Thanks,
Rudi


View/Reply Online (#61545): https://lists.yoctoproject.org/g/yocto/message/61545
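A preflight script for the three things the post inspects (whether the task already runs inside a user namespace, the file capabilities on the newuidmap binary the kernel will actually execute, and the /etc/subuid entry), added here as an example; it is not code from the post, nor from podman or bitbake. It assumes a Linux host with readlink -f, getcap and /proc/self/uid_map, and it carries a constructed two-line /etc/subuid sample for its self-check; the user name rstreif in that sample is taken from the post.

```shell
#!/bin/sh
# Preflight for rootless podman inside a bitbake task. Added example, not
# code from the post or from podman/bitbake. Run with --check to inspect the
# live system; without the flag it only defines the functions.

# Constructed sample in /etc/subuid format, used for the self-check.
SAMPLE_SUBUID='rstreif:100000:65536
other:165536:65536'

# uid_map_is_initial MAPTEXT
# Succeeds if MAPTEXT (the content of /proc/self/uid_map) is the identity
# mapping of the initial user namespace, "0 0 4294967295"; fails otherwise.
uid_map_is_initial() {
    # shellcheck disable=SC2086  (word splitting of $1 is intended here)
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# subid_range FILETEXT USER
# Prints "start count" for USER from text in /etc/subuid or /etc/subgid
# format; fails if USER has no entry.
subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { print $2, $3; found = 1 }
        END { exit !found }'
}

# resolve_target PATH
# Prints the path the kernel actually executes, with symlinks resolved.
# File capabilities live in the security.capability xattr of that final
# inode, so this is the path to hand to getcap.
resolve_target() {
    readlink -f "$1"
}

# preflight
# Runs the checks against the live system and reports; returns non-zero on
# the first hard failure.
preflight() {
    me=$(id -un)
    map=$(cat /proc/self/uid_map)
    if uid_map_is_initial "$map"; then
        echo "ok:   running in the initial user namespace"
    else
        # shellcheck disable=SC2086
        echo "warn: already inside a user namespace (uid_map: $(echo $map))"
        echo "      file capabilities granted in the initial namespace are only"
        echo "      honoured here if that namespace's uid 0 is mapped into this one"
    fi

    bin=$(command -v newuidmap) || { echo "fail: newuidmap not on PATH"; return 1; }
    target=$(resolve_target "$bin")
    caps=$(getcap "$target" 2>/dev/null)
    echo "info: newuidmap is $bin -> $target"
    echo "info: caps on target: ${caps:-none reported (no xattr, or getcap missing)}"

    if range=$(subid_range "$(cat /etc/subuid)" "$me"); then
        echo "ok:   /etc/subuid gives $me the range $range"
    else
        echo "fail: no /etc/subuid entry for $me"
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it as "sh preflight.sh --check" once from the build host's shell and once from inside the task, and compare the two reports: the post shows the same EPERM from both the hosttools symlink and /usr/bin, and the resolve_target step shows why the two cases are the same binary as far as the kernel is concerned. One caveat the post does not mention and that is worth settling first: bitbake in Kirkstone runs a task inside a fresh user and network namespace unless the recipe sets do_pull_image[network] = "1", and a podman pull needs network access in any case, so that flag belongs on the task before anything else is debugged; the user-namespace check above shows whether the task is still running inside a namespace after the flag is set.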