Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ephemeral lifecycle image, enabling podman support #2129

Merged
merged 5 commits into from
May 2, 2024
Merged

Add ephemeral lifecycle image, enabling podman support #2129

merged 5 commits into from
May 2, 2024

Conversation

BarDweller
Copy link
Contributor

@BarDweller BarDweller commented Apr 17, 2024
edited
Loading

Summary

Podman will set ownership for a volume based on ownership of the first mountpoint it is mounted to, or the executing uid/gid if the mountpoint is absent.

pack runs untrusted builds by running the first step (either detect or analyze depending on selected platform version) as root against a matched lifecycle image. Lifecycle images cannot contain a mountpoint for the workspace as lifecycle images are common across many builds that may not use the same uid/gid.

Thus with podman, pack ends up causing the workspace volume to end up owned by root.

Subsequent mounts of the volume are unable to undo the ownership applied by this initial mount, leading to builds failing against podman as it becomes impossible for the build uid/gid to create or remove files within the workspace directory.

This change introduces an ephemeral lifecycle container, akin to the ephemeral builder image already in use.

The ephemeral lifecycle image adds only the workspace directory to the selected lifecycle image, when a lifecycle image will be in use. The workspace directory is added owned by the current build uid/gid, and the ephemeral lifecycle image is used instead of the chosen lifecycle image for all container invocations that would have used the chosen lifecycle image.

Output

Before

Example errors from the build would indicate permissions/ownership of /workspace to be insufficient for the build to proceed.

[extender (build)]   Removing source code
[extender (build)] unable to invoke layer creator
[extender (build)] unable to remove /workspace/.dockerignore
[extender (build)] unlinkat /workspace/.dockerignore: permission denied

After

Afterwards, builds succeed as expected

Successfully built image '127.0.0.1:5000/bardweller/stilettos'

Documentation

  • Should this change be documented?
    • Yes, see #___
    • No

Related

Resolves #___

Updated to swap podman rootless, for just podman, as podman rootful is equally non-functional today

@github-actions github-actions bot added this to the 0.34.0 milestone Apr 17, 2024
@github-actions github-actions bot added the type/enhancement Issue that requests a new feature or improvement. label Apr 17, 2024
@BarDweller
Copy link
Contributor Author

This will help with

@github-actions github-actions bot added the type/chore Issue that requests non-user facing changes. label Apr 17, 2024
@BarDweller BarDweller changed the title Add ephemeral lifecycle image, enabling podman rootless support Add ephemeral lifecycle image, enabling podman support Apr 18, 2024
@BarDweller
add ephemeral lifecycle image
52adfe6 
Signed-off-by: Ozzy Osborne <bardweller@gmail.com>
@BarDweller BarDweller marked this pull request as ready for review April 19, 2024 17:52
@BarDweller BarDweller requested review from a team as code owners April 19, 2024 17:52
@jjbustamante jjbustamante removed this from the 0.34.0 milestone Apr 22, 2024
@natalieparellano natalieparellano added this to the 0.34.0 milestone Apr 25, 2024
natalieparellano
natalieparellano approved these changes Apr 25, 2024
View reviewed changes
Copy link
Member

@natalieparellano natalieparellano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thanks for the PR @BarDweller 🙏🏼

@jjbustamante
Copy link
Member

@BarDweller I think I am fine with this one, if you can address the comments from Natalie I will merge it on Monday :)

jjbustamante and others added 3 commits April 29, 2024 10:04
@jjbustamante @BarDweller
Updating go version to 1.22.x
c3be6a9 
Signed-off-by: Juan Bustamante <jbustamante@vmware.com>
Signed-off-by: Ozzy Osborne <bardweller@gmail.com>
@BarDweller
Updates from Review comments
5796080 
Signed-off-by: Ozzy Osborne <bardweller@gmail.com>
@jjbustamante @BarDweller
Updating default lifecycle version to 0.19.3
29192dd 
Signed-off-by: Juan Bustamante <jbustamante@vmware.com>
Signed-off-by: Ozzy Osborne <bardweller@gmail.com>
@BarDweller
Merge upstream/main to branch
e90aa83 
Signed-off-by: Ozzy Osborne <bardweller@gmail.com>
jjbustamante
jjbustamante approved these changes May 2, 2024
View reviewed changes
Copy link
Member

@jjbustamante jjbustamante left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jjbustamante jjbustamante merged commit dc59461 into buildpacks:main May 2, 2024
16 checks passed
@natalieparellano natalieparellano mentioned this pull request May 2, 2024
Open
@natalieparellano natalieparellano mentioned this pull request Jul 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jjbustamante jjbustamante jjbustamante approved these changes

@natalieparellano natalieparellano natalieparellano approved these changes

Assignees
No one assigned
Labels
type/chore Issue that requests non-user facing changes. type/enhancement Issue that requests a new feature or improvement.
Projects
None yet
Milestone
0.34.0
Development

Successfully merging this pull request may close these issues.
3 participants
@BarDweller @jjbustamante @natalieparellano