Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

podman build injects empty /etc/resolv.conf into generated layers #4242

Open
cgwalters opened this issue Sep 13, 2022 · 13 comments
Open

podman build injects empty /etc/resolv.conf into generated layers #4242

cgwalters opened this issue Sep 13, 2022 · 13 comments

Comments

@cgwalters
Copy link

cgwalters commented Sep 13, 2022

Description

$ rpm -q podman
podman-4.2.0-2.fc36.x86_64
$ cat Dockerfile
FROM quay.io/fedora/fedora:36
RUN touch /etc/blah
$ podman build -t localhost/test .
$ skopeo copy containers-storage:localhost/test oci:test:latest
$ tar tvf test/blobs/sha256/e2deb0a4365096c1259670b1b825a6574a0db6c6aaab74fdb37c6561d48dd886 
drwxr-xr-x root/root         0 2022-09-13 19:22 etc/
-rw-r--r-- root/root         0 2022-09-13 19:22 etc/blah
-rwx------ root/root         0 2022-09-13 19:22 etc/resolv.conf

Describe the results you received:

Empty /etc/resolv.conf

Describe the results you expected:

No such file. For work on https://fedoraproject.org/wiki/Changes/OstreeNativeContainer we want to have clean content. This issue is very similar to #3523

Output of podman version if reporting a podman build issue:

Client:       Podman Engine
Version:      4.2.0
API Version:  4.2.0
Go Version:   go1.18.4
Built:        Thu Aug 11 14:42:17 2022
OS/Arch:      linux/amd64

Output of cat /etc/*release:

NAME="Fedora Linux"
VERSION="36.20220909.dev.1 (CoreOS)"
@cgwalters
Copy link
Author

(Just like #3523 - docker build doesn't reproduce this problem)

@cgwalters
Copy link
Author

Ah sorry now that I dig a bit this was discussed in #3525 but not resolved there.

I do think we should also fix /etc here.

@rhatdan
Copy link
Member

rhatdan commented Sep 13, 2022

One issue with removing the inode is it prevents the use of readonly containers.
I think Docker has two overlays mounted. The intermediate overlay is for changes it makes.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

kkaempf added a commit to kkaempf/elemental-docs that referenced this issue Aug 16, 2023
See rancher/elemental#935
and containers/buildah#4242

Signed-off-by: Klaus Kämpf <kkaempf@suse.de>
kkaempf added a commit to kkaempf/elemental-docs that referenced this issue Aug 16, 2023
kkaempf added a commit to rancher/elemental-docs that referenced this issue Aug 16, 2023
* Add workaround for buildah DNS issue

See rancher/elemental#935
and containers/buildah#4242

Fixes rancher/elemental#935

Signed-off-by: Klaus Kämpf <kkaempf@suse.de>

* Update docs/customizing.md

Co-authored-by: Andrea Mazzotti <andrea.mazzotti@suse.com>

* Update versioned_docs/version-1.2/customizing.md

Co-authored-by: Andrea Mazzotti <andrea.mazzotti@suse.com>

---------

Signed-off-by: Klaus Kämpf <kkaempf@suse.de>
Co-authored-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
@vrothberg
Copy link
Member

@rhatdan @nalind we'd love to get this issue ironed out for Image Mode. Do we have a path forward to fix the issue?

@rhatdan
Copy link
Member

rhatdan commented Sep 12, 2024

Nope we have not looked at this issue for years. The problem is that these inodes need to exist in order to be setup network and potentially other mount points. Buildah could keep track of whether or not it created the inode, and then remove it when it is done. But what about when users want the inode.

@rhatdan
Copy link
Member

rhatdan commented Sep 12, 2024

 podman build --no-cache -t test /tmp/ | grep etc
/dev/mapper/fedora_localhost--live00-root00 on /etc/hostname type ext4 (rw,seclabel,relatime)
/dev/mapper/fedora_localhost--live00-root00 on /etc/hosts type ext4 (rw,seclabel,relatime)
/dev/mapper/fedora_localhost--live00-root00 on /etc/resolv.conf type ext4 (rw,seclabel,relatime)

@cgwalters
Copy link
Author

I haven't looked at the code but why is this harder than "tar up the overlayfs and don't cross mount points"?

The problem is that these inodes need to exist in order to be setup network and potentially other mount points.

I don't see why any of these files have to exist in the tarball to set up runtime state. At runtime, mount the overlayfs and create the files there right?

@rhatdan
Copy link
Member

rhatdan commented Sep 12, 2024

Looks like this was partially handled #3177 #3525 But not the network mount stuff.

@rhatdan
Copy link
Member

rhatdan commented Sep 12, 2024

Yes the issue is that when the overlay gets committed as a layer these are saved.

@rhatdan
Copy link
Member

rhatdan commented Sep 12, 2024

I think this might be fixed. I built and image with no /etc/hosts, /etc/resolv.conf and /etc/hostname and built an image with this as a from and ended up with no differences after run RUN echo hi.

@vrothberg
Copy link
Member

Did you build with --no-cache?

@cgwalters
Copy link
Author

The empty /etc/resolv.conf ending up in images is papered over by NetworkManager, which basically unconditionally takes it over when configured to do so (which is the default for NM). But that's not the case for systemd-resolved for example, which expects it to be a symlink and won't touch it if it exists.

I am tempted to change bootc to unconditionally ignore /etc/resolv.conf in the container image stream if it's a zero sized file for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants