[CI:DOCS] Document how to get secret mounts working on RHEL8 #18878
Conversation
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
do-not-merge/release-note-label-needed
imphil
force-pushed
the
troubleshooting-secrets-crun
branch
3 times, most recently
from
c81f5d4 to
99cb81e
Compare
rhatdan
changed the title
troubleshooting.md
Outdated
|
|
||
| ### 41) A podman build step with `--mount=type=secret` fails with "operation not permitted" | ||
|
|
||
| Executing a step in a `Dockerfile`/`Containerfile` which mounts secrets using `--mount=type=secret` fails with "operation not permitted" when running on a host filesystem mounted with `nosuid` and when using the `runc` runtime (both of which are true by default on RHEL8). |
There was a problem hiding this comment.
Take out comments on RHEL8, they will not age well.
troubleshooting.md
Outdated
|
|
||
| #### Solution | ||
|
|
||
| * Install `crun`, e.g. with `dnf install crun` on RHEL8. |
troubleshooting.md
Outdated
| #### Solution | ||
|
|
||
| * Install `crun`, e.g. with `dnf install crun` on RHEL8. | ||
| * Use the `crun` runtime by passing `--runtime /usr/bin/crun` to `podman buildx build` (or `podman build` with `DOCKER_BUILDKIT=1` set). |
There was a problem hiding this comment.
Podman build is the same podman buildx build. Also DOCKER_BUILDKIT=1 is ignored.
podman build always does the buildkit mode.
imphil
force-pushed
the
troubleshooting-secrets-crun
branch
from
99cb81e to
baa4529
Compare
|
Thanks for your review, @rhatdan. Updated. |
rhatdan
removed
the
do-not-merge/release-note-label-needed
|
/approve |
openshift-ci
bot
added
the
approved
troubleshooting.md
Outdated
|
|
||
| #### Symptom | ||
|
|
||
| A `RUN` line in `Dockerfile`/`Containerfile` contains a [secret mount](https://github.com/containers/common/blob/main/docs/Containerfile.5.md) such as `--mount=type=secret,id=MY_USER,target=/etc/dnf/vars/MY_USER`. |
There was a problem hiding this comment.
| A `RUN` line in `Dockerfile`/`Containerfile` contains a [secret mount](https://github.com/containers/common/blob/main/docs/Containerfile.5.md) such as `--mount=type=secret,id=MY_USER,target=/etc/dnf/vars/MY_USER`. | |
| A `RUN` line in the `Dockerfile`/`Containerfile` contains a [secret mount](https://github.com/containers/common/blob/main/docs/Containerfile.5.md) such as `--mount=type=secret,id=MY_USER,target=/etc/dnf/vars/MY_USER`. |
troubleshooting.md
Outdated
| #### Symptom | ||
|
|
||
| A `RUN` line in `Dockerfile`/`Containerfile` contains a [secret mount](https://github.com/containers/common/blob/main/docs/Containerfile.5.md) such as `--mount=type=secret,id=MY_USER,target=/etc/dnf/vars/MY_USER`. | ||
| When running `podman buildx build` the process fails with an error message like |
There was a problem hiding this comment.
soft suggestion
| When running `podman buildx build` the process fails with an error message like | |
| When running `podman buildx build` the process fails with an error message like: |
There was a problem hiding this comment.
Remove reference to buildx. Should just be podman build
troubleshooting.md
Outdated
| * Install `crun`, e.g. with `dnf install crun`. | ||
| * Use the `crun` runtime by passing `--runtime /usr/bin/crun` to `podman build`. | ||
|
|
||
| See also https://github.com/containers/buildah/issues/4228 for a full discussion on the problem. |
There was a problem hiding this comment.
| See also https://github.com/containers/buildah/issues/4228 for a full discussion on the problem. | |
| See also [Buildah issue 4228](https://github.com/containers/buildah/issues/4228) for a full discussion of the problem. |
Add a section to the troubleshooting guide describing how to get secret mounts working in an environment with nosuid-mounted file systems and runc, such as RHEL8, as discussed in containers/buildah#4228. Signed-off-by: Philipp Wagner <[email protected]>
imphil
force-pushed
the
troubleshooting-secrets-crun
branch
from
baa4529 to
0ecc0d9
Compare
|
Thanks @TomSweeneyRedHat and @rhatdan, updated with your suggestions. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, imphil, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
Add a section to the troubleshooting guide describing how to get secret mounts working in RHEL8, as discussed in
containers/buildah#4228.
It took me a while to find this information, and a RHEL8 default setup isn't that uncommon, so I thought it would be worth the change.