genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.

Home Page: https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/

License: MIT License

Makefile 6.15% Go 80.30% C 10.19% Shell 1.75% Dockerfile 1.62%
docker buildkit runc rootless containers cli linux opencontainers

img's People

Contributors

aaronnbrock, ageekymonk, ahamlinman, akihirosuda, ansemjo, azillion, chippiewill, ehotinger, fr33jc, frezbo, github-actions[bot], gregoryboue, hansmi, imgbot[bot], jessfraz, kekoav, mitchellh, netfalo, nogoegst, oxr463, paultag, pgavlin, rroller, ryancox, sparty02, svenwiltink, tcarrio, toc-me[bot], ulm0, westonsteimel


img's Issues

Building from a local image fails

To repro:

  • docker tag ubuntu:16.04 base-ubuntu
  • Make a Dockerfile containing only FROM base-ubuntu
  • img build -t output .

The output is:

Building docker.io/library/output:latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/library/base-ubuntu:latest
solving failed: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Some problem with prom/prometheus image pulling

Hello.

I've found some problem with prom/prometheus image pulling.

It fails with error:

$ sudo img pull prom/prometheus
Pulling prom/prometheus...
INFO[0000] resolving docker.io/prom/prometheus:latest
content digest sha256:aae7f9829bbbba8f98b3ebd4f2b5c47c09ed8f2e47a4f3022cae5aed546a4c3c: not found

And the same with grafana/grafana:
$ sudo img pull grafana/grafana
Pulling grafana/grafana...
INFO[0000] resolving docker.io/grafana/grafana:latest
content digest sha256:00e2e2ecc3e969d0766d6b9ed6139e8d9ae2d2c62a0a942953d2672636d8c022: not found

But with google/cadvisor and others all is ok:
$ sudo img pull google/cadvisor
Pulling google/cadvisor...
INFO[0000] resolving docker.io/google/cadvisor:latest
INFO[0002] unpacking docker.io/google/cadvisor:latest
Snapshot ref: sha256:81d2f700310845b28ec3fe27eb25a421824246bfb976c5736f0e24e06b088df3
Size: 66.99MiB

Versions:

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

$ uname -a
Linux reddit-app 4.13.0-1011-gcp #15-Ubuntu SMP Mon Feb 12 16:29:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ runc --version
runc version 1.0.0-rc4
spec: 1.0.0

$ img version
img:
 version     : v0.2.4
 git hash    : e0622f7
 go version  : go1.9.4
 go compiler : gc
 platform    : linux/amd64

"solving failed" while building in Docker

When doing an img build on Docker (with the example from the README), I get a rando "solving failed" error. For what it's worth, I'm on WSL.

/mnt/c/projects/customer
❯ uname -r && lsb_release -a && ls Dockerfile
3.4.0+
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:        14.04
Codename:       trusty
Dockerfile

/mnt/c/projects/customer
❯ docker run --rm -it \
    --name img \
    --volume /tmp/state:/root/.img \
    --volume $(pwd):/src \
    --workdir /src \
    --privileged \
    --volume "${HOME}/.docker:/root/.docker:ro" \
    jess/img build -t user/myimage .
Building user/myimage:latest
Setting up the rootfs... this may take a bit.
solving failed: open /tmp/buildkit-mount580779614/Dockerfile: no such file or directory

Document dependencies

I had to install a few dependencies on Ubuntu in order for the compiled binary to work. Not sure where the best place in the readme is, or else I'd make this a PR.

Dependencies

img depends on newuidmap and execv. To install these on Ubuntu, run sudo apt install setpriv uidmap.

solving failed: invalid filename when using path to dockerfile

I am used to building an image whose Dockerfile is in a subfolder like images/bla/Dockerfile.
This is possible with docker by:

docker build -f images/bla/Dockerfile .

which makes the whole project available as context but still keeps the root directory safe.

Doing the same with img results in:
img build -f images/bla/Dockerfile .
solving failed: invalid filename: images/bla/Dockerfile

modifying /etc/hosts or /etc/resolv.conf in build fails

While attempting to build some large-ish rather complex images, I encountered issues with modifying files in a parent image. This is a simplified repro:

# img version
img:
 version     : v0.2.3
 git hash    : d87fd73
 go version  : go1.10
 go compiler : gc
 platform    : linux/amd64

Dockerfile:

# cat parent/Dockerfile
FROM alpine:3.5
RUN touch /etc/hosts2
RUN touch /etc/hosts

Works with Docker:

# docker build -t parent:local parent
Sending build context to Docker daemon  2.048kB
Step 1/3 : FROM alpine:3.5
 ---> 6c6084ed97e5
Step 2/3 : RUN touch /etc/hosts2
 ---> Running in fa8e9856a390
 ---> be982136ee56
Removing intermediate container fa8e9856a390
Step 3/3 : RUN touch /etc/hosts
 ---> Running in 780c5673e180
 ---> 8ccb2f085b5d
Removing intermediate container 780c5673e180
Successfully built 8ccb2f085b5d
Successfully tagged parent:local

Doesn't work with img:

# img build -t parent:local parent
Building parent:local
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/library/alpine:3.5@sha256:9148d069e50eee519ec45e5683e56a1c217b61a52ed90eb77bdce674cc212f1e
RUN [/bin/sh -c touch /etc/hosts2]
--->
<--- bc0sl9ywmszi31wmcv8k0ssln 0 <nil>
RUN [/bin/sh -c touch /etc/hosts]
--->
touch: /etc/hosts: Read-only file system
<--- khsm1r5bve0h0bqmkk1l5064j 1 <nil>
solving failed: executor failed running [/bin/sh -c touch /etc/hosts]: exit code 1

Failure on copying files into the container. Golang unmarshal error

img version                       
img:
 version     : v0.3.0
 git hash    : f9fff83
 go version  : go1.10
 go compiler : gc
 platform    : linux/amd64

Line of my dockerfile that img is failing on.

COPY deploy.sh /deploy.sh
Error
RUN [copy /src-0 /dest/] ---> json: cannot unmarshal object into Go value of type []string <--- 9s7u262uf7w4pcee1wy9x6p01 1 <nil>

[MacOS] fails due to volumes lacking extended file attributes (xattr)

Cool project! I was trying it out on MacOS and ran into the following issues.

The lack of extended file attributes from the volumes seems to cause the README's Running with docker snippet to fail on MacOS.

$ docker run --rm -it \
--name img \
--volume "${HOME}/tmp/imgstate:/tmp/img" \
--volume $(pwd):/src:ro \
--workdir /src \
--volume "${HOME}/.docker:/root/.docker:ro" \
--cap-add SYS_ADMIN \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined \
--volume /sys/fs/cgroup:/sys/fs/cgroup \
r.j3ss.co/img build -t mrjensen/imgtest .
Building mrjensen/imgtest:latest
Setting up the rootfs... this may take a bit.
solving failed: failed to xattr Dockerfile: failed to xattr Dockerfile: operation not supported

The error above is returned from fsutil that uses continuity sysx to retrieve xattrs.

Building the same project with docker works as expected.

$ docker build -t imgtest .
Sending build context to Docker daemon  4.096kB
Step 1/6 : FROM golang:1.9.2
 ---> 138bd936fa29
Step 2/6 : ENV CGO_ENABLED=0
 ---> Using cache
 ---> 19cca4248b59
Step 3/6 : ENV GOOS=linux
 ---> Using cache
 ---> 1bd9908624e8
Step 4/6 : COPY main.go .
 ---> Using cache
 ---> 91b2032665a7
Step 5/6 : RUN go build -o /main ./main.go
 ---> Using cache
 ---> 5b095b1cf789
Step 6/6 : CMD ["/main"]
 ---> Using cache
 ---> 41e1310da98c
Successfully built 41e1310da98c
Successfully tagged imgtest:latest

Digging a little further, I replaced the xattrs with an empty map in fsutil (not a suggestion for a solution).

$ docker run --rm -it \
--name img \
--volume "${HOME}/tmp/imgstate:/tmp/img" \
--volume $(pwd):/src:ro \
--workdir /src \
--volume "${HOME}/.docker:/root/.docker:ro" \
--cap-add SYS_ADMIN \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined \
--volume /sys/fs/cgroup:/sys/fs/cgroup \
img build -t mrjensen/imgtest .
Building mrjensen/imgtest:latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0000] resolving docker.io/library/golang:1.9.2
solving failed: error getting credentials - err: exec: "docker-credential-osxkeychain": executable file not found in $PATH, out: ``

Docker for Mac uses the keychain to store the login, but mounting another folder without :ro and performing a login should fix that.

After getting the credentials up and running, copy fails, caused by the continuity sysx.

$ docker run --rm -it \
--name img \
--volume "${HOME}/tmp/imgstate:/tmp/img" \
--volume $(pwd):/src:ro \
--workdir /src \
--volume "${HOME}/tmp/docker:/root/.docker" \
--cap-add SYS_ADMIN \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined \
--volume /sys/fs/cgroup:/sys/fs/cgroup \
img build -t mrjensen/imgtest .
Building mrjensen/imgtest:latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0001] resolving docker.io/library/golang:1.9.2@sha256:947826b5b6bc42f6f25c8fae9fe89d5e2bf18ac87264856742c3baebb150ea9f
INFO[0002] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
solving failed: failed to prepare extraction snapshot "extract-814747650-Gj99 sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1": copying of parent failed: failed to copy xattrs: failed to list xattrs on /tmp/img/runc/naive/snapshots/snapshots/4/bin/copy: operation not supported

git clone onto a case-insensitive file system is problematic

There are name collisions that confuse git (VERSION and version/ for example). Active development will happen on Linux of course, but for casual clones to browse source on MacOS this can be confusing since it shows files as deleted immediately after a clone.

we should run img within userns with subuid/subgid (especially for `apt`)

This branch allows containers to use subuid/subgid (i.e. apt update works): https://github.com/jessfraz/img/compare/master...AkihiroSuda:allow-subuidgid.20180227?expand=1

However, img itself cannot "commit" the cache due to EPERM, as img
itself does not have access to files owned by its subusers (_apt).

  solving failed: failed to commit rt3w4yqk2tkibexmj15dtavb8: open /tmp/img/runc/naive/snapshots/snapshots/5/var/lib/apt/lists/partial: permission denied

So I suggest running img itself in userns with newuidmap/newgidmap.
(probably via reexec for better UX)

If we can run img itself in userns, we can also:

  • remove "mountless" code, which is not highly likely to be merged to upstream containerd/buildkit, and allow using Ubuntu-patched overlayfs again.
  • create netns (with SUID lxc-user-net or slirp) for better isolation, especially for
    prohibiting containers from accessing "abstract" sockets on the host.
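As an added illustration of the EPERM described above (my own code, not img's), this is the mapping that newuidmap-style rootless setups derive from /etc/subuid, resolved to find which host uid actually owns a file that a subuser created inside the namespace; the subuid content, the real uid 1000 and _apt's uid 100 are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed content in /etc/subuid syntax (name:start:count), not a real file.
const sampleSubUID = "# constructed sample\nalice:100000:65536\nbob:165536:65536\n"

// idRange is one subuid/subgid allocation: count host ids starting at start.
type idRange struct{ start, count int }

// idMapping is one uid_map line: container ids [inner, inner+count) are host ids [outer, outer+count).
type idMapping struct{ inner, outer, count int }

// parseSubID returns the ranges that /etc/subuid-style content grants to user.
func parseSubID(content, user string) ([]idRange, error) {
	var ranges []idRange
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed subid line %q", line)
		}
		if f[0] != user {
			continue
		}
		start, err1 := strconv.Atoi(f[1])
		count, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil || start < 0 || count <= 0 {
			return nil, fmt.Errorf("bad range in subid line %q", line)
		}
		ranges = append(ranges, idRange{start, count})
	}
	return ranges, sc.Err()
}

// buildMap is the rootless convention newuidmap/newgidmap setups write: container
// id 0 is the caller's real id and ids from 1 upward come from the subid ranges.
func buildMap(realID int, ranges []idRange) []idMapping {
	m := []idMapping{{inner: 0, outer: realID, count: 1}}
	next := 1
	for _, r := range ranges {
		m = append(m, idMapping{inner: next, outer: r.start, count: r.count})
		next += r.count
	}
	return m
}

// hostID resolves a container id to the host id that owns the file on disk;
// ok is false when the id lies outside the mapping.
func hostID(m []idMapping, containerID int) (id int, ok bool) {
	for _, e := range m {
		if containerID >= e.inner && containerID < e.inner+e.count {
			return e.outer + (containerID - e.inner), true
		}
	}
	return 0, false
}

// ownedByCaller reports whether a process running as realID outside the namespace
// owns a file created by containerID inside it (the commit-time EPERM in the issue).
func ownedByCaller(m []idMapping, realID, containerID int) bool {
	h, ok := hostID(m, containerID)
	return ok && h == realID
}

func main() {
	ranges, err := parseSubID(sampleSubUID, "alice")
	if err != nil {
		panic(err)
	}
	m := buildMap(1000, ranges) // assumption: alice's real uid is 1000
	for _, cid := range []int{0, 100, 65537} { // 100 assumed to be _apt's uid
		h, ok := hostID(m, cid)
		fmt.Printf("uid %d in container -> host uid %d mapped=%v ownedByCaller=%v\n",
			cid, h, ok, ownedByCaller(m, 1000, cid))
	}
}
```

Only container uid 0 resolves back to the caller; every file _apt wrote belongs to a subuid, which is why the commit must itself run inside the same namespace.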

img build . results in an image with name `:latest`

Happy to take this on as my first feature!

Essentially, calling img build without -t results in an image with no name. The behaviour should be the same as docker.

Example:

><> cat Dockerfile 
FROM busybox
><> sudo img build .
Building :latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/library/busybox@sha256:1669a6aa7350e1cdd28f972ddad5aceba2912f589f19a090ac75b7083da748db 
INFO[0001] exporting layers                             
INFO[0001] exporting manifest sha256:5d4c623608b70502543a1a6fb9bdd9af71d04944b765177531aee44e8da6621f 
INFO[0001] exporting config sha256:f19c6dac175d9d88f513773037c0e488bea06a10daae9fd639dfb15b6492c515 
INFO[0001] naming to :latest                            
Successfully built :latest
><> sudo img ls
NAME	SIZE	CREATED AT		UPDATED AT	DIGEST
:latest	426B	About a minute ago	3 seconds ago	sha256:5d4c623608b70502543a1a6fb9bdd9af71d04944b765177531aee44e8da6621f

img pull does not use default docker registry

The README states that img is a drop-in replacement for docker (at least for the mentioned subcommands), but the following doesn’t work (whereas the docker variant does):

% img pull stapelberg/ci2
Pulling stapelberg/ci2:latest...
INFO[0000] resolving stapelberg/ci2:latest              
failed to do request: Head https://stapelberg/v2/ci2/manifests/latest: dial tcp: lookup stapelberg on 10.0.0.1:53: no such host

Build fails on a clean machine? namespace is required: failed precondition

On a clean VM (Ubuntu 16.04.2 LTS), I attempted to build img itself using img. The build fails with the error namespace is required: failed precondition.

$ img build -t jess/img .
Building jess/img:latest
Setting up the rootfs... this may take a bit.
INFO[0004] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0004] resolving docker.io/library/alpine@sha256:7b848083f93822dd21b0a2f14a110bd99f6efb4b838d499df6d04a49d0debf8b
INFO[0004] resolving docker.io/library/golang:1.9-alpine@sha256:ab72eb6db0eda32d429becf8bb28f62081821cc1aa2d49430344083f87b1e6a2
solving failed: creating image docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e in image store failed: namespace is required: failed precondition

If I first manually pull the docker.io/tonistiigi/copy image then the build starts working

img pull docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
img build -t jess/img .
Building jess/img:latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0001] resolving docker.io/library/alpine@sha256:7b848083f93822dd21b0a2f14a110bd99f6efb4b838d499df6d04a49d0debf8b
INFO[0001] resolving docker.io/library/golang:1.9-alpine@sha256:ab72eb6db0eda32d429becf8bb28f62081821cc1aa2d49430344083f87b1e6a2
INFO[0009] unpacking docker.io/library/alpine@sha256:7b848083f93822dd21b0a2f14a110bd99f6efb4b838d499df6d04a49d0debf8b
INFO[0009] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
RUN [/bin/sh -c apk add --no-cache      bash    fuse    git     shadow  shadow-uidmap   strace]
--->

This seems to happen with 0.2 and 0.3.

Error on img build. Copy command failing

I am testing img and creating the following image: https://github.com/Azure/blackbelt-aks-hackfest/tree/master/app/db Just mongodb with added datafiles.

This is Ubuntu 16.04.3 and I built locally from source.

I run the command: img build -t chzbrgr71/rating-db .

Output:

Building docker.io/chzbrgr71/rating-db:latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0001] resolving docker.io/library/mongo:3.6.1-jessie@sha256:f734d0fbaecefa95e269f8902525a69151cd3626da88cafa5a277d623e4d7c24
INFO[0010] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0011] unpacking docker.io/library/mongo:3.6.1-jessie@sha256:f734d0fbaecefa95e269f8902525a69151cd3626da88cafa5a277d623e4d7c24
solving failed: executor failed running [copy /src-0/heroes.json /dest/heroes.json]: operation not permitted

A couple of small build issues

On version 7d0952d of img,

  • dep ensure failed with
grouped write of manifest, lock and vendor: error while writing out vendor tree: failed to write dep tree: failed to export github.com/moby/buildkit: fatal: Not a valid object name all-changes

If I switched that all-changes to master, dep ensure succeeded.

  • There seems to be an undocumented minimum Go version required. make build with Go v1.8.3 failed with:
go build -tags "seccomp" -ldflags "-w -X github.com/genuinetools/img/version.GITCOMMIT=7e0cd67-dirty -X github.com/genuinetools/img/version.VERSION=v0.3.0" -o img .
# github.com/genuinetools/img/vendor/github.com/dmcgowan/go-tar
vendor/github.com/dmcgowan/go-tar/stat_unix.go:24: undefined: sync.Map
# github.com/genuinetools/img/vendor/github.com/moby/buildkit/client/llb
vendor/github.com/moby/buildkit/client/llb/marshal.go:37: syntax error: unexpected = in type declaration
make: *** [img] Error 2

With Go v1.10, it succeeded.

Authentication to Azure ACR fails using admin user

Using built binaries for version v0.3.0, img login would succeed but any following operation (pull, push, etc) fails with the following error.
snapshotting the image failed: failed to fetch oauth token: unexpected status: 400 Bad Request

I was facing a similar issue using skopeo and found that the issue is with the upstream 'containers/image' dependency. See anchore/anchore-engine#18 for details.

Is it possible that the issue with img is related? Anyone else having the same issue with Azure ACR?

[CoreOS] failed to set xattr "security.selinux"

I'm trying to build a container image (privileged) with HEAD from today, which results in the following error:

$ docker run --privileged --rm  -it -v $(pwd)/:/app -w /app foo.bar/tools/img:4555214 build .
Building :latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0000] resolving foo.bar/base/openjre:stable@sha256:82c9b96a039c57e5c9ac22b842de2ab91325d74b8f579c2724ad9e83372d9765
INFO[0000] resolving foo.bar/build/gradle:v2.14.1-8u151-jdk-alpine3.7@sha256:5f24ce66c3995c18ed1b91f3eba5344ab489ad1bd676b8a44580d9a8a123d379
INFO[0002] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
solving failed: failed to prepare extraction snapshot "extract-755639425-kXql sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1": copying of parent failed: failed to copy xattrs: failed to set xattr "security.selinux" on /tmp/img/runc/naive/snapshots/snapshots/new-590228964/bin/copy: operation not supported
core@ip-10-43-129-95 ~ $ docker info
Containers: 26
 Running: 25
 Paused: 0
 Stopped: 1
Images: 12
Server Version: 17.09.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: v0.13.2 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  Profile: default
 selinux
Kernel Version: 4.14.16-coreos
Operating System: Container Linux by CoreOS 1632.2.1 (Ladybug)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.792GiB
Name: ip-10-43-129-95.eu-central-1.compute.internal
ID: KQRT:YD45:RZMK:2UAQ:SKEM:6OIZ:RLCT:Q64P:KQNQ:M5XQ:BNL7:U7B3
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

selinux is permissive on the VM

core@ip-10-43-129-95 ~ $ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

If I don't mount the directory, but clone from within the img-container, the error is somewhat different:

$ docker run --privileged --rm  -it --entrypoint sh foo.bar/tools/img:4555214 
/ # git clone https://foo.bar/demo.git
Cloning into 'demo'...
remote: Counting objects: 1476, done.
remote: Compressing objects: 100% (592/592), done.
remote: Total 1476 (delta 487), reused 1334 (delta 375)
Receiving objects: 100% (1476/1476), 216.86 KiB | 9.43 MiB/s, done.
Resolving deltas: 100% (487/487), done.
/ # cd demo/
/demo # img build .
Building :latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e 
INFO[0000] resolving foo.bar/base/openjre:stable@sha256:82c9b96a039c57e5c9ac22b842de2ab91325d74b8f579c2724ad9e83372d9765 
INFO[0000] resolving foo.bar/build/gradle:v2.14.1-8u151-jdk-alpine3.7@sha256:5f24ce66c3995c18ed1b91f3eba5344ab489ad1bd676b8a44580d9a8a123d379 
INFO[0002] unpacking foo.bar/base/openjre:stable@sha256:82c9b96a039c57e5c9ac22b842de2ab91325d74b8f579c2724ad9e83372d9765 
INFO[0002] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e 
INFO[0002] Apply failure, attempting cleanup             error="mount callback failed on /tmp/containerd-mount849212772: context canceled" key="extract-434175501-XUXU sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215"
WARN[0003] Extraction snapshot "extract-434175501-XUXU sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215" removal failed  error="context canceled"
solving failed: failed to prepare extraction snapshot "extract-576675886-sWxZ sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1": copying of parent failed: failed to copy xattrs: failed to set xattr "security.selinux" on /tmp/img/runc/naive/snapshots/snapshots/new-452528669/bin/copy: operation not supported
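As an added example (my own code, not img's, fsutil's or continuity's), this is the shape of a Linux xattr copy that survives both failure modes reported above, the MacOS volume that supports no xattrs at all and the CoreOS build where security.selinux cannot be set on the destination: an unsupported filesystem and a refused security label are skipped and reported to the caller instead of aborting the whole build, while every other error still fails. The function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// xattrUnsupported is the "operation not supported" a volume without xattrs returns.
func xattrUnsupported(err error) bool {
	return errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.EOPNOTSUPP)
}

// listXattrs returns the attribute names on path; no xattr support yields an empty list.
func listXattrs(path string) ([]string, error) {
	sz, err := syscall.Listxattr(path, nil)
	if err != nil {
		if xattrUnsupported(err) {
			return nil, nil
		}
		return nil, err
	}
	buf := make([]byte, sz)
	if sz, err = syscall.Listxattr(path, buf); err != nil {
		return nil, err
	}
	var names []string // listxattr(2) hands back NUL-separated names
	for _, n := range strings.Split(string(buf[:sz]), "\x00") {
		if n != "" {
			names = append(names, n)
		}
	}
	return names, nil
}

// skippableSetError: dst has no xattr support at all, or the attribute is a
// security.* label (security.selinux above) this process may not assign there.
func skippableSetError(name string, err error) bool {
	return xattrUnsupported(err) || (strings.HasPrefix(name, "security.") &&
		(errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.EACCES)))
}

// copyXattrs copies every attribute of src onto dst and returns the names it
// skipped, so the caller can report files left without their label.
func copyXattrs(src, dst string) (skipped []string, err error) {
	names, err := listXattrs(src)
	if err != nil {
		return nil, fmt.Errorf("list xattrs on %s: %w", src, err)
	}
	for _, name := range names {
		sz, err := syscall.Getxattr(src, name, nil)
		if errors.Is(err, syscall.ENODATA) {
			continue // attribute removed between list and get
		}
		if err != nil {
			return nil, fmt.Errorf("get xattr %s on %s: %w", name, src, err)
		}
		val := make([]byte, sz)
		if sz, err = syscall.Getxattr(src, name, val); err != nil {
			return nil, fmt.Errorf("get xattr %s on %s: %w", name, src, err)
		}
		if err = syscall.Setxattr(dst, name, val[:sz], 0); err != nil {
			if !skippableSetError(name, err) {
				return nil, fmt.Errorf("set xattr %s on %s: %w", name, dst, err)
			}
			skipped = append(skipped, name)
		}
	}
	return skipped, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: xattrcopy SRC DST")
		os.Exit(2)
	}
	skipped, err := copyXattrs(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("attributes skipped on", os.Args[2], ":", skipped)
}
```

A skipped security.selinux means the destination file carries no label; surfacing that list is what lets a build log show which files ended up unlabeled instead of hiding it.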

lchown failures on `img pull` when running on k8s

This may be an issue with my setup so all bets are off...

My setup:

  • Ubuntu 16.04 cluster set up via kubeadm (via Heptio AWS quickstart: https://aws.amazon.com/quickstart/architecture/heptio-kubernetes/)
  • echo 1 > /proc/sys/kernel/unprivileged_userns_clone run on each node (not sure if it is necessary).

YAML file for workload:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: img
  name: img
  annotations:
    container.apparmor.security.beta.kubernetes.io/img: unconfined
spec:
  containers:
  - image: r.j3ss.co/img
    imagePullPolicy: IfNotPresent
    name: img
    resources: {}
    command:
    - sleep
    - "600"
  restartPolicy: Never

Then:

workstation$ kubectl exec -t -i img -- ash
container# unshare -m -U --map-root-user
ns# img pull alpine
Pulling alpine...
INFO[0000] resolving docker.io/library/alpine:latest
INFO[0001] unpacking docker.io/library/alpine:latest
INFO[0001] Apply failure, attempting cleanup             error="mount callback failed on /tmp/containerd-mount735446913: lchown /tmp/containerd-mount735446913/etc/shadow: invalid argument" key="extract-337652914-e-vv sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215"
failed to extract layer sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215: mount callback failed on /tmp/containerd-mount735446913: lchown /tmp/containerd-mount735446913/etc/shadow: invalid argument

I haven't had time to debug further.

multiple tags

Hi, I'm wondering how I can add tags to an image, similar to the docker tag command?

Thanks, and this is awesome!

document how to have user namespace support enabled.

Hello

In the Readme there is

Make sure you have user namespace support enabled. On some distros (Debian and
Arch Linux) this requires running echo 1 > /proc/sys/kernel/unprivileged_ns_clone.

Is it possible to document how to do this?

Proposal: Add option to save to dump image to rootfs

First of all I have to say I love this tool and want to use it.

Problem:
I would love to use the tool to bootstrap a container os with my own CRI (nixing the need for docker to pull images). When I use docker to download my CRI image I need to untar it before I can runc the image. Would you be opposed to me adding an option to the save command to dump the image into a "rootfs" folder?

Solution:
Add option "-u" to img save command that dumps an image to a specified root folder.

Or something else?

I realize this is more of a convenience thing than anything else, but it would be nice.

Multi-stage builds: COPY cannot directly reference external images

With docker image build, it is possible (yet undocumented, I think?) to specify e.g.

FROM scratch
COPY --from=consul:1.0.6 /bin/consul /bin/consul

With img, the build fails with

solving failed: stage consul:1.0.6 not found

To get the same functionality with img, I have to add a separate FROM line for it to work, like so:

FROM consul:1.0.6 AS consul
FROM scratch
COPY --from=consul /bin/consul /bin/consul

Using umoci as a backend?

I was wondering if you were interested in using umoci as a backend, so that you don't have to use the "dodgy" FUSE backend or overlayfs (which requires either root or an Ubuntu kernel + user namespaces). umoci unpack --rootless works on effectively everything I've tried it on. You can take a look at https://github.com/cyphar/orca-build (which is a rootless image builder I wrote quite a long time ago) to see how it works in practice.

(Also, as an aside, now that we have img and orca-builder and Akihiro's PRoot plans and BuildKit and ..., maybe we should start consolidating some of these projects at some point? Re-implementing Dockerfiles isn't something that should be burning 5+ projects worth of development time IMHO.)
