Bug 2021551

Summary: Build is not recognizing the USER group from an s2i image
Product: OpenShift Container Platform
Reporter: Pamela Escorza <pescorza>
Component: Build
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Jitendar Singh <jitsingh>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.6.z
CC: aos-bugs, gmontero, jortizpa, nalin, pbhattac, pkumari, rsandu, spandura
Target Milestone: ---
Target Release: 4.10.0
Hardware: All
OS: All
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-10 16:26:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 2042444

Description Pamela Escorza 2021-11-09 15:26:53 UTC
Description of problem:
Customer is migrating their CI/CD s2i projects from OCPv3 to OCPv4 and gets an error when performing the build:
# oc logs test1-nginx-1-build
Caching blobs under "/var/cache/blobs".
Getting image source signatures
Writing manifest to image destination
Storing signatures
Generating dockerfile with builder image image-registry.openshift-image-registry.svc:5000/openshift/nginx-centos7-app@sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68
error: build error: image "1001:1001" must specify a user that is numeric and within the range of allowed users

Version-Release number of selected component (if applicable):
Customer is facing issues in OCP 4.6 EUS

How reproducible:

Steps to Reproduce:
1. Build an image specifying the user ID and group, using the s2i example https://github.com/sclorg/nginx-container.git:
# grep USER Dockerfile
    USER 1001:1001
# s2i build test/test-app nginx-centos7 nginx-centos7-app
As per Docker reference this is correct :

2. Upload the image to an OCP cluster, in my case 4.7.34
# oc get images -n openshift | grep app
  sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68   image-registry.openshift-image-registry.svc:5000/openshift/nginx-centos7-app@sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68

3. Create the app with the s2i reference:
  oc new-app nginx-centos7-app:1.0~https://github.com/sclorg/nginx-container.git --context-dir=1.12/test/test-app/

Actual results:
Build finishes with error:
error: build error: image "1001:1001" must specify a user that is numeric and within the range of allowed users

Expected results:
Build the app correctly

Additional info:

Comment 4 Priti Kumari 2022-01-06 13:30:46 UTC
Verified with 4.10.0-0.nightly-2021-12-23-153012


1. Clone https://github.com/sclorg/nginx-container/
2. Modified 1.20/Dockerfile.fedora file user to `USER 1001:1001`
3. $ docker build -t nginx-builder -f Dockerfile.fedora .
4. $ docker tag nginx-builder quay.io/pkumari/testing:s2i
5. $ docker push quay.io/pkumari/testing:s2i
6. inspect the changed content
7. pkumari$ oc new-app quay.io/pkumari/testing:s2i~https://github.com/sclorg/nginx-container.git --context-dir=1.20/test/test-app
--> Found container image f623d99 (18 minutes old) from quay.io for "quay.io/pkumari/testing:s2i"

    Nginx 1.20 
--> Success
    Build scheduled, use 'oc logs -f bc/nginx-container' to track its progress.
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/nginx-container' 
    Run 'oc status' to view your app.
8. $ oc logs -f bc/nginx-container
Cloning "https://github.com/sclorg/nginx-container.git" ...
	Commit:	72be359c981f475af1a26d5c2179e845dfcf5ce5 (Merge pull request #164 from phracek/eol_116_2021)
	Author:	Petr Hracek <phracek>
	Date:	Mon Jan 3 09:19:28 2022 +0100
time="2022-01-06T13:20:42Z" level=info msg="metacopy option not supported on this kernelmetacopy=on"
time="2022-01-06T13:20:42Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: failed to mount overlay: invalid argument"
I0106 13:20:42.848724       1 defaults.go:102] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
Caching blobs under "/var/cache/blobs".
Trying to pull quay.io/pkumari/testing@sha256:5e6b2e85c6e2e97b79f2d96c174d71af98ba38242b8ed68e0a6467de64133598...
Getting image source signatures
Copying blob sha256:5ae9ec30c19701ea14ae98ed19594df37e62d0aff61d712b060a0305eb995a07
STEP 3/9: ENV OPENSHIFT_BUILD_NAME="nginx-container-1"     OPENSHIFT_BUILD_NAMESPACE="testing-rhel"     OPENSHIFT_BUILD_SOURCE="https://github.com/sclorg/nginx-container.git"     OPENSHIFT_BUILD_COMMIT="72be359c981f475af1a26d5c2179e845dfcf5ce5"
STEP 4/9: USER root
STEP 5/9: COPY upload/src /tmp/src
STEP 6/9: RUN chown -R 1001:0 /tmp/src
STEP 7/9: USER 1001
STEP 8/9: RUN /usr/libexec/s2i/assemble
---> Installing application source
--> 06e8d008570
Successfully tagged temp.builder.openshift.io/testing-rhel/nginx-container-1:491d6034

Pushing image image-registry.openshift-image-registry.svc:5000/testing-rhel/nginx-container:latest ...
Getting image source signatures
Copying blob sha256:a4e09c94fa39a557d8cbc31d4f4abf2a019f345eb2f7a17f6e0385c1e6fe5bf6
Copying blob sha256:99ec1501c5901a0f1e043253464e38b4b0ab0b711c5afeac0c4f8ec994125644
Copying blob sha256:5108d7b06712b7a306e25cd62792fc023fd1bbf08aa4550cb010fcdca9eb9e4a
Copying blob sha256:2109b8980fd6d0e7fc0b39e2a0320969d6c8771839b9dce0901d0b40dcd5e660
Copying blob sha256:5ae9ec30c19701ea14ae98ed19594df37e62d0aff61d712b060a0305eb995a07
Copying blob sha256:6ae6c1c549e7df941d05ba41105ad300258acbd218a5047adfd93611a270fc3b
Copying blob sha256:e0da8b6c708cdf6142af35fa6fe6f296e934c75d24ec2dd73c940b3973ff9995
Copying config sha256:06e8d008570ec61f5beb1bf67c31f1adfd462197f1b0e231e288a7a87633266b
Writing manifest to image destination
Storing signatures
Successfully pushed image-registry.openshift-image-registry.svc:5000/testing-rhel/nginx-container@sha256:51a5b0f796a7c2795b34e7c83e31a8ec63511a328cdc6d171fe23a250ad6aaa9
Push successful
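
The check behind the error in this report, as an added example (not OpenShift's builder code and not something posted in this bug): a builder image's `USER` value is validated as a numeric UID inside an allowed range, and parsing the whole `uid:gid` string as one number rejects the valid `1001:1001` form, while validating only the user part accepts it and yields the `USER 1001` seen in the verified build log. The names `uidRange`, `naiveUID`, `userUID`, `checkUID` and the non-root range are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// uidRange is a hypothetical inclusive range of UIDs a build may run as.
type uidRange struct{ min, max uint64 }

// naiveUID models the failing behaviour from the report: the whole USER value
// is parsed as one number, so the valid "uid:gid" form is rejected.
func naiveUID(user string, allowed uidRange) (uint64, error) {
	return checkUID(user, user, allowed)
}

// userUID strips an optional ":group" suffix before validating the UID.
// Only the user part must be numeric and in range (a choice of this example).
func userUID(user string, allowed uidRange) (uint64, error) {
	uidPart := strings.SplitN(user, ":", 2)[0]
	return checkUID(user, uidPart, allowed)
}

// checkUID rejects names, signs, empty values and UIDs outside the range.
// The error text mirrors the message quoted in the bug description.
func checkUID(orig, uidPart string, allowed uidRange) (uint64, error) {
	uid, err := strconv.ParseUint(uidPart, 10, 32)
	if err != nil || uid < allowed.min || uid > allowed.max {
		return 0, fmt.Errorf("image %q must specify a user that is numeric and within the range of allowed users", orig)
	}
	return uid, nil
}

func main() {
	// Constructed policy: any non-root UID is allowed.
	allowed := uidRange{min: 1, max: 1<<32 - 1}
	// Constructed sample USER values, including the one from this bug.
	for _, u := range []string{"1001", "1001:1001", "1001:nginx", "nginx", "0:0", ":1001"} {
		_, nerr := naiveUID(u, allowed)
		uid, err := userUID(u, allowed)
		fmt.Printf("USER %-12q naive ok=%-5v split ok=%-5v uid=%d\n", u, nerr == nil, err == nil, uid)
	}
}
```

Root (`0:0`), named users and an empty user part are still rejected after the split, so accepting the group suffix does not weaken the non-root requirement.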

Comment 10 errata-xmlrpc 2022-03-10 16:26:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.