Bug 1688562 - rootless "podman build" doesn't allow network access
Summary: rootless "podman build" doesn't allow network access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: podman
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-14 00:17 UTC by Jonathan Wakely
Modified: 2019-06-05 02:01 UTC (History)
4 users (show)

Fixed In Version: podman-1.3.1-1.git7210727.fc30 podman-1.3.1-1.git7210727.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-20 01:03:52 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github containers libpod issues 2572 0 None None None 2019-03-14 00:18:43 UTC

Description Jonathan Wakely 2019-03-14 00:17:58 UTC 
Description of problem:

When using "podman build" as a non-root user the new container is unable to connect to the internet. Adding --net host doesn't help.

It works fine when run as root.


Version-Release number of selected component (if applicable):

podman-1.1.2-1.git0ad9b6b.fc29.x86_64


How reproducible:

Always.

Steps to Reproduce:
1. Create a Dockerfile with this content:

FROM ubuntu:16.04
RUN apt-get update
RUN apt-get -y install libz-dev

2. As a non-root user, run "podman build ." in the same directory as the
   Dockerfile
3. Be disappoint.

Actual results:

The apt-get processes in the container fail to download anything:

STEP 1: FROM ubuntu:16.04
Getting image source signatures
Copying blob 34667c7e4631: 41.54 MiB / 41.54 MiB [==========================] 5s
Copying blob d18d76a881a4: 852 B / 852 B [==================================] 5s
Copying blob 119c7358fbfc: 529 B / 529 B [==================================] 5s
Copying blob 2aaf13f3eff0: 169 B / 169 B [==================================] 5s
Copying config 9361ce633ff1: 3.32 KiB / 3.32 KiB [==========================] 0s
Writing manifest to image destination
Storing signatures
STEP 2: RUN apt-get update
Err:1 http://archive.ubuntu.com/ubuntu xenial InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done        
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
--> d14a2cb289a4f2eb3fd1651cbac5e4515fae4dfdd56ab7fb4a6a70ad4bdbe3fe
STEP 3: FROM d14a2cb289a4f2eb3fd1651cbac5e4515fae4dfdd56ab7fb4a6a70ad4bdbe3fe
STEP 4: RUN apt-get -y install libz-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package libz-dev
error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:run Args:[apt-get -y install libz-dev] Flags:[] Attrs:map[] Message:RUN apt-get -y install libz-dev Original:RUN apt-get -y install libz-dev}: error while running runtime: exit status 100


Expected results:

Container connects to the internet.


Additional info:

I get the same results running buildah commands manually:

$ buildah from ubuntu:16.04
ubuntu-working-container
cont$ buildah run ubuntu-working-container apt-get update
Err:1 http://archive.ubuntu.com/ubuntu xenial InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done        
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

However, that can be fixed by adding --net host to the run commands:

$ buildah run --net host  ubuntu-working-container apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:5 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages [795 kB]
Get:6 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages [1558 kB]
Get:7 http://security.ubuntu.com/ubuntu xenial-security/restricted amd64 Packages [12.7 kB]
Get:8 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [545 kB]  
Get:9 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [6117 B]
Get:10 http://archive.ubuntu.com/ubuntu xenial/restricted amd64 Packages [14.1 kB]        
Get:11 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages [9827 kB]
Get:12 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [176 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [1189 kB]
Get:14 http://archive.ubuntu.com/ubuntu xenial-updates/restricted amd64 Packages [13.1 kB]
Get:15 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [953 kB]
Get:16 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [19.0 kB]
Get:17 http://archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages [7942 B]
Get:18 http://archive.ubuntu.com/ubuntu xenial-backports/universe amd64 Packages [8532 B]
Fetched 15.7 MB in 2s (5803 kB/s)                          
Reading package lists... Done


Adding --net host to the "podman build" command doesn't help though.

This appears to be the same issue as https://github.com/containers/libpod/issues/2572 and is fixed by making podman pass --net host to the buildah commands it runs.

Could that patch please be backported to the f29 package, so that using podman-build rootless actually works?
Comment 1 Giuseppe Scrivano 2019-03-14 13:29:22 UTC 
The issue is solved upstream, we need a new build
Comment 2 Fedora Update System 2019-05-17 17:20:31 UTC 
podman-1.3.1-1.git7210727.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe6ef87556
Comment 3 Fedora Update System 2019-05-17 17:20:41 UTC 
podman-1.3.1-1.git7210727.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a0ddb8df76
Comment 4 Fedora Update System 2019-05-18 00:54:14 UTC 
podman-1.3.1-1.git7210727.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a0ddb8df76
Comment 5 Fedora Update System 2019-05-18 04:11:27 UTC 
podman-1.3.1-1.git7210727.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe6ef87556
Comment 6 Fedora Update System 2019-05-20 01:03:52 UTC 
podman-1.3.1-1.git7210727.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2019-06-05 02:01:11 UTC 
podman-1.3.1-1.git7210727.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.