Description of problem:
Dockerfile builds cannot change permissions of /etc/pki/ca-trust or create files inside it.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. create a Dockerfile with RUN chmod a+w -R /etc/pki/ca-trust/extracted
2. build an image
3. inspect /etc/pki/ca-trust/extracted permissions

Actual results:
drwxr-xr-x

Expected results:
drwxrwxrwx

Additional info:
It affects our ability to build release images:
* https://github.com/openshift/image-registry/blob/edd1c864a4cd87e496fdce38aa166f22683eb234/Dockerfile.rhel7#L10
* https://github.com/openshift/cloud-credential-operator/blob/1e5a13b5a796630ef6fa9de5ec974b330b77fd5f/Dockerfile#L11
This was a consequence of fixing https://bugzilla.redhat.com/show_bug.cgi?id=1826183. /etc/pki/ca-trust is a mount point for buildah, the contents of which are managed by the build container. When the build container starts, it adds the cluster-wide CA to the set of anchors, and then runs `update-ca-trust extract` as root. In the case of the image registry, it wants /etc/pki/ca-trust to be writeable so that `update-ca-trust` can be run as non-root.
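As an added diagnostic (not code from the bug report or from buildah), the following POSIX shell script answers the question the comment above raises for a given path inside a build: which mount point serves it. It parses a /proc/self/mountinfo-style file (field 5 is the mount point) and reports the longest mount point that is a prefix of the path; the sample mountinfo content is constructed, not captured from a real build, and the function names are the example's own.

```shell
#!/bin/sh
# Print the mount point that serves path $1, read from the mountinfo file $2
# (defaults to /proc/self/mountinfo). Field 5 of each mountinfo line is the
# mount point; the longest one that is a prefix of the path wins.
mount_for_path() {
  awk -v p="$1" '
    $5 == "/" || $5 == p || index(p, $5 "/") == 1 {
      if (length($5) > length(best)) best = $5
    }
    END { print best }' "${2:-/proc/self/mountinfo}"
}

# Succeed (exit 0) when the path lives on a mount other than the root
# filesystem, i.e. when a permission change made in a RUN step targets
# injected content rather than the image layer itself.
on_separate_mount() {
  [ "$(mount_for_path "$1" "$2")" != "/" ]
}

# Constructed sample mountinfo (hypothetical ids, types and options; not a
# capture from an OpenShift build container).
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
100 90 0:45 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
101 100 0:46 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 100 0:47 / /etc/pki/ca-trust rw,relatime - tmpfs tmpfs rw
EOF

# Usage: report where the directory from the bug's reproducer lives.
if on_separate_mount /etc/pki/ca-trust/extracted "$SAMPLE_MOUNTINFO"; then
  echo "/etc/pki/ca-trust/extracted is served by $(mount_for_path /etc/pki/ca-trust/extracted "$SAMPLE_MOUNTINFO")"
else
  echo "/etc/pki/ca-trust/extracted is part of the image root filesystem"
fi
```

Run it inside a RUN step with no second argument to read the real /proc/self/mountinfo of the build container.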
I think https://bugzilla.redhat.com/show_bug.cgi?id=1826183 needs to be considered for reversion, given the impact on existing build behavior. It means that no one w/ a builder image that includes their own CAs can continue to function as expected, right? Because their CAs will be stomped by the always present mount that that fix introduced.
More specifically, here is my suggested course of action:
1) put in a change to 4.7 and 4.6 that does not mount the content (you can leave the rest of the logic in place)
2) get CI to update to the 4.6.z patch ASAP
3) reintroduce the mount based on a buildconfig API opt-in field, in 4.6+4.7.
Dropping the sort of error string folks might see into the bug, to help with searching:

Copying system trust bundle
cp: cannot remove '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem': Permission denied
To facilitate quick backporting to 4.6.z, this BZ will only cover the removal of the buildah mount. Optionally mounting /etc/pki/ca-trust will be addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1895053.
Verified with the following version:
Version: 4.7.0-0.nightly-2020-11-05-214617

Using the following Dockerfile:
```
FROM registry.svc.ci.openshift.org/ocp/4.7:base
RUN chmod a+w -R /etc/pki/ca-trust/extracted
RUN ls -ld /etc/pki/ca-trust/extracted
```

Result:
```
STEP 1: FROM registry.svc.ci.openshift.org/ocp/4.7:base
STEP 2: RUN chmod a+w -R /etc/pki/ca-trust/extracted
--> 2293d141c56
STEP 3: RUN ls -ld /etc/pki/ca-trust/extracted
drwxrwxrwx. 1 root root 70 Sep  1 19:39 /etc/pki/ca-trust/extracted
```
Added the case OCP-37309 to the bug, but hit the issue "The external tracker URL you specified does not belong to a tracker known to Red Hat Bugzilla"; anyway, the case is added.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633