Bug 2021551 - Build is not recognizing the USER group from an s2i image
Summary: Build is not recognizing the USER group from an s2i image
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6.z
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Nalin Dahyabhai
QA Contact: Jitendar Singh
URL:
Whiteboard:
Depends On:
Blocks: 2042444
 
Reported: 2021-11-09 15:26 UTC by Pamela Escorza
Modified: 2022-03-10 16:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:26:15 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift builder pull 270 0 None open Bug 2021551: getAssembleUser(): strip the group part out before checking the UID 2021-11-09 21:31:23 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:26:37 UTC

Description Pamela Escorza 2021-11-09 15:26:53 UTC
Description of problem:
Customer is migrating their CI/CD s2i projects from OCPv3 to OCPv4 and gets an error when performing the build:
~~~
# oc logs test1-nginx-1-build
Caching blobs under "/var/cache/blobs".
Getting image source signatures
...
sha256:753e05619c857a23e341c90133506bb139b02b00eec0a1a6a90a1024fda606a7
Writing manifest to image destination
Storing signatures
Generating dockerfile with builder image image-registry.openshift-image-registry.svc:5000/openshift/nginx-centos7-app@sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68
error: build error: image "1001:1001" must specify a user that is numeric and within the range of allowed users
~~~

Version-Release number of selected component (if applicable):
Customer is facing issues in OCP 4.6 EUS

How reproducible:


Steps to Reproduce:
1. Build an image specifying the user ID and GROUP, using the s2i example https://github.com/sclorg/nginx-container.git:
~~~
# grep USER Dockerfile
    USER 1001:1001
# s2i build test/test-app nginx-centos7 nginx-centos7-app
~~~
As per the Docker reference this is correct:
https://docs.docker.com/engine/reference/builder/#user

2. Upload the image to an OCP cluster, in my case 4.7.34
~~~
# oc get images -n openshift | grep app
  sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68   image-registry.openshift-image-registry.svc:5000/openshift/nginx-centos7-app@sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68
~~~

3. Create the app with the s2i reference:
  ~~~
  oc new-app nginx-centos7-app:1.0~https://github.com/sclorg/nginx-container.git --context-dir=1.12/test/test-app/
  ~~~

Actual results:
Build finishes with error:
~~~
error: build error: image "1001:1001" must specify a user that is numeric and within the range of allowed users
~~~

Expected results:
Build the app correctly

Additional info:

Comment 4 Priti Kumari 2022-01-06 13:30:46 UTC
Verified with 4.10.0-0.nightly-2021-12-23-153012

========================

1. Clone https://github.com/sclorg/nginx-container/
2. Modified 1.20/Dockerfile.fedora file user to `USER 1001:1001`
3. $ docker build -t nginx-builder -f Dockerfile.fedora .
4. $ docker tag nginx-builder quay.io/pkumari/testing:s2i
5. $ docker push quay.io/pkumari/testing:s2i
6. Inspect the changed content
7. pkumari$ oc new-app quay.io/pkumari/testing:s2i~https://github.com/sclorg/nginx-container.git --context-dir=1.20/test/test-app
--> Found container image f623d99 (18 minutes old) from quay.io for "quay.io/pkumari/testing:s2i"

    Nginx 1.20 
[...]
--> Success
    Build scheduled, use 'oc logs -f bc/nginx-container' to track its progress.
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/nginx-container' 
    Run 'oc status' to view your app.
8. $ oc logs -f bc/nginx-container
Cloning "https://github.com/sclorg/nginx-container.git" ...
	Commit:	72be359c981f475af1a26d5c2179e845dfcf5ce5 (Merge pull request #164 from phracek/eol_116_2021)
	Author:	Petr Hracek <phracek>
	Date:	Mon Jan 3 09:19:28 2022 +0100
time="2022-01-06T13:20:42Z" level=info msg="metacopy option not supported on this kernelmetacopy=on"
time="2022-01-06T13:20:42Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: failed to mount overlay: invalid argument"
I0106 13:20:42.848724       1 defaults.go:102] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
Caching blobs under "/var/cache/blobs".
Trying to pull quay.io/pkumari/testing@sha256:5e6b2e85c6e2e97b79f2d96c174d71af98ba38242b8ed68e0a6467de64133598...
Getting image source signatures
Copying blob sha256:5ae9ec30c19701ea14ae98ed19594df37e62d0aff61d712b060a0305eb995a07
[...]
STEP 3/9: ENV OPENSHIFT_BUILD_NAME="nginx-container-1"     OPENSHIFT_BUILD_NAMESPACE="testing-rhel"     OPENSHIFT_BUILD_SOURCE="https://github.com/sclorg/nginx-container.git"     OPENSHIFT_BUILD_COMMIT="72be359c981f475af1a26d5c2179e845dfcf5ce5"
STEP 4/9: USER root
STEP 5/9: COPY upload/src /tmp/src
STEP 6/9: RUN chown -R 1001:0 /tmp/src
STEP 7/9: USER 1001
STEP 8/9: RUN /usr/libexec/s2i/assemble
---> Installing application source
[...]
--> 06e8d008570
Successfully tagged temp.builder.openshift.io/testing-rhel/nginx-container-1:491d6034
06e8d008570ec61f5beb1bf67c31f1adfd462197f1b0e231e288a7a87633266b

Pushing image image-registry.openshift-image-registry.svc:5000/testing-rhel/nginx-container:latest ...
Getting image source signatures
Copying blob sha256:a4e09c94fa39a557d8cbc31d4f4abf2a019f345eb2f7a17f6e0385c1e6fe5bf6
Copying blob sha256:99ec1501c5901a0f1e043253464e38b4b0ab0b711c5afeac0c4f8ec994125644
Copying blob sha256:5108d7b06712b7a306e25cd62792fc023fd1bbf08aa4550cb010fcdca9eb9e4a
Copying blob sha256:2109b8980fd6d0e7fc0b39e2a0320969d6c8771839b9dce0901d0b40dcd5e660
Copying blob sha256:5ae9ec30c19701ea14ae98ed19594df37e62d0aff61d712b060a0305eb995a07
Copying blob sha256:6ae6c1c549e7df941d05ba41105ad300258acbd218a5047adfd93611a270fc3b
Copying blob sha256:e0da8b6c708cdf6142af35fa6fe6f296e934c75d24ec2dd73c940b3973ff9995
Copying config sha256:06e8d008570ec61f5beb1bf67c31f1adfd462197f1b0e231e288a7a87633266b
Writing manifest to image destination
Storing signatures
Successfully pushed image-registry.openshift-image-registry.svc:5000/testing-rhel/nginx-container@sha256:51a5b0f796a7c2795b34e7c83e31a8ec63511a328cdc6d171fe23a250ad6aaa9
Push successful
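
The check named in the linked pull request title (strip the group part out before checking the UID), shown beside the whole-string check that rejects `USER 1001:1001`. This is an added example, not code from openshift/builder; the function names, the `uidRange` type and the 1-65535 range are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// uidRange is a hypothetical inclusive range of UIDs a build may run as.
type uidRange struct{ min, max int64 }

// checkUID applies the numeric and range checks to candidate; original is
// only used to report the USER value as it appeared in the image config.
func checkUID(candidate, original string, allowed uidRange) (int64, error) {
	uid, err := strconv.ParseInt(candidate, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("user %q is not numeric", original)
	}
	if uid < allowed.min || uid > allowed.max {
		return 0, fmt.Errorf("user %q is outside %d-%d", original, allowed.min, allowed.max)
	}
	return uid, nil
}

// checkWholeString treats the entire USER value as the UID, so a
// "uid:gid" value such as "1001:1001" fails the numeric test.
func checkWholeString(user string, allowed uidRange) (int64, error) {
	return checkUID(user, user, allowed)
}

// checkUserPart drops the optional ":group" suffix first, then runs the
// same checks on the user part only. Named users, an empty user part and
// UIDs outside the range (including 0) are still rejected.
func checkUserPart(user string, allowed uidRange) (int64, error) {
	uidPart := strings.SplitN(user, ":", 2)[0]
	return checkUID(uidPart, user, allowed)
}

func main() {
	allowed := uidRange{min: 1, max: 65535} // assumed range for the example
	// Constructed sample USER values.
	for _, user := range []string{"1001", "1001:1001", "0:0", "nginx:1001", ":1001"} {
		_, before := checkWholeString(user, allowed)
		uid, after := checkUserPart(user, allowed)
		fmt.Printf("USER %-11s whole-string err=%v | user-part uid=%d err=%v\n",
			user, before, uid, after)
	}
}
```

Stripping the group changes only what is parsed, not what is permitted: the UID must still be numeric and inside the allowed range, so `0:0` and `nginx:1001` remain rejected.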

Comment 10 errata-xmlrpc 2022-03-10 16:26:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

