Description of problem:
Customer is migrating their CI/CD s2i projects from OCPv3 to OCPv4 and gets an error when performing the build:
~~~
# oc logs test1-nginx-1-build
Caching blobs under "/var/cache/blobs".
Getting image source signatures
...
sha256:753e05619c857a23e341c90133506bb139b02b00eec0a1a6a90a1024fda606a7
Writing manifest to image destination
Storing signatures
Generating dockerfile with builder image image-registry.openshift-image-registry.svc:5000/openshift/nginx-centos7-app@sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68
error: build error: image "1001:1001" must specify a user that is numeric and within the range of allowed users
~~~

Version-Release number of selected component (if applicable):
Customer is facing issues in OCP 4.6 EUS

How reproducible:

Steps to Reproduce:
1. Build an image specifying the user ID and GROUP, used the s2i example https://github.com/sclorg/nginx-container.git :
~~~
# grep USER Dockerfile
USER 1001:1001
# s2i build test/test-app nginx-centos7 nginx-centos7-app
~~~
As per Docker reference this is correct: https://docs.docker.com/engine/reference/builder/#user

2. Upload the image to an OCP cluster, in my case 4.7.34
~~~
# oc get images -n openshift | grep app
sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68 image-registry.openshift-image-registry.svc:5000/openshift/nginx-centos7-app@sha256:f3c914f9c5950731f00070161c642446f99cf30a7c8b9d6935bd17bea1616b68
~~~

3. Create the app with the s2i reference:
~~~
oc new-app nginx-centos7-app:1.0~https://github.com/sclorg/nginx-container.git --context-dir=1.12/test/test-app/
~~~

Actual results:
Build finishes with error:
~~~
error: build error: image "1001:1001" must specify a user that is numeric and within the range of allowed users
~~~

Expected results:
Build the app correctly

Additional info:
Verified with 4.10.0-0.nightly-2021-12-23-153012
========================
1. Clone https://github.com/sclorg/nginx-container/
2. Modified 1.20/Dockerfile.fedora file user to `USER 1001:1001`
3. $ docker build -t nginx-builder -f Dockerfile.fedora .
4. $ docker tag nginx-builder quay.io/pkumari/testing:s2i
5. $ docker push quay.io/pkumari/testing:s2i
6. inspect the changed content
7. pkumari$ oc new-app quay.io/pkumari/testing:s2i~https://github.com/sclorg/nginx-container.git --context-dir=1.20/test/test-app
~~~
--> Found container image f623d99 (18 minutes old) from quay.io for "quay.io/pkumari/testing:s2i"

    Nginx 1.20
    [...]

--> Success
    Build scheduled, use 'oc logs -f bc/nginx-container' to track its progress.
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/nginx-container'
    Run 'oc status' to view your app.
~~~
8. $ oc logs -f bc/nginx-container
~~~
Cloning "https://github.com/sclorg/nginx-container.git" ...
	Commit:	72be359c981f475af1a26d5c2179e845dfcf5ce5 (Merge pull request #164 from phracek/eol_116_2021)
	Author:	Petr Hracek <phracek>
	Date:	Mon Jan 3 09:19:28 2022 +0100
time="2022-01-06T13:20:42Z" level=info msg="metacopy option not supported on this kernelmetacopy=on"
time="2022-01-06T13:20:42Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: failed to mount overlay: invalid argument"
I0106 13:20:42.848724 1 defaults.go:102] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
Caching blobs under "/var/cache/blobs".
Trying to pull quay.io/pkumari/testing@sha256:5e6b2e85c6e2e97b79f2d96c174d71af98ba38242b8ed68e0a6467de64133598...
Getting image source signatures
Copying blob sha256:5ae9ec30c19701ea14ae98ed19594df37e62d0aff61d712b060a0305eb995a07
[...]
STEP 3/9: ENV OPENSHIFT_BUILD_NAME="nginx-container-1" OPENSHIFT_BUILD_NAMESPACE="testing-rhel" OPENSHIFT_BUILD_SOURCE="https://github.com/sclorg/nginx-container.git" OPENSHIFT_BUILD_COMMIT="72be359c981f475af1a26d5c2179e845dfcf5ce5"
STEP 4/9: USER root
STEP 5/9: COPY upload/src /tmp/src
STEP 6/9: RUN chown -R 1001:0 /tmp/src
STEP 7/9: USER 1001
STEP 8/9: RUN /usr/libexec/s2i/assemble
---> Installing application source
[...]
--> 06e8d008570
Successfully tagged temp.builder.openshift.io/testing-rhel/nginx-container-1:491d6034
06e8d008570ec61f5beb1bf67c31f1adfd462197f1b0e231e288a7a87633266b
Pushing image image-registry.openshift-image-registry.svc:5000/testing-rhel/nginx-container:latest ...
Getting image source signatures
Copying blob sha256:a4e09c94fa39a557d8cbc31d4f4abf2a019f345eb2f7a17f6e0385c1e6fe5bf6
Copying blob sha256:99ec1501c5901a0f1e043253464e38b4b0ab0b711c5afeac0c4f8ec994125644
Copying blob sha256:5108d7b06712b7a306e25cd62792fc023fd1bbf08aa4550cb010fcdca9eb9e4a
Copying blob sha256:2109b8980fd6d0e7fc0b39e2a0320969d6c8771839b9dce0901d0b40dcd5e660
Copying blob sha256:5ae9ec30c19701ea14ae98ed19594df37e62d0aff61d712b060a0305eb995a07
Copying blob sha256:6ae6c1c549e7df941d05ba41105ad300258acbd218a5047adfd93611a270fc3b
Copying blob sha256:e0da8b6c708cdf6142af35fa6fe6f296e934c75d24ec2dd73c940b3973ff9995
Copying config sha256:06e8d008570ec61f5beb1bf67c31f1adfd462197f1b0e231e288a7a87633266b
Writing manifest to image destination
Storing signatures
Successfully pushed image-registry.openshift-image-registry.svc:5000/testing-rhel/nginx-container@sha256:51a5b0f796a7c2795b34e7c83e31a8ec63511a328cdc6d171fe23a250ad6aaa9
Push successful
~~~
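
The value rejected in the description (`1001:1001`) and the `USER 1001` step in the verified build differ only by the group suffix. The Go sketch below is an added example, not the OpenShift builder's code: `CheckImageUser`, `UIDRange` and the allowed range are hypothetical names and constructed values, showing a numeric-user check that accepts Docker's `user[:group]` form while still rejecting root and named users.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// UIDRange is an inclusive range of permitted numeric user IDs (hypothetical type).
type UIDRange struct{ Min, Max uint32 }

// CheckImageUser validates a Dockerfile USER value ("uid", "uid:gid", "name",
// "name:group") and returns the numeric UID if it falls in an allowed range.
func CheckImageUser(user string, allowed []UIDRange) (uint32, error) {
	// Docker's USER accepts user[:group]; only the user part decides the UID,
	// so the group suffix is split off instead of failing the numeric parse.
	uidPart, _, _ := strings.Cut(strings.TrimSpace(user), ":")
	if uidPart == "" {
		return 0, fmt.Errorf("image %q does not specify a user", user)
	}
	// A named user cannot be proven non-root without reading the image's
	// /etc/passwd, so anything that is not a plain decimal UID is refused.
	uid, err := strconv.ParseUint(uidPart, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("image user %q is not numeric", user)
	}
	for _, r := range allowed {
		if uint32(uid) >= r.Min && uint32(uid) <= r.Max {
			return uint32(uid), nil
		}
	}
	return 0, fmt.Errorf("image user %q is outside the allowed ranges", user)
}

func main() {
	// Constructed policy: any non-root UID is allowed.
	allowed := []UIDRange{{Min: 1, Max: 1<<32 - 1}}
	// Constructed sample USER values, including the one from this report.
	for _, u := range []string{"1001:1001", "1001", "0", "0:0", "nginx", ":1001"} {
		uid, err := CheckImageUser(u, allowed)
		fmt.Printf("%-12q uid=%-5d err=%v\n", u, uid, err)
	}
}
```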
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056