Can't build an image if the root filesystem is read-only
I am not able to build images when enabling the security best practice of running the container with a read-only root file system.
Using the --read-only option to make the root file system read-only, I get the following error:
$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ docker run --rm -it \
--name img \
--volume ${PWD}:/home/user/src:ro \
--workdir /home/user/src \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
--read-only \
r.j3ss.co/img build -t user/myimage .
Error: error creating dir for embedded binaries: mkdir /home/user/.local: read-only file system
Using a temporary file system (--tmpfs /home/user/.local):
$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ docker run --rm -it \
--name img \
--volume ${PWD}:/home/user/src:ro \
--workdir /home/user/src \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
--read-only \
--tmpfs /home/user/.local \
r.j3ss.co/img build -t user/myimage .
Error: unable to check runc version
Using a volume (--volume ${PWD}/.local:/home/user/.local):
$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ mkdir .local
$ docker run --rm -it \
--name img \
--volume ${PWD}:/home/user/src:ro \
--workdir /home/user/src \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
--read-only \
--volume ${PWD}/.local:/home/user/.local \
r.j3ss.co/img build -t user/myimage .
Building docker.io/user/myimage:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 0.2s (2/2) FINISHED
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.2s
=> => transferring dockerfile: 62B 0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to create temp dir: mkdir /tmp/buildkit-mount103012371: read-only file system
Using a volume (--volume ${PWD}/.local:/home/user/.local) and --tmpfs /tmp:
$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ mkdir .local
$ docker run --rm -it \
--name img \
--volume ${PWD}:/home/user/src:ro \
--workdir /home/user/src \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
--read-only \
--volume ${PWD}/.local:/home/user/.local \
--tmpfs /tmp \
r.j3ss.co/img build -t user/myimage .
Building docker.io/user/myimage:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 0.1s (2/2) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 31B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount663287699: [{Type:bind Source:/home/user/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted
Is it possible to use img build with the read-only root file system restriction?
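The steps above are one iteration of a loop: run img under --read-only, read which path the "read-only file system" error names, add a writable mount for it, retry. The script below is an added example (mine, not code from this issue or from the img project) that automates that loop over a build log. The only thing it takes from the issue is the shape of the error lines it quotes; the sample log, the rule that a failing path under /tmp means the parent directory must be writable, and the rule that paths under the container user's home get a host bind mount rather than --tmpfs are my assumptions. The last rule mirrors the thread, where --tmpfs on /home/user/.local failed with "unable to check runc version" but a host volume worked; one likely reason, which I am assuming and the thread does not confirm, is that Docker's default --tmpfs options include noexec, so the runc binary img unpacks there cannot execute. Lines that end in "operation not permitted" are reported separately, because no writable mount will fix them.

```sh
#!/bin/sh
# Added example, not from the img issue or the img project. Reads the stderr of
# a `docker run --read-only ... img build` attempt and prints the extra mount
# flags the next attempt needs, so the read-only hardening can be kept while
# only the directories img actually writes are made writable.

# Print, one per line, every path named by a "read-only file system" error.
# The quoted error lines end in "<op> <path>: read-only file system", so the
# path is the last space-separated token once that suffix is stripped.
readonly_fs_paths() {
    awk '/: read-only file system/ {
        sub(/: read-only file system.*$/, "")
        n = split($0, f, " ")
        print f[n]
    }' "$@"
}

# Map one failing path to the directory worth mounting writable.
# Assumption: a path under /tmp or /var/tmp is a per-build temp dir with a
# random suffix (buildkit-mountNNN above), so its parent is the real target.
mount_target() {
    case "$1" in
        /tmp/*|/var/tmp/*) dirname "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print the docker run flag for one target.
# $1 = container path, $2 = host directory used to back home-relative mounts.
# Paths under the container user's home hold img's unpacked binaries; the
# issue shows --tmpfs there breaks runc, so they get a host bind mount like the
# issue's working step. Everything else gets a tmpfs.
mount_flag() {
    case "$1" in
        /home/*|/root/*) printf '%s %s\n' --volume "$2/$(basename "$1"):$1" ;;
        *) printf '%s %s\n' --tmpfs "$1" ;;
    esac
}

# $1 = host dir for bind mounts; remaining args (or stdin) = log to scan.
# Duplicate targets are collapsed so one flag is printed per directory.
suggest_flags() {
    host_dir=$1; shift
    readonly_fs_paths "$@" | while read -r p; do
        mount_target "$p"
    done | sort -u | while read -r t; do
        mount_flag "$t" "$host_dir"
    done
}

# "operation not permitted" is a different failure class (the issue ends on
# exactly that error): a writable mount cannot help, so surface those lines.
not_permitted_lines() {
    grep 'operation not permitted' "$@" || true
}

# Constructed sample log: the three error lines quoted in the issue.
sample_log() {
    cat <<'EOF'
Error: error creating dir for embedded binaries: mkdir /home/user/.local: read-only file system
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to create temp dir: mkdir /tmp/buildkit-mount103012371: read-only file system
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount663287699: [{Type:bind Source:/home/user/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted
EOF
}

# Usage: docker run ... 2>&1 | tee build.log; then `suggest_flags "$PWD" build.log`.
# Running this file with the argument "demo" scans the constructed log instead.
if [ "${1:-}" = "demo" ]; then
    sample_log | suggest_flags "$PWD"
    echo "Not fixable by a writable mount:"
    sample_log | not_permitted_lines
fi
```

On the constructed log the script prints the --volume flag for /home/user/.local and --tmpfs /tmp, which are the two mounts the issue converged on, and then lists the bind-mount "operation not permitted" line as something a writable root filesystem would not solve.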
Yes, I want this feature
I have the same problem. Please help to fix this issue.
I installed img inside a container in Kubernetes.
WARN[0000] Process sandbox is not available, consider unmasking procfs:
WARN[0000] using host network as the default
[+] Building 0.0s (2/2) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 32B 0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount4015711986: [{Type:bind Source:/root/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted
UPDATE: It is mentioned here: https://github.com/genuinetools/img/issues/115