Error while loading a tar docker image permission denied - tar

I am trying to load a tar docker image to my vm (rhel 8.4) using podman with this command.
podman image load -i /tmp/pgsql
I cannot load the image because of the error :
DEBU[0004] No compression detected
DEBU[0004] Using original blob without modification
Copying config 5gr88732911 done
Writing manifest to image destination
Storing signatures
DEBU[0004] Applying tar in /var/lib/containers/storage/overlay/9eb82f04c782ay3f5ik25911e60d75e221ce0fe82e49f0dmmf02c81a3161d1300/diff
DEBU[0005] Error pulling image ref /tmp/pgsql: Error committing the finished image: error adding layer with blob "sha256: 9eb82f04c782ay3f5ik25911e60d75e221ce0fe82e49f0dmmf02c81a3161d1300": Error processing tar file(exit status 1): open /etc/group: permission denied
**Error processing tar file(exit status 1): open /etc/group: permission denied**
DEBU[0005] Error deleting temporary directory: <nil>
DEBU[0005] parsed reference into "[overlay#/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]localhost/tmp/pgsql:latest"
DEBU[0005] Using blob info cache at /var/lib/containers/cache/blob-info-cache-v1.boltdb
DEBU[0005] Error pulling image ref /tmp/pgsql: Error determining manifest MIME type for dir:/tmp/pgsql: open /tmp/pgsql/manifest.json: not a directory
open /tmp/pgsql/manifest.json: not a directory
DEBU[0005] parsed reference into "[overlay#/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]localhost/tmp/pgsql:latest"
DEBU[0005] Error pulling image ref /tmp/pgsql:: Error initializing source oci:/tmp/pgsql:: open /tmp/pgsql/index.json: not a directory
open /tmp/pgsql/index.json: not a directory
Loaded image(s):
it seems that I cannot modify /etc/group
the vm is very hardened so we do not have the rights to write to /etc/group
I have the rights to see the /etc/group
ls -al /etc/group
-rw-r--r- root root root 1262 Apr 22 08:31 /etc/group
i've tried with another image and it isn't working
does anyone have an idea how I can resolve this ? I will be very grateful,
Thank you

Related

docker mount - Error response from daemon: invalid mount config for type "bind"

I am facing an issue with mounting a host directory into docker container with both -v and --mount options.
Using mount:
docker run --mount type=bind,source=/home/myuser/docker_test/out_dir,target=/home/out_dir --user 12345:1000 -it docker-name:0.1 bash
docker: Error response from daemon: invalid mount config for type "bind": stat /home/myuser/docker_test/out_dir: permission denied.
But I am able to do stat on this directory.
stat /home/myuser/docker_test/out_dir
File: '/home/myuser/docker_test/out_dir'
Size: 4096 Blocks: 8 IO Block: 32768 directory
Device: 33h/51d Inode: 9275022755226025350 Links: 2
Access: (0770/drwxrwx---) Uid: (12345/ myuser) Gid: ( 1000/ hercules)
Access: 2022-12-01 02:12:54.430582000 -0500
Modify: 2022-12-01 02:12:38.239629000 -0500
Change: 2022-12-01 02:12:38.239629000 -0500
Birth: -
Using -v:
docker run -v /home/myuser/docker_test/out_dir:/home/out_dir --user 12345:1000 -it docker-name:0.1:0.1 bash
docker: Error response from daemon: error while creating mount source path '/home/myuser/docker_test/out_dir': mkdir /home/myuser/docker_test: permission denied.
ERRO[0000] error waiting for container: context canceled
I don't know why it's trying to do mkdir but /home/myuser/docker_test already exists and is writable for the current user.
Am I missing something here?
BTW - /home is a NFS mounted directory.
EDIT: mounting /tmp worked. So this means it is related to the NFS mounted directory /home.
EDIT 2
I am working on a network machine where I don’t have root (sudo) access.
The docker service is installed by root user.
/home/myuser/docker_test/out_dir has 700 (rwx------) permissions. If I change the permission to 755, it will work. But I can’t change the directory permissions.
My question is why stat is failing when the user starting the docker has the permissions to access the source directory?
Is the stat being called by the docker executable as some ‘other’ user?
Use:
sudo docker run -v /home/myuser/docker_test/out_dir:/home/out_dir --user 12345:1000 -it docker-name:0.1:0.1 bash

Failed to copy local file to the k8s container of the keycloak by using kubectl cp

This is what my commend looks like
kubectl cp /Users/Documents/keycloak-deployment/import/realm-export-sdp.json sdp-steve/keycloak-7458697ddb-tbzp8:/tmp
And I got the error message as below:
rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:235: starting container process caused "exec: \"tar\": executable file not found in $PATH"
error: Internal error occurred: error executing command in container: read unix #->/var/run/docker.sock: read: connection reset by peer
Does anyone know how to handle this error? Thank you in advance.
Your container image must have tar binary present for running kubectl cp subcommand. As a result, you are getting the following error:
"exec: \"tar\": executable file not found in $PATH
See the below snippet:
kubectl cp --help
Copy files and directories to and from containers.
Examples:
# !!!Important Note!!!
# Requires that the 'tar' binary is present in your container
# image. If 'tar' is not present, 'kubectl cp' will fail.
#
# For advanced use cases, such as symlinks, wildcard expansion or
# file mode preservation, consider using 'kubectl exec'.
You may check this page showing why tar is needed.

prisma cloud - twistcli with podman error - destination must be a directory when copying from stdin

i try the first time to use twistcli to scan my images. I have installed podman and twistcli in a separate container(at_ubi8_minimal_adp_jenkins_slave) from where i execute the commands:
podman login
podman pull
twistcli images scan
from the command twistcli images scan i receive this error message:
failed to augment data: time="2022-05-20T08:22:27Z" level=error msg="Unmounting /home/jenkins/.local/share/containers/storage/overlay/acaf4e2debbf7544bed43772631cff07a849b5efe16af0e80495410e75fa7434/merged: invalid argument"
Error: destination must be a directory when copying from stdin
here the detailed output from the jenkins job:
Running on twistcli-500j7-lj54g in /home/jenkins/agent/workspace/prod-images/at_ubi8_minimal_openjdk17_tomcat_9
[Pipeline] {
[Pipeline] script
[Pipeline] {
[Pipeline] sh
+ date -u +%Y-%m-%dT%H:%M:%SZ
[Pipeline] sh
+ twistcli --version
twistcli version 22.01.882
+ podman login --username ***** --password **** ******.azurecr.io
time="2022-05-20T08:19:55Z" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
Login Succeeded!
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] withCredentials
Masking supported pattern matches of $PASSWORD
[Pipeline] {
[Pipeline] sh
+ podman pull ****.azurecr.io/base-images-untested/at_ubi8_minimal_openjdk17_tomcat_9:latest
Trying to pull *****.azurecr.io/base-images-untested/at_ubi8_minimal_openjdk17_tomcat_9:latest...
Getting image source signatures
Copying blob sha256:f90c6277a08b98bf86bd25eb57a1eb468537eb32981d7505fe0899b9fe4fdbf9
Copying blob sha256:0344366a246a0f7590c2bae4536c01f15f20c6d802b4654ce96ac81047bc23f3
Copying blob sha256:a65df433bed4dabe5b1e2674bf8445f146c74692883416bd13cb2d3220eff12e
Copying blob sha256:2fba5451984251ebb2e5fa24790dafa11fed899762e072f0e2850c735eb72c9b
Copying blob sha256:4752687a61a97d6f352ae62c381c87564bcb2f5b6523a05510ca1fb60d640216
Copying blob sha256:f05c02598dd61f434ad35163b5ba33a78088edd6663230692bc9a86b32f17f08
Copying blob sha256:0344366a246a0f7590c2bae4536c01f15f20c6d802b4654ce96ac81047bc23f3
Copying blob sha256:727d2b3b1e88b86022ad6ad83883eb33125ddf60c5be90b4a60a6e4c17d47747
Copying blob sha256:f90c6277a08b98bf86bd25eb57a1eb468537eb32981d7505fe0899b9fe4fdbf9
Copying blob sha256:f05c02598dd61f434ad35163b5ba33a78088edd6663230692bc9a86b32f17f08
Copying blob sha256:085c9b1c02e10303ae1b89674babfaa65e200ef6a8f7efd54d53b5a09457ff2c
Copying blob sha256:d384ab88b54fb8d6d94389d243defb197150a922d9544df3b7a99b3dba2322fc
Copying blob sha256:2fba5451984251ebb2e5fa24790dafa11fed899762e072f0e2850c735eb72c9b
Copying blob sha256:4752687a61a97d6f352ae62c381c87564bcb2f5b6523a05510ca1fb60d640216
Copying blob sha256:a65df433bed4dabe5b1e2674bf8445f146c74692883416bd13cb2d3220eff12e
Copying blob sha256:727d2b3b1e88b86022ad6ad83883eb33125ddf60c5be90b4a60a6e4c17d47747
Copying blob sha256:d384ab88b54fb8d6d94389d243defb197150a922d9544df3b7a99b3dba2322fc
Copying blob sha256:ccc5a3e54104978dbefc422db00d01071aa635c0213b5e7634ab248804578fe8
Copying blob sha256:5d0a4158bbb9c76f1ad9c2164e11d6dd19286e9e28366340aaa068bc36731343
Copying blob sha256:085c9b1c02e10303ae1b89674babfaa65e200ef6a8f7efd54d53b5a09457ff2c
Copying blob sha256:f05bd034f93deb8750b9bfab26ccf6cd6867f145250640216d9996cd7078a1ed
Copying blob sha256:ccc5a3e54104978dbefc422db00d01071aa635c0213b5e7634ab248804578fe8
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying blob sha256:5d0a4158bbb9c76f1ad9c2164e11d6dd19286e9e28366340aaa068bc36731343
Copying blob sha256:f05bd034f93deb8750b9bfab26ccf6cd6867f145250640216d9996cd7078a1ed
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying config sha256:54900d37234bebdbaf6223504b2d63a5fbeb3906ab1513cac9587cff75d9d297
Writing manifest to image destination
Storing signatures
54900d37234bebdbaf6223504b2d63a5fbeb3906ab1513cac9587cff75d9d297
+ unset http_proxy
+ unset https_proxy
+ unset no_proxy
+ twistcli images scan --details --podman-path podman --address https://***prisma-console*** -u ***** -p **** ****.azurecr.io/base-images-untested/at_ubi8_minimal_openjdk17_tomcat_9:latest
failed to augment data: time="2022-05-20T08:22:27Z" level=error msg="Unmounting /home/jenkins/.local/share/containers/storage/overlay/acaf4e2debbf7544bed43772631cff07a849b5efe16af0e80495410e75fa7434/merged: invalid argument"
Error: destination must be a directory when copying from stdin
does anyone know what this error message means?
There are many questions that would be necessary to understand your implementation, but from my experience the issue is with "/home/jenkins/.local/share/containers/storage/overlay/acaf4e2debbf7544bed43772631cff07a849b5efe16af0e80495410e75fa7434/merged". Does this directory already exist on your container? If not, it would need to be created before it can be a destination path. At a glance, this looks like a temp dir, maybe? That would not work, especially, a rootless scenario. When I see "failed to augment data" my first thoughts are the directory does not exist or I do not have the necessary access for said directory. Hope this helps!

Docker 'is not an absolute path or is a symlink' error

I start docker at private cloud host and get next error
sudo docker run hello-world
docker: Error response from daemon: OCI runtime create failed: /var/lib/docker/overlay2/83d55d497417883ea85b63ebe3138e5f5dbc2b3c8b2db663c1a007e7af1757f1/merged
is not an absolute path or is a symlink: unknown.
ERRO[0000] error waiting for container: context canceled
ll shows next
ll /var/lib/docker/overlay2
lrwxrwxrwx 1 root root 20 Jun 19 15:32 /var/lib/docker/overlay2 -> /dev/docker-overlay2/
Are there any way to fix it ?
I met this problem, I restart docker service, solve it
systemctl restart docker
problem was that someone configured symlink for "fat" directory with images to move it to another disc. Instead of properly configuring in /etc/docker/daemon.json

Amazon EFS & Docker - Error when creating an image

I would like to use docker with amazon's elastic file system (EFS). So I mounted the EFS on the EC2 machine and set an efs-folder as the docker root folder in the docker config file. But when I want to create an image I get this error:
Step 1 : FROM ubuntu:14.04
14.04: Pulling from library/ubuntu
862a3e9af0ae: Extracting [==================================================>] 65.7 MB/65.7 MB
6498e51874bf: Download complete
159ebdd1959b: Download complete
0fdbedd3771a: Download complete
7a1f7116d1e3: Download complete
failed to register layer: Error processing tar file(exit status 1): errno 524
In the docker logs I get this error:
Error trying v2 registry: failed to register layer: Error processing tar file(exit status 1): errno 524
Attempting next endpoint for pull after error: failed to register layer: Error processing tar file(exit status 1): errno 524
Any ideas how I can solve this?
I solved it by adding -s devicemapper to the docker daemoncommand as described in an issue: New Docker versions cannot host datastore on NFS share

Resources