@Luap99 Luap99 commented Oct 8, 2025

Does this PR introduce a user-facing change?


@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 8, 2025

openshift-ci bot commented Oct 8, 2025

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the do-not-merge/release-note-label-needed Enforce release-note requirement, even if just None label Oct 8, 2025

openshift-ci bot commented Oct 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 8, 2025
@Luap99 Luap99 force-pushed the staged-layer-creation branch 2 times, most recently from b60c4a4 to 03789f8 Compare October 15, 2025 15:06
@Luap99 Luap99 force-pushed the staged-layer-creation branch from 03789f8 to b5d82ad Compare October 23, 2025 10:34
@openshift-merge-robot

PR needs rebase.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 23, 2025
@Luap99 Luap99 force-pushed the staged-layer-creation branch from b5d82ad to 2cdc301 Compare October 23, 2025 12:16

Luap99 commented Oct 23, 2025

https://api.cirrus-ci.com/v1/artifact/task/6406639445606400/html/sys-podman-debian-13-root-host-sqlite.log.html

[+0644s] not ok 273 [400] podman container storage is not accessible by unprivileged users in 1708ms
         # (from function `bail-now' in file test/system/[helpers.bash, line 230](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L230),
         #  from function `die' in file test/system/[helpers.bash, line 994](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L994),
         #  from function `run_podman' in file test/system/[helpers.bash, line 605](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L605),
         #  in test file test/system/[400-unprivileged-access.bats, line 14](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/400-unprivileged-access.bats#L14))
         #   `run_podman run --name c_uidmap   --uidmap 0:10000:10000 $IMAGE true' failed
         #
<+     > # # podman run --name c_uidmap --uidmap 0:10000:10000 quay.io/libpod/testimage:20241011 true
<+632ms> # Trying to pull quay.io/libpod/testimage:20241011...
         # Getting image source signatures
         # Copying blob sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
         # Copying blob sha256:33b517cffde0ecb1f424f107b005cdfd614c467b9de2ad334970f800b77a4e70
         # Copying config sha256:b82e560ed57b77a897379e160371adcf1b000ca885e69c62cbec674777a83850
         # Writing manifest to image destination
         # Error: crun: open `/tmp/CI_tBlX/intermediate-mountpoint-0.0/run/.containerenv`: No such file or directory: OCI runtime attempted to invoke a command that was not found
<+006ms> # [ rc=127 (** EXPECTED 0 **) ]
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #| FAIL: exit code is 127; expected 0
[+0645s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         # # [teardown]
[+0646s] not ok 274 [400] sensitive mount points are masked without --privileged in 1225ms
         # (from function `bail-now' in file test/system/[helpers.bash, line 230](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L230),
         #  from function `assert' in file test/system/[helpers.bash, line 1110](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L1110),
         #  in test file test/system/[400-unprivileged-access.bats, line 146](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/400-unprivileged-access.bats#L146))
         #   `assert $status -le 1 "stat exit status: expected 0 or 1"' failed
         #
<+1.11s> # # podman image exists quay.io/libpod/testimage:20241011
         #
<+057ms> # # podman run --rm quay.io/libpod/testimage:20241011 stat -c%n:%F:%h:%T:%t /dev/null /proc/acpi /proc/kcore /proc/keys /proc/timer_list /sys/firmware /sys/dev/block
<+084ms> # Error: creating container storage: creating an ID-mapped copy of layer "5fb2677d7366b1f97f4a4d2851f47b11938cf2d6310523a61f43ab71b2b14e13": error during chown: mapping host ID pair idtools.IDPair{UID:0, GID:42} for "etc/shadow" to container: host ID 0 cannot be mapped to a container ID: exit status 1
<+005ms> # [ rc=125 ]
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #|     FAIL: stat exit status: expected 0 or 1
         # #| expected: -le 1
         # #|   actual:     125
         # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         # # [teardown]
[+0647s] ok 275 [410] podman selinux: check relabel in 800ms # skip selinux not available
[+0648s] not ok 276 [500] podman networking: port with --userns=keep-id for rootless or --uidmap=* for rootful in 1313ms
         # (from function `bail-now' in file test/system/[helpers.bash, line 230](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L230),
         #  from function `die' in file test/system/[helpers.bash, line 994](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L994),
         #  from function `run_podman' in file test/system/[helpers.bash, line 605](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/helpers.bash#L605),
         #  in test file test/system/[500-networking.bats, line 144](https://github.com/containers/podman/blob/2cdc3016d9496c2d9740041e245379ef6a34baa5/test/system/500-networking.bats#L144))
         #   `run_podman run -d ${userns} $network_arg -p 127.0.0.1:$myport:$myport \' failed
         #
<+2.42s> # # podman run -d --uidmap=0:1111111:65536 --gidmap=0:1111111:65536 --network bridge -p 127.0.0.1:52529:52529 quay.io/libpod/testimage:20241011 nc -l -n -v -p 52529
<+102ms> # Error: creating container storage: creating an ID-mapped copy of layer "5fb2677d7366b1f97f4a4d2851f47b11938cf2d6310523a61f43ab71b2b14e13": error during chown: mapping host ID pair idtools.IDPair{UID:0, GID:42} for "etc/shadow" to container: host ID 0 cannot be mapped to a container ID: exit status 1
<+006ms> # [ rc=125 (** EXPECTED 0 **) ]
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #| FAIL: exit code is 125; expected 0
         # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         # # [teardown]

No idea how this could be related to my changes, I suspect it is a flake and somehow once we get an error with an idmapped pulled image all following commands fail to create the idmapped layer? Seems quite concerning, I am going to press rerun just to be sure.
cc @mtrmac @giuseppe


Luap99 commented Oct 23, 2025

Ok not a flake I guess, trying to debug why this only fails on debian like that.


Luap99 commented Oct 23, 2025

So the required step to reproduce this is `export _CONTAINERS_OVERLAY_DISABLE_IDMAP=yes` to force the traditional chowned files and my rework seems to extract based on wrong mappings, I add more info on the container-libs PR.
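
The error text in the log above, "host ID 0 cannot be mapped to a container ID", is what a host-to-container lookup returns when it is handed IDs that lie outside the mapped host range. The following is an added illustration, not code from this PR or from containers/storage: the `IDMap` type and both functions are a simplified model written here, applied to the `--uidmap=0:1111111:65536` mapping and the `etc/shadow` ID pair (0, 42) from the failing test.

```go
package main

import "fmt"

// IDMap is one --uidmap/--gidmap triple: container start, host start, length.
// Simplified model written for this example, not the containers/storage type.
type IDMap struct {
	ContainerID, HostID, Size int
}

// ToHost translates a container ID to the host ID that backs it.
func ToHost(id int, maps []IDMap) (int, error) {
	for _, m := range maps {
		if id >= m.ContainerID && id < m.ContainerID+m.Size {
			return m.HostID + (id - m.ContainerID), nil
		}
	}
	return -1, fmt.Errorf("container ID %d cannot be mapped to a host ID", id)
}

// ToContainer translates a host ID to the container ID it appears as.
// The error wording mirrors the message seen in the CI log.
func ToContainer(id int, maps []IDMap) (int, error) {
	for _, m := range maps {
		if id >= m.HostID && id < m.HostID+m.Size {
			return m.ContainerID + (id - m.HostID), nil
		}
	}
	return -1, fmt.Errorf("host ID %d cannot be mapped to a container ID", id)
}

func main() {
	// Mapping from the failing command: --uidmap=0:1111111:65536 (same for gid).
	maps := []IDMap{{ContainerID: 0, HostID: 1111111, Size: 65536}}
	// etc/shadow in the log carries the pair UID 0, GID 42.
	for _, id := range []int{0, 42} {
		h, herr := ToHost(id, maps)
		c, cerr := ToContainer(id, maps)
		fmt.Printf("id %d read as container ID -> host %d (err: %v)\n", id, h, herr)
		fmt.Printf("id %d read as host ID      -> container %d (err: %v)\n", id, c, cerr)
	}
}
```

Read as container IDs, 0 and 42 map to host IDs 1111111 and 1111153; read as host IDs, neither falls inside 1111111..1176646, so the lookup fails with the message shown in the log.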
