quarkus: Quarkus NativeImageBuildStep fails with perm denied with podman 2.x

Describe the bug This bug originated here: https://bugzilla.redhat.com/show_bug.cgi?id=1854738 and here: https://groups.google.com/g/quarkus-dev/c/8LVoqk4G5uc/m/M5MAVopLAwAJ

Basically with podman 1.x --userns=keep-id contained a bug which got fixed with 2.x which results in quarkus build failures with options -Pnative -Dquarkus.native.container-build=true -Dquarkus.native.container-runtime=podman in rootless mode.

Expected behavior Native image build passes. No “Permission Denied” error.

Actual behavior Native image build in the container with mounted volume fails due to “Permission Denied”.

To Reproduce Steps to reproduce the behavior:

  1. Install podman 2.0 (for example in F32)
  2. mvn package -Pnative -Dquarkus.native.container-build=true -Dquarkus.native.container-runtime=podman

Additional context Looking at this podman bug: https://github.com/containers/podman/issues/3990

… it seems podman won’t help with getting permissions correctly set up for volume mounts.

My experiments showed that doing some podman unshare tricks prior the native image build might work. Something like this:

$ CONTAINER_UID=$(podman run --rm --entrypoint /bin/bash -ti quay.io/quarkus/ubi-quarkus-native-image:19.3.1-java11 -c 'id -u' | sed 's/\r//g')
$ podman unshare chown -R $CONTAINER_UID target/getting-started-1.0-SNAPSHOT-native-image-source-jar
$ podman run -v getting-started/target/getting-started-1.0-SNAPSHOT-native-image-source-jar:/project:z --env LANG=C --rm quay.io/quarkus/ubi-quarkus-native-image:19.3.1-java11 -J-Dsun.nio.ch.maxUpdateArraySize=100 -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dvertx.logger-delegate-factory-class-name=io.quarkus.vertx.core.runtime.VertxLogDelegateFactory -J-Dvertx.disableDnsResolver=true -J-Dio.netty.leakDetection.level=DISABLED -J-Dio.netty.allocator.maxOrder=1 -J-Duser.language=en -J-Dfile.encoding=UTF-8 --initialize-at-build-time= -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy\$BySpaceAndTime -H:+JNI -jar getting-started-1.0-SNAPSHOT-runner.jar -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:-AddAllCharsets -H:-IncludeAllTimeZones -H:EnableURLProtocols=http --no-server -H:-UseServiceLoaderFeature -H:+StackTrace getting-started-1.0-SNAPSHOT-runner

Getting the UID the container runs as that way is important as it might change.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 31 (26 by maintainers)

Commits related to this issue

Most upvoted comments

@zakkak if that works, please open a PR and ask @rsvoboda to test

+2
geoand on Jul 30, 2020

@zakkak sure, the auto-detection should kick in only if the -Dquarkus.native.container-runtime is not specified

+1
gastaldi on Dec 1, 2020

hello, I’m having this issue with 1.8.3.

+1
raffaelespazzoli on Nov 26, 2020

@gastaldi Yes. I do have something working, just polishing it and I will soon open a PR.

+1
zakkak on Jul 30, 2020

That’s better than me, none and I don’t think I can even install it 😃

+1
geoand on Jul 30, 2020

@Ladicek maybe?

+1
gsmet on Jul 30, 2020
Read more comments on GitHub
← quarkus: Quarkus Native Jackson InvalidDefinitionException Cannot find a (Map) Key deserializer for type [simple type, class java.math.BigDecimal]
quarkus: Quarkus Oauth2 quarkus.oauth2.enabled doesn't seem to work →