Podman Build and Privilege

Fairly simple question, but I have a command that works when running as a privileged podman container, but now I’m trying to run it in a build and it’s failing and I can’t figure out why.

What works:

podman run --privileged quay.io/reavessm/reavesos:catalyst catalyst -s latest

What doesn’t work:

podman run quay.io/reavessm/reavesos:catalyst catalyst -s latest

nor

FROM quay.io/reavessm/reavesos:catalyst

#COPY portage/ portage/
#COPY specs/ specs/

RUN catalyst -s latest
#RUN catalyst -pf specs/stage1.spec

Can anybody help troubleshoot this? I can provide more information if needed.

Is this the AMD proprietary driver? If not what is catalyst?

If the userid used by the software in the container does not match your userid, then creating temporary files/directories will likely fail. You should be able to figure out the userid used in the container by looking at the original Dockerfile.

It’s not the AMD driver, it’s Gentoo’s image builder tool, for use in my Devember project.

I will check the userid, and see if I can read/write to both src and dest dirs.

Can you inspect the image or the container that worked… and see what it’s using that needs privileges?

So it’s calling rsync, and rsync is failing to write to a directory that doesn’t exist. I was able to create the directory and the rsync succeeded, but now it’s failing somewhere else.

Is there no better way to troubleshoot this besides hopping back and forth like this?

A quick glance at the Gentoo wiki implies catalyst does most things in /var. You could create a volume and mount it to /var.

podman volume create catalyst-var, then use the volume option to make the volume available to the container (podman-run(1) — Podman documentation). Then the container should be able to write to the volume.

You can get the contents of the volume if needed using podman volume (podman-volume(1) — Podman documentation).

That’s a fine idea, but that won’t solve the problem with the build failing…

I am seeing that the Python script is failing calling an ‘unshare’ method, which says it’s a simple binding to the ‘unshare’ Linux syscall. I’m guessing that’s the culprit, but I’m not sure.

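To pin down an unshare failure like the one above without hopping between runs, here is an added diagnostic (written for this thread, not part of the original posts or of catalyst): a Python probe that calls the unshare(2) syscall through ctypes once per namespace flag, reports each errno, and prints the process's Seccomp mode and capability bounding set from /proc/self/status. Running it under plain podman run, podman run --privileged, and in a RUN step shows directly which namespace flags the container's sandbox denies; the flag values are the ones from <linux/sched.h>.

```python
"""Probe which unshare(2) namespace flags the current process is allowed to use."""
import ctypes
import errno
import os

# Namespace flag values from <linux/sched.h>
NS_FLAGS = {
    "CLONE_NEWNS": 0x00020000, "CLONE_NEWUTS": 0x04000000,
    "CLONE_NEWIPC": 0x08000000, "CLONE_NEWUSER": 0x10000000,
    "CLONE_NEWPID": 0x20000000, "CLONE_NEWNET": 0x40000000,
}

def probe_unshare(flag):
    """Errno from unshare(flag) made in a forked child (0 = allowed). Forking keeps
    this process out of any new namespace and isolates each flag from the others."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: attempt the syscall, send errno back over the pipe
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            err = 0 if libc.unshare(ctypes.c_int(flag)) == 0 else ctypes.get_errno()
        except (AttributeError, OSError):
            err = errno.ENOSYS  # no unshare symbol in libc (non-Linux)
        os.write(w, err.to_bytes(4, "little"))
        os._exit(0)
    os.close(w)
    data = os.read(r, 4)
    os.close(r)
    os.waitpid(pid, 0)
    return int.from_bytes(data, "little") if len(data) == 4 else errno.EIO

def describe_errno(err):
    """'ok' on success, else the symbolic errno (EPERM: seccomp filter or missing capability)."""
    return "ok" if err == 0 else errno.errorcode.get(err, str(err))

def proc_status(field):
    """One field such as 'Seccomp' or 'CapBnd' from /proc/self/status, or None."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith(field + ":"):
                    return line.split(":", 1)[1].strip()
    except OSError:
        pass
    return None

if __name__ == "__main__":
    print("Seccomp:", proc_status("Seccomp"), "CapBnd:", proc_status("CapBnd"))
    for name, flag in NS_FLAGS.items():
        print(f"unshare({name}): {describe_errno(probe_unshare(flag))}")
```

A Seccomp value of 2 means a filter is active; comparing the per-flag results between the privileged and unprivileged runs tells you whether it is the seccomp profile or the dropped capabilities that stops catalyst.
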
Yeah on second thought mounting as /var is likely a bad idea since it will remove some existing paths from the container.

Don’t have anything else for you. I did find this: GitHub - pandather/catalyst-containerized; not sure if you’ve seen it or if it will be helpful. Good luck.

Yeah, that’s entirely using Docker, but I guess I can give it a try. I also filed a bug with Gentoo’s dev team, so we’ll see what comes out of that.

https://bugs.gentoo.org/829214