Building docker image in github actions leads to skopeo related issues

dbarrosop · March 2, 2024, 12:14pm

Hello,
I am trying to build a docker image using a fromImage in github actions and this leads to the following issue:

copying path '/nix/store/hxrpgrpgx72qwcrghny749mvw5ac3j8p-skopeo-1.14.2' from 'https://cache.nixos.org'...
xxxxxx> created 441 symlinks in user environment
building '/nix/store/i0r95cq15z71b7h3zmj9aqs16kxx5ycm-docker-image-ubuntu-mantic-20231011.tar.drv'...
docker-image-ubuntu-mantic> FATA[0000] initializing source docker://ubuntu@sha256:7708743264cbb7f6cf7fc13e915faece45a6cdda455748bc55e58e8de3d27b63: getting username and password: 1 error occurred:
docker-image-ubuntu-mantic>     * reading JSON file "/run/containers/1001/auth.json": open /run/containers/1001/auth.json: permission denied

The fromImage is important as without this the issue doesn’t occur. Unfortunately, this is needed in this case. Doing some research I tracked this down to the following issue:

github.com/containers/skopeo

Using skopen in github actions

opened 09:11PM - 25 May 22 UTC

closed 01:02PM - 25 Jun 22 UTC

lburgazzoli

stale-issue locked - please file new issue/PR

I have a [very simple action](https://github.com/lburgazzoli/lb-actions-playgrou…nd/blob/master/.github/workflows/playground.yml) to test how to use skopeo in a GitHub Action ```yaml name: run on: pull_request: branches: - master workflow_dispatch: jobs: kustomize: runs-on: ubuntu-22.04 steps: - name: "Skopeo" run: | skopeo --version skopeo inspect docker://busybox:latest ``` When running the action, skopeo fails with the following error: ``` time="2022-05-25T21:0[7](https://github.com/lburgazzoli/lb-actions-playground/runs/6600214480?check_suite_focus=true#step:2:8):37Z" level=fatal msg="Error parsing image name \"docker://busybox:latest\": getting username and password: 1 error occurred:\n\t* reading JSON file \"/run/containers/1001/auth.json\": open /run/containers/1001/auth.json: permission denied\n\n" ``` Note that the version provided by the runner is 1.4.1

But I am unsure how to pass --authfile to skopeo here. I am also unsure what would be the correct value in this case what one problem at a time

Does anyone know how to fix this?

Thanks!

norpol · March 5, 2024, 7:20pm

Do you maybe have an example nix snippet? It seems to me that the linked issue is dealing with an unrelated problem.

Are you pulling from a private or public repo? Can you run the nix build locally? You could also give nix2container a try (example with nix2container).

dbarrosop · March 5, 2024, 7:46pm

I prepared a very simple repo that reproduces the issue. The relevant bits are:

And here is a build with the issue I mention

Locally it builds just fine. I will give nix2container a try but I’d love to make this work if possible.

norpol · March 10, 2024, 10:35pm

Sorry, somehow I haven’t received an email notification.
So I looked into this.

First I run just nix with docker run -it --rm ubuntu:22.04 /bin/bash -l and ran apt-get update; apt install nix. nix bulid .#docker-image in there which succeeds.

Then I tried the same with nixos/nix:latest which also succeeds.

I’ve tried overriding the XDG_RUNTIME_DIR and do nix build --impure in your GitHub action which also failed.

With GitHub - mxschmitt/action-tmate: Debug your GitHub Actions via SSH by using tmate to get access to the runner system itself. I was able to get a shell into the current environment, which reveals that /run/containers is only accessible for the root user.

Adding this to your GitHub action makes it work.

        sudo chmod 755 /run/containers
        sudo mkdir -p "/run/containers/$(id -u runner)"
        sudo chown runner: "/run/containers/$(id -u runner)"
        nix build

I’ve also tested this behavior inside the nixos/nix:latest by just creating the directory /run/containers and chown 000 /run/containers which ends up with the same error message.

The correct way to resolve this is sending an upstream pull request to nixpkgs to point XDG_RUNTIME_DIR to sandboxBuildDir.

github.com

NixOS/nixpkgs/blob/c916d4cbac62b2d8b70a3940d3471dbd0c57d2f4/pkgs/build-support/docker/default.nix#L1225


      
            # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1046-L1047
            # TODO: Make configurable?
            NIX_BUILD_CORES = "1";
          
          
} // drvEnv // {
          
          
  # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1008-L1010
            NIX_BUILD_TOP = sandboxBuildDir;
          
          
  # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1012-L1013
            TMPDIR = sandboxBuildDir;
            TEMPDIR = sandboxBuildDir;
            TMP = sandboxBuildDir;
            TEMP = sandboxBuildDir;
          
          
  # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019
            PWD = sandboxBuildDir;
          
          
  # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1071-L1074
            # We don't set it here because the output here isn't handled in any special way
            # NIX_LOG_FD = "2";

That being said, the Skopeo documentation should also receive a pull request/fix, since it documents the use of XDG_RUNTIME_DIR incorrectly, at least for this scenario:

github.com

containers/skopeo/blob/7001d7014e8f7f0223671ced5fa2a2dab47873be/README.md?plain=1#L31:


      
          
          
Skopeo operates on the following image and repository types:
          
          
* containers-storage:docker-reference
                  An image located in a local containers/storage image store.  Both the location and image store are specified in /etc/containers/storage.conf. (This is  the backend for [Podman](https://podman.io), [CRI-O](https://cri-o.io), [Buildah](https://buildah.io) and friends)
          
          
* dir:path
                  An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
          
          
* docker://docker-reference
                  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `skopeo login`.
          
          
* docker-archive:path[:docker-reference]
                  An image is stored in a `docker save`-formatted file.  docker-reference is only used when creating such a file, and it must not contain a digest.
          
          
* docker-daemon:docker-reference
                  An image docker-reference stored in the docker daemon internal storage.  docker-reference must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
          
          
* oci:path:tag
                  An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

It appers to be looking in /run/containers/<UID>/auth.json. Not /run/user/<UID>/auth.json.

dbarrosop · March 11, 2024, 9:35am

A million thanks for delving into this. I can confirm the workaround you suggested works. I also +1d the PR you opened (in case that helps somehow).

Thanks again for this!