Building docker image in github actions leads to skopeo related issues

I am trying to build a docker image using a fromImage in github actions and this leads to the following issue:

copying path '/nix/store/hxrpgrpgx72qwcrghny749mvw5ac3j8p-skopeo-1.14.2' from ''...
xxxxxx> created 441 symlinks in user environment
building '/nix/store/i0r95cq15z71b7h3zmj9aqs16kxx5ycm-docker-image-ubuntu-mantic-20231011.tar.drv'...
docker-image-ubuntu-mantic> FATA[0000] initializing source docker://ubuntu@sha256:7708743264cbb7f6cf7fc13e915faece45a6cdda455748bc55e58e8de3d27b63: getting username and password: 1 error occurred:
docker-image-ubuntu-mantic>     * reading JSON file "/run/containers/1001/auth.json": open /run/containers/1001/auth.json: permission denied

The fromImage is important as without this the issue doesn’t occur. Unfortunately, this is needed in this case. Doing some research I tracked this down to the following issue:

But I am unsure how to pass --authfile to skopeo here. I am also unsure what would be the correct value in this case what one problem at a time :stuck_out_tongue:

Does anyone know how to fix this?


Do you maybe have an example nix snippet? It seems to me that the linked issue is dealing with an unrelated problem.

Are you pulling from a private or public repo? Can you run the nix build locally? You could also give nix2container a try (example with nix2container).

I prepared a very simple repo that reproduces the issue. The relevant bits are:

And here is a build with the issue I mention

Locally it builds just fine. I will give nix2container a try but I’d love to make this work if possible.

Sorry, somehow I haven’t received an email notification.
So I looked into this.

First I run just nix with docker run -it --rm ubuntu:22.04 /bin/bash -l and ran apt-get update; apt install nix. nix bulid .#docker-image in there which succeeds.

Then I tried the same with nixos/nix:latest which also succeeds.

I’ve tried overriding the XDG_RUNTIME_DIR and do nix build --impure in your GitHub action which also failed.

With GitHub - mxschmitt/action-tmate: Debug your GitHub Actions via SSH by using tmate to get access to the runner system itself. I was able to get a shell into the current environment, which reveals that /run/containers is only accessible for the root user.

Adding this to your GitHub action makes it work.

        sudo chmod 755 /run/containers
        sudo mkdir -p "/run/containers/$(id -u runner)"
        sudo chown runner: "/run/containers/$(id -u runner)"
        nix build

I’ve also tested this behavior inside the nixos/nix:latest by just creating the directory /run/containers and chown 000 /run/containers which ends up with the same error message.

The correct way to resolve this is sending an upstream pull request to nixpkgs to point XDG_RUNTIME_DIR to sandboxBuildDir.

That being said, the Skopeo documentation should also receive a pull request/fix, since it documents the use of XDG_RUNTIME_DIR incorrectly, at least for this scenario:

It appers to be looking in /run/containers/<UID>/auth.json. Not /run/user/<UID>/auth.json.

A million thanks for delving into this. I can confirm the workaround you suggested works. I also +1d the PR you opened (in case that helps somehow).

Thanks again for this!

1 Like