Hello,
I am trying to build a Docker image using a fromImage in GitHub Actions, and this leads to the following issue:
copying path '/nix/store/hxrpgrpgx72qwcrghny749mvw5ac3j8p-skopeo-1.14.2' from 'https://cache.nixos.org'...
xxxxxx> created 441 symlinks in user environment
building '/nix/store/i0r95cq15z71b7h3zmj9aqs16kxx5ycm-docker-image-ubuntu-mantic-20231011.tar.drv'...
docker-image-ubuntu-mantic> FATA[0000] initializing source docker://ubuntu@sha256:7708743264cbb7f6cf7fc13e915faece45a6cdda455748bc55e58e8de3d27b63: getting username and password: 1 error occurred:
docker-image-ubuntu-mantic> * reading JSON file "/run/containers/1001/auth.json": open /run/containers/1001/auth.json: permission denied
The fromImage is important as without this the issue doesn’t occur. Unfortunately, this is needed in this case. Doing some research I tracked this down to the following issue:
But I am unsure how to pass --authfile to skopeo here. I am also unsure what the correct value would be in this case, but one problem at a time.
Do you maybe have an example nix snippet? It seems to me that the linked issue is dealing with an unrelated problem.
Are you pulling from a private or public repo? Can you run the nix build locally? You could also give nix2container a try (example with nix2container).
Sorry, somehow I haven’t received an email notification.
So I looked into this.
First I ran just nix with docker run -it --rm ubuntu:22.04 /bin/bash -l and ran apt-get update; apt install nix. I then ran nix build .#docker-image in there, which succeeds.
Then I tried the same with nixos/nix:latest which also succeeds.
I’ve tried overriding the XDG_RUNTIME_DIR and doing nix build --impure in your GitHub action, which also failed.
I’ve also tested this behavior inside the nixos/nix:latest by just creating the directory /run/containers and chown 000 /run/containers which ends up with the same error message.
That being said, the Skopeo documentation should also receive a pull request/fix, since it documents the use of XDG_RUNTIME_DIR incorrectly, at least for this scenario:
It appears to be looking in /run/containers/<UID>/auth.json, not /run/user/<UID>/auth.json.