I'm struggling to figure out what is going on here. Podman running in user space was working fine, but the server hard-rebooted and now... for lack of a more accurate technical assessment, it's stuck.
[grant@patches2 patches]$ podman build --tag local/patches-python:latest --squash-all -f ${SCRIPT_DIR}/python_container/Dockerfile.python --build-arg "PYTHON_CONTAINER_DIR=podman-build/python_container" ${TOP_DIR}
[1/2] STEP 1/7: FROM python:3.12.0a7-slim-bullseye AS builder
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
Reading package lists...
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 100
[grant@patches2 patches]$ cat /etc/subuid
root:200000:1001
grant:200000:1001
[grant@patches2 patches]$ cat /etc/subgid
root:200000:1001
grant:200000:1001
[grant@patches2 patches]$ podman system migrate
[grant@patches2 patches]$ podman build --tag local/patches-python:latest --squash-all -f ${SCRIPT_DIR}/python_container/Dockerfile.python --build-arg "PYTHON_CONTAINER_DIR=podman-build/python_container" ${TOP_DIR}
[1/2] STEP 1/7: FROM python:3.12.0a7-slim-bullseye AS builder
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
Reading package lists...
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 100
[grant@patches2 patches]$ cat /etc/group | grep 65534
nobody:x:65534:
I'm a bit lost as to where to go from here, because I really don't know what the problem is.
Here is the Dockerfile in question:
FROM python:3.12.0b4-slim-bookworm AS builder
ARG PYTHON_CONTAINER_DIR
WORKDIR /app
# Install build essentials for compiling C code
RUN apt-get update && apt-get install -y build-essential libffi-dev
RUN pip install --upgrade pip
# Copy files to the working directory
COPY ${PYTHON_CONTAINER_DIR}/requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# Production stage
FROM python:3.12.0b4-slim-bookworm
ARG PYTHON_CONTAINER_DIR
WORKDIR /app
# Copy files from the build stage
COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/
COPY ${PYTHON_CONTAINER_DIR}/generate_certificates.py .
COPY ${PYTHON_CONTAINER_DIR}/generate_certificates_entrypoint.sh .
COPY ${PYTHON_CONTAINER_DIR}/configure_nginx.py .
COPY ${PYTHON_CONTAINER_DIR}/configure_nginx_entrypoint.sh .
COPY ${PYTHON_CONTAINER_DIR}/import_keys.py .
COPY ${PYTHON_CONTAINER_DIR}/import_keys_entrypoint.sh .
COPY ${PYTHON_CONTAINER_DIR}/helper_functions.py .
RUN chmod +x ./generate_certificates_entrypoint.sh
RUN chmod +x ./configure_nginx_entrypoint.sh
RUN chmod +x ./import_keys_entrypoint.sh
This looks like it could be a bug inside podman? I'm not sure what to look at here.
Updated subuid/subgid:
[1/2] STEP 1/7: FROM python:3.12.0a7-slim-bullseye AS builder
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
Reading package lists...
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (22: Invalid argument)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (1: Operation not permitted)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 100
[grant@patches2 patches]$ cat /etc/subuid
root:200000:1001
grant:200000:65536
[grant@patches2 patches]$ cat /etc/subgid
root:200000:1001
grant:200000:65536
[grant@patches2 patches]$
Answer 1
grant:200000:1001
The last value in your mapping is the (UID) count, not a UID or GID. So the 1001 here does not mean UID 1001, but a pool of 1001 mappable values between 200000 and 201000.
podman will use setuidmap/setgidmap to map the user's range. It does nothing fancy: the current user becomes 0 (root), and the simple contiguous range from 200000 to 201000 (inclusive) is mapped to 1-1001.
Since 65534 > 1001 it is not mapped, so using it inside the container produces an error (EINVAL).
Note that the value 1001 is not what the system creates by default when a user is created. The normal range is 65536, compatible with the traditional 2^16 possible values, and would never have such a problem.
The simplest fix is to edit (as root) /etc/subuid and /etc/subgid, replacing 1001 with 65536 to get the usual range of 65536 values. If this overlaps with other users, you should pick a new unused range. (Note that currently your two users root and grant have the same mapping: they do overlap, which is not great from an accountability standpoint.)
There are other options for podman run (--uid-map + --gid-map, or else --userns) that can work with a limited range of UIDs/GIDs, but they all seem to involve the root user before or during.
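As an added example (not code from the post, from the answer's author or from podman), the following Python models the rootless ID mapping the answer describes and shows why setgroups/setegid 65534 fails with the original 1001-entry range but succeeds with 65536. The /etc/subuid contents are constructed from the post; the host UID 1000 for grant is an assumption.

```python
"""Model which container IDs a rootless podman user namespace can reach.

Added example, not from the original post. It models the mapping the
answer describes: container ID 0 -> the user's own host ID, and
container IDs 1..count -> start..start+count-1 from /etc/subuid.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the asker's original (broken) /etc/subuid.
SUBUID_BEFORE = "root:200000:1001\ngrant:200000:1001\n"
# Constructed sample: the answer's suggested fix.
SUBUID_AFTER = "root:200000:1001\ngrant:200000:65536\n"

# Container IDs apt-get switches to inside a Debian image, taken from the
# errors in the post: root, _apt (UID 100) and nobody/nogroup (65534).
APT_IDS = {"root": 0, "_apt": 100, "nobody": 65534}


def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse user:start:count lines into {user: [(start, count), ...]}."""
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def container_to_host(cid: int, own_id: int, ranges: List[Tuple[int, int]]) -> Optional[int]:
    """Return the host ID that container ID `cid` maps to, or None if unmapped."""
    if cid == 0:
        return own_id
    offset = 1  # container ID 1 is the first subordinate ID
    for start, count in ranges:
        if offset <= cid < offset + count:
            return start + (cid - offset)
        offset += count
    return None


def check_apt_ids(subid_text: str, user: str, own_id: int) -> Dict[str, Optional[int]]:
    """Map each ID apt needs; a None value is exactly the EINVAL seen in the post."""
    ranges = parse_subid(subid_text).get(user, [])
    return {name: container_to_host(cid, own_id, ranges) for name, cid in APT_IDS.items()}


if __name__ == "__main__":
    for label, text in (("before", SUBUID_BEFORE), ("after", SUBUID_AFTER)):
        print(label, check_apt_ids(text, "grant", 1000))  # 1000 is an assumed host UID
```

With the 1001-entry range only container IDs 0..1001 resolve, so 65534 comes back unmapped while _apt (100) still maps; with 65536 entries all three IDs resolve to host IDs.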