func can't build with untrusted builder image #2516

Open
yozel opened this issue Sep 24, 2024 · 0 comments


yozel commented Sep 24, 2024

We are trying to use our own builder image, and it fails with the following error:

[detector] ERROR: failed to write group file: open /layers/group.toml: permission denied

We noticed that this only happens because our builder image is not trusted, which is a hardcoded list.

Steps to reproduce

Create the function

knative-func $ func create -l go

It builds successfully with the default builder image

knative-func $ func build --builder=pack --builder-image=ghcr.io/knative/builder-jammy-tiny:0.0.240
Building function image
Still building
Still building
Yes, still building
🙌 Function built: index.docker.io/tigerteam/knative-func:latest

Pull and create a tag for the default builder image

knative-func $ docker pull ghcr.io/knative/builder-jammy-tiny:0.0.240
knative-func $ docker tag ghcr.io/knative/builder-jammy-tiny:0.0.240 builder-jammy-tiny:0.0.240-local

Run build with the new tag

knative-func $ func build --builder=pack --builder-image=builder-jammy-tiny:0.0.240-local
Building function image
Error: executing lifecycle: failed with status code: 1

With verbose logging

knative-func $ func build --builder=pack --builder-image=builder-jammy-tiny:0.0.240-local -v
Building function image
Pulling image index.docker.io/library/builder-jammy-tiny:0.0.240-local
CheckReadAccess succeeded for the run image index.docker.io/paketobuildpacks/run-jammy-tiny:latest
Selected run image index.docker.io/paketobuildpacks/run-jammy-tiny:latest
Pulling image index.docker.io/paketobuildpacks/run-jammy-tiny:latest with platform linux/amd64
latest: Pulling from paketobuildpacks/run-jammy-tiny
Digest: sha256:fac4a3749284e198247f4ead26fd8ee2816c4db428ebb44fbfd19e6fef6309dc
Status: Image is up to date for paketobuildpacks/run-jammy-tiny:latest
Pulling image docker.io/buildpacksio/lifecycle:553c041 with platform linux/amd64
553c041: Pulling from buildpacksio/lifecycle
Digest: sha256:41ed46de4c426cd8462ae0e6fca8745f71432236f0c6aa6bfaa956b9d1704bcf
Status: Image is up to date for buildpacksio/lifecycle:553c041
Creating ephemeral lifecycle from docker.io/buildpacksio/lifecycle:553c041 with uid 1001 and gid 1000. With workspace dir
Selecting ephemeral lifecycle image pack.local/lifecycle/707870746e6b6c6d7271:latest for build
Creating builder with the following buildpacks:
-> paketo-community/rust@0.47.0
-> paketo-buildpacks/procfile@5.7.0
-> paketo-buildpacks/syft@1.46.0
-> paketo-community/cargo@0.11.1
-> paketo-community/rust-dist@1.27.1
-> paketo-community/rustup@1.11.0
-> dev.knative-extensions.go@0.0.6
-> paketo-buildpacks/go@4.8.0
-> paketo-buildpacks/ca-certificates@3.6.8
-> paketo-buildpacks/environment-variables@4.5.7
-> paketo-buildpacks/git@1.0.8
-> paketo-buildpacks/go-build@2.2.1
-> paketo-buildpacks/go-dist@2.5.0
-> paketo-buildpacks/go-mod-vendor@1.0.29
-> paketo-buildpacks/image-labels@4.5.6
-> paketo-buildpacks/procfile@5.6.9
-> paketo-buildpacks/watchexec@2.9.0
-> paketo-buildpacks/java-native-image@9.1.0
-> paketo-buildpacks/bellsoft-liberica@10.5.5
-> paketo-buildpacks/ca-certificates@3.6.8
-> paketo-buildpacks/datadog@5.7.0
-> paketo-buildpacks/environment-variables@4.5.7
-> paketo-buildpacks/executable-jar@6.8.5
-> paketo-buildpacks/gradle@7.9.0
-> paketo-buildpacks/image-labels@4.5.6
-> paketo-buildpacks/leiningen@4.7.1
-> paketo-buildpacks/maven@6.15.14
-> paketo-buildpacks/native-image@5.12.9
-> paketo-buildpacks/procfile@5.6.9
-> paketo-buildpacks/quarkus@0.2.5
-> paketo-buildpacks/sbt@6.12.13
-> paketo-buildpacks/spring-boot@5.27.11
-> paketo-buildpacks/syft@1.45.0
-> paketo-buildpacks/upx@3.4.8
-> paketo-buildpacks/java@12.1.0
-> paketo-buildpacks/apache-tomcat@7.15.3
-> paketo-buildpacks/apache-tomee@1.8.2
-> paketo-buildpacks/azure-application-insights@5.18.3
-> paketo-buildpacks/bellsoft-liberica@10.5.5
-> paketo-buildpacks/ca-certificates@3.6.8
-> paketo-buildpacks/clojure-tools@2.8.17
-> paketo-buildpacks/datadog@5.7.0
-> paketo-buildpacks/dist-zip@5.6.10
-> paketo-buildpacks/encrypt-at-rest@4.5.18
-> paketo-buildpacks/environment-variables@4.5.7
-> paketo-buildpacks/executable-jar@6.8.5
-> paketo-buildpacks/google-stackdriver@9.0.1
-> paketo-buildpacks/gradle@7.9.0
-> paketo-buildpacks/image-labels@4.5.6
-> paketo-buildpacks/jattach@1.6.1
-> paketo-buildpacks/java-memory-assistant@1.4.11
-> paketo-buildpacks/leiningen@4.7.1
-> paketo-buildpacks/liberty@4.0.4
-> paketo-buildpacks/maven@6.15.14
-> paketo-buildpacks/node-engine@3.2.2
-> paketo-buildpacks/procfile@5.6.9
-> paketo-buildpacks/quarkus@0.2.5
-> paketo-buildpacks/sbt@6.12.13
-> paketo-buildpacks/spring-boot@5.27.11
-> paketo-buildpacks/syft@1.45.0
-> paketo-buildpacks/watchexec@2.9.0
-> paketo-buildpacks/yarn@1.3.2
-> paketo-buildpacks/procfile@5.7.0
Using build cache volume pack-cache-tigerteam_knative-func_latest-87f1fbc5c86d.build
===> ANALYZING
Running the analyzer on OS linux from image pack.local/lifecycle/707870746e6b6c6d7271:latest with:
Container Settings:
  Args: /cnb/lifecycle/analyzer -gid 0 -uid 0 -log-level debug -daemon -run /layers/run.toml -run-image index.docker.io/paketobuildpacks/run-jammy-tiny:latest -launch-cache /launch-cache index.docker.io/tigerteam/knative-func:latest
  System Envs: CNB_USER_ID=1001 CNB_GROUP_ID=1000 CNB_PLATFORM_API=0.13
  Image: pack.local/lifecycle/707870746e6b6c6d7271:latest
  User: root
  Labels: map[author:pack]
Host Settings:
  Binds: /var/run/docker.sock:/var/run/docker.sock pack-cache-tigerteam_knative-func_latest-87f1fbc5c86d.launch:/launch-cache pack-layers-acmbyzlhkj:/layers pack-app-mzcxvpshoy:/workspace
  Network Mode:
[analyzer] Starting analyzer...
[analyzer] Parsing inputs...
[analyzer] Ensuring privileges...
[analyzer] Executing command...
[analyzer] Timer: Analyzer started at 2024-09-24T09:41:56Z
[analyzer] Found image with identifier "f829c1c66b55b4cc96c91183ea7902e17a55c1a9ba90fbe1051d521bd4e93514"
[analyzer] Restoring data for SBOM from previous image
[analyzer] Retrieving previous image SBOM layer for "sha256:fd1dcfdd1afb7dd174c6631f68c0efef895b19a51946b4fc349b1fcdfef8b878"
[analyzer] Found image with identifier "14e5b5794559c7e301229f2e51ac9ced13aff43206e019d0cd1548f5c7e84552"
[analyzer] Timer: Analyzer ran for 4.048334ms and ended at 2024-09-24T09:41:56Z
[analyzer] Run image info in analyzed metadata is:
[analyzer] {"Reference":"14e5b5794559c7e301229f2e51ac9ced13aff43206e019d0cd1548f5c7e84552","Image":"index.docker.io/paketobuildpacks/run-jammy-tiny:latest","Extend":false,"target":{"os":"linux","arch":"amd64"}}
===> DETECTING
Running the detector on OS linux from image pack.local/builder/676e6767636669706568:latest with:
Container Settings:
  Args: /cnb/lifecycle/detector -app /workspace -log-level debug
  System Envs: CNB_PLATFORM_API=0.13
  Image: pack.local/builder/676e6767636669706568:latest
  User:
  Labels: map[author:pack]
Host Settings:
  Binds: pack-layers-acmbyzlhkj:/layers pack-app-mzcxvpshoy:/workspace
  Network Mode:
[detector] Starting detector...
[detector] Parsing inputs...
[detector] Ensuring privileges...
[detector] Executing command...
[detector] Timer: Detector started at 2024-09-24T09:41:56Z
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  []}
[detector] Checking for match against descriptor: {linux amd64  [{ubuntu 18.04}]}
[detector] ======== Output: paketo-buildpacks/procfile@5.7.0 ========
[detector] SKIPPED: No procfile found from either source path or binding.
[detector] ======== Results ========
[detector] pass: paketo-community/rustup@1.11.0
[detector] pass: paketo-community/rust-dist@1.27.1
[detector] pass: paketo-buildpacks/syft@1.46.0
[detector] fail: paketo-community/cargo@0.11.1
[detector] skip: paketo-buildpacks/procfile@5.7.0
[detector] ======== Results ========
[detector] pass: paketo-buildpacks/go-dist@2.5.0
[detector] pass: dev.knative-extensions.go@0.0.6
[detector] Resolving plan... (try #1)
[detector] paketo-buildpacks/go-dist 2.5.0
[detector] dev.knative-extensions.go 0.0.6
[detector] Timer: Detector ran for 168.826167ms and ended at 2024-09-24T09:41:56Z
[detector] ERROR: failed to write group file: open /layers/group.toml: permission denied


Error: failed to build the function: executing lifecycle: failed with status code: 1
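The trust decision the report refers to, as an added illustration (not func's or pack's own code): a name-prefix allow-list rejects a local retag because `builder-jammy-tiny:0.0.240-local` normalizes to `index.docker.io/library/...`, whereas pinning the builder's content digest accepts the identical image and rejects an unrelated one pushed under a trusted name. The prefix list, digest values and `RepoDigests` input below are constructed for this example.

```go
package main

import "strings"

// Constructed allow-list of trusted repository prefixes (an assumption,
// not func's real hard-coded list). References are normalized before matching.
var trustedPrefixes = []string{"ghcr.io/knative", "index.docker.io/paketobuildpacks"}

// normalizeRef expands a short reference the way the Docker daemon does:
// "builder:tag" -> "index.docker.io/library/builder:tag",
// "org/builder:tag" -> "index.docker.io/org/builder:tag".
func normalizeRef(ref string) string {
	parts := strings.SplitN(ref, "/", 2)
	if len(parts) == 1 {
		return "index.docker.io/library/" + ref
	}
	first := parts[0]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "index.docker.io/" + ref
	}
	return ref
}

// TrustedByName is the name-based check: the retag from the issue lands under
// index.docker.io/library/ and fails even though its layers are unchanged.
func TrustedByName(ref string) bool {
	full := normalizeRef(ref)
	for _, p := range trustedPrefixes {
		if strings.HasPrefix(full, p+"/") {
			return true
		}
	}
	return false
}

// TrustedByDigest checks content instead of name. repoDigests is what
// `docker image inspect --format '{{json .RepoDigests}}'` reports for the
// image ("repo@sha256:..."); a local retag keeps the original entry.
func TrustedByDigest(repoDigests []string, allowed map[string]bool) bool {
	for _, rd := range repoDigests {
		if _, digest, ok := strings.Cut(rd, "@"); ok && allowed[digest] {
			return true
		}
	}
	return false
}
```

A real allow-list would hold the digest published for the builder release rather than the constructed value used in the test.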