Jenkins agent podman pull + run permission denied errors
When attempting either a podman pull or podman run, I'm getting a "permission denied" error after the image is successfully pulled, but when the manifest is being written. There are also several cgroup warnings displayed after most podman commands.
My podman usages are being executed from within a Jenkins build agent.
Are there any recommended pod configurations for using podman as a container within a Jenkins agent?
Pull command and output:
podman pull registry.navfac.navy.mil/library/busybox
time="2021-05-08T01:44:36Z" level=warning msg="Failed to detect the owner for the current cgroup: stat /sys/fs/cgroup/systemd/kubepods/burstable/pod3a29ac27-ee51-45a0-a3bd-94758c6e3bee/96c5191502abaedfae7ae598cabde19b989523cf30fb29441b52e3a2bdb7bc9c: no such file or directory"
Trying to pull registry.navfac.navy.mil/library/busybox:latest...
Getting image source signatures
Copying blob sha256:aa2a8d90b84cb2a9c422e7005cd166a008ccf22ef5d7d4f07128478585ce35ea
Copying config sha256:c55b0f125dc65ee6a9a78307d9a2dfc446e96af7477ca29ddd4945fd398cc698
Writing manifest to image destination
Storing signatures
time="2021-05-08T01:44:39Z" level=error msg="Error while applying layer: ApplyLayer exit status 1 stdout: stderr: remount /, flags: 0x44000: permission denied"
ApplyLayer exit status 1 stdout: stderr: remount /, flags: 0x44000: permission denied
Error: Error committing the finished image: error adding layer with blob "sha256:aa2a8d90b84cb2a9c422e7005cd166a008ccf22ef5d7d4f07128478585ce35ea": ApplyLayer exit status 1 stdout: stderr: remount /, flags: 0x44000: permission denied
Podman detail:
podman info --debug
time="2021-05-08T01:44:34Z" level=warning msg="Failed to detect the owner for the current cgroup: stat /sys/fs/cgroup/systemd/kubepods/burstable/pod3a29ac27-ee51-45a0-a3bd-94758c6e3bee/96c5191502abaedfae7ae598cabde19b989523cf30fb29441b52e3a2bdb7bc9c: no such file or directory"
host:
  arch: amd64
  buildahVersion: 1.19.8
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.27-1.module_el8.5.0+733+9bb5dffa.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: dc08a6edf03cc2dadfe803eac14b896b44cc4721'
  cpus: 4
  distribution:
    distribution: '"rhel"'
    version: "8.3"
  eventLogger: file
  hostname: sandbox-kerzon-custom-59-gfkcr-7lpgn-4sx3p
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.4.0-1043-azure
  linkmode: dynamic
  memFree: 356122624
  memTotal: 16791171072
  ociRuntime:
    name: runc
    package: runc-1.0.0-70.rc92.module_el8.5.0+736+58cc1a5a.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.2-dev'
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.module_el8.5.0+736+58cc1a5a.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.4.3
  swapFree: 0
  swapTotal: 0
  uptime: 440h 22m 41.14s (Approximately 18.33 days)
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/rootless-podman/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/rootless-podman/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 0
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/rootless-podman/.local/share/containers/storage/volumes
version:
  APIVersion: 3.1.0-dev
  Built: 1616783523
  BuiltTime: Fri Mar 26 18:32:03 2021
  GitCommit: ""
  GoVersion: go1.16.1
  OsArch: linux/amd64
  Version: 3.1.0-dev