Entitlements not passing to build process when running podman build

Latest response

Hi,

I am building a container image using podman

Host is itself a container, using registry.redhat.io/rhscl/python-38-rhel7

Host gets subscribed and attached using

subscription-manager register --username $REDHAT_USERNAME --password $REDHAT_PASSWORD --auto-attach
subscription-manager repos --enable=rhel-7-server-extras-rpms
subscription-manager repos --enable=rhel-7-server-optional-rpms

This works fine, returns

Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: e19f2452-d2f2-4d96-9be0-379316bec03a
The registered system name is: 01dd81d0c0be
Installed Product Current Status:
Product Name: Red Hat Software Collections (for RHEL Server)
Status:       Subscribed

Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

I then run

yum install -y podman skopeo buildah

All install fine

I then run the build

podman build --creds=$REDHAT_USERNAME:$REDHAT_PASSWORD --cgroup-manager=cgroupfs --build-arg src_dir=${CODEBUILD_SRC_DIR} -t $IMAGE_REPO_NAME:$IMAGE_TAG .

First line in my Dockerfile is FROM registry.redhat.io/rhscl/python-38-rhel7

This pulls down the image fine
steps 2 and 3 complete, but step 4 (yum install) fails

STEP 2: USER root
a7a75067e754598721d56e855ddcd32a38b9b5b5065796fd0ec45dfd514a7903
STEP 3: WORKDIR /app
a6988865ea71738e4402c29892b757c48612154de56f128c23ba19f9cc325d91
STEP 4: RUN yum install --enablerepo=rhel-7-server-optional-rpms --enablerepo=rhel-7-server-extras-rpms -y podman skopeo buildah
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

My understanding was that entitlements should be passed from the host into the build process, so the subscription which suceeded earlier, and the enablerepo for extras and optional should mean that yum will work during the build?

I am certain this used to build, my earlier build environment using rhscl/python-36-rhel7 worked fine, and entitlements from the host could be used during the build process fine. I note that I can no longer find the rhscl-python36-rhel7 image in the container catalog, maybe it is no longer supported, so I cannot confirm what is in it's Dockerfile. Maybe python-36-rhel7 ran as root, but python-38-rhel7 has USER 1001 in the Dockerfile, does that break passing in entitlements?

I know that running an explicit RUN subscription-manager register in my Dockerfile makes it work, but this is counter to what the documentation states and I would prefer to avoid it, seems wrong to burn 2 subscriptions during each build, even if they are unregistered at the end.

I did some limited debugging but my understanding of how the entitlements are supposed to be made available to the build process is weak

RUN ls -l /run/secrets in the dockerfile returns

/run/secrets:
total 0

RUN ls -l /etc/pki/entitlement-host in the Dockerfile returns

ls: cannot access /etc/pki/entitlement-host/: No such file or directory

Not really sure if that is normal of indicative of a problem?

Any pointers on where to look next would be greatly appreciated, or if I am barking up the wrong tree here and should simply accept running subscription-manager register in my Dockerfile please shout!

Regards,

Barry

Responses

Also encountering the exact same issue. Have you found a solution yet?

Hi,

Yes, turns out this is a podman bug. I received RHBA-2021:0379 on Wednesday which exactly described my symptoms (empty secrets folder, yum not working inside container). I updated podman and the host subscription is now available again inside the container, and yum works as expected.

Regards,

Barry