Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-19439

cpio: cap_set_file failed - Inappropriate ioctl for device error: shadow-utils-2:4.6-17.el8.x86_64: install failed using (micro)dnf and ubi8 image

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Can't Do
    • Icon: Normal Normal
    • None
    • 4.12
    • Containers
    • None
    • No
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      When we execute the command: (micro)dnf install shadow-utils, part of bash script, running as an ocp4's container, we got the following error error: Error -1 running transaction and error: unpacking of archive failed on file /usr/bin/newgidmap;64f6043e: cpio: cap_set_file failed - Inappropriate ioctl for device
error: shadow-utils-2:4.6-17.el8.x86_64: install failed. The problem is still there even if we set the SCC to the container to "privileged"

       

       

      Version-Release number of selected component (if applicable):

      ocp-4.12

      How reproducible:

       

      Steps to Reproduce:

      cat <<'EOF' | kubectl apply -f -
---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: my-custom-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - SETFCAP
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
  - system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  annotations:
    serviceaccounts.openshift.io/scc: my-custom-scc
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dummy
  labels:
    app: dummy
spec:
  selector:
    matchLabels:
      app: dummy
  replicas: 1
  template:
    metadata:
      labels:
        app: dummy
    spec:
      serviceAccountName: my-serviceaccount
      containers:
        - name: install-shadow-utils
          image: registry.access.redhat.com/ubi8/ubi
          command:
            - sh
          args:
            - '-c'
            - >
              id;
              dnf install -y shadow-utils
          
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          
          volumeMounts:
            - name: var-vol
              mountPath: /var/
            - name: usr-vol
              mountPath: /usr/share/info
            - name: var-lib
              mountPath: /var/lib/containers

      volumes:
        - name: var-vol
          emptyDir: {}
        - name: usr-vol
          emptyDir: {}
        - name: var-lib
          emptyDir: {}
EOF
  
kubectl rollout status deployment/dummy
kubectl logs -lapp=dummy --follow=true

      Actual results:

       

      Expected results:

       

      Additional info:

       

              tsweeney@redhat.com Tom Sweeney
              cmoullia Charles Moulliard
              David Darrah David Darrah (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: