
Mirror Registry cannot be installed in rootless mode


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version/s: omr-v1.3.9, omr-v1.3.10, omr-v1.3.11
    • Component/s: OMR
      • Install RHEL 8 or 9.
      • Download the quay mirror registry archive, version 1.3.9, 1.3.10, or 1.3.11.
      • Make the following directories: /opt/quay/database, /opt/quay/quayroot, /opt/quay/storage
      • Install the mirror registry as a non-root user with the following command:
        ```
        ./mirror-registry install --pgStorage /opt/quay/database --quayRoot /opt/quay/quayroot --quayStorage /opt/quay/storage/
        ```
      • The following error is produced:
        ```
        TASK [mirror_appliance : Set permissions on local storage directory] ******************************************************************************************************************************************
        fatal: [ec2-user@ip-10-0-207-135.ec2.internal]: FAILED! => {"changed": false, "cmd": "/usr/bin/setfacl -m user:26:wx /opt/quay/database", "msg": "setfacl: /opt/quay/database: Operation not permitted", "rc": 1, "stderr": "setfacl: /opt/quay/database: Operation not permitted\n", "stderr_lines": ["setfacl: /opt/quay/database: Operation not permitted"], "stdout": "", "stdout_lines": []}
        ```


      The quay mirror registry cannot be installed in rootless mode on RHEL 8 or RHEL 9. This is because it uses a command which cannot be run as a non-root user. The task is here:

      https://github.com/quay/mirror-registry/blob/main/ansible-runner/context/app/project/roles/mirror_appliance/tasks/install-quay-service.yaml#L9

      setfacl wouldn't be the correct command even if it could be run as a non-root user. To properly set the UID/GID of the storage directory for use with podman rootless mode, the command is:

      ```
      podman unshare chown 26:26 /opt/quay/database/
      ```

      This is because the postgres container runs as UID 26, but the host UID/GID that container UID/GID 26 maps to depends on the non-root user's subuid/subgid range, as shown by this command:

      ```
      podman unshare cat /proc/self/uid_map
               0       1000          1
               1     100000      65536
      ```

      In this case, podman unshare will change the directory's permissions to 100026:100026. If, however, my non-root user's subuid/subgid mapping started at a different value, podman unshare will handle all of that for me.

      setfacl 26 won't work because the UID/GIDs are relative.
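      The mapping argument above, as an added example that is not part of the issue or of the mirror-registry project: a small POSIX shell script that parses a uid_map in the `/proc/self/uid_map` format (the three-column `container_start host_start length` lines) and translates UIDs in both directions. The sample map is constructed from the values quoted in this issue; `container_to_host` shows why `chown 26:26` inside `podman unshare` lands on host UID 100026, and `host_to_container` shows that host UID 26 (what `setfacl -m user:26` grants to) has no mapping in the user namespace at all.

      ```shell
      #!/bin/sh
      # Constructed sample in /proc/self/uid_map format, taken from the values
      # shown in this issue for a user with base UID 1000 and subuids from 100000:
      #   container_start  host_start  length
      SAMPLE_UID_MAP='0 1000 1
      1 100000 65536'

      # container_to_host MAP CONTAINER_UID
      # Prints the host UID that CONTAINER_UID is backed by; returns 1 if the
      # container UID is outside every mapped range.
      container_to_host() {
        printf '%s\n' "$1" | awk -v cid="$2" '
          NF == 3 && cid >= $1 && cid < $1 + $3 {
            print $2 + (cid - $1); found = 1; exit
          }
          END { exit found ? 0 : 1 }'
      }

      # host_to_container MAP HOST_UID
      # Prints the UID a process inside the user namespace sees for HOST_UID;
      # returns 1 if the host UID is unmapped (the container then sees the
      # overflow id, 65534/nobody, and cannot use an ACL granted to that host UID).
      host_to_container() {
        printf '%s\n' "$1" | awk -v hid="$2" '
          NF == 3 && hid >= $2 && hid < $2 + $3 {
            print $1 + (hid - $2); found = 1; exit
          }
          END { exit found ? 0 : 1 }'
      }

      # Defender's check on a live host (not run here): compare the directory's
      # actual owner with the host UID that container UID 26 maps to, e.g.
      #   expected=$(container_to_host "$(podman unshare cat /proc/self/uid_map)" 26)
      #   [ "$(stat -c %u /opt/quay/database)" = "$expected" ] && echo "ownership OK"
      ```

      Run the same two functions against `podman unshare cat /proc/self/uid_map` on the target host to see the mapping for that user's actual subuid range rather than the constructed one.
      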

              Assignee: Unassigned
              Reporter: Dan Clark (dan5179)