BuildKit: denied { write } (`scontext=system_u:system_r:container_t:s0:c23,c164 tcontext=unconfined_u:object_r:container_ro_file_t:s0`)
AkihiroSuda opened this issue · 0 comments
AkihiroSuda commented
`RUN ls` works, but `RUN apk add neofetch` does not

```console
# buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=.
[+] Building 3.3s (5/5) FINISHED
 => [internal] load .dockerignore 0.1s
 => => transferring context: 2B 0.0s
 => [internal] load build definition from Dockerfile 0.1s
 => => transferring dockerfile: 130B 0.0s
 => [internal] load metadata for docker.io/library/alpine:latest 2.7s
 => CACHED [1/2] FROM docker.io/library/alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad 0.1s
 => => resolve docker.io/library/alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad 0.1s
 => ERROR [2/2] RUN apk add neofetch 0.3s
------
 > [2/2] RUN apk add neofetch:
#0 0.260 ERROR: Unable to lock database: Permission denied
#0 0.263 ERROR: Failed to open apk database: Permission denied
------
Dockerfile:2
--------------------
   1 | FROM alpine
   2 | >>> RUN apk add neofetch
   3 |
--------------------
error: failed to solve: process "/bin/sh -c apk add neofetch" did not complete successfully: exit code: 99
```

```console
# ausearch -m avc
time->Wed Oct 19 15:31:03 2022
type=AVC msg=audit(1666193463.724:567): avc: denied { write } for pid=2031 comm="apk" name="lock" dev="overlay" ino=94946 scontext=system_u:system_r:container_t:s0:c23,c164 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
```
Originally posted by @AkihiroSuda in #189 (comment)
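
For triage, the AVC record from the `ausearch` output in this issue can be split into its source and target contexts. This is an added example, not part of the original issue or of BuildKit's code; the function names `parse_context`, `parse_avc` and `summarize` are hypothetical.

```python
import re

# AVC record copied from the ausearch output in the issue.
AVC_LINE = (
    'type=AVC msg=audit(1666193463.724:567): avc: denied { write } for '
    'pid=2031 comm="apk" name="lock" dev="overlay" ino=94946 '
    'scontext=system_u:system_r:container_t:s0:c23,c164 '
    'tcontext=unconfined_u:object_r:container_ro_file_t:s0 '
    'tclass=file permissive=0'
)

def parse_context(ctx):
    """Split user:role:type:level; the level may carry MCS categories after ':'."""
    user, role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": setype,
            "sensitivity": sens, "categories": cats.split(",") if cats else []}

def parse_avc(line):
    """Parse one AVC audit record into a dict (category ranges are not expanded)."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    # key=value pairs; values are either quoted strings or bare tokens
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)))
    fields = {k: v.strip('"') for k, v in fields.items()}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the denial was enforced, not just logged
        "enforcing": fields.get("permissive") == "0",
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
    }

def summarize(avc):
    """One-line description of who was denied what on which label."""
    s, t = avc["source"], avc["target"]
    return (f'{avc["comm"]} ({s["type"]}) {avc["result"]} {",".join(avc["perms"])} '
            f'on {avc["tclass"]} "{avc["name"]}" labeled {t["type"]} (dev={avc["dev"]})')

if __name__ == "__main__":
    print(summarize(parse_avc(AVC_LINE)))
```

For this record the parsed target carries the type `container_ro_file_t` with no MCS categories, while the source process runs as `container_t` with categories `c23,c164`.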