Error processing tar file(exit status 1): Container ID XXXXXX cannot be mapped to a host ID


#1

Hi,

I am running into “userns remapping failure” issue. CircleCI 2.0 is failing to run my docker image.

I have already seen https://circleci.com/docs/2.0/high-uid-error/ and Failed to register layer: Error processing tar file(exit status 1): Container ID 249512 cannot be mapped to a host ID

But its not helping. I find no files with the UID mentioned in the error, or even any other excessively high UIDs beyond 500.

See my docker image with the problem : zimbra/zm-base-os:devcore-centos-6-idprob

Excerpt:

#See full build log : https://circleci.com/gh/shri314/zm-build/297

Starting container zimbra/zm-base-os:devcore-centos-6-idprob
  image cache not found on this host, downloading zimbra/zm-base-os:devcore-centos-6-idprob
devcore-centos-6-idprob: Pulling from zimbra/zm-base-os
b26de5a391ad: Pulling fs layer
f10e033f8a48: Pulling fs layer
29fa83428f27: Pulling fs layer
6982ff70d7cb: Pulling fs layer
...
8afcce2c9d54: Pull complete
cfb53c960c67: Pull complete
...
Original error: failed to register layer: Error processing tar file(exit status 1): Container ID 110493 cannot be mapped to a host ID

Checking for high UID inside my docker:

sudo docker run -u root -it zimbra/zm-base-os:devcore-centos-6-idprob /bin/bash

# find / -uid 110493 2>&-
...yields nothing

# find / 2>&- | xargs -- ls -n -d -Z 2>&- | awk '// { P=0; } $2 != 0 { P=1;  } $3 != 0 { P=1; } // { if(P==1) print; }'
crw--w----   0   5 ?                                /dev/console
crw--w----   0   5 ?                                /dev/pts/0
drwx------ 500 500 ?                                /home/build
-rw-r--r-- 500 500 ?                                /home/build/.bash_logout
-rw-r--r-- 500 500 ?                                /home/build/.bash_profile
-rw-r--r-- 500 500 ?                                /home/build/.bashrc
-rw-------   0  22 ?                                /var/log/btmp
-rw-rw-r--   0  22 ?                                /var/log/wtmp
-rw-rw-r--   0  22 ?                                /var/run/utmp
drwxrwxr-x   0  12 ?                                /var/spool/mail
-rw-rw---- 500  12 ?                                /var/spool/mail/build
-rwxr-sr-x 0 99 ?                                /usr/bin/ssh-agent
-r-xr-sr-x 0  5 ?                                /usr/bin/wall
-rwxr-sr-x 0  5 ?                                /usr/bin/write
drwxrwxr-x 0 54 ?                                /var/lock
drwxr-xr-x 0 35 ?                                /usr/libexec/utempter
-rwx--s--x 0 22 ?                                /usr/libexec/utempter/utempter

Here is my Dockerfile:

FROM centos:6

# SYSTEM
RUN yum clean all
RUN yum upgrade -y
RUN yum install -y curl wget which

# ENVIRONMENT
RUN yum install -y git perl ruby
RUN yum install -y perl-Data-Dumper perl-IPC-Cmd
RUN yum install -y gcc gcc-c++ make
RUN yum install -y java-1.8.0-openjdk-devel
RUN yum install -y rpm-build createrepo

# Use a newer git
RUN yum install -y zlib-devel gettext
RUN wget "https://www.kernel.org/pub/software/scm/git/git-2.9.5.tar.gz" -O - | tar --owner=root --group=root -xzf - -C /root
RUN cd /root/git-2.9.5 && ./configure --without-tcltk
RUN make -C /root/git-2.9.5
RUN make -C /root/git-2.9.5 install
RUN yum erase -y zlib-devel gettext
RUN yum erase -y git
RUN rm -rf /root/git-2.9.5

# Install missing java dependencies
RUN useradd -ms /bin/bash build
RUN mkdir -p /home/build/.zm-dev-tools/
RUN wget "http://mirror.metrocast.net/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz" -O - | tar --owner=root --group=root -xzf - -C /home/build/.zm-dev-tools/
RUN wget "https://www.apache.org/dist/ant/binaries/apache-ant-1.9.9-bin.tar.gz"                          -O - | tar --owner=root --group=root -xzf - -C /home/build/.zm-dev-tools/

# REDUCE PRIVILEGE
USER build
WORKDIR /home/build

# vi:ft=dockerfile

#2

I traced the problem to a file inside the tarball https://www.kernel.org/pub/software/scm/git/git-2.9.5.tar.gz, that had ID 110493. The funny thing is that the final docker image did not contain any file with this ID because I eventually removed the offending files from the image.

So, apparently, if there were any files created with a big user ID in the history of creating the docker image, you are screwed. The thing that helped me debug was to create docker image in stages enabling one RUN at a time, until you discover the problematic statement. I hope there is a better way to debug this.

I finally fixed the issue by using “tar --no-same-owner” for untar tarballs. But this may not be possible solution for everyone.

So this WORKS:

RUN wget "https://www.kernel.org/pub/software/scm/git/git-2.9.5.tar.gz" -O - | tar --no-same-owner -xzf - -C /root
...
RUN rm -rf /root/git-2.9.5

Whereas this FAILS:

RUN wget "https://www.kernel.org/pub/software/scm/git/git-2.9.5.tar.gz" -O - | tar --owner=root --group=root -xzf - -C /root
...
RUN rm -rf /root/git-2.9.5

#3

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.