GSC Build Image Couldn't Create Temporary File #193
Description
Description of the problem
We have been trying to use gramine and gsc to build our custom graminized image. However, when we use Debian:12 as the base image, it gives me this error. It is the similar error if we use Ubuntu. The build process failed at step 12.
The image works fine if I directly use Docker run on it.
---> Using cache
---> b2e95142dae6
Step 12/29 : RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y binutils libprotobuf-c-dev locales openssl python3 python3-cryptography python3-protobuf python3-pyelftools python3-click python3-jinja2 python3-tomli python3-tomli-w && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
---> Running in 091f3aaa244e
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
Couldn't create temporary file /tmp/apt.conf.CfqgCs for passing config to apt-key
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
Couldn't create temporary file /tmp/apt.conf.nNjBHj for passing config to apt-key
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
Couldn't create temporary file /tmp/apt.conf.0mPqVF for passing config to apt-key
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: Couldn't create temporary file /tmp/apt.conf.CfqgCs for passing config to apt-key
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: Couldn't create temporary file /tmp/apt.conf.nNjBHj for passing config to apt-key
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: Couldn't create temporary file /tmp/apt.conf.0mPqVF for passing config to apt-key
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
Steps to reproduce
Here is our Dockerfile. We use Debian:12 right before we build the SPIRE-agent.
# syntax = docker/dockerfile:1.6.0@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021
# Build stage
ARG goversion
# Use alpine3.18 until go-sqlite works in 3.19
FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.18 as base
WORKDIR /spire
RUN apk --no-cache --update add file bash clang lld pkgconfig git make
COPY go.* ./
# https://go.dev/ref/mod#module-cache
RUN --mount=type=cache,target=/go/pkg/mod go mod download
COPY . .
# xx is a helper for cross-compilation
# when bumping to a new version analyze the new version for security issues
# then use crane to lookup the digest of that version so we are immutable
# crane digest tonistiigi/xx:1.3.0
FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:904fe94f236d36d65aeb5a2462f88f2c537b8360475f6342e7599194f291fb7e AS xx
FROM --platform=${BUILDPLATFORM} base as builder
ARG TAG
ARG TARGETPLATFORM
ARG TARGETARCH
COPY --link --from=xx / /
# For users that wish to run SPIRE containers as a non-root user,
# provide a default unprivileged user such that the default paths
# that SPIRE will try to read from, write to, and create at runtime
# can be given the correct file ownership/permissions at build time.
ARG spireuid=1000
ARG spiregid=1000
# Set up directories that SPIRE expects by default
# Set up base directories
RUN install -d -o root -g root -m 777 /spireroot
RUN install -d -o root -g root -m 755 /spireroot/etc/ssl/certs
RUN install -d -o root -g root -m 755 /spireroot/run
RUN install -d -o root -g root -m 755 /spireroot/var/lib
RUN install -d -o root -g root -m 1777 /spireroot/tmp
# Set up directories used by SPIRE
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/etc/spire
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/run/spire
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/var/lib/spire
# Set up spire-server directories
RUN cp -r /spireroot /spireserverroot
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/etc/spire/server
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/run/spire/server/private
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/var/lib/spire/server
# Set up spire-agent directories
RUN cp -r /spireroot /spireagentroot
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/etc/spire/agent
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/run/spire/agent/public
RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/var/lib/spire/agent
RUN xx-go --wrap
RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev
ENV CGO_ENABLED=1
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
if [ "$TARGETARCH" = "arm64" ]; then CC=aarch64-alpine-linux-musl; elif [ "$TARGETARCH" = "s390x" ]; then CC=s390x-alpine-linux-musl; fi && \
make build-static git_tag=$TAG git_dirty="" && \
for f in $(find bin -executable -type f); do xx-verify --static $f; done
FROM debian:12 AS spire-base
WORKDIR /opt/spire
CMD []
COPY --link --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# SPIRE Agent
FROM spire-base AS spire-agent
RUN chmod 1777 /tmp
USER ${spireuid}:${spiregid}
ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
COPY --link --from=builder /spireagentroot /
COPY --link --from=builder /spire/bin/static/spire-agent bin/
COPY sgx_agent_plugin bin/
This is my config.yaml for GSC:
# Specify the OS distro that is used to build Gramine, i.e., the distro from where the Gramine build
# gets all tools and dependencies from. This distro should match the distro underlying the
# application's Docker image; otherwise the results may be unpredictable (if you specify `"auto"`,
# which is recommended, you don't need to worry about the mismatch).
#
# Currently supported distros are:
# - ubuntu:20.04, ubuntu:21.04, ubuntu:22.04, ubuntu:23.04
# - debian:10, debian:11, debian:12
# - centos:8
# - redhat/ubi8:8.8
# - redhat/ubi8-minimal:8.8
# If Distro is set to "auto", GSC detects the distro automatically by examining the supplied
# Docker image. Alternatively, Distro can be set to one of the supported distros mentioned above.
Distro: "auto"
# If the image has a specific registry, define it here.
# Empty by default; example value: "registry.access.redhat.com/ubi8".
Registry: ""
# If you're using your own fork and branch of Gramine, specify the GitHub link and the branch name
# below; typically, you want to keep the default values though.
#
# It is also possible to specify the prebuilt Gramine Docker image (that was built previously via
# the `gsc build-gramine` command). For this, remove Repository and Branch and instead write:
# Image: "<prebuilt Gramine Docker image>"
#
# GSC releases are guaranteed to work with corresponding Gramine releases (and GSC `master`
# branch is guaranteed to work with current Gramine `master` branch).
Gramine:
Repository: "https://github.com/gramineproject/gramine.git"
Branch: "master"
# Specify the Intel SGX driver installed on your machine (more specifically, on the machine where
# the graminized Docker container will run); there are several variants of the SGX driver:
#
# - upstream (in-kernel) driver: use empty values like below
# Repository: ""
# Branch: ""
#
# - DCAP out-of-tree driver: same as above, use empty values
# Repository: ""
# Branch: ""
#
# - legacy out-of-tree driver: use something like the below values, but adjust the branch name
# Repository: "https://github.com/01org/linux-sgx-driver.git"
# Branch: "sgx_driver_1.9"
#
SGXDriver:
Repository: ""
Branch: ""