Description
What happened?
Working on crossplane/crossplane#4261 required creating a custom, but simple function image that labels all managed resources with a given label. My first idea was to use yq for that and the initial Dockerfile was just:
FROM mikefarah/yq:4.34.1
COPY labelizer.sh /bin
ENTRYPOINT ["/bin/labelizer.sh"]
with /bin/labelizer.sh being just:
#!/usr/bin/env sh
yq '(.desired.resources[] | .resource.metadata.labels) |= {"labelizer.xfn.crossplane.io/processed": "true"} + .'
Unfortunately, adding this function to a composition resulted in the following error in crossplane-xfn logs:
cannot compose resources: cannot run Composition Function pipeline: cannot run function "labelizer":
cannot run container: rpc error: code = Unknown desc = exit status 1: xfn: error: spark.Command.Run():
cannot create OCI runtime bundle: cannot write OCI runtime spec: cannot create new spec:
cannot apply spec option: cannot resolve user specified by OCI image config:
cannot resolve UID of user "yq" that doesn't exist in container's /etc/passwd
Modifying the image to use root to run the script resolved the issue.
How can we reproduce it?
- deploy crossplane with enabled composition functions
- build and publish the function image using files stated above
- create a composition referring to that function
What environment did it happen in?
The issue was spotted on the latest master, but I am pretty sure that versions containing the composition function feature suffer from the same issue.
Expectations
Function containers should be successfully invoked independently of whether the container user exists within the crossplane-xfn container/image. We should even encourage function authors to use some arbitrary high/random UID for the function.
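The error above comes from mapping the user name in the OCI image config to a numeric UID. As an added illustration (not Crossplane's or xfn's code; `ResolveUser`, `lookup` and the passwd content are hypothetical), this Go sketch resolves the `User` value against passwd data supplied by the caller, assumed here to come from the function image's own root filesystem, and accepts numeric UIDs without any passwd entry:

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ResolveUser maps an OCI image config User value ("name", "uid", "name:gid",
// "uid:gid" or empty for root) to numeric IDs that fit in 32 bits. Names are
// looked up in the supplied passwd data; group names are not handled here.
func ResolveUser(user string, passwd io.Reader) (uid, gid uint64, err error) {
	name, group, hasGroup := strings.Cut(user, ":")
	// A numeric UID needs no passwd entry; only names are looked up.
	if uid, err = strconv.ParseUint(name, 10, 32); err != nil && name != "" {
		if uid, gid, err = lookup(name, passwd); err != nil {
			return 0, 0, err
		}
	}
	if hasGroup {
		if gid, err = strconv.ParseUint(group, 10, 32); err != nil {
			return 0, 0, fmt.Errorf("non-numeric group %q not supported", group)
		}
	}
	return uid, gid, nil
}

func lookup(name string, passwd io.Reader) (uid, gid uint64, err error) {
	sc := bufio.NewScanner(passwd)
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":") // name:pw:uid:gid:gecos:home:shell
		if len(f) < 4 || f[0] != name {
			continue
		}
		if uid, err = strconv.ParseUint(f[2], 10, 32); err == nil {
			gid, err = strconv.ParseUint(f[3], 10, 32)
		}
		return uid, gid, err
	}
	return 0, 0, fmt.Errorf("user %q not found in image /etc/passwd", name)
}

func main() {
	// Constructed passwd content; the real image's entry for yq may differ.
	passwd := "root:x:0:0:root:/root:/bin/sh\nyq:x:1000:1000::/home/yq:/bin/sh\n"
	fmt.Println(ResolveUser("yq", strings.NewReader(passwd)))
}
```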