DellEMC

Podman build fails with /etc/passwd: permission denied

A short post today to share an issue that troubled me for a while. Hopefully it can help you too.

Basically I was trying to build a new container image using Podman in Ubuntu. These are my versions:

  • Ubuntu 24.04.2 LTS
  • podman version 4.9.3

My Dockerfile is straightforward:

FROM python:3.10.5
WORKDIR /app
COPY . /app
RUN pip install --no-cache-dir -r requirements.txt
CMD ["python", "app.py"]

When I tried to create the container image, I got the following output:

(env) user1@mytpl:~/Desktop/myapp$ podman build -t myapp:v1 .
STEP 1/6: FROM python:3.10.5
Resolved "python" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/python:3.10.5...
Getting image source signatures
Copying blob 588423e31bcf done   |
Copying blob 001c52e26ad5 done   |
Copying blob 2068746827ec done   |
Copying blob d9d4b9b6e964 done   |
Copying blob 8a335986117b done   |
Copying blob 9daef329d350 done   |
Copying blob ecb6a3f01c0d done   |
Copying blob 00d40f20f0cf done   |
Copying blob 5d588b4f3b55 done   |
Error: creating build container: copying system image from manifest list: writing blob: adding layer with blob "sha256:001c52e26ad57e3b25b439ee0052f6692e5c0f2d5d982a00a8819ace5e521452": processing tar file(open /etc/passwd: permission denied): exit status 1

In the end I tracked it down to a service called “mfetpd.service” which appears to be some Trellix endpoint security software.

(env) user1@mytpl:~/Desktop/myapp$ sudo systemctl status mfetpd.service
● mfetpd.service - Trellix Endpoint Security for Linux Threat Prevention
     Loaded: loaded (/usr/lib/systemd/system/mfetpd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-03-24 14:35:44 +08; 5min ago
       Docs: man:mfetpd(8)
    Process: 30546 ExecStartPre=/opt/McAfee/ens/tp/scripts/aac-control-wrapper.sh systemd (code=exited, status=0/SUCCESS

The solution was to temporarily stop this service to build the container image

sudo systemctl stop mfetpd.service
podman build ...
sudo systemctl start mfetpd.service

Once the image “python:3.10.5” layer is downloaded, I am able to build more containers using the same version of Python without having to pause the “mfetpd” service, which makes my security team happy.
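
The workaround above can be wrapped so the scanner is paused only when the base image is not yet in local storage, and is always started again even if the pull fails. This is an added example, not part of the original post; it assumes systemd, sudo rights, and that pulling the base image alone triggers the same layer extraction that failed during the build.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes mfetpd.service is the
# unit that blocks layer extraction; override with SVC=... if yours differs.
SVC="${SVC:-mfetpd.service}"

# Start the scanner again, but only if this script was the one that stopped it.
restore_scanner() {
    [ "$stopped_by_us" = 1 ] || return 0
    stopped_by_us=0
    sudo systemctl start "$SVC"
}

# Pull a base image with the scanner paused; does nothing if already cached.
prefetch_base_image() {
    img="$1"
    stopped_by_us=0
    # Layers already in local storage are not extracted again: no pause needed.
    if podman image exists "$img"; then
        return 0
    fi
    # Bring the scanner back if the pull is interrupted (Ctrl-C, kill).
    trap 'restore_scanner; exit 130' INT TERM
    # Leave a scanner that was already stopped by someone else alone.
    if systemctl is-active --quiet "$SVC"; then
        sudo systemctl stop "$SVC" || return 1
        stopped_by_us=1
    fi
    rc=0
    podman pull "$img" || rc=$?
    # Restore protection whether or not the pull succeeded.
    restore_scanner || rc=1
    trap - INT TERM
    return "$rc"
}

# Usage: ./prefetch.sh python:3.10.5 && podman build -t myapp:v1 .
if [ "$#" -gt 0 ]; then
    prefetch_base_image "$1"
fi
```

The build itself then runs with the service active, so the unprotected window is limited to the pull.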

I hope this helps you save some of your precious time!
