Closed. cevich closed this issue 6 years ago.
@nalind This is the thing we talked about the other day, that "should work". All details above, because I'm sure you remember perfectly :smile: NP if this is not possible / will never work / don't bother, I was just playing with an idea, so nothing critical.
@cevich I believe you would still need SYS_ADMIN to do this. @giuseppe has played the most with this situation.
Yes, that won't work. You will still need CAP_SYS_ADMIN (or a user namespace) to run the containers created by buildah run.
I got it to work with bwrap-oci and bubblewrap (it requires this PR: https://github.com/projectatomic/bubblewrap/pull/256) running as a non-root user on the host. I wrote about the current status here: https://www.scrivano.org/2018/02/25/current-status-problems-running-buildah-non-root/
With the correct config.json you could run it directly with runc as a non-privileged user. As soon as the change in bubblewrap gets into a release, it will be quite easy to run the container with atomic run --user
@giuseppe 'cept I dunnawanna RUN the image, I just want to create it (then I'd just push it up to a registry). Still need CAP_SYS_ADMIN just for building?
Sounds like something might be in the pipeline but I'd like to voice my desire for a root-free OCI builder(ah). I was attracted to buildah because of a presentation at a recent OpenShift Commons meeting. The ability to avoid the "big fat Docker daemon" was compelling but I've just swapped one problem for another.
Ideally I'd like to build from within a Docker container in an OpenShift CI/CD workflow (such as a slave-agent in a Jenkins pipeline). And, no, BuildConfigs don't solve the problem.
Like @cevich I'm not running the image at this stage - I will run some unit/functional testing (outside of the container) in a Jenkins slave-agent and then push the image. Surely that can/could be done as any user?
I've built a buildah-agent slave agent [https://github.com/alanbchristie/openshift-jenkins-buildah-slave] but I just ran into the "can't run agent as root" problem. So (in another conversation) I've asked a question in the OpenShift discussion about running slave-agents as privileged users.
We are continuing to work on this problem. We hope to have buildah fully integrated into OpenShift, and as we roll out UserNS we should be able to get buildah to run in a "non-privileged" container.
Another attempt to have pure unprivileged builds: https://github.com/GoogleCloudPlatform/kaniko
FWIW: The use-case I was attempting is similar to @alanbchristie's, just substitute Jenkins for Travis. Being able to build images inside an unprivileged container, then push elsewhere, is much faster b/c Travis gives priority to jobs that run inside containers (as opposed to on a full, bloated host). There are other CI/CD systems that are even less flexible, only allowing testing in containers. So for me it was a performance workaround of sorts.
Another version of the same issue. @nalind remove the issues as dups if you want.
Yes please. I'd do it if I knew what it was a dupe of :smile:
OK, we have people doing this now; closing this issue. Open new issues for newer features.
Darn it @rhatdan! You beat me to the punch. I thought this was fixed now and was in the midst of testing it when you closed this. I can verify that this now works with the latest and greatest bits of Buildah from GitHub.
W00T! Nice work guys!
Description
I was thinking it'd be handy to not need a bloated host in order to build and push container images. This would enable deploying new images directly from inside a container-based CI environment (like Travis), once testing passed.
Steps to reproduce the issue:
```
$ sudo podman run -it --rm fedora bash
# dnf install -y podman buildah
# sed -i -r 's/"overlay"/"vfs"/g' /etc/containers/storage.conf
# buildah commit $containerid buildah
```
Describe the results you received:
Describe the results you expected: Success, so that I may follow with
```
# podman push buildah <wherever>
```
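An added example, not code from this thread or from buildah: a POSIX shell script that checks for the two prerequisites the replies name (an effective CAP_SYS_ADMIN, or a usable user namespace) and applies the reproducer's overlay-to-vfs switch only to the driver line of storage.conf instead of globally. It assumes a Linux procfs and uses a constructed storage.conf sample; the CapEff hex mask format and capability number 21 for CAP_SYS_ADMIN are the kernel's.

```shell
# Added example, not from the issue thread: check the two things the thread
# names as prerequisites for buildah without root (effective CAP_SYS_ADMIN or
# a user namespace) and switch storage.conf to the vfs driver like the
# reproducer's sed, but only on the driver line. Assumes Linux procfs.

CAP_SYS_ADMIN_BIT=21  # CAP_SYS_ADMIN's number in the kernel capability bitmap

# has_cap_sys_admin HEXMASK: true if bit 21 is set in a CapEff mask written as
# in /proc/self/status (e.g. 0000003fffffffff for a fully capable root).
has_cap_sys_admin() {
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_capeff: this shell's effective capability mask (all-zero if no procfs).
current_capeff() {
    [ -r /proc/self/status ] && awk '/^CapEff:/ { print $2 }' /proc/self/status \
        || echo 0000000000000000
}

# userns_available: kernel exposes user namespaces and, if the sysctl exists,
# max_user_namespaces is not zero.
userns_available() {
    [ -e /proc/self/ns/user ] &&
    { [ ! -r /proc/sys/user/max_user_namespaces ] ||
      [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]; }
}

# set_vfs_driver: filter storage.conf on stdin, replacing only the graph driver.
# A global s/"overlay"/"vfs"/g would also hit unrelated occurrences of the word.
set_vfs_driver() {
    sed -E 's/^([[:space:]]*driver[[:space:]]*=[[:space:]]*)"overlay2?"/\1"vfs"/'
}

# Constructed sample of the relevant part of /etc/containers/storage.conf.
SAMPLE_CONF='[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"
[storage.options.overlay]
mountopt = "nodev"
'

report() {
    caps=$(current_capeff)
    has_cap_sys_admin "$caps" && echo "CAP_SYS_ADMIN present (CapEff=$caps)" \
        || echo "CAP_SYS_ADMIN absent (CapEff=$caps)"
    userns_available && echo "user namespaces available" \
        || echo "user namespaces not available"
    printf '%s' "$SAMPLE_CONF" | set_vfs_driver
}
```

Call `report` to print the verdict for the current shell; inside an unprivileged container with no user namespace it shows both prerequisites absent, which is the situation the reproducer ran into.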