Closed a-shirshov closed 2 days ago
Maybe it would be helpful - my project structure
On the outer podman try --security-opt unmask=/proc
Okay. I tried
podman run --rm -it --security-opt unmask=/proc $(podman build -q .)
and
podman run --rm -it --security-opt unmask=/proc/* $(podman build -q .)
Still the same problem:
INFO[0000] Preparing rootless build environment...
INFO[0000] Prepared config...
INFO[0000] Prepared capabilities...
INFO[0000] Prepared buildStoreOptions...
INFO[0000] Prepared build store...
INFO[0000] Starting image build...
panic: copying system image from manifest list: writing blob: adding layer with blob "sha256:ba83bbfca9443648a883d1404b33faa0f5e096a99a2b683e3bbaee8912bca845"/""/"sha256:886960d374e8650394e753ad35fbc38498e4b58a204d8d2243006512033f0ba7": creating read-only layer with ID "886960d374e8650394e753ad35fbc38498e4b58a204d8d2243006512033f0ba7": chown /var/lib/containers/storage/vfs/dir/886960d374e8650394e753ad35fbc38498e4b58a204d8d2243006512033f0ba7: operation not permitted
The InitReexec() call, or an equivalent, is still required - it's used for doing work in subprocesses.
If the application isn't running as UID 0 in the namespace in which it's started, it needs to create a new namespace in which it can be "UID 0" in order to be able to use mount(), which is required for handling RUN instructions.
The "ignore_chown_errors" option is used when pulling base images, and is only consulted when writing an item from a layer blob into storage. The error you're seeing is being hit on a directory that is part of how the storage library manages things, likely because the application isn't UID 0 in its user namespace.
So, as I understand it - if the operating system has max_user_namespaces set to 0 - it is not possible to run rootless Buildah? When unshare and InitReexec were not commented out, my program worked fine. But one day I got an error like "user namespaces not enabled", so now I am trying to run it without unshare. I am afraid about security - UID 0 does not sound nice, but I am not an expert. Are user namespaces safe?
Container tools need to mount, and the only way for a rootless user to mount is to create a user namespace. So allowing no user namespaces means you cannot run rootless containers.
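A small preflight that reads the two facts this exchange turns on: whether the process is UID 0 inside a user namespace (/proc/self/uid_map) and whether the kernel allows creating one (/proc/sys/user/max_user_namespaces). This is an added example, not code from Buildah or from the reporter's project; the uid_map sample is constructed, and a lone full identity map is taken as the initial namespace, which uid_map alone cannot distinguish from a nested namespace with the same mapping.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed sample of /proc/self/uid_map inside a rootless user namespace ("inside outside count").
const sampleRootlessUIDMap = "         0       1000          1\n         1     100000      65536\n"

// inUserNamespace parses uid_map lines; a lone full identity map (0 0 4294967295) means the initial namespace.
func inUserNamespace(uidMap string) (nested bool, err error) {
	for _, line := range strings.Split(strings.TrimSpace(uidMap), "\n") {
		var inside, outside, count uint64
		if _, err = fmt.Sscanf(line, "%d %d %d", &inside, &outside, &count); err != nil {
			return false, fmt.Errorf("malformed uid_map line %q: %w", line, err)
		}
		nested = nested || inside != 0 || outside != 0 || count != 4294967295
	}
	return nested, nil
}

// Verdict maps uid_map, max_user_namespaces and the effective UID onto the cases the thread distinguishes.
func Verdict(uidMap, maxUserNS string, euid int) (string, error) {
	nested, err := inUserNamespace(uidMap)
	if err != nil {
		return "", err
	}
	limit, err := strconv.Atoi(strings.TrimSpace(maxUserNS))
	if err != nil {
		return "", fmt.Errorf("max_user_namespaces: %w", err)
	}
	switch {
	case euid == 0 && nested:
		return "uid 0 in a user namespace: rootless build can proceed", nil
	case euid == 0:
		return "real root in the initial namespace: no user namespace needed", nil
	case limit > 0:
		return "unprivileged: re-exec into a new user namespace first (InitReexec/unshare)", nil
	}
	return "unprivileged with max_user_namespaces=0: cannot mount, expect 'operation not permitted'", nil
}

func main() {
	uidMap, _ := os.ReadFile("/proc/self/uid_map") // a read failure surfaces as a parse error in Verdict
	maxNS, _ := os.ReadFile("/proc/sys/user/max_user_namespaces")
	fmt.Println(Verdict(string(uidMap), string(maxNS), os.Geteuid())) // prints the verdict and a nil error
}
```

Run it inside the container before calling into Buildah: the last verdict is exactly the situation that produces the chown "operation not permitted" panic quoted above.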
Got it. Thanks for the help. If there are any new questions/problems, I'll create a new issue or write another comment here. This one can be closed.
Description I am trying to write some Go code to run rootless Buildah. I was trying to make it work by myself, but it wasn't successful. I read the docs and also added some fmt.Println calls to the Buildah source code to understand what is happening. I would really appreciate any advice, because currently I am losing hope that it is possible. Right now I am stuck getting chown errors even though I have set ignore_chown_errors=true. In the code below I have commented out unshare because my goal is to run the program without using it. In the Dockerfile I am also trying to give permissions to everything Buildah needs to make it work. And I copy my own conf files into the container.
Steps to reproduce the issue:
Describe the results you received: panic: copying system image from manifest list: writing blob: adding layer with blob "sha256:ba83bbfca9443648a883d1404b33faa0f5e096a99a2b683e3bbaee8912bca845"/""/"sha256:886960d374e8650394e753ad35fbc38498e4b58a204d8d2243006512033f0ba7": creating read-only layer with ID "886960d374e8650394e753ad35fbc38498e4b58a204d8d2243006512033f0ba7": chown /var/lib/containers/storage/vfs/dir/886960d374e8650394e753ad35fbc38498e4b58a204d8d2243006512033f0ba7: operation not permitted
Describe the results you expected: Built image, program working correctly
main.go:
Dockerfile:
go.mod
Storage.conf
Program logs: