docker-library / busybox

Docker Official Image packaging for Busybox
http://busybox.net

busybox image does not work with rootless buildah #107

Closed r10r closed 3 years ago

r10r commented 3 years ago

Hi there,

I'm playing around with rootless buildah to build images. Buildah is running itself in a rootless container with a limited set of uids/gids (65536) available. While building alpine images works fine I got an error when trying to build a simple container based on docker.io/library/busybox:latest.

[build@buildah-deployment-fb449b4cf-xn4th foo]$ buildah bud
STEP 1: FROM docker.io/library/busybox:latest
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob b71f96345d44 done  
Copying config 69593048aa done  
Writing manifest to image destination
Storing signatures
error creating build container: Error committing the finished image: error adding layer with blob "sha256:b71f96345d44b237decc0c2d6c2f9ad0d17fde83dad7579608f1f0764d9686f2": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 65534:65534 for /home): Check /etc/subuid and /etc/subgid: lchown /home: invalid argument
ERRO[0003] exit status 125                              

Running tar --numeric-owner -tvf busybox.tar.xz on https://github.com/docker-library/busybox/raw/2bcc4bf56c2a4594aa31feb8b42d5eab76d168bb/stable/uclibc/busybox.tar.xz reveals that /home has indeed owner/group set to 65534/65534.

...
drwxr-xr-x 0/0               0 2021-06-07 19:34 ./etc/network/if-post-down.d/
drwxr-xr-x 0/0               0 2021-06-07 19:34 ./etc/network/if-down.d/
-rw-r--r-- 0/0             340 2021-06-06 23:21 ./etc/passwd
-rw-r--r-- 0/0             127 2021-01-27 20:21 ./etc/localtime
drwxr-xr-x 65534/65534       0 2021-06-07 19:34 ./home/
drwxr-xr-x 0/0               0 2021-06-07 19:34 ./usr/
drwxr-xr-x 1/1               0 2021-06-07 19:34 ./usr/sbin/
drwxr-xr-x 0/0               0 2021-06-07 19:34 ./var/
drwxr-xr-x 0/0               0 2021-06-07 19:34 ./var/www/
...

Is there a reason for that?

r10r commented 3 years ago

There is a nice writeup for podman explaining the UID/GID limit https://www.redhat.com/sysadmin/rootless-podman

yosifkit commented 3 years ago

We just use etc/passwd provided by busybox buildroot upstream. Here is the commit where they chose 65534: https://git.busybox.net/buildroot/commit/?id=9c67af2c524ad2b6585af2f5e43f76dacd7cc109.

Running containers via a rootless daemon is still very new and rough, so I don't think it is something we should use to patch upstream source.

tianon commented 3 years ago

Agreed -- this was definitely an intentional choice by busybox/buildroot upstream. I'd suggest the best fix is probably modifying your host's configuration to provide a larger range for your rootless containers.

r10r commented 3 years ago

@yosifkit Thanks for the pointer.

I'd suggest the best fix is probably modifying your host's configuration to provide a larger range for your rootless containers.

@tianon You're right - I tried - but until now I didn't succeed :(

But maybe it's interesting that other images just work fine, because they either use / or a non-existing directory as home for nobody.

docker.io/library/archlinux:latest: nobody:x:65534:65534:Nobody:/:/usr/bin/nologin

docker.io/library/alpine:latest: nobody:x:65534:65534:nobody:/:/sbin/nologin

docker.io/library/ubuntu:latest: nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

yosifkit commented 3 years ago

So it seems that the issue will come up in all those images if the nobody user or group ever has ownership of a file or folder.
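A pre-flight check for the failure shown in the tar listing above and for yosifkit's point that any file owned by nobody triggers it, as an added example (not code from docker-library/busybox, buildah or any participant): it lists tar entries whose numeric owner falls outside the ranges mapped into a user namespace, using the kernel's /proc/<pid>/uid_map line format ("inside_start outside_start count"). The tarball and the mapping below are constructed samples.

```python
"""Report image-layer tar entries that lchown would reject inside a user
namespace.  Added example; the tarball and the id mapping are constructed."""
import io
import tarfile


def parse_id_map(text):
    """Parse uid_map/gid_map lines ("inside outside count") into (inside, count)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, _outside, count = (int(f) for f in fields)
        ranges.append((inside, count))
    return ranges


def is_mapped(ident, ranges):
    """True if the id lies inside one of the namespace's mapped ranges."""
    return any(start <= ident < start + count for start, count in ranges)


def unmappable_entries(tar_bytes, uid_ranges, gid_ranges):
    """Return [(name, uid, gid), ...] for entries whose owner cannot be set."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not (is_mapped(m.uid, uid_ranges) and is_mapped(m.gid, gid_ranges)):
                bad.append((m.name, m.uid, m.gid))
    return bad


def build_sample_tar():
    """Constructed tarball echoing the ownership pattern in the issue."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid in [("./etc/passwd", 0, 0),
                               ("./home", 65534, 65534),
                               ("./usr/sbin", 1, 1)]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.REGTYPE if "." in name.rsplit("/", 1)[-1] else tarfile.DIRTYPE
            info.uid, info.gid = uid, gid
            tar.addfile(info)
    return buf.getvalue()


# Constructed mapping: root plus only 1000 subordinate ids, as a tight namespace.
SAMPLE_UID_MAP = "0 1000 1\n1 100000 1000\n"


def check_sample():
    ranges = parse_id_map(SAMPLE_UID_MAP)
    return unmappable_entries(build_sample_tar(), ranges, ranges)


if __name__ == "__main__":
    for name, uid, gid in check_sample():
        print(f"{name}: {uid}:{gid} is not mapped in this user namespace")
```

Point the mapping parser at the real /proc/self/uid_map and /proc/self/gid_map from inside the build environment, and the tarball at a layer exported with tar --numeric-owner, to find exactly which entries a rootless build will choke on.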

r10r commented 3 years ago

Right. But I really wonder why an image should contain any files with nobody as owner at all?

I'm quite new to rootless containers, so maybe someone more experienced should take a look at this.

r10r commented 2 years ago

@thisguy726 Why did you reference this issue?