genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
MIT License

can't build image if root filesystem is read only #335

Open laversa opened 3 years ago

laversa commented 3 years ago

I am not able to build images when enabling the security best practice of running the container with a read-only root file system.

Using the --read-only option to make the root file system read-only, I get the following error:

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    r.j3ss.co/img build -t user/myimage .
Error: error creating dir for embedded binaries: mkdir /home/user/.local: read-only file system

Using temporary file system --tmpfs /home/user/.local

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    --tmpfs /home/user/.local \
    r.j3ss.co/img build -t user/myimage .
Error: unable to check runc version

Using volume --volume ${PWD}/.local:/home/user/.local

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ mkdir .local
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    --volume ${PWD}/.local:/home/user/.local \
    r.j3ss.co/img build -t user/myimage .
Building docker.io/user/myimage:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 0.2s (2/2) FINISHED
 => [internal] load .dockerignore                         0.1s
 => => transferring context: 2B                           0.0s
 => [internal] load build definition from Dockerfile      0.2s
 => => transferring dockerfile: 62B                       0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to create temp dir: mkdir /tmp/buildkit-mount103012371: read-only file system

Using volume --volume ${PWD}/.local:/home/user/.local and --tmpfs /tmp

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ mkdir .local
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    --volume ${PWD}/.local:/home/user/.local \
    --tmpfs /tmp \
    r.j3ss.co/img build -t user/myimage .
Building docker.io/user/myimage:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 0.1s (2/2) FINISHED
 => [internal] load build definition from Dockerfile      0.1s
 => => transferring dockerfile: 31B                       0.0s
 => [internal] load .dockerignore                         0.1s
 => => transferring context: 2B                           0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount663287699: [{Type:bind Source:/home/user/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted

Is it possible to use img build with a read-only root file system restriction?
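Every failure in the runs above is the same class of error: a path the builder needs to write to lives on the read-only root filesystem (first the embedded-binaries directory under the home directory, then BuildKit's temp directories under /tmp). Before trying a hardened `--read-only` run, it helps to probe those paths from inside the container and see which ones need a tmpfs or a volume. The script below is an added example for this thread, not code from the img project or the reporter's commands; the path list and the flag suggestions it prints are assumptions based only on the errors quoted in this issue, and `.rw-probe` is a made-up probe file name.

```shell
#!/bin/sh
# Added example (not part of the img project or this issue's commands).
# Preflight check for a container with a read-only root filesystem: confirm
# that every path the builder writes to is actually writable, and suggest
# the docker run flag that would make it writable otherwise.
#
# Paths worth checking, taken from the errors in this thread:
#   $HOME/.local   img's directory for embedded binaries (first error)
#   /tmp           BuildKit's buildkit-mount* temp dirs (later errors)

# nearest_existing PATH : print PATH or its closest existing ancestor.
# img's first failure was mkdir /home/user/.local, so a path that does not
# exist yet must be judged by whether its parent can be written.
nearest_existing() {
    d=$1
    while [ ! -e "$d" ] && [ "$d" != / ]; do
        d=$(dirname "$d")
    done
    printf '%s\n' "$d"
}

# check_writable_paths PATH... : return 0 if every path is writable,
# 1 otherwise, printing each unwritable path on stdout (one per line).
# A real file is created and removed, which is the only reliable test:
# permission bits say nothing about a read-only mount.
check_writable_paths() {
    rc=0
    for p in "$@"; do
        d=$(nearest_existing "$p")
        if [ -d "$d" ] && f=$(mktemp "$d/.rw-probe.XXXXXX" 2>/dev/null); then
            rm -f "$f"
        else
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# suggest_mounts PATH... : print one docker run flag per unwritable path.
# Scratch space under /tmp gets a tmpfs (discarded with the container);
# anything else gets a bind volume so that state such as img's snapshot
# cache survives between runs. The ${PWD}/<basename> host path is an
# assumed convention mirroring the commands in this thread.
suggest_mounts() {
    check_writable_paths "$@" | while IFS= read -r p; do
        case "$p" in
            /tmp|/tmp/*) printf -- '--tmpfs %s\n' "$p" ;;
            *)           printf -- '--volume ${PWD}/%s:%s\n' "$(basename "$p")" "$p" ;;
        esac
    done
}

# Typical use inside the builder container (assumed HOME of /home/user):
#   suggest_mounts /home/user/.local /tmp
# Prints nothing when both are writable; otherwise prints the flags to add.
```

Run it inside the image with the same `--read-only` flags you intend to use in production, and add the printed flags to the `docker run` line. Note that the last error in this thread (the bind mount of a snapshot directory being "not permitted") is a mount-permission problem rather than a read-only-filesystem problem, so a clean result from this check does not by itself guarantee the build will succeed.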

gabrywu commented 2 years ago

Yes, I want this feature

MrNocTV commented 1 year ago

I have the same problem. Please help fix this issue. I install img inside a container in Kubernetes.

WARN[0000] Process sandbox is not available, consider unmasking procfs:
WARN[0000] using host network as the default
[+] Building 0.0s (2/2) FINISHED
 => [internal] load .dockerignore                         0.0s
 => => transferring context: 2B                           0.0s
 => [internal] load build definition from Dockerfile      0.0s
 => => transferring dockerfile: 32B                       0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount4015711986: [{Type:bind Source:/root/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted

UPDATED: It is mentioned here, https://github.com/genuinetools/img/issues/115