getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

In container, sops exec-env --user... yields: [EXEC] FATA[0000] operation not supported #872

Open AndydeCleyre opened 3 years ago

AndydeCleyre commented 3 years ago

Here's a reproduction with buildah 1.20.1 and ubuntu:21.04, run on an Arch Linux host:

sops.sh:

```sh
#!/bin/sh -ex

# Create container from ubuntu:21.04
buildah rm ctnr || true
buildah from --name ctnr docker.io/library/ubuntu:21.04

# Install age
buildah run ctnr apt update
buildah run ctnr env DEBIAN_FRONTEND=noninteractive apt -yqq --no-install-recommends install age

# Install sops
buildah add ctnr \
  'https://github.com/mozilla/sops/releases/download/v3.7.1/sops_3.7.1_amd64.deb' \
  /tmp/sops_3.7.1_amd64.deb
buildah run ctnr dpkg -i /tmp/sops_3.7.1_amd64.deb

# Generate key pair
buildah run ctnr mkdir -p /root/.config/sops/age
pub=$(buildah run ctnr age-keygen -o /root/.config/sops/age/keys.txt 2>&1 | cut -d' ' -f 3)

# Create encrypted data
buildah run ctnr sh -c "printf '%s\n' 'key: val' >/root/enc.yml"
buildah run ctnr sops -a "$pub" -e -i /root/enc.yml

# Test decryption
buildah run ctnr sops -d /root/enc.yml

# Test sops exec-env
buildah run ctnr sops exec-env /root/enc.yml env

# Try sops exec-env --user...
buildah run ctnr useradd -m dev
buildah run ctnr sops exec-env --user dev /root/enc.yml whoami
```

Log tail:

```
+ buildah run ctnr useradd -m dev
+ buildah run ctnr sops exec-env --user dev /root/enc.yml whoami
[EXEC]   time="2021-05-23T16:12:56Z" level=fatal msg="operation not supported"
error while running runtime: exit status 1
level=error msg="exit status 1"
```
Full Log:

```bash
+ buildah rm ctnr
7ab60cfbd01bf0afde838f50bb737b8e515667dad819932ae575caf8692f46f4
+ buildah from --name ctnr docker.io/library/ubuntu:21.04
ctnr
+ buildah run ctnr apt update
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Get:1 http://security.ubuntu.com/ubuntu hirsute-security InRelease [101 kB]
Get:2 http://archive.ubuntu.com/ubuntu hirsute InRelease [269 kB]
Get:3 http://archive.ubuntu.com/ubuntu hirsute-updates InRelease [109 kB]
Get:4 http://security.ubuntu.com/ubuntu hirsute-security/restricted amd64 Packages [114 kB]
Get:5 http://security.ubuntu.com/ubuntu hirsute-security/multiverse amd64 Packages [1725 B]
Get:6 http://security.ubuntu.com/ubuntu hirsute-security/universe amd64 Packages [213 kB]
Get:7 http://security.ubuntu.com/ubuntu hirsute-security/main amd64 Packages [105 kB]
Get:8 http://archive.ubuntu.com/ubuntu hirsute-backports InRelease [90.7 kB]
Get:9 http://archive.ubuntu.com/ubuntu hirsute/multiverse amd64 Packages [252 kB]
Get:10 http://archive.ubuntu.com/ubuntu hirsute/restricted amd64 Packages [111 kB]
Get:11 http://archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages [16.8 MB]
Get:12 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages [1791 kB]
Get:13 http://archive.ubuntu.com/ubuntu hirsute-updates/main amd64 Packages [174 kB]
Get:14 http://archive.ubuntu.com/ubuntu hirsute-updates/restricted amd64 Packages [114 kB]
Get:15 http://archive.ubuntu.com/ubuntu hirsute-updates/universe amd64 Packages [241 kB]
Get:16 http://archive.ubuntu.com/ubuntu hirsute-updates/multiverse amd64 Packages [1725 B]
Fetched 20.5 MB in 2s (8213 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.
+ buildah run ctnr env DEBIAN_FRONTEND=noninteractive apt -yqq --no-install-recommends install age
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
The following NEW packages will be installed:
  age
debconf: delaying package configuration, since apt-utils is not installed
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1291 kB of archives.
After this operation, 5988 kB of additional disk space will be used.
Selecting previously unselected package age.
(Reading database ... 4273 files and directories currently installed.)
Preparing to unpack .../age_1.0.0~beta5-1_amd64.deb ...
Unpacking age (1.0.0~beta5-1) ...
Setting up age (1.0.0~beta5-1) ...
+ buildah add ctnr https://github.com/mozilla/sops/releases/download/v3.7.1/sops_3.7.1_amd64.deb /tmp/sops_3.7.1_amd64.deb
0126402dfd874699292e007bac2f8d43ac7424ffb5b61639ad37be95f13e6398
+ buildah run ctnr dpkg -i /tmp/sops_3.7.1_amd64.deb
Selecting previously unselected package sops.
(Reading database ... 4280 files and directories currently installed.)
Preparing to unpack /tmp/sops_3.7.1_amd64.deb ...
Unpacking sops (3.7.1) ...
Setting up sops (3.7.1) ...
+ buildah run ctnr mkdir -p /root/.config/sops/age
++ buildah run ctnr age-keygen -o /root/.config/sops/age/keys.txt
++ cut '-d ' -f 3
+ pub=age1n4ugyah7qysdz647p4x3lmt6uync6x2cjeyu7cf9uve4c9y6w9lqs5m75n
+ buildah run ctnr sh -c 'printf '\''%s\n'\'' '\''key: val'\'' >/root/enc.yml'
+ buildah run ctnr sops -a age1n4ugyah7qysdz647p4x3lmt6uync6x2cjeyu7cf9uve4c9y6w9lqs5m75n -e -i /root/enc.yml
+ buildah run ctnr sops -d /root/enc.yml
key: val
+ buildah run ctnr sops exec-env /root/enc.yml env
HOSTNAME=565f0970b7ae
HOME=/root
key=val
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
+ buildah run ctnr useradd -m dev
+ buildah run ctnr sops exec-env --user dev /root/enc.yml whoami
[EXEC] time="2021-05-23T16:12:56Z" level=fatal msg="operation not supported"
error while running runtime: exit status 1
level=error msg="exit status 1"
```
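A check worth running before blaming the container: the message `operation not supported` is the text of `EOPNOTSUPP`, not of `EPERM` (`operation not permitted`), so it is not the usual "missing CAP_SETUID" symptom. Go's `syscall.Setuid`/`Setgid` on Linux returned `EOPNOTSUPP` unconditionally before Go 1.16; whether the sops 3.7.1 release binary hits that path is not established on this page. The program below is an added example, not sops code; it assumes that `exec-env --user` does what any Go privilege drop must do (setgid, then setuid, then exec), resolves the user `dev` from the reproduction above, and classifies the errno so the two failure modes can be told apart inside the same container.

```go
// Added diagnostic, not part of sops. Mirrors an exec-env --user style
// privilege drop (assumption: setgroups/setgid, then setuid, then exec) so
// the failing step and its errno can be isolated inside the container.
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"syscall"
)

// lookupIDs resolves a username to its numeric uid and primary gid.
func lookupIDs(name string) (uid, gid int, err error) {
	u, err := user.Lookup(name)
	if err != nil {
		return 0, 0, fmt.Errorf("lookup %q: %w", name, err)
	}
	if uid, err = strconv.Atoi(u.Uid); err != nil {
		return 0, 0, fmt.Errorf("uid %q: %w", u.Uid, err)
	}
	if gid, err = strconv.Atoi(u.Gid); err != nil {
		return 0, 0, fmt.Errorf("gid %q: %w", u.Gid, err)
	}
	return uid, gid, nil
}

// dropPrivileges switches to gid, then uid, and verifies the effective IDs.
// Order matters: once the uid is unprivileged, setgid/setgroups need
// CAP_SETGID and would fail. Syscall errors are wrapped for classify().
func dropPrivileges(uid, gid int) error {
	if syscall.Getuid() == 0 {
		// Only root may rewrite the supplementary group list; clear it so the
		// child does not keep root's groups after the uid switch.
		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("setgroups(%d): %w", gid, err)
		}
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid(%d): %w", gid, err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid(%d): %w", uid, err)
	}
	if syscall.Geteuid() != uid || syscall.Getegid() != gid {
		return fmt.Errorf("after switch: euid=%d egid=%d, wanted %d/%d",
			syscall.Geteuid(), syscall.Getegid(), uid, gid)
	}
	return nil
}

// classify maps the errno behind a failed drop to an actionable label.
// EOPNOTSUPP ("operation not supported") is what Go's Setuid/Setgid returned
// on Linux before Go 1.16 regardless of privileges; EPERM ("operation not
// permitted") is the kernel refusing for lack of CAP_SETUID/CAP_SETGID.
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, syscall.EOPNOTSUPP):
		return "EOPNOTSUPP: the Go runtime refused the call (pre-1.16 toolchain); not a capability problem"
	case errors.Is(err, syscall.EPERM):
		return "EPERM: caller lacks CAP_SETUID/CAP_SETGID (not root, or capabilities dropped by the runtime)"
	default:
		return "unexpected: " + err.Error()
	}
}

func main() {
	// Usage: dropuser <user> <command> [args...]   e.g. dropuser dev whoami
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: dropuser <user> <command> [args...]")
		os.Exit(2)
	}
	uid, gid, err := lookupIDs(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := dropPrivileges(uid, gid); err != nil {
		fmt.Fprintf(os.Stderr, "%s\n  %s\n", err, classify(err))
		os.Exit(1)
	}
	path, err := exec.LookPath(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Replace the process image as exec-env does; the environment passes through.
	if err := syscall.Exec(path, os.Args[2:], os.Environ()); err != nil {
		fmt.Fprintln(os.Stderr, "exec:", err)
		os.Exit(1)
	}
}
```

Run it as root inside the same container (`dropuser dev whoami`, with `dropuser` being the name assumed for the compiled binary). If it prints `dev`, the container permits the uid switch and the sops binary itself is the place to look; if it fails with the EPERM label, the runtime's capability or seccomp configuration is blocking `setuid`/`setgid`; the EOPNOTSUPP label only appears with a toolchain older than Go 1.16.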
AndydeCleyre commented 3 years ago

FWIW: