No /sys mount during image build

[csweichel]

When I try to build images using buildkit in a rootless environment (Gitpod workspace), buildkit does not mount /sys. In our use-case this causes udevadm trigger to fail, which subsequently breaks an apt-get install operation.

Also, this represents a difference to a Docker build where a /sys mount is available, and the image build succeeds. Looking at the OCI runtime config produced by buildkit for the build container I don't see any mount for /sys.

Opening this repo in Gitpod, illustrates the issue. You'll see both builds running with the docker build succeeding and the buildkit one failing: https://gitpod.io/#github.com/csweichel/buildkit-udisks

Is this behaviour intentional? If so, is there a known workaround?

[csweichel]

This behaviour seems to be intentional: https://github.com/moby/buildkit/blob/4e69662758446c7dc0e6de2bc1f7973d03bacbed/util/rootless/specconv/specconv_linux.go#L14-L16

Considering that it introduces an incompatibility to existing Dockerfiles, is there a way to disable it specifically?

[AkihiroSuda]

I guess we can safely enable /sys mount when the builtkitd process is running a dedicated network namespace. Probably needs to call RootlessKit API.

https://github.com/rootless-containers/rootlesskit/blob/37262453b3f6d9cc7e4726f506c002b6fd98ab82/pkg/api/openapi.yaml#L136-L139

[csweichel]

How would the dedicated network namespace detection work; would it require rootlesskit?

[AkihiroSuda]

ioctl_ns(NS_GET_USERNS) may work, without RootlessKit

https://man7.org/linux/man-pages/man2/ioctl_ns.2.html