Open csweichel opened 2 years ago
This behaviour seems to be intentional: https://github.com/moby/buildkit/blob/4e69662758446c7dc0e6de2bc1f7973d03bacbed/util/rootless/specconv/specconv_linux.go#L14-L16
Considering that it introduces an incompatibility to existing Dockerfiles, is there a way to disable it specifically?
I guess we can safely enable the /sys mount when the buildkitd process is running in a dedicated network namespace. Probably needs to call the RootlessKit API.
How would the dedicated network namespace detection work; would it require rootlesskit?
ioctl_ns(NS_GET_USERNS) may work, without RootlessKit.
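One way to implement the check suggested above, as an added example that is not part of this thread or of BuildKit's own code: open the daemon's network namespace, ask the kernel (NS_GET_USERNS) for the user namespace that owns it, and compare that with the process's own user namespace. The decision rule (netns owned by our own userns means it is dedicated, anything else or an unsupported ioctl means keep /sys disabled) and all function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// NS_GET_USERNS from <linux/nsfs.h> (Linux >= 4.9): returns an fd referring to
// the user namespace that owns the namespace behind the given fd.
const nsGetUserNS = 0xb701

// nsID identifies a namespace by the (device, inode) pair of its nsfs entry.
type nsID struct{ Dev, Ino uint64 }

func (a nsID) equal(b nsID) bool { return a.Dev == b.Dev && a.Ino == b.Ino }

// identOf returns the namespace identity behind an open nsfs file.
func identOf(f *os.File) (nsID, error) {
	var st syscall.Stat_t
	if err := syscall.Fstat(int(f.Fd()), &st); err != nil {
		return nsID{}, err
	}
	return nsID{Dev: uint64(st.Dev), Ino: uint64(st.Ino)}, nil
}

// identOfPath is identOf for a /proc/<pid>/ns/<type> path.
func identOfPath(path string) (nsID, error) {
	f, err := os.Open(path)
	if err != nil {
		return nsID{}, err
	}
	defer f.Close()
	return identOf(f)
}

// ownerUserNS asks the kernel which user namespace owns the namespace at path.
func ownerUserNS(path string) (nsID, error) {
	f, err := os.Open(path)
	if err != nil {
		return nsID{}, err
	}
	defer f.Close()
	ownerFd, _, errno := syscall.Syscall(syscall.SYS_IOCTL, f.Fd(), nsGetUserNS, 0)
	if errno != 0 { // e.g. ENOTTY on kernels without NS_GET_USERNS
		return nsID{}, fmt.Errorf("ioctl(NS_GET_USERNS) on %s: %w", path, errno)
	}
	owner := os.NewFile(ownerFd, "owner-userns")
	defer owner.Close()
	return identOf(owner)
}

// NetNSIsDedicated reports whether the caller's network namespace is owned by
// the caller's own user namespace. Sysfs can only be mounted by a process with
// CAP_SYS_ADMIN over the netns owner, so this is the case in which a rootless
// daemon could re-enable the /sys mount. An error means "unknown": keep it off.
func NetNSIsDedicated() (bool, error) {
	self, err := identOfPath("/proc/self/ns/user")
	if err != nil {
		return false, err
	}
	owner, err := ownerUserNS("/proc/self/ns/net")
	if err != nil {
		return false, err
	}
	return owner.equal(self), nil
}

func main() {
	ok, err := NetNSIsDedicated()
	fmt.Printf("dedicated netns: %v (err=%v)\n", ok, err)
}
```

Run it once inside the RootlessKit namespaces and once with RootlessKit's host networking to see the two outcomes; a false result with a nil error means the netns belongs to an ancestor user namespace, typically the host's.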
When I try to build images using buildkit in a rootless environment (Gitpod workspace), buildkit does not mount /sys. In our use-case this causes udevadm trigger to fail, which subsequently breaks an apt-get install operation.

Also, this represents a difference to a Docker build, where a /sys mount is available and the image build succeeds. Looking at the OCI runtime config produced by buildkit for the build container, I don't see any mount for /sys.

Opening this repo in Gitpod illustrates the issue. You'll see both builds running, with the docker build succeeding and the buildkit one failing: https://gitpod.io/#github.com/csweichel/buildkit-udisks

Is this behaviour intentional? If so, is there a known workaround?