Open mbarbero opened 2 years ago
Could you try setting `securityContext.seLinuxOptions.type` to `spc_t`?
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#selinuxoptions-v1-core
Potentially related: https://github.com/moby/buildkit/issues/1634
Thanks for your reply and suggestion. Unfortunately, I get the same error with `securityContext.seLinuxOptions.type` set to `spc_t`.
It seems that a "recent" change to runc added some more validation of the mount destination. The way proc is mounted seems to break here.

FYI, here is the output of `runc --version` on my hosts.

```
$ runc -version
runc version 1.0.0-rc95
commit: 4c62ef789fd7a2963bf61ffbf421ce9646063648
spec: 1.0.2-dev
go: go1.16.3
libseccomp: 2.5.0
```
Does `moby/buildkit:master-rootless` work?
Both `moby/buildkit:master-rootless` and `moby/buildkit:rootless` fail with the same error.

I did not try `master-rootless` again since I reported the issue, though. Are there changes that could have fixed the issue and you want me to try?
Did anyone solve this? This has been nearly 9 months.
No, this is still an issue for us.
Does https://github.com/moby/buildkit/pull/3203 work?
I run buildkitd on a Kubernetes cluster (OKD 4.7, the "upstream" FLOSS of Openshift). The daemon starts and stays up. But every time I try to run a build, I get an error:

Dockerfile is very simple:

As I'm on OKD, I created a dedicated Security Context Constraint in order to not drop the `SETGID` and `SETUID` capabilities as it does by default, and also to allow the `unconfined` seccomp profile. This SCC can be read here.

The deployment definition is largely based on the example provided by buildkit. Note that I dropped the option `--oci-worker-no-process-sandbox` and added `procMount: "Unmasked"` to the pod security context in my deployment. I also tried the other way around; it does not change anything regarding the error mentioned above.

I also tried running a privileged buildkitd (using the `moby/buildkit:master` image, `privileged: true` for the security context, and added the privileged SCC to the service account running the pod). Everything works as expected: I can build my container image from the Dockerfile without any issue.

The last attempt I made is to run the rootless image with the privileged SCC, but it does not work either. I get the same build error. My guess is that something is missing on the deployment configuration, but I'm running out of ideas.

Am I missing anything for running rootless buildkitd on OKD/Openshift?

Thanks.

Software versions:
- Server Version: 4.7.0-0.okd-2021-07-03-190901
- Kubernetes Version: v1.20.0-1085+01c9f3f43ffcf0-dirty
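For reference, the security-context fields this thread touches (the kept `SETUID`/`SETGID` capabilities, the `unconfined` seccomp profile, `procMount: Unmasked`, and the suggested `seLinuxOptions.type: spc_t`) are collected in the container spec below. This is an added illustration, not the reporter's manifest and not buildkit's own example deployment; the deployment name, labels, UID and socket path are assumptions. Note that `procMount` is a field of the container-level `securityContext`, not the pod-level one, and that `Unmasked` is only honoured when the cluster has the `ProcMountType` feature gate enabled.

```yaml
# Added example: rootless buildkitd Deployment with the securityContext
# fields discussed in this thread. Names, UID and socket path are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildkitd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    spec:
      containers:
      - name: buildkitd
        image: moby/buildkit:master-rootless
        args:
        - --addr
        - unix:///run/user/1000/buildkit/buildkitd.sock   # assumed socket path
        # Container-level securityContext: procMount lives here, not on the pod.
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          # The reporter's SCC keeps these two capabilities instead of
          # dropping them as the default OKD SCC does.
          capabilities:
            add: ["SETUID", "SETGID"]
          # The unconfined seccomp profile the SCC allows (field exists since
          # Kubernetes 1.19; older clusters use the seccomp annotation instead).
          seccompProfile:
            type: Unconfined
          # SELinux type suggested earlier in the thread.
          seLinuxOptions:
            type: spc_t
          # Unmasked /proc, as tried by the reporter; requires the
          # ProcMountType feature gate, otherwise it is silently ignored.
          procMount: Unmasked
```

When checking a cluster like this, `kubectl get pod <name> -o yaml` after admission shows the effective `securityContext`; if an SCC or the feature gate has stripped a field, the value will differ from what the Deployment requested, which is the first thing to compare when a mount-validation error like the one above appears.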