uraimo / run-on-arch-action

A GitHub Action that executes jobs/commands on non-x86 CPU architectures (ARMv6, ARMv7, aarch64, s390x, ppc64le, riscv64) via QEMU
BSD 3-Clause "New" or "Revised" License

Using distrobuilder in ubuntu_latest on aarch64 will give an error (Failed to unshare namespaces: Operation not permitted) #140

Open spiritLHLS opened 6 months ago

spiritLHLS commented 6 months ago

Very nice program. But I'm having some minor problems with it.

https://github.com/oneclickvirt/incus_images/blob/main/.github/workflows/build_kali_arm64.yml

I tried to compile and install https://github.com/lxc/distrobuilder using the ubuntu_latest image on the aarch64 architecture, but it reported an error when running $HOME/goprojects/bin/distrobuilder --version:

Failed to unshare namespaces: Operation not permitted

Full logs: https://github.com/oneclickvirt/incus_images/actions/runs/7526849891/job/20485804861#step:3:1503

        sudo apt-get install build-essential -y
        export CGO_ENABLED=1
        export CC=gcc
        wget https://go.dev/dl/go1.21.6.linux-arm64.tar.gz
        chmod 777 go1.21.6.linux-arm64.tar.gz
        rm -rf /usr/local/go && tar -C /usr/local -xzf go1.21.6.linux-arm64.tar.gz
        export GOROOT=/usr/local/go
        export PATH=$GOROOT/bin:$PATH
        export GOPATH=$HOME/goprojects/
        go version
        apt-get install -q -y debootstrap rsync gpg squashfs-tools git make
        git config --global user.name "daily-update"
        git config --global user.email "tg@***.top"
        mkdir -p $HOME/go/src/github.com/lxc/
        cd $HOME/go/src/github.com/lxc/
        git clone https://github.com/lxc/distrobuilder
        cd ./distrobuilder
        make
        # PATH entries must be directories, so add the bin directory rather than the binary
        export PATH=$HOME/goprojects/bin:$PATH
        echo $PATH
        find $HOME -name distrobuilder -type f 2>/dev/null
        distrobuilder --version
        $HOME/goprojects/bin/distrobuilder --version

So far I've only done the above. Is there any way to perform the repair?

martin-g commented 6 months ago

According to https://unix.stackexchange.com/questions/669523/why-non-root-user-cannot-unshare-pid-namespace the unshare (pid) namespace operation needs CAP_SYS_ADMIN capability, i.e. root access to the host. You may try to add --cap-add SYS_ADMIN to the action's dockerRunArgs but I barely remember that GitHub Actions forbids this.

spiritLHLS commented 6 months ago

> According to https://unix.stackexchange.com/questions/669523/why-non-root-user-cannot-unshare-pid-namespace the unshare (pid) namespace operation needs CAP_SYS_ADMIN capability, i.e. root access to the host. You may try to add --cap-add SYS_ADMIN to the action's dockerRunArgs but I barely remember that GitHub Actions forbids this.

I added --cap-add SYS_ADMIN and got another error: Failed to mark / private: Permission denied. There seems to be no solution to this problem.
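
Added example, not part of the thread or of either project: a shell preflight that reports the effective capability mask, seccomp mode and LSM label of the job container, which are the settings the kernel consults for the unshare and mount calls discussed above. The helper names are hypothetical and the two hex masks are constructed samples.

```shell
#!/bin/sh
# Preflight for the failure discussed in this thread: report what the kernel
# will consult before allowing unshare(2)/mount(2) inside the job container.
# Helper names are hypothetical; run it as a step before distrobuilder.

CAP_SYS_ADMIN=21   # bit number from <linux/capability.h>

# has_cap HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field KEY [FILE]: print the value of "KEY:<tab>value" from a
# /proc/<pid>/status style file (default: this process).
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "${2:-/proc/self/status}"
}

# unshare_preflight [FILE]: print findings; return 0 only when CAP_SYS_ADMIN
# is in the effective set, 1 when it is missing, 2 when status is unreadable.
unshare_preflight() {
    file="${1:-/proc/self/status}"
    cap_eff=$(status_field CapEff "$file" 2>/dev/null)
    [ -n "$cap_eff" ] || { echo "cannot read CapEff from $file"; return 2; }
    # Seccomp: 0 = off, 1 = strict, 2 = filter (a profile is loaded).
    echo "CapEff=$cap_eff Seccomp=$(status_field Seccomp "$file")" \
         "NoNewPrivs=$(status_field NoNewPrivs "$file")"
    # LSM label (e.g. an AppArmor profile name); absent on some kernels.
    echo "LSM=$(cat /proc/self/attr/current 2>/dev/null || echo unknown)"
    if has_cap "$cap_eff" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN present: if still denied, check Seccomp and LSM above"
        return 0
    fi
    echo "CAP_SYS_ADMIN missing: unshare of non-user namespaces returns EPERM"
    return 1
}

# Constructed sample masks: Docker's default capability set, and the same
# set with --cap-add SYS_ADMIN (bit 21 set).
has_cap 00000000a80425fb "$CAP_SYS_ADMIN" || echo "default mask: no CAP_SYS_ADMIN"
has_cap 00000000a82425fb "$CAP_SYS_ADMIN" && echo "cap-add mask: CAP_SYS_ADMIN set"

unshare_preflight || echo "preflight: namespace setup is expected to fail here"
```
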