buildah: Build image : operation not permitted

Description

With this Dockerfile:

FROM docker.io/nginx:1.23.3-alpine

RUN apk add --update --no-cache nodejs npm libc6-compat

I get the following error:

STEP 2/14: RUN apk add --update --no-cache nodejs npm libc6-compat
error running subprocess: creating new mount namespace for [/bin/sh -c apk add --update --no-cache nodejs npm libc6-compat]: operation not permitted
Error: building at STEP "RUN apk add --update --no-cache nodejs npm libc6-compat": exit status 1

Steps to reproduce the issue:

  1. Get the above Dockerfile
  2. Use buildah build command

Describe the results you received:

I get the following error:

STEP 2/14: RUN apk add --update --no-cache nodejs npm libc6-compat
error running subprocess: creating new mount namespace for [/bin/sh -c apk add --update --no-cache nodejs npm libc6-compat]: operation not permitted
Error: building at STEP "RUN apk add --update --no-cache nodejs npm libc6-compat": exit status 1

Describe the results you expected:

I am waiting for the image to build

Output of rpm -q buildah or apt list buildah:

I can't; I use GitLab CI/CD for this.

Output of buildah version:

I use GitLab CI/CD with the buildah image.

v1.28

My GitLab CI/CD configuration:

docker_build:
  stage: docker_build
  image: quay.io/buildah/stable:v1.28
  variables:
    # Use vfs with buildah. Docker offers overlayfs as a default, but buildah
    # cannot stack overlayfs on top of another overlayfs filesystem.
    STORAGE_DRIVER: vfs
    # Write all image metadata in the docker format, not the standard OCI format.
    # Newer versions of docker can handle the OCI format, but older versions, like
    # the one shipped with Fedora 30, cannot handle the format.
    BUILDAH_FORMAT: docker
    # You may need this workaround for some errors: https://stackoverflow.com/a/70438141/1233435
    BUILDAH_ISOLATION: chroot
  before_script:
    - buildah login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    # Build and push the same registry-qualified tag, so the push has a
    # destination and refers to the image that was just built.
    - buildah build -t $CI_REGISTRY_IMAGE/frontend:$CI_COMMIT_SHA -f Dockerfile.dashboard
    - buildah push $CI_REGISTRY_IMAGE/frontend:$CI_COMMIT_SHA

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 37 (25 by maintainers)

Most upvoted comments

A friendly reminder that this issue had no activity for 30 days.

Okay, let's return to the original issue. Is CAP_SYS_ADMIN or unshare(CLONE_NEWUSER) by design a hard requirement for buildah in order to be able to RUN things from a Dockerfile, even with --isolation=chroot? And does this mean that buildah cannot RUN things with default Docker settings in an unprivileged container?
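An added preflight check (not from this issue or the buildah project) for the RUN failure in the description and the capability question in the last comment: run before `buildah build`, it reports whether the CI container holds CAP_SYS_ADMIN and whether it can create the mount namespace a RUN step needs, or the user namespace rootless mode falls back on. It assumes a Linux container with /proc mounted and util-linux `unshare` on PATH; the function names and the RUN_PREFLIGHT variable are my own.

```shell
#!/bin/sh
# Preflight check for a CI job that runs buildah in an unprivileged container.
# It reproduces, outside buildah, what the failing RUN step needs: creating a
# mount namespace, and (for the rootless fallback) a user namespace.

# cap_in_mask BIT HEXMASK: succeed if capability number BIT is set in HEXMASK,
# the format used by the CapEff line of /proc/self/status.
cap_in_mask() {
    bit=$1
    mask=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# has_cap_sys_admin: check the effective capability set of this process.
# CAP_SYS_ADMIN is capability number 21 in <linux/capability.h>.
has_cap_sys_admin() {
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    cap_in_mask 21 "$capeff"
}

# can_unshare FLAG: succeed if util-linux unshare can create that namespace.
can_unshare() {
    unshare "$1" true >/dev/null 2>&1
}
# preflight: print one line per check and fail if buildah RUN would fail.
preflight() {
    status=0
    if has_cap_sys_admin; then
        echo "CAP_SYS_ADMIN: present"
    else
        echo "CAP_SYS_ADMIN: absent (the default Docker capability set drops it)"
    fi
    if can_unshare --mount; then
        echo "mount namespace: ok"
    else
        echo "mount namespace: operation not permitted, so buildah RUN will fail the same way"
        status=1
    fi
    if can_unshare --user; then
        echo "user namespace: ok (rootless buildah can work without CAP_SYS_ADMIN)"
    else
        echo "user namespace: blocked (sysctl, seccomp or AppArmor policy)"
        status=1
    fi
    return $status
}

# Run the checks only when asked, e.g. "RUN_PREFLIGHT=1 sh preflight.sh" in before_script.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

The hex mask 00000000a80425fb used in the checks below the block is the capability set a container gets from Docker's defaults, which is why CAP_SYS_ADMIN (bit 21) is reported absent there.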