buildah: buildah run: error opening "/etc/cni/net.d/cni.lock": creating locker directory: mkdir /etc/cni: permission denied

Description

I’ve built containers with buildah <= 1.23.1 (in a systemd container, if that matters). The containers were built with --cap-add=CAP_SYS_PTRACE and they are root-less containers. With buildah <= 1.23.1 I have been able to buildah run these containers just fine. However since upgrading to 1.24.1 I cannot run these containers. I get errors like:

$ buildah run testing-root python --version
error reading build container "testing-root": error opening "/etc/cni/net.d/cni.lock": creating locker directory: mkdir /etc/cni: permission denied

Is this a bug or something extra I need to do now that I’ve upgraded to 1.24?

Steps to reproduce the issue: With buildah 1.24.1:

  1. As non-root. Create a container with CAP_SYS_PTRACE: c=$(buildah from <image> --cap-add=CAP_SYS_PTRACE ...)
  2. Attempt to run the container: buildah run $c -- <command>

Describe the results you received:

Error message as described above, and buildah exits with status 125.

Describe the results you expected:

buildah runs the given command in the given container

Output of rpm -q buildah or apt list buildah:

This is Gentoo Linux (should I report the issue there?) but

$ equery l buildah
 * Searching for buildah ...
[IP-] [  ] app-containers/buildah-1.24.1:0

Output of buildah version:

$ buildah version
Version:         1.24.1
Go Version:      go1.17.7
Image Spec:      1.0.2-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        1.0.0
libcni Version:  v1.0.1
image Version:   5.19.1
Git Commit:      28f7884b
Built:           Tue Feb 15 13:32:48 2022
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of podman version if reporting a podman build issue:

N/A

Output of cat /etc/*release:

Gentoo Base System release 2.7
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo/Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"

Output of uname -a:

Linux jenkins 5.16.9-gentoo #1 SMP Fri Feb 11 18:28:15 UTC 2022 x86_64 Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz GenuineIntel GNU/Linux

Output of cat /etc/containers/storage.conf:

cat: /etc/containers/storage.conf: No such file or directory
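As an added illustration, not code from this report or from the buildah project: a small POSIX shell helper that classifies a failed buildah run by the exit status and error text quoted above, so the rootless /etc/cni lock failure can be told apart from other failures. Only run_and_diagnose invokes buildah, and it assumes buildah is on PATH; the classifier itself works on captured status and stderr.

```shell
#!/bin/sh
# Added example, not code from the issue or from buildah: classify a failed
# `buildah run` by exit status and stderr so the rootless /etc/cni lock error
# reported above can be told apart from other failures.

# Signature built from the error text quoted in the report.
CNI_LOCK_PATTERN='error opening "/etc/cni/net.d/cni.lock".*mkdir /etc/cni: permission denied'

# diagnose_buildah_run STATUS STDERR_TEXT
# Prints one label: ok, cni-lock-permission or other-failure.
diagnose_buildah_run() {
  status=$1
  stderr_text=$2
  if [ "$status" -eq 0 ]; then
    echo ok
    return 0
  fi
  # The report shows buildah exiting with status 125 on this error.
  if [ "$status" -eq 125 ] && printf '%s\n' "$stderr_text" | grep -q "$CNI_LOCK_PATTERN"; then
    echo cni-lock-permission
    return 0
  fi
  echo other-failure
}

# run_and_diagnose CONTAINER COMMAND...
# Runs buildah for real (assumes buildah is on PATH), captures stderr,
# classifies the result and prints the thread's workaround on a match.
run_and_diagnose() {
  container=$1
  shift
  errfile=$(mktemp)
  if buildah run "$container" -- "$@" 2>"$errfile"; then
    status=0
  else
    status=$?
  fi
  result=$(diagnose_buildah_run "$status" "$(cat "$errfile")")
  rm -f "$errfile"
  if [ "$result" = cni-lock-permission ]; then
    echo "hint: containers created under buildah <= 1.23.1 fail this way on 1.24.1;" >&2
    echo "      remove them (e.g. podman system reset --force) and recreate them." >&2
  fi
  echo "$result"
}
```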

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 22 (8 by maintainers)

Most upvoted comments

To clarify my comment (https://github.com/containers/buildah/issues/3783#issuecomment-1162724171):

I hit the error with rootless buildah rm on Fedora 36 when trying to remove buildah containers which were created before the operating system upgrade, on Fedora 35. After I performed the mentioned workaround to remove all buildah containers which persisted from F35, I can now create and remove buildah containers without problems (the workaround is no longer necessary).

@guystreeter if you have podman on board too, you could use the big hammer podman system reset --force. Or the other big hammers:

rm -rf /var/lib/containers/* # for rootful
rm -rf $HOME/.local/share/containers/* # for rootless