buildah: [regression] Almost all buildah commands started to require either `CAP_SYS_ADMIN` or `unshare(CLONE_NEWUSER)` seccomp policy

Steps to reproduce the issue:

  1. Default Docker 20.10.x (in my case, 20.10.22) seccomp policy
  2. docker run --rm -it quay.io/buildah/upstream:latest buildah --storage-driver=vfs info or docker run --rm -it quay.io/buildah/upstream:latest buildah --storage-driver=vfs images

Describe the results you received:

Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO[0000] parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO[0000] (Unable to determine exit status)

Describe the results you expected:

I’d expect that CAP_SYS_ADMIN or unshare(CLONE_NEWUSER) are only required in case buildah runs nested containers. I should even be able to buildah build a Dockerfile that doesn’t contain RUN instructions.

This all worked for buildah v1.28.0:

$ docker run --rm -it quay.io/buildah/stable:v1.28.0 buildah --storage-driver=vfs info
{
    "host": {
        "CgroupVersion": "v1",
        "Distribution": {
            "distribution": "fedora",
            "version": "37"
        },
<snip>
}

$ docker run --rm -it quay.io/buildah/stable:v1.28.0 buildah --storage-driver=vfs images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE

Output of buildah version:

$ docker run --rm -it quay.io/buildah/upstream:latest buildah --storage-driver=vfs version
Version:         1.30.0-dev
Go Version:      go1.19.5
Image Spec:      1.0.2-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        1.0.0
libcni Version:  v1.1.2
image Version:   5.24.0
Git Commit:      
Built:           Thu Feb  2 14:10:01 2023
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of uname -a:

$ uname -a
Linux noblesse 5.15.80-gentoo-x86_64 #1 SMP Sat Dec 10 21:45:12 MSK 2022 x86_64 AMD Ryzen 7 3700X 8-Core Processor AuthenticAMD GNU/Linux

Additional info:

The issue comes from the fact that buildah calls unshare.MaybeReexecUsingUserNamespace, which, starting with https://github.com/containers/storage/pull/1415, attempts to unshare(CLONE_NEWUSER) when run as root without CAP_SYS_ADMIN.
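As an added example (not buildah's own code and not part of the original report), the following Go program mirrors what the re-exec path does: it reads CapEff from /proc/self/status to see whether CAP_SYS_ADMIN is present, then re-executes itself as a child with CLONE_NEWUSER and classifies the errno. Under Docker's default seccomp profile, clone(2) with namespace flags and unshare(2) are denied with EPERM unless the container holds CAP_SYS_ADMIN, which is the "Operation not permitted" seen above. The bit index 21 for CAP_SYS_ADMIN comes from the kernel's capability numbering; the Verdict names, the "child" argument and the constructed status excerpts in the test are this example's own.

```go
// Added example (not buildah's own code): probe whether this process can create
// a user namespace the way buildah's re-exec path does, and report why not.
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

// capSysAdmin is the bit index of CAP_SYS_ADMIN in the kernel capability mask.
const capSysAdmin = 21

// hasCap reports whether capability bit `bit` is set in the CapEff line of a
// /proc/<pid>/status document (the mask is printed as hex).
func hasCap(status string, bit uint) (bool, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		mask, err := strconv.ParseUint(hexMask, 16, 64)
		if err != nil {
			return false, fmt.Errorf("bad CapEff value %q: %w", hexMask, err)
		}
		return mask&(1<<bit) != 0, nil
	}
	return false, errors.New("no CapEff line in status")
}

// Verdict summarises the outcome of the user-namespace attempt (names are this example's own).
type Verdict string

const (
	VerdictPermitted Verdict = "permitted" // clone(CLONE_NEWUSER) succeeded
	VerdictDenied    Verdict = "denied"    // EPERM: seccomp, LSM, chroot, or unprivileged userns disabled
	VerdictLimit     Verdict = "limit"     // ENOSPC/EUSERS: user.max_user_namespaces reached
	VerdictOther     Verdict = "other"
)

// classifyUnshareError maps the error returned by exec.Cmd.Run (an *os.PathError
// wrapping the errno from clone) to a Verdict.
func classifyUnshareError(err error) Verdict {
	switch {
	case err == nil:
		return VerdictPermitted
	case errors.Is(err, syscall.EPERM):
		return VerdictDenied
	case errors.Is(err, syscall.ENOSPC), errors.Is(err, syscall.EUSERS):
		return VerdictLimit
	default:
		return VerdictOther
	}
}

// tryUserNamespace re-executes this binary as a child in a fresh user namespace,
// mapping the current uid/gid to 0 inside it. The Go runtime is multithreaded,
// so a direct unshare(2) would fail with EINVAL; spawning a child with
// Cloneflags is the same approach buildah's re-exec takes.
func tryUserNamespace() error {
	cmd := exec.Command("/proc/self/exe", "child")
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  syscall.CLONE_NEWUSER,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	return cmd.Run()
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		fmt.Printf("child: running as uid %d inside a new user namespace\n", os.Getuid())
		return
	}
	status, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	admin, err := hasCap(string(status), capSysAdmin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("euid=%d CAP_SYS_ADMIN=%v\n", os.Geteuid(), admin)
	err = tryUserNamespace()
	fmt.Printf("clone(CLONE_NEWUSER): %s", classifyUnshareError(err))
	if err != nil {
		fmt.Printf(" (%v)", err)
	}
	fmt.Println()
}
```

Build it statically and run it inside the same container once under the default profile and once with --security-opt seccomp=unconfined (or --cap-add SYS_ADMIN); the verdict flips from denied to permitted, which confirms the seccomp profile rather than the storage driver is what blocks buildah.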

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 2
  • Comments: 20 (10 by maintainers)

Most upvoted comments

A thousand apologies… I just forgot to use the --security-opt label=disable and --security-opt seccomp=unconfined options. If I run my container with them, it works as it should. I’ll just leave this here for those who have a bad memory like me.

FROM and COPY also need to be able to store UIDs that are not the same as the UID of the user running BUILDAH, which means that we need to create a user namespace for rootless users at least.