img: Operation not permitted issue when building on Fedora 28

Dockerfile:

FROM docker.io/library/alpine:latest
RUN echo hi

Using a compiled runc binary from @AkihiroSuda's demo-rootless branch

sub uid/gid file:

test (aws:rean-gov-sd)(kc)$ cat /etc/subuid
frezbo:100000:65536
test (aws:rean-gov-sd)(kc)$ cat /etc/subgid
frezbo:100000:65536
test (aws:rean-gov-sd)(kc)$

img build o/p:

test (aws:rean-gov-sd)(kc)$ img build -backend native -d -t hello -f  Dockerfile  .
Building docker.io/library/hello:latest
Setting up the rootfs... this may take a bit.
DEBU[0000] serving grpc connection                      
DEBU[0000] new ref for local: bt8npmb4ra0fufx6jmf84es2t 
DEBU[0000] new ref for local: r8q0jj3mqduet41nfj42u1g1f 
DEBU[0000] diffcopy took: 826.419µs                     
DEBU[0000] saved bt8npmb4ra0fufx6jmf84es2t as local.sharedKey:context:.dockerignore: 
DEBU[0000] diffcopy took: 1.040244ms                    
DEBU[0000] saved r8q0jj3mqduet41nfj42u1g1f as local.sharedKey:dockerfile:Dockerfile: 
solving failed: operation not permitted

This is what I saw in strace:

test (aws:rean-gov-sd)(kc)$ strace img build -d -t hello -f  Dockerfile  . 2>&1 | grep -i operation
epoll_ctl(4, EPOLL_CTL_ADD, 5, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=156319752, u64=140016090169352}}) = -1 EPERM (Operation not permitted)
epoll_ctl(4, EPOLL_CTL_DEL, 5, 0xc4201cbba4) = -1 EPERM (Operation not permitted)
wait4(-2937, solving failed: operation not permitted
test (aws:rean-gov-sd)(kc)$ 

OS info:

test (aws:rean-gov-sd)(kc)$ cat /etc/*-release
Fedora release 28 (Twenty Eight)
NAME=Fedora
VERSION="28 (Workstation Edition)"
ID=fedora
VERSION_ID=28
PLATFORM_ID="platform:f28"
PRETTY_NAME="Fedora 28 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:28"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=28
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=28
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation
Fedora release 28 (Twenty Eight)
Fedora release 28 (Twenty Eight)
test (aws:rean-gov-sd)(kc)$ 

Kernel info:

test (aws:rean-gov-sd)(kc)$ uname -a
Linux localhost.localdomain 4.16.8-300.fc28.x86_64 #1 SMP Wed May 9 20:23:40 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
test (aws:rean-gov-sd)(kc)$ 

Will be happy to provide any extra info.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 42 (22 by maintainers)

Most upvoted comments

Or simply img build -state /anywhere/outside/of/slash-tmp

How could I have missed that 😢, I knew that /tmp was a tmpfs mount. Thanks @AkihiroSuda for the fixes.

Seems like a tmpfs issue. (/tmp is mounted as tmpfs with nosuid,nodev on Fedora by default, but not on Ubuntu.)

The following worked for me. (Mount an unprivileged tmpfs over the initial tmpfs.)

$ rootlesskit bash
rlk$ export IMG_RUNNING_TESTS=1
rlk$ mount -t tmpfs none /tmp
rlk$ img build -t foo .

But apt still shows a warning

...
Fetched 25.3 MB in 11s (2377 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_bionic_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Having root in userns is still rootless because it is not root in the initial ns, but either way my subid configuration seems wrong on second thought, sorry for causing confusion…
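A check a practitioner can run before picking an img state directory, as an added example (it is not code from this issue or from the img project): it parses lines in /proc/self/mountinfo format, finds the mount that covers a given path, and rejects candidates whose mount carries nosuid or nodev, which is exactly the Fedora /tmp tmpfs situation diagnosed above and the reason the -state workaround helps. The mountinfo table embedded in the script is constructed for the demo and the candidate paths are assumptions; on a real host, call mount_for_path with only the path argument and it reads the live /proc/self/mountinfo instead.

```shell
#!/bin/sh
# Added example: find the mount covering a path and refuse img state directories
# that live on nosuid/nodev mounts (the Fedora /tmp tmpfs case from this issue).

# Constructed /proc/self/mountinfo excerpt (not captured from a real host).
# Fields: id parent major:minor root mountpoint mount-opts ... - fstype source super-opts
SAMPLE_MOUNTINFO='22 60 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
60 0 253:0 / / rw,relatime - ext4 /dev/mapper/fedora-root rw,seclabel
98 60 0:39 / /tmp rw,nosuid,nodev,seclabel - tmpfs tmpfs rw,seclabel
101 60 253:2 / /home rw,relatime - ext4 /dev/mapper/fedora-home rw,seclabel'

# mount_for_path PATH [MOUNTINFO_TEXT]
# Prints "<mountpoint> <mount-opts>" for the longest mountpoint that covers PATH.
# Reads the live /proc/self/mountinfo when no table text is supplied.
# (Mountpoints containing spaces appear as \040 in mountinfo; not unescaped here.)
mount_for_path() {
    path=$1
    if [ -n "$2" ]; then info=$2; else info=$(cat /proc/self/mountinfo); fi
    printf '%s\n' "$info" | awk -v p="$path" '
        {
            mp = $5; opts = $6
            # "/" covers everything; otherwise p must equal mp or start with "mp/"
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp); best_mp = mp; best_opts = opts
                }
            }
        }
        END { if (best_mp != "") print best_mp " " best_opts }'
}

# mount_has_opts PATH OPTS [MOUNTINFO_TEXT]
# Returns 0 when the mount covering PATH carries every option in the comma list OPTS.
mount_has_opts() {
    path=$1; want=$2; info=$3
    set -- $(mount_for_path "$path" "$info")   # $1 = mountpoint, $2 = options
    [ -n "$2" ] || return 1
    have=",$2,"
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case $have in *",$o,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# choose_state_dir MOUNTINFO_TEXT CANDIDATE...
# Prints the first candidate whose mount has neither nosuid nor nodev; returns 1 if none.
choose_state_dir() {
    table=$1; shift
    for cand in "$@"; do
        if mount_has_opts "$cand" nosuid "$table" || mount_has_opts "$cand" nodev "$table"; then
            continue   # same class of mount as Fedora's default /tmp: skip it
        fi
        printf '%s\n' "$cand"
        return 0
    done
    return 1
}

# Stand-alone demo against the constructed table: /tmp is rejected, the home path wins.
# (Candidate directories are assumptions for the demo.)
choose_state_dir "$SAMPLE_MOUNTINFO" /tmp/img-state /home/frezbo/.local/share/img
```

The chosen path is what you would pass to img build -state; the same mount_has_opts check can be run on the live table before the first build, so the EPERM from the nosuid,nodev tmpfs is caught up front instead of surfacing as "solving failed: operation not permitted".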