Build image : operation not permitted

[Mathie01]

Description

With this Dockerfile :

FROM docker.io/nginx:1.23.3-alpine

RUN apk add --update --no-cache nodejs npm libc6-compat

I get the following error:

STEP 2/14: RUN apk add --update --no-cache nodejs npm libc6-compat
error running subprocess: creating new mount namespace for [/bin/sh -c apk add --update --no-cache nodejs npm libc6-compat]: operation not permitted
Error: building at STEP "RUN apk add --update --no-cache nodejs npm libc6-compat": exit status 1

Steps to reproduce the issue:

1. Get the above Dockerfile
2. Use buildah build command

Describe the results you received:

I get the following error:

STEP 2/14: RUN apk add --update --no-cache nodejs npm libc6-compat
error running subprocess: creating new mount namespace for [/bin/sh -c apk add --update --no-cache nodejs npm libc6-compat]: operation not permitted
Error: building at STEP "RUN apk add --update --no-cache nodejs npm libc6-compat": exit status 1

Describe the results you expected:

I am waiting for the image to build

Output of rpm -q buildah or apt list buildah:

I can't, I use Gitlab CI / CD for this

Output of buildah version:

I use Gitlab CI / CD with buildah image

v1.28

My Gitlab CI / CD configuration :

docker_build:
  stage: docker_build
  image: quay.io/buildah/stable:v1.28
  variables:
    # Use vfs with buildah. Docker offers overlayfs as a default, but buildah
    # cannot stack overlayfs on top of another overlayfs filesystem.
    STORAGE_DRIVER: vfs
    # Write all image metadata in the docker format, not the standard OCI format.
    # Newer versions of docker can handle the OCI format, but older versions, like
    # the one shipped with Fedora 30, cannot handle the format.
    BUILDAH_FORMAT: docker
    # You may need this workaround for some errors: https://stackoverflow.com/a/70438141/1233435
    BUILDAH_ISOLATION: chroot
  before_script:
    - buildah login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - buildah build -t frontend:$CI_COMMIT_SHA -f Dockerfile.dashboard
    - buildah push frontend:$CI_COMMIT_TAG

[rhatdan]

Could you try with --isolation=chroot?

[Mathie01]

Hello !

Same thing :

[rhatdan]

It looks like you are running buildah within a confined environment, while docker is probably leaking the docker.sock into the container and using it.

[Mathie01]

I can't find any information on the Internet: it seems that nobody builds his image with Gitlab and Buildah

[MartinX3]

I've got the same problem.
We use buildah as build agent in jenkins in kubernetes and since 1.28 I can't use anymore RUN addgroup -g 1001 -S appuser in the dockerfile to build the image
error running subprocess: creating new mount namespace for [/bin/sh -c addgroup -g 1001 -S appuser]: operation not permitted

[rhatdan]

@flouthoc PTAL

[slonopotamus]

Experiencing the same issue. Unable to RUN anything when running buildah v1.28.0 inside Docker container:

error running subprocess: creating new mount namespace for [/bin/sh -c dotnet tool install -g dotnet-trace]: operation not permitted
Error: building at STEP "RUN dotnet tool install -g dotnet-trace": exit status 1

Note that neither 1.28.3 nor 1.29.0 are available via https://quay.io/repository/buildah/stable so I am not sure how to test them.

[flouthoc]

I think issue is more with the version v1.28.0, I'd request to bump buildah version please see comment here: #4553 (comment)

[flouthoc]

@slonopotamus Please try with quay.io/buildah/upstream:latest

[slonopotamus]

quay.io/buildah/upstream:latest fails in a much worse way:

Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO[0000] parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO[0000] (Unable to determine exit status)

Note that this happens even with --isolation=chroot. I'm using Docker 20.10.22.

More tests

quay.io/buildah/stable:v1.28

$ docker run --rm -it quay.io/buildah/stable:v1.28 buildah unshare echo hi
hi

quay.io/buildah/upstream:latest

$ docker run --rm -it quay.io/buildah/upstream:latest buildah unshare echo hi
Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO[0000] parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO[0000] (Unable to determine exit status)

[flouthoc]

@slonopotamus Could you try

[fl@fedora ~]$ sudo docker run --privileged --user 1000 --rm -it quay.io/buildah/upstream:latest buildah unshare echo hi

[slonopotamus]

It works both with and without sudo.

$ docker run --privileged --user 1000 --rm -it quay.io/buildah/upstream:latest buildah unshare echo hi
hi

$ su -c "docker run --privileged --user 1000 --rm -it quay.io/buildah/upstream:latest buildah unshare echo hi"
Password: 
hi

Obviously, this is not a way to go due because of security reasons.

[slonopotamus]

So, I'm not sure we're talking about a single issue here. I see that 1.28.0 works better than 1.27.0 or 1.29.0 in some aspect (only 1.28.0 passes buildah unshare echo hi inside unprivileged Docker container). But even 1.28.0 fails to RUN anything in Dockerfile.

[slonopotamus]

Okay, I know why buildah unshare echo hi works in 1.28.0 and doesn't work on 1.29.0 (and main branch). It was broken by containers/storage#1415.

[giuseppe]

how were you able to run nested containers without CAP_SYS_ADMIN and without the possibility to create a new user namespace? Were you using buildah run?

[slonopotamus]

To my understanding, CAP_SYS_ADMIN is much less secure than unshare(CLONE_NEWUSER) and gives container lots of control over host machine. And even unshare(CLONE_NEWUSER) is the source of various CVEs, that's why it is disabled in Docker by default.

[slonopotamus]

I think we don't need it for buildah info and we could list the commands that do not need a new user namespace, as we do for Podman

I've created a separate issue for this, since we're talking about something that worked before and now doesn't: #4563

[mick1627]

Here my Kubernetes configuration that works on anthos gke in AWS, if it can help. Build is done in gitlab ci with a kubernetes executor.
I run buildah with user 1000 (BUILDAH_ISOLATION: chroot). What was not really clear for me is that even if it run in rootless mode, allowPrivilegeEscalation must be set to true to allow the usage of SETGID/SETUID. Adding capabilities have no effect if allowPrivilegeEscalation is set to false.

Here the securityContext needed for the pod where buildah is running:

     securityContext:
        capabilities:
          add:
            - SETGID
            - SETUID
          drop:
            - ALL
        privileged: false
        runAsUser: 1000
        allowPrivilegeEscalation: true

I drop all capabilities to only allow SETGID and SETUID

I also need to set this annotation otherwise apparmor blocks the usage of setgid

  annotations:
    container.apparmor.security.beta.kubernetes.io/build: unconfined

and last my .gitlab-ci.yml

image: 
  name: quay.io/buildah/stable:v1.28
  #name: quay.io/buildah/upstream:latest

variables:
  HTTP_PROXY: $HTTP_PROXY
  HTTPS_PROXY: $HTTPS_PROXY
  NO_PROXY: $NO_PROXY
  # Use vfs with buildah. Docker offers overlayfs as a default, but buildah
  # cannot stack overlayfs on top of another overlayfs filesystem.
  #STORAGE_DRIVER: vfs
  # Write all image metadata in the docker format, not the standard OCI format.
  # Newer versions of docker can handle the OCI format, but older versions, like
  # the one shipped with Fedora 30, cannot handle the format.
  BUILDAH_FORMAT: docker
  # You may need this workaround for some errors: https://stackoverflow.com/a/70438141/1233435
  BUILDAH_ISOLATION: chroot


master:
  stage: build
  only:
    - master
  script:
    - id
    - buildah login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - buildah build --build-arg http_proxy=${HTTP_PROXY} --build-arg https_proxy=${HTTPS_PROXY} --build-arg no_proxy=${NO_PROXY} -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA -f $CI_PROJECT_DIR/Dockerfile
    - buildah push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  tags:
    - k8s

[slonopotamus]

@mick1627 is it true that in your case container runs under containerd/CRI-O or something that is not Docker? As I understand, it might have a different seccomp profile that allows unshare(CLONE_NEWUSER) syscall.

[giuseppe]

To my understanding, CAP_SYS_ADMIN is much less secure than unshare(CLONE_NEWUSER) and gives container lots of control over host machine. And even unshare(CLONE_NEWUSER) is the source of various CVEs, that's why it is disabled in Docker by default.

but we need a way to create mounts, isolate the run command, and mount images. Without CAP_SYS_ADMIN (either from the host or from a user namespace) we cannot do that unless we support something like Kaniko that doesn't create a new environment to run the commands and uses only the VFS driver.

Also, keep in mind that VFS is much slower than overlay, creating a new layer requires scanning the entire tree every time

[mick1627]

@mick1627 is it true that in your case container runs under containerd/CRI-O or something that is not Docker? As I understand, it might have a different seccomp profile that allows unshare(CLONE_NEWUSER) syscall.

yes, it's runs under containerd

[rhatdan]

containerd is running with a tigher seccomp filter that prevents unshare.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[alucryd]

Experiencing the same running GitLab CI on a GKE autopilot. Autopilot prevents the use of privileged containers altogether, which is why I've been using kaniko until now. That thing can't do multi-stage builds at all, and even craps itself on simple builds with no error whatsoever, so here I am pushing all my hopes on buildah. Did anyone get buildah to run in unprivileged containers?

[giuseppe]

@alucryd could you try running buildah with --isolation=chroot? Is unshare blocked in your environment too?

[alucryd]

@giuseppe Already did, same result:

Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab
Using Kubernetes executor with image quay.io/buildah/stable ...
Using attach strategy to execute scripts...
Preparing environment
Waiting for pod gitlab/runner-xtk6xwdz-project-52-concurrent-0l8bgn to be running, status is Pending
Waiting for pod gitlab/runner-xtk6xwdz-project-52-concurrent-0l8bgn to be running, status is Pending
	ContainersNotInitialized: "containers with incomplete status: [init-permissions]"
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod gitlab/runner-xtk6xwdz-project-52-concurrent-0l8bgn to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-xtk6xwdz-project-52-concurrent-0l8bgn via gitlab-runner-5886f454c8-wtp5p...
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/nodejs/customers-api/.git/
Created fresh repository.
Checking out 1bb1d727 as develop...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ buildah login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
Error during unshare(CLONE_NEWUSER): Operation not permitted

GKE autopilot applies a default seccomp profile you can't modify at all: https://cloud.google.com/kubernetes-engine/docs/concepts/seccomp-in-gke

EDIT: didn't pass --isolation=chroot, but I had BUILDAH_ISOLATION set to chroot.

[slonopotamus]

As was already discussed above, buildah either needs a privileged container or unshare(CLONE_NEWUSER) capability. Neither of those are given by default policies, at least in Docker (and in GKE Autopilot, according to your page). Privileged is a huge security hole. unshare could be safer, but had several CVEs in the past, so is not considered safe also.

[alucryd]

So the only real choice out there is, sadly, kaniko :/ The devs don't seem too interested to fix anything though and didn't even respond to my issues so that's a bummer.
Isn't there any way that buildah could do away with any of these requirements? I don't know how kaniko works but it doesn't require anything special on GKE autopilot.

[slonopotamus]

Kanino knows that it is already inside a confined environment, so there isn't much value creating a separate namespace to run processes. Buildah though is primarily designed to be run on host machine where it would be insecure to run Dockerfile things as-is without any layer of isolation.

If your Dockerfile doesn't need RUN, you can use quay.io/buildah/stable:v1.28.0 image and it will work. But that has regressed (see #4563), so newer Buildah versions require mentioned capabilities even for innocent operations like listing local images.

I personally moved to Kaniko, though it has its own issues (for example, total and unexplainable madness with FROM image caching).

[rhatdan]

Buildah requires multiple UIDs and the ability to mount file systems like /proc and /sys. This means either CAP_SYS_ADMIN or creating a user namespace which requires CAP_SETUID and CAP_SETGID, along with the unshare syscall
I think calling unshare unsafe at this point is an exageration, since all the major linux distributions allow unshare for non root users for several years.