-
Notifications
You must be signed in to change notification settings - Fork 788
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error during unshare(CLONE_NEWUSER): Invalid argument using Buildah in rootless mode #5822
Comments
Are you running within a container? If yes then the container is running without the UNSHARE syscall do to seccomp. Potential other reason would be you are on a system which is blocking the creation of user namespace from rootless users. Try |
Hello @rhatdan - Thanks for the prompt response. Yes, i'm running this in a container - A ubuntu container built locally and running via docker. I've added the SYS_ADMIN capability to buildah and my user has the permission to call it. I've also tried using the following command 'docker run --privileged --cap-add=SYS_ADMIN --net=host --security-opt label=disable --security-opt seccomp=unconfined' and still the same unshare issue. I can run unshare, which spins up a new shell but unshare -u gives not permitted error. My ultimate aim is to run buildah within a k8s pod running jupyterhub, essentially allowing users to be able to build and push OCI images within jupyterhub itself. I'm open to other approaches, if testing locally won't work due to docker restrictions. |
Bottom line Buildah inside of a container needs CAP_SYS_ADMIN or CAP_SETUID and CAP_SETGID to unshare user namespace and mount file systems. From a SECCOMP point of view it needs the UNSHARE and MOUNT syscalls, which Docker does not give by default. Podman and CRI-O do. Not sure what containerd does. |
A friendly reminder that this issue had no activity for 30 days. |
Hi, i'm trying to setup buildah to be used by a non-root user and i'm running into the following issues :
buildah info --log-level=debug
I'm also running the docker container with --cap-add=SYS_ADMIN
I see this is similar to issue #4087 but i'm running this locally and don't have dynatrace setup.
The text was updated successfully, but these errors were encountered: