Rootless buildah/stable image not working #3053

Closed
tetchel opened this issue Mar 3, 2021 · 26 comments · Fixed by #3056

Comments

@tetchel
Contributor

tetchel commented Mar 3, 2021

Description
I cannot run buildah as the non-root user in a podman container locally. It fails to run setuid/setgid.

The issue does not happen if I use the default root user.

Sorry for this issue I see you get a lot; however I have gone through a number of issues and documentation over the last couple days and had no luck.

Rolling back to version 1.16.2 fixes the warnings printed at the top (error running new{g,u}idmap). That warning is introduced in version 1.17.0 and later. But the final error is the same.

I tried version 1.14.8 since I noticed it is used in this rootless tutorial. It seemed to go through the whole Containerfile before failing (rather than failing after failing to write the first layer) but failed in the end the same.

I also tried podman with --runtime crun from here but that didn't fix it either.

Describe the results you received:

[ /src/redhat-actions/openshift-actions-runner-chart ] 03 (main) $ podman run --user build --entrypoint=/bin/bash -it quay.io/buildah/stable:v1.19.6
[build@ee048e1df20d /]$ cd /home/build
[build@ee048e1df20d ~]$ cat > Containerfile.test <<EOF
> FROM fedora:33
> RUN ls -l /test-script.sh
> RUN /test-script.sh "Hello world"
> RUN dnf update -y | tee /output/update-output.txt
> RUN dnf install -y gcc
> EOF
[build@ee048e1df20d ~]$ buildah bud ./Containerfile.test 
WARN error running newgidmap: exit status 1: newgidmap: write to gid_map failed: Operation not permitted 
WARN falling back to single mapping               
WARN error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted 
WARN falling back to single mapping               
STEP 1: FROM fedora:33
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Getting image source signatures
Copying blob 157ab8011454 done  
Copying config 9f2a560376 done  
Writing manifest to image destination
Storing signatures
error creating build container: Error committing the finished image: error adding layer with blob "sha256:157ab801145489f145f258148bd135102a3294e420f1859a39e824e7cda56b2f": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:35 for /usr/libexec/utempter): Check /etc/subuid and /etc/subgid: lchown /usr/libexec/utempter: invalid argument
ERRO exit status 125                              
[build@ee048e1df20d ~]$

Describe the results you expected:
A successful build

Output of rpm -q buildah or apt list buildah:

(inside container)

buildah-1.19.6-2.fc33.x86_64

Output of buildah version:
(inside container)

Version:         1.19.6
Go Version:      go1.15.8
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:  
image Version:   5.10.2
Git Commit:      
Built:           Thu Jan  1 00:00:00 1970
OS/Arch:         linux/amd64

Output of podman version if reporting a podman build issue:
(outside container, because I used podman to run it. No podman inside container)

[ /src/redhat-actions/openshift-actions-runner-chart ] 11 (main) $ podman version
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.8
Built:        Fri Feb 19 11:56:17 2021
OS/Arch:      linux/amd64

Output of cat /etc/*release:
(inside container)

Fedora release 33 (Thirty Three)
NAME=Fedora
VERSION="33 (Container Image)"
ID=fedora
VERSION_ID=33
VERSION_CODENAME=""
PLATFORM_ID="platform:f33"
PRETTY_NAME="Fedora 33 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:33"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f33/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=33
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=33
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Container Image"
VARIANT_ID=container
Fedora release 33 (Thirty Three)
Fedora release 33 (Thirty Three)

Output of uname -a:
(inside container)

Linux 5f0791d24923 5.10.15-200.fc33.x86_64 #1 SMP Wed Feb 10 17:46:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:
(inside container)

# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Temporary storage location
runroot = "/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
"/var/lib/shared",
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,fsync=0"

# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.
# size = ""

# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
#  "": No value specified.
#     All files/directories, get set with the permissions identified within the
#     image.
#  "private": it is equivalent to 0700.
#     All files/directories get set with 0700 permissions.  The owner has rwx
#     access to the files. No other users on the system can access the files.
#     This setting could be used with networked based homedirs.
#  "shared": it is equivalent to 0755.
#     The owner has rwx access to the files and everyone else can read, access
#     and execute them. This setting is useful for sharing containers storage
#     with other users.  For instance have a storage owned by root but shared
#     to rootless users as an additional store.
#     NOTE:  All files within the image are made readable and executable by any
#     user on the system. Even /etc/shadow within your image is now readable by
#     any user.
#
#   OCTAL: Users can experiment with other OCTAL Permissions.
#
#  Note: The force_mask Flag is an experimental feature, it could change in the
#  future.  When "force_mask" is set the original permission mask is stored in
#  the "user.containers.override_stat" xattr and the "mount_program" option must
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
#  extended attribute permissions to processes within containers rather then the
#  "force_mask"  permissions.
#
# force_mask = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

Other debug output

[build@5f0791d24923 /]$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(build) euid=1000(build)
gid=1000(build)
groups=
Guessed mode: UNCERTAIN (0)
[build@5f0791d24923 /]$ cat /etc/sub{u,g}id
build:100000:65536
build:100000:65536
[build@5f0791d24923 /]$ dnf list shadow-utils
Fedora 33 openh264 (From Cisco) - x86_64                                                                                       6.1 kB/s | 2.5 kB     00:00    
Fedora Modular 33 - x86_64                                                                                                     3.2 MB/s | 3.3 MB     00:01    
Fedora Modular 33 - x86_64 - Updates                                                                                           5.9 MB/s | 3.1 MB     00:00    
Fedora 33 - x86_64 - Updates                                                                                                   1.9 MB/s |  24 MB     00:12    
Fedora 33 - x86_64                                                                                                             4.9 MB/s |  72 MB     00:14    
Installed Packages
shadow-utils.x86_64                                                           2:4.8.1-5.fc33                                                           @updates
[build@5f0791d24923 /]$
@tetchel tetchel changed the title Rootless buildah not working in container Rootless buildah/stable image not working Mar 3, 2021
@rhatdan
Member

rhatdan commented Mar 3, 2021

This means the host User Namespace is not large enough to include buildah inside of the container

While in the container you have only 65000 UIDs, but the container wants to start with UID 100000.
If you modify the /etc/subuid inside of the container to say start at 2000 for 50000 UIDs, it should work.

@rhatdan
Member

rhatdan commented Mar 3, 2021

Ok I got it to work, but it is not pretty.

$  mkdir containers

We are going to need a containers directory that is not mounted on fuse-overlay, since fuse-overlay will not work on a fuse-overlay. We mount the volume into the podman container, and add the /dev/fuse device so that we can use fuse-overlay inside of the container. Otherwise we could use storage driver vfs.

$ podman run -v ./containers:/home/build/.local/share/containers:Z --device /dev/fuse --entrypoint=/bin/bash -it quay.io/buildah/stable:v1.19.6
[root@f522e92ed4d5 /]# 

Notice how I'm logged in as root; this is because I need to modify the /etc/subuid and /etc/subgid files to use a smaller range, since my container has only 65k uids to use. I pick UID 2000 and then the next 50000 uids.

[root@f522e92ed4d5 /]# echo build:2000:50000 > /etc/subuid
[root@f522e92ed4d5 /]# echo build:2000:50000 > /etc/subgid

I also want to chown the homedir including the volume I mounted in, to be owned by the buildah user.

[root@f522e92ed4d5 /]# chown -R build:build /home/build

Now I switch to the buildah user and create the Containerfile.

[root@f522e92ed4d5 /]# su - build
[build@f522e92ed4d5 ~]$ cat > Containerfile << _EOF
from fedora:33
run dnf -y update; dnf -y install gcc; dnf -y clean all
_EOF

Now I want to run buildah bud, but I have to use --isolation=chroot, otherwise buildah will try to create devices, which I am not allowed to do in a rootless environment.

[build@f522e92ed4d5 ~]$ buildah bud --isolation=chroot ./Containerfile 
STEP 1: FROM fedora:33
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Getting image source signatures
Copying blob 157ab8011454 [--------------------------------------] 0.0b / 0.0b
Copying config 9f2a560376 done  
Writing manifest to image destination
Storing signatures
STEP 2: run dnf -y update; dnf -y install gcc; dnf -y clean all
Fedora 33 openh264 (From Cisco) - x86_64        1.3 kB/s | 2.5 kB     00:01    
Fedora Modular 33 - x86_64                      451 kB/s | 3.3 MB     00:07    
Fedora Modular 33 - x86_64 - Updates            203 kB/s | 3.1 MB     00:15    
Fedora 33 - x86_64 - Updates                    424 kB/s |  24 MB     00:58    
Fedora 33 - x86_64                              1.5 MB/s |  72 MB     00:46    
Dependencies resolved.
================================================================================
 Package                       Arch     Version                 Repo       Size
================================================================================
Upgrading:
 audit-libs                    x86_64   3.0.1-2.fc33            updates   115 k
...

Installed:
  binutils-2.35-18.fc33.x86_64          binutils-gold-2.35-18.fc33.x86_64      
  cpp-10.2.1-9.fc33.x86_64              gc-8.0.4-4.fc33.x86_64                 
  gcc-10.2.1-9.fc33.x86_64              glibc-devel-2.32-4.fc33.x86_64         
  glibc-headers-x86-2.32-4.fc33.noarch  guile22-2.2.7-1.fc33.x86_64            
  isl-0.16.1-12.fc33.x86_64             kernel-headers-5.10.13-200.fc33.x86_64 
  libmpc-1.1.0-9.fc33.x86_64            libpkgconf-1.7.3-5.fc33.x86_64         
  libtool-ltdl-2.4.6-36.fc33.x86_64     libxcrypt-devel-4.4.18-1.fc33.x86_64   
  make-1:4.3-2.fc33.x86_64              pkgconf-1.7.3-5.fc33.x86_64            
  pkgconf-m4-1.7.3-5.fc33.noarch        pkgconf-pkg-config-1.7.3-5.fc33.x86_64 

Complete!
42 files removed
STEP 3: COMMIT
Getting image source signatures
Copying blob d9e1d1e08de2 skipped: already exists  
Copying blob 0a925791ef20 done  
Copying config c6672ce7a7 done  
Writing manifest to image destination
Storing signatures
--> c6672ce7a79
c6672ce7a793bd2840011380e58502a5128ac5aeb45347ad5593f416ce9a5e86

There it works. We could make this much easier if we modified the default range of UIDs inside of the buildah stable container and defaulted for rootless users to isolation=chroot.
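As an added example that is not part of the issue thread or of the buildah project, the following POSIX shell check encodes the arithmetic rhatdan walks through above: it reads the user-namespace mapping a process actually has (the /proc/self/uid_map format, "inside outside length") and verifies that every /etc/subuid entry for a user fits inside it. The sample files are constructed. The first map assumes, as described above, an outer rootless container that was handed 65536 IDs, so the shipped build:100000:65536 range cannot fit while build:2000:50000 can; the second map shows a multi-entry mapping to demonstrate that the check takes the highest mapped ID rather than the first line. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue): does the subordinate ID range in an
# /etc/subuid-style file fit inside the user namespace this process lives in?
# MAPFILE has the /proc/self/uid_map layout:  inside_id  outside_id  length
# SUBIDFILE has the /etc/subuid layout:       user:start:count

# max_mapped_id MAPFILE
# Print one past the highest container-side ID that is mapped, i.e. the number
# of usable IDs when the mapping starts at 0. A rootless podman container whose
# host user owns 65536 subordinate IDs reports 65536 here.
max_mapped_id() {
    awk '{ end = $1 + $3; if (end > max) max = end } END { printf "%d\n", max }' "$1"
}

# subid_ranges_fit USER SUBIDFILE MAPFILE
# Exit 0 when every range assigned to USER in SUBIDFILE lies inside the
# namespace described by MAPFILE; otherwise name the offending entries and
# exit 1. This is the condition newuidmap/newgidmap enforce when they write
# uid_map/gid_map: IDs that do not exist in the parent namespace are rejected.
subid_ranges_fit() {
    limit=$(max_mapped_id "$3")
    awk -F: -v user="$1" -v limit="$limit" '
        $1 == user {
            end = $2 + $3
            if (end > limit) {
                printf "%s: needs IDs up to %d but only 0..%d exist in this namespace\n",
                       $0, end - 1, limit - 1
                bad = 1
            }
        }
        END { exit bad }' "$2"
}

# --- constructed sample inputs -------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# What /proc/self/uid_map looks like inside a rootless podman container whose
# host user was granted 65536 subordinate IDs (assumption based on the thread).
printf '%s\n' '         0     100000      65536' > "$tmp/uid_map"

# A keep-id style mapping with several entries; the usable range ends at 65537.
printf '%s\n' '0 100000 1000' '1000 1000 1' '1001 101000 64536' > "$tmp/uid_map.keepid"

# The range shipped in buildah/stable before the fix, and the fixed one.
printf 'build:100000:65536\n' > "$tmp/subuid.broken"
printf 'build:2000:50000\n'   > "$tmp/subuid.fixed"

subid_ranges_fit build "$tmp/subuid.broken" "$tmp/uid_map" || echo "broken range rejected (expected)"
subid_ranges_fit build "$tmp/subuid.fixed"  "$tmp/uid_map" && echo "fixed range accepted"
```

Inside the nested container the real invocation is `subid_ranges_fit build /etc/subuid /proc/self/uid_map`, and the same for /etc/subgid against /proc/self/gid_map; run it before buildah and a failure is the "potentially insufficient UIDs or GIDs available in user namespace" situation rhatdan diagnoses, caught before any layer is written.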

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

I did the following and it appeared to work:

FROM quay.io/buildah/stable:v1.19.6

RUN echo "build:2000:50000" > /etc/subuid
RUN echo "build:2000:50000" > /etc/subgid

Should the buildah/stable image be updated to have these values?

@rhatdan
Member

rhatdan commented Mar 3, 2021

Seems reasonable to me.

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

ENV BUILDAH_ISOLATION=chroot has the same effect as --isolation=chroot, right?

@rhatdan
Member

rhatdan commented Mar 3, 2021

Yes, although this should be exposed in containers.conf.

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

okay, let me test this on openshift since that's my "real" use-case.

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

My custom image is still not working. I am not sure what is different from buildah/stable here. My image is not built FROM buildah/stable because I have my own base image.

I am still running it with podman: podman run -it --entrypoint=/bin/bash quay.io/redhat-github-actions/buildah-runner:latest

You can pull it from there if you like. The dockerfile is here and the base image's dockerfile is here

  • The content of /etc/containers/storage.conf is the same (unadjusted from buildah/stable)
  • The content of /etc/containers/containers.conf is the same:
[engine]
cgroup_manager = "cgroupfs"
  • The content of ~/.config/containers/storage.conf is the same (adjusted for vfs)
[storage]
driver = "vfs"
  • The content of /etc/sub{g,u}id is the same (same as our working example above)
[build@eedd8e931b84 ~]$ cat /etc/sub{g,u}id
build:2000:50000
build:2000:50000

Environment dump doesn't show any obvious problem
(output below is from my custom image):

[build@eedd8e931b84 ~]$ buildah --log-level debug
DEBU running [buildah-in-a-user-namespace --log-level debug] with environment [HOSTNAME=eedd8e931b84 RUNNER_WORKDIR=/home/build/_work DISTTAG=f33container PWD=/home/build FBR=f33 container=podman HOME=/home/build USERNAME=build LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36: FGC=f33 GITHUB_OWNER= BUILDAH_ISOLATION=chroot TERM=xterm LESSOPEN=||/usr/bin/lesspipe.sh %s SHLVL=1 GITHUB_REPOSITORY= PATH=/home/build/.local/bin:/home/build/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 
RUNNER_LABELS= UID=1000 GITHUB_PAT= _=/usr/bin/buildah TMPDIR=/var/tmp _CONTAINERS_USERNS_CONFIGURED=1], UID map [{ContainerID:0 HostID:1000 Size:1} {ContainerID:1 HostID:2000 Size:50000}], and GID map [{ContainerID:0 HostID:1000 Size:1} {ContainerID:1 HostID:2000 Size:50000}] 
WARN error running newgidmap: exit status 1: newgidmap: write to gid_map failed: Operation not permitted 
WARN falling back to single mapping               
WARN error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted 
WARN falling back to single mapping               
A tool that facilitates building OCI images

Usage:
  buildah [flags]
  buildah [command]

Available Commands:
  add         Add content to the container
  bud         Build an image using instructions in a Dockerfile
  commit      Create an image from a working container
  config      Update image configuration settings
  containers  List working containers and their base images
  copy        Copy content into the container
  from        Create a working container based on an image
  help        Help about any command
  images      List images in local storage
  info        Display Buildah system information
  inspect     Inspect the configuration of a container or image
  login       Login to a container registry
  logout      Logout of a container registry
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  pull        Pull an image from the specified location
  push        Push an image to a specified destination
  rename      Rename a container
  rm          Remove one or more working containers
  rmi         Remove one or more images from local storage
  run         Run a command inside of the container
  tag         Add an additional name to a local image
  umount      Unmount the root file system of the specified working containers
  unshare     Run a command in a modified user namespace
  version     Display the Buildah version information

Flags:
  -h, --help                                 help for buildah
      --log-level string                     The log level to be used. Either "debug", "info", "warn" or "error". (default "warn")
      --registries-conf string               path to registries.conf file (not usually used)
      --registries-conf-dir string           path to registries.conf.d directory (not usually used)
      --root string                          storage root dir (default "/var/lib/containers/storage")
      --runroot string                       storage state dir (default "/run/containers/storage")
      --storage-driver string                storage-driver (default "overlay")
      --storage-opt strings                  storage driver option (default [overlay.imagestore=/var/lib/shared,overlay.mount_program=/usr/bin/fuse-overlayfs,"overlay.mountopt=nodev,fsync=0"])
      --userns-gid-map ctrID:hostID:length   default ctrID:hostID:length GID mapping to use
      --userns-uid-map ctrID:hostID:length   default ctrID:hostID:length UID mapping to use
  -v, --version                              version for buildah

Use "buildah [command] --help" for more information about a command.

You can see the uidmap warnings are printed, and indeed when I run buildah bud I get the same error as the original issue.

id output:

[build@05f3f7716794 ~]$ id
uid=1000(build) gid=1000(build) groups=1000(build)

Could it be because my user is part of group 0? I added this because it's OpenShift behaviour.
I removed myself from group 0 and it did not change anything (I have updated the id output).

[build@2b25ef011a50 ~]$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(build)
gid=1000(build)
groups=

What else could I check?

@rhatdan
Member

rhatdan commented Mar 3, 2021

Check to see if newuidmap and newgidmap have the setfcap flags set inside of your container. Sometimes you have to reinstall the shadow-utils package.

Here is the Containerfile we use to build buildah/stable. https://github.com/containers/buildah/blob/master/contrib/buildahimage/stable/Dockerfile
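As an added example (not code from the thread or from buildah), this shell snippet performs the check rhatdan suggests: confirm that newuidmap and newgidmap are actually privileged in the image. shadow-utils installs them with file capabilities (cap_setuid and cap_setgid), and a layer extracted without xattr support silently drops those, which is what a reinstall repairs. The parser accepts both output formats libcap has used over the years (`/path = cap_setuid+ep` and `/path cap_setuid=ep`) and falls back to accepting a setuid-root binary. The sample getcap lines below are constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue): are the rootless ID-mapping helpers that
# buildah shells out to (newuidmap/newgidmap) really privileged in this image?

# cap_effective GETCAP_LINE CAP
# Exit 0 if one line of getcap output grants CAP in both the permitted and
# effective sets. Handles "path = cap_a,cap_b+ep" (libcap 2.4x) as well as
# "path cap_a,cap_b=ep" (libcap 2.5x); an empty line means "no file caps".
cap_effective() {
    printf '%s\n' "$1" | awk -v cap="$2" '
    {
        for (f = 2; f <= NF; f++) {
            if ($f == "=") continue                  # separator in the old format
            n = split($f, parts, /[+=]/)             # parts[1]=caps, parts[2]=flags
            if (n != 2) continue
            m = split(parts[1], caps, ",")
            for (i = 1; i <= m; i++)
                if (caps[i] == cap && index(parts[2], "e") && index(parts[2], "p"))
                    exit 0
        }
        exit 1
    }'
}

# idmap_helper_ok PATH CAP
# Exit 0 if PATH is executable and either carries CAP as a file capability or
# is setuid root (the classic install, also accepted by newuidmap/newgidmap).
idmap_helper_ok() {
    [ -x "$1" ] || return 1
    if command -v getcap >/dev/null 2>&1; then
        cap_effective "$(getcap "$1" 2>/dev/null)" "$2" && return 0
    fi
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{ print $3 }')" = root ]
}

# Usage: run inside the image as any user. A FAIL line here is the condition
# behind "newuidmap: write to uid_map failed: Operation not permitted".
for helper in newuidmap:cap_setuid newgidmap:cap_setgid; do
    bin=/usr/bin/${helper%%:*}
    cap=${helper##*:}
    if idmap_helper_ok "$bin" "$cap"; then
        echo "ok:   $bin has $cap"
    else
        echo "FAIL: $bin lacks $cap (try: dnf reinstall shadow-utils)"
    fi
done
```

The loop's output is what to compare before and after `dnf reinstall shadow-utils`; if it still fails after the reinstall, the build tool that produced the image is not preserving the security.capability xattr and the check needs to move into the image build itself rather than the running container.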

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

Wow, I already had dnf install shadow-utils but I changed it to dnf reinstall shadow-utils at your prompting and that appears to have fixed it.

I'm glad I opened an issue instead of continuing to bang my head against this. Thank you so much.

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

Should I leave this open for the change proposed above #3053 (comment) ?

@rhatdan
Member

rhatdan commented Mar 3, 2021

Better yet open a PR to fix it.

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

my pleasure!

@tetchel
Contributor Author

tetchel commented Mar 3, 2021

#3056

@aaabdallah

Thank you for this document; I have struggled with the same issue for days on my own image in which I wanted to use buildah. I only got it to work by picking apart the buildah image on quay.io ... and finding the odd uid range of 2000:50000. When I did this, it worked for me in my own image. Then I googled that (2000:50000) to see if there is any information why this is important... and it led immediately to this issue. Kind suggestion: update the documentation for this please. There are many articles out there talking about buildah within a container... and none of them mention this absolutely critical bit of information.

@TomSweeneyRedHat
Member

@aaabdallah Thanks for the digging and discovery. I've created #3119 so we can clean this up.

@itewk

itewk commented Jun 10, 2021

Well... I only wasted 3 hours of my life trying to figure out why my rootless buildah bud builds inside a container stopped working between buildah 1.15 and 1.19 when I finally found this issue. Doing the dnf reinstall shadow-utils did the trick for me, though I still don't understand why.

@anthr76

anthr76 commented Jun 11, 2021

I'm trying to initiate CI builds from Gitlab with my Kubernetes runner. I'm facing similar issues described above and not really sure where to turn yet..

Firstly, my cluster is backed by CRI-O on OpenSUSE Kubic.

The first error I observe is:

$ buildah bud --format docker -f $CI_PROJECT_DIR/$CONTAINER_ROOT/Containerfile -t $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG $CONTAINER_ROOT
Error: error writing "0 0 4294967295\n" to /proc/25/uid_map: write /proc/25/uid_map: operation not permitted
level=error msg="error writing \"0 0 4294967295\\n\" to /proc/25/uid_map: write /proc/25/uid_map: operation not permitted"
level=error msg="(unable to determine exit status)"
Cleaning up file based variables
00:00
ERROR: Job failed: command terminated with exit code 1

This somewhat makes sense as our buildah stable Containerfile doesn't have a USER directive. So this process is running as "root" inside the pod since I can't set a runAsUser directive on CI job. Is there a good reason we can't use USER in the containerfile?

So to further debug this I drop into a temporary pod on Kubernetes

kubectl run buildah-bud --rm -i --tty --image quay.io/buildah/stable:v1.21.0 -- /bin/bash

As the build user I'm greeted with:

If you don't see a command prompt, try pressing enter.
[root@buildah-bud /]# su build
[build@buildah-bud /]$ buildah pull docker.io/busybox
WARN[0000] Error loading container config when searching for local runtime: no such file or directory 
ERRO[0000] failed to setup From and Bud flags: failed to get container config: no such file or directory 
ERRO[0000] exit status 1

and as expected (I think) with root user:

[root@buildah-bud /]# buildah pull busybox
ERRO[0000] error writing "0 0 4294967295\n" to /proc/67/uid_map: write /proc/67/uid_map: operation not permitted 
Error: error writing "0 0 4294967295\n" to /proc/67/uid_map: write /proc/67/uid_map: operation not permitted
ERRO[0000] (unable to determine exit status

Am I missing something?

crio-status info (Kubernetes Nodes)
cgroup driver: systemd
storage driver: overlay
storage root: /var/lib/containers/storage
default GID mappings (format <container>:<host>:<size>):
  0:0:4294967295
default UID mappings (format <container>:<host>:<size>):
  0:0:4294967295

Kubernetes runs as root. FWIW the above hack dnf reinstall shadow-utils fails to re-install.

buildah --log-level debug
DEBU[0000] running [buildah-in-a-user-namespace --log-level debug] with environment [SHELL=/bin/bash KUBERNETES_SERVICE_PORT_HTTPS=443 WHOAMI_SERVICE_PORT_HTTP=80 KUBERNETES_SERVICE_PORT=443 HOSTNAME=buildah-bud WHOAMI_SERVICE_HOST=10.42.39.229 DISTTAG=f34container PWD=/ LOGNAME=build container=oci HOME=/home/build LANG=C.UTF-8 KUBERNETES_PORT_443_TCP=tcp://10.42.0.1:443 WHOAMI_PORT_80_TCP=tcp://10.42.39.229:80 WHOAMI_SERVICE_PORT=80 BUILDAH_ISOLATION=chroot TERM=xterm WHOAMI_PORT_80_TCP_PROTO=tcp USER=build SHLVL=2 WHOAMI_PORT_80_TCP_PORT=80 KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_ADDR=10.42.0.1 KUBERNETES_SERVICE_HOST=10.42.0.1 KUBERNETES_PORT=tcp://10.42.0.1:443 KUBERNETES_PORT_443_TCP_PORT=443 WHOAMI_PORT=tcp://10.42.39.229:80 PATH=/home/build/.local/bin:/home/build/bin:/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin WHOAMI_PORT_80_TCP_ADDR=10.42.39.229 _=/usr/bin/buildah TMPDIR=/var/tmp _CONTAINERS_USERNS_CONFIGURED=1], UID map [{ContainerID:0 HostID:1000 Size:1} {ContainerID:1 HostID:2000 Size:50000}], and GID map [{ContainerID:0 HostID:1000 Size:1} {ContainerID:1 HostID:2000 Size:50000}]

@TomSweeneyRedHat
Member

@rhatdan I know you and @umohnani8 have been digging around a lot in this space as of late, any tips?

@koceg

koceg commented Aug 4, 2021

As @anthr76 already pointed out in #3053 (comment) I got the same issue when testing buildah on OKD 4.7 cluster. Solution was to add USER build as the last line of Dockerfile.
Question is why call useradd build here https://github.com/containers/buildah/blob/main/contrib/buildahimage/stable/Dockerfile#L14 if it's not used to set the environment for container execution?

@rhatdan
Member

rhatdan commented Aug 4, 2021

Because we want the image to be used by both root and the buildah user. Certain uses want to run the buildah container as root and others want to run it in rootless mode with the buildah user.

@tetchel
Contributor Author

tetchel commented Aug 4, 2021

@anthr76

anthr76 commented Aug 4, 2021

FWIW @koceg you can always use runAsUser in your podsecuritypolicy spec to work around this in k8s/openshift so you don't have to edit the image.

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritypolicy-v1beta1-policy

Some other helpful doc:

https://github.com/redhat-actions/openshift-actions-runners/tree/main/buildah#readme

https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-bud.md

runAsUser is useful in this scenario, though limited in GitLab CI since you're pinning all users of the image to the UID of build. Likely making your own image is best in this scenario? I still have to circle back to this and research further on the K8s end. I've been experimenting with user namespaces on CRI-O.

@nnachefski

I'm hitting this as well using tekton on Openshift (Openshift Pipelines Operator on Openshift 4.7).

+ buildah --storage-driver=vfs bud --format=docker --tls-verify=true --no-cache -f Dockerfile -t ******* -t ******** .
Error: error writing "0 0 4294967295\n" to /proc/25/uid_map: write /proc/25/uid_map: operation not permitted
level=error msg="error writing \"0 0 4294967295\\n\" to /proc/25/uid_map: write /proc/25/uid_map: operation not permitted"
level=error msg="(unable to determine exit status)"

Is there a build image I can plug in to fix this?

@canit00

canit00 commented Oct 25, 2021

@nnachefski The url @anthr76 shared is working for me on OCP 4.8 - have you given it a try?

Also as he commented, I need to learn more about it overall.

Client Version: 4.8.2
Server Version: 4.8.14
Kubernetes Version: v1.21.1+a620f50

Working slimmer image:

# Runner image that runs buildah as an unprivileged user instead of root.
ARG BASE_IMG=registry.access.redhat.com/ubi8/ubi
FROM $BASE_IMG AS buildah-runner

# Unprivileged build user, plus the subordinate UID/GID ranges that newuidmap/newgidmap
# map into the build's user namespace (without them buildah logs "No subuid ranges found").
RUN useradd buildah && \
    echo buildah:10000:5000 > /etc/subuid && \
    echo buildah:10000:5000 > /etc/subgid

# https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
# https://github.com/containers/buildah/blob/master/contrib/buildahimage/stable/Dockerfile
# https://github.com/containers/buildah/issues/1011
# https://github.com/containers/buildah/issues/3053

# Reinstalling shadow-utils restores the setuid bits on newuidmap/newgidmap that the
# base image lacks; without them buildah falls back to a single ID mapping.
RUN dnf -y update && \
    dnf -y install xz slirp4netns buildah podman fuse-overlayfs shadow-utils --exclude container-selinux && \
    dnf -y reinstall shadow-utils && \
    dnf clean all

# Make the container configuration readable by everyone and writable by GID 0,
# the group OpenShift assigns to arbitrary UIDs.
RUN chgrp -R 0 /etc/containers/ && \
    chmod -R a+r /etc/containers/ && \
    chmod -R g+w /etc/containers/

ENV BUILDAH_ISOLATION=chroot
ENV BUILDAH_LAYERS=true

# containers.conf from the upstream buildah stable image. ADD creates it root-owned,
# so the ownership/permission fix is repeated afterwards.
ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahimage/stable/containers.conf /etc/containers/

RUN chgrp -R 0 /etc/containers/ && \
    chmod -R a+r /etc/containers/ && \
    chmod -R g+w /etc/containers/

# Use VFS since fuse does not work
# https://github.com/containers/buildah/blob/master/vendor/github.com/containers/storage/storage.conf
RUN mkdir -vp /home/buildah/.config/containers && \
    printf '[storage]\ndriver = "vfs"\n' > /home/buildah/.config/containers/storage.conf && \
    chown -Rv buildah /home/buildah/.config/

USER buildah
WORKDIR /home/buildah

@titou10titou10

titou10titou10 commented Nov 18, 2021

@nnachefski I have the same problem, with OKD v4.8.0-0.okd-2021-11-14-052418 (k8s v1.21.2+9e8f924-1555), tekton installed via the "Red Hat OpenShift Pipelines" operator (currently v15.21).
The buildah ClusterTask fails with

step-build
 + buildah --storage-driver=vfs bud --format=oci --tls-verify=false --no-cache -f ./Dockerfile -t <image> <path to Dockerfile dir>
 level=error msg="error writing \"0 0 4294967295\\n\" to /proc/24/uid_map: write /proc/24/uid_map: operation not permitted"
 level=error msg="(unable to determine exit status)"
 Error: error writing "0 0 4294967295\n" to /proc/24/uid_map: write /proc/24/uid_map: operation not permitted

Did you find a solution to the problem?
The failing PipelineRun is defined with "serviceAccountName: pipeline".
Maybe linking this pipeline ServiceAccount to a privileged SCC is the solution?

[UPDATE]
I changed the SA to "serviceAccountName: builder" in the PipelineRun and I have a different error:

step-build
 + buildah --storage-driver=vfs bud --format=oci --tls-verify=false --no-cache -f ./Dockerfile -t <image> <path to Dockerfile dir>
 level=warning msg="error reading allowed ID mappings: error reading subuid mappings for user \"1000670000\" and subgid mappings for group \"1000670000\": No subuid ranges found for user \"1000670000\" in /etc/subuid"
 level=warning msg="Found no UID ranges set aside for user \"1000670000\" in /etc/subuid."
 level=warning msg="Found no GID ranges set aside for user \"1000670000\" in /etc/subgid."
 level=warning msg="error running newgidmap: fork/exec /usr/bin/newgidmap: operation not permitted: "
 level=warning msg="falling back to single mapping"
 level=warning msg="error running newuidmap: fork/exec /usr/bin/newuidmap: operation not permitted: "
 level=warning msg="falling back to single mapping"
 STEP 1: FROM <base image>
 Getting image source signatures
 Copying blob sha256:1831e571c997bd295bd5ae59bfafd69ba942bfe9e63f334cfdc35a8c86886d47
 {...}
 Writing manifest to image destination
 Storing signatures
 level=error msg="Error while applying layer: ApplyLayer exit status 1 stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid: lchown /var/spool/mail: invalid argument"
 error creating build container: Error committing the finished image: error adding layer with blob "sha256:262268b65bd5f33784d6a61514964887bc18bc00c60c588bc62bfae7edca46f1": ApplyLayer exit status 1 stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid: lchown /var/spool/mail: invalid argument
 level=error msg="exit status 125"

[UPDATE 2]
Got it to work in OKD v4.8 and tekton OCP Pipelines !

Gave the "anyuid" SCC to ServiceAccount "builder" <- can probably use a custom SCC with less privileges

oc adm policy add-scc-to-user anyuid -z builder -n <namespace>

Added to the PipelineRun:

spec:
  taskRunSpecs:
    - pipelineTaskName: buildah # <- name of the "buildah" ClusterTask in the Pipeline
      taskServiceAccountName: builder
      taskPodTemplate:
        securityContext:
          runAsUser: 1000

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2023