
Error during unshare(CLONE_NEWUSER): Invalid argument using Buildah in rootless mode #5822

Open
vedanshpx opened this issue Nov 7, 2024 · 4 comments

Comments

@vedanshpx

Hi, I'm trying to set up buildah to be used by a non-root user and I'm running into the following issues:

buildah info --log-level=debug

DEBU[0000] effective capabilities: [audit_control=false audit_read=false audit_write=false block_suspend=false bpf=false checkpoint_restore=false chown=false dac_override=false dac_read_search=false fowner=false fsetid=false ipc_lock=false ipc_owner=false kill=false lease=false linux_immutable=false mac_admin=false mac_override=false mknod=false net_admin=false net_bind_service=false net_broadcast=false net_raw=false perfmon=false setfcap=false setgid=false setpcap=false setuid=false sys_admin=false sys_boot=false sys_chroot=false sys_module=false sys_nice=false sys_pacct=false sys_ptrace=false sys_rawio=false sys_resource=false sys_time=false sys_tty_config=false syslog=false wake_alarm=false] 
DEBU[0000] Running [buildah-in-a-user-namespace info --log-level=debug] with environment [CONDA_PROMPT_MODIFIER=(python3)  LANGUAGE=C.UTF-8 HOSTNAME=a5bb62c46433 SHLVL=0 HOME=/home/jovyan BUILDAH_ISOLATION=chroot CONDA_SHLVL=1 OLDPWD=/home/jovyan/work _CE_M= NB_USER=jovyan CONDA_ENVS_PATH=/home/jovyan/.conda-envs:/opt/conda TERM=xterm _CE_CONDA= PATH=/opt/conda/envs/python3/bin:/opt/conda/condabin:/opt/conda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin _BUILDAH_STARTED_IN_USERNS= NB_GID=100 JUPYTER_PORT=8888 LANG=C.UTF-8 CONDA_PYTHON_EXE=/opt/conda/bin/python DEBIAN_FRONTEND=noninteractive SHELL=/bin/bash CONDA_DEFAULT_ENV=python3 CONDA_DIR=/opt/conda _START_SH_EXECUTED=1 PWD=/home/jovyan LC_ALL=C.UTF-8 CONDA_EXE=/opt/conda/bin/conda NB_UID=1000 CONDA_PREFIX=/opt/conda/envs/python3 TMPDIR=/var/tmp _CONTAINERS_USERNS_CONFIGURED=1], UID map [{ContainerID:0 HostID:1000 Size:1} {ContainerID:1 HostID:100000 Size:65536}], and GID map [{ContainerID:0 HostID:100 Size:1} {ContainerID:1 HostID:100000 Size:65536}] 
Error during unshare(CLONE_NEWUSER): Invalid argument
ERRO[0000] parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO[0000] (Unable to determine exit status

I'm also running the docker container with --cap-add=SYS_ADMIN

I see this is similar to issue #4087 but I'm running this locally and don't have dynatrace set up.

@vedanshpx
Author

@rhatdan @giuseppe - Can you guys please help? 🙏

@rhatdan
Member

rhatdan commented Nov 7, 2024

Are you running within a container? If yes then the container is running without the UNSHARE syscall due to seccomp.

Potential other reason would be you are on a system which is blocking the creation of user namespace from rootless users.

Try
unshare -U -m

@vedanshpx
Author

Hello @rhatdan - Thanks for the prompt response.

Yes, I'm running this in a container - an Ubuntu container built locally and running via docker. I've added the SYS_ADMIN capability to buildah and my user has the permission to call it. I've also tried using the following command 'docker run --privileged --cap-add=SYS_ADMIN --net=host --security-opt label=disable --security-opt seccomp=unconfined' and still the same unshare issue.

I can run unshare, which spins up a new shell, but unshare -u gives a "not permitted" error.

My ultimate aim is to run buildah within a k8s pod running jupyterhub, essentially allowing users to be able to build and push OCI images within jupyterhub itself. I'm open to other approaches, if testing locally won't work due to docker restrictions.

@rhatdan
Member

rhatdan commented Nov 11, 2024

Bottom line Buildah inside of a container needs CAP_SYS_ADMIN or CAP_SETUID and CAP_SETGID to unshare user namespace and mount file systems.

From a SECCOMP point of view it needs the UNSHARE and MOUNT syscalls, which Docker does not give by default.

Podman and CRI-O do. Not sure what containerd does.
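A small diagnostic script, added here as an example and not code from this issue or from the Buildah project, that checks the three conditions rhatdan lists for a rootless buildah inside a container: the seccomp mode, which of CAP_SYS_ADMIN / CAP_SETUID / CAP_SETGID are actually in the process's effective set, and whether `unshare -U -m` succeeds at all. It assumes a Linux /proc and the util-linux `unshare` binary; the sample status text is constructed to mirror the reporter's log, where every effective capability is false.

```shell
#!/bin/sh
# Diagnose why unshare(CLONE_NEWUSER) may fail for rootless buildah in a
# container. The parse_* helpers take /proc/<pid>/status text as an argument
# so they can be exercised on constructed samples as well as the live process.

# Seccomp mode from status text: 0 = disabled, 1 = strict, 2 = filter.
parse_seccomp_mode() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# Is capability bit $2 set in the CapEff line of status text $1? Prints yes/no.
# Bit numbers from linux/capability.h: CAP_SETGID=6, CAP_SETUID=7, CAP_SYS_ADMIN=21.
cap_in_effective() {
    hex=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }')
    [ -n "$hex" ] || { printf 'unknown\n'; return 2; }
    if [ $(( 0x$hex >> $2 & 1 )) -eq 1 ]; then printf 'yes\n'; else printf 'no\n'; fi
}

# Constructed sample resembling the reporter's situation: every effective
# capability cleared (CapEff all zero) and a seccomp filter in place.
SAMPLE_STATUS=$(printf 'Name:\tbuildah\nCapEff:\t0000000000000000\nNoNewPrivs:\t0\nSeccomp:\t2\n')

# Live diagnosis of the current process environment.
diagnose() {
    status=$(cat /proc/self/status 2>/dev/null)
    printf 'seccomp mode: %s (2 = a filter is applied, e.g. the Docker default profile)\n' \
        "$(parse_seccomp_mode "$status")"
    for c in 'CAP_SYS_ADMIN 21' 'CAP_SETUID 7' 'CAP_SETGID 6'; do
        set -- $c
        printf '%s in CapEff: %s\n' "$1" "$(cap_in_effective "$status" "$2")"
    done
    # Kernel-side limits on unprivileged user namespaces (which files exist varies by distro).
    for f in /proc/sys/user/max_user_namespaces /proc/sys/kernel/unprivileged_userns_clone; do
        [ -r "$f" ] && printf '%s = %s\n' "$f" "$(cat "$f")"
    done
    # The check rhatdan suggested: can this user create a user + mount namespace?
    if unshare -U -m true 2>/dev/null; then
        printf 'unshare -U -m: ok\n'
    else
        printf 'unshare -U -m: failed, so buildah-in-a-user-namespace cannot start either\n'
    fi
}

diagnose
```

Run it inside the container as the same non-root user that runs buildah; a "no" for all three capabilities together with seccomp mode 2 is the Docker default that the thread describes.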
