Permission denied while running buildah image with docker

[danifv]

Description

I can't get the buildah images working with the docker runtime without --privileged.
Unfortunately I can't change the container runtime but nevertheless I would prefer to use an unprivileged container for building instead of dind containers with a mounted socket.

Steps to reproduce the issue:

1. Ensure that "unshare" is allowed in your seccomp profile
2. Start a container with docker run --rm -it --security-opt seccomp=/usr/share/containers/seccomp.json -v quay.io/buildah/stable:v.1.12.0 sh
3. Start a buildah command e.g. buildah from alpine

Describe the results you received:

permission denied  
ERRO exit status 1

Describe the results you expected:
The image being pulled

Output of uname -a:

5.0.0-38-generic

[rhatdan]

We really can do nothing to fix Docker daemon or the seccomp.json packaged for it.

[danifv]

That's clear, I was just thinking if there's a configuration option for buildah which allows it to work with whatever constraints docker applies.

[vrothberg]

@danifv you can try setting BUILDAH_ISOLATION=chroot in the container's environment. This way, Buildah will use chroot instead of setting up a user namespace.

[danifv]

@danifv you can try setting BUILDAH_ISOLATION=chroot in the container's environment. This way, Buildah will use chroot instead of setting up a user namespace.

Unfortunately nothing changed - the error is the same.
Is there a way to get a more verbose error description?

[vrothberg]

@danifv, can you try without manually changing the seccomp profile?

I am running Docker 18.09.8 on Fedora 31 and docker run --rm -it quay.io/buildah/stable:v1.12.0 sh does not error out.

[rhatdan]

I believe buildah package attempts to create a user namespace so that it can mount the file systems. If Docker is blocking the unshare syscall,it will block buildah,

[danifv]

As @rhatdan pointed out unshare is needed, I get a

Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO error parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO (unable to determine exit status)    

when I start a buildah command if I don't enable it.
Starting the container works properly, it's using buildah inside of it that I'm struggling with.

As the buildah image works properly with the podman runtime and I can get it working properly with docker if I add --privileged (and unshare to the seccomp profile), I wonder what other permissions it needs which are unneeded when using podman but are to be explicitly set with docker.

[rhatdan]

You should be able to get this work by disabling seccomp rules.

--security-opt seccomp=unconfined
Don't need to disable all protections.

[danifv]

@rhatdan unfortunately this wan't enough, but in the end through some laborious yet rewarding debugging I found that restrictions for mount have to be relaxed in both seccomp and apparmor.
Thank you for your help though!
For reference, unshare was enabled from the beginning as mentioned in the original issue.

I realize that this issue board is for buildah, but if this doesn't violate any guidelines, I'd highly appreciate if any of you can share why these are enabled by default in podman and what it uses in place of apparmor.
I'm quite new to these topics and would really like to understand better the design of these components.

[TomSweeneyRedHat]

@rhatdan can you reply to danifv and close this out please?

[rhatdan]

Buildah right now uses SELinux depending if it is available, we could support apparmor, if someone in the community wanted to add it.

[kvaps]

Fixed to me by updating docker version:

Unpacking docker-ce (5:20.10.17~3-0~ubuntu-bionic) over (5:20.10.8~3-0~ubuntu-bionic) ...

see:

• Docker seccomp policy incompatible with glibc 2.34 actions/runner-images#3812
• seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM moby/moby#42680
• seccomp: add support for "clone3" syscall in default policy moby/moby#42681