
ubuntu-24.04 Error during unshare(...): Operation not permitted #10443

Closed
2 of 13 tasks
Raboo opened this issue Aug 15, 2024 · 3 comments

Comments


Raboo commented Aug 15, 2024

Description

I have a problem with this new ubuntu runner.

This is something that worked on 22.04.

    - name: Build Image
      id: build-image
      uses: redhat-actions/buildah-build@v2
      with:
        image: redir
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        oci: true
        containerfiles: |
          ./Containerfile
        platforms: ${{ matrix.platform }}

    - run: skopeo copy containers-storage:ghcr.io/${{ env.OWNER_LC }}/redir:build-${{ env.PODMAN_ARCH }} oci-archive:/tmp/${{ env.PODMAN_ARCH }}-oci.tar

Now instead it produces an error.

skopeo copy containers-storage:ghcr.io/raboo/redir:build-amd64 oci-archive:/tmp/amd64-oci.tar
Error during unshare(...): Operation not permitted

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

I can't find this "Set up job" button anywhere.
I used YAML to create the action.
https://github.com/Raboo/redir/actions

Is it regression?

don't know

Expected behavior

skopeo copy should not produce an error.

Actual behavior

Getting an unshare error.

skopeo copy containers-storage:ghcr.io/raboo/redir:build-amd64 oci-archive:/tmp/amd64-oci.tar
Error during unshare(...): Operation not permitted

Repro steps

  1. Build an image with redhat-actions/buildah-build.

  2. Try to copy the image to a tar archive like so: skopeo copy containers-storage:ghcr.io/${{ env.OWNER_LC }}/redir:build-${{ env.PODMAN_ARCH }} oci-archive:/tmp/${{ env.PODMAN_ARCH }}-oci.tar

@ijunaidm
Contributor

@Raboo - Thank you for bringing this issue to our attention. We will look into this issue and will update you on this issue after investigating.

@Prabhatkumar59

Hi @Raboo - The error you're encountering with skopeo copy on Ubuntu 24.04 is related to the unprivileged user namespace (unshare) being restricted in the latest Ubuntu versions. This restriction is likely causing the "Operation not permitted" error when skopeo tries to use unshare.

I am providing a workaround for you below:

Workarounds and Solutions

A. Enable User Namespace Remapping
On Ubuntu 24.04, the user namespace is disabled by default for security reasons. You can enable it by modifying the system's kernel parameters or the /etc/sysctl.conf file.

Add the following line to /etc/sysctl.conf:
kernel.unprivileged_userns_clone=1

Then apply the changes as:
sudo sysctl -p

This might not be an option if you're using a CI runner where you don't have root access.

B. Run skopeo in a Privileged Container
Another option is to run skopeo in a privileged container where the unshare operation is permitted. You can modify your GitHub Actions workflow to execute this within a Docker container that has the necessary privileges.

Here’s how you could modify your workflow:

- name: Run skopeo in a privileged container
  run: |
    docker run --privileged -v /tmp:/tmp -v /var/run/docker.sock:/var/run/docker.sock \
    quay.io/skopeo/stable copy containers-storage:ghcr.io/${{ env.OWNER_LC }}/redir:build-${{ env.PODMAN_ARCH }} oci-archive:/tmp/${{ env.PODMAN_ARCH }}-oci.tar

C. Switch to Podman
If enabling user namespaces or running in a privileged container isn't possible, consider switching from skopeo to podman for managing your containers. Podman is designed to work without root privileges and might offer a more seamless experience on Ubuntu 24.04.

You can install and use podman like so:

- name: Install Podman
  run: sudo apt-get install -y podman

- name: Use Podman for copying the image
  run: podman save -o /tmp/${{ env.PODMAN_ARCH }}-oci.tar ghcr.io/${{ env.OWNER_LC }}/redir:build-${{ env.PODMAN_ARCH }}

D. Revert to Ubuntu 22.04
If the above options aren't viable, you could temporarily revert to using an Ubuntu 22.04 runner where this operation is known to work. This might be a quick fix while you explore more permanent solutions.

So, overall the "Operation not permitted" error with skopeo on Ubuntu 24.04 is due to restrictions on user namespaces. You can enable the necessary kernel parameter, run skopeo in a privileged container, switch to podman, or revert to Ubuntu 22.04 as potential workarounds.
Hence, by using the above steps, you should get a proper resolution.

@Raboo
Author

Raboo commented Aug 20, 2024

@Prabhatkumar59 I opted for the podman save.

- run: podman save -o /tmp/${{ env.PODMAN_ARCH }}-oci.tar --format oci-archive ghcr.io/${{ env.OWNER_LC }}/redir:build-${{ env.PODMAN_ARCH }}

Thanks!

Raboo closed this as completed Aug 20, 2024
ddelnano added a commit to pixie-io/pixie that referenced this issue Sep 6, 2024
…ers (#2010)

Summary: Another attempt to remediate user namespace issues with ubuntu
24.04 runners

This reverts the failed previous attempt and re-enables user namespaces
on ubuntu 24.04. This is a well known behavior change between Ubuntu
22.04 and 24.04
(actions/runner-images#10443 (comment)).
Since podman is running rootless, I think it's possible that the user
namespace creation (clone syscall) is failing.

Relevant Issues: #1993

Type of change: /kind bugfix

Test Plan: Run another production release build after merging this
- Verified that this sysctl cli invocation is similar to our [existing
example](https://github.com/pixie-io/pixie/blob/aa1f72a69f0a072d97accd721081f89cb8108fd1/.github/workflows/build_and_test.yaml#L87)

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
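Both the sysctl workaround above and the pixie commit's re-enabling of user namespaces hinge on which kernel knob is actually blocking the unprivileged unshare(). The following diagnostic is an added example, not code from the thread or from either project: it reads the two Ubuntu-specific sysctls (kernel.unprivileged_userns_clone on Debian/Ubuntu kernels and kernel.apparmor_restrict_unprivileged_userns on Ubuntu 23.10 and later), explains the expected outcome, and then probes empirically with util-linux unshare.

```shell
#!/bin/sh
# Added diagnostic (not from the issue thread): explain why an unprivileged
# unshare() can fail on an Ubuntu 24.04 runner before choosing a workaround.

# Pure decision logic, kept separate so it can be checked without root.
#   $1 = kernel.unprivileged_userns_clone ("" when the sysctl is absent,
#        1 = allowed; Debian/Ubuntu kernel patch)
#   $2 = kernel.apparmor_restrict_unprivileged_userns ("" when absent,
#        1 = only binaries with an AppArmor profile granting userns may unshare)
# Prints a verdict and returns 0 when unprivileged userns should work.
userns_verdict() {
  clone="$1"; apparmor="$2"
  if [ -n "$clone" ] && [ "$clone" != "1" ]; then
    echo "blocked: kernel.unprivileged_userns_clone=$clone"
    return 1
  fi
  if [ "$apparmor" = "1" ]; then
    echo "restricted: kernel.apparmor_restrict_unprivileged_userns=1 (unconfined binaries such as skopeo get EPERM)"
    return 1
  fi
  echo "allowed"
  return 0
}

# Read a sysctl via /proc; prints nothing when this kernel does not have it.
read_sysctl() {
  f="/proc/sys/$(printf '%s' "$1" | tr . /)"
  [ -r "$f" ] && cat "$f"
  return 0
}

# Empirical probe. Caveat: Ubuntu ships an AppArmor profile for
# /usr/bin/unshare that grants userns, so this can succeed where an
# unconfined binary fails; trust the sysctl verdict when they disagree.
userns_probe() {
  if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
    echo "probe: unshare -U succeeded"
  else
    echo "probe: unshare -U failed or unavailable"
  fi
}

# Top-level report; never exits non-zero so it is safe as a CI step.
userns_verdict "$(read_sysctl kernel.unprivileged_userns_clone)" \
               "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)" || true
userns_probe
```

On a runner where the verdict is "restricted", the fix is either an AppArmor profile for the binary, the sysctl change the pixie commit applies, or avoiding the unshare altogether as Raboo did with podman save.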