Error during unshare(CLONE_NEWUSER): Operation not permitted

[nmiculinic]

Description

I cannot run buildah bud

Steps to reproduce the issue:

docker run --rm -it ubuntu

Within the docker container I run the following:

https://github.com/containers/buildah/blob/master/install.md#ubuntu

root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# buildah bud -f Dockerfile  .
Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO[0000] error parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO[0000] (unable to determine exit status)            
root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# buildah --version
buildah version 1.10.1 (image-spec 1.0.1, runtime-spec 1.0.1-dev)
root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# cat /proc/sys/user/max_user_names
paces
62901
root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# cat "/proc/sys/kernel/unprivileged_userns_clone"
1
root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# 

Describe the results you expected:

I expected everything to work our and build the OCI image.

Output of rpm -q buildah or apt list buildah:

root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# apt list buildah
Listing... Done
buildah/bionic,now 1.10.1-1~ubuntu18.04~ppa1 amd64 [installed]

Output of buildah version:

buildah version 1.10.1 (image-spec 1.0.1, runtime-spec 1.0.1-dev)

Output of podman version if reporting a podman build issue:
not installed

Output of cat /etc/*release:

root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

Output of uname -a:

root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# uname -a
Linux dbdb5cd66273 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

(( default one ))

root@dbdb5cd66273:/rootfs/ci/dockerfiles/test# cat /etc/containers/storage.conf
# storage.conf is the configuration file for all tools
# that share the containers/storage libraries
# See man 5 containers-storage.conf for more information

# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver
driver = "overlay"

# Temporary storage location
runroot = "/var/run/containers/storage"

# Primary read-write location of container storage
graphroot = "/var/lib/containers/storage"

[storage.options]
# AdditionalImageStores is used to pass paths to additional read-only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Size is used to set a maximum size of the container image.  Only supported by
# certain container storage drivers (currently overlay, zfs, vfs, btrfs)
size = ""

# OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
override_kernel_check = "true"

[rhatdan]

We recommend that people running buildah within a locked down container use images from quay.io.
https://quay.io/repository/buildah/stable
Basically running straight buildah within a locked down container will fail, because the unshare command is blocked. We recommend using the --isolation=chroot, which eliminates the unshare call.

[nmiculinic]

It doesn't seem to help at all:

docker run --rm -it -v $(pwd):/rootfs quay.io/buildah/stable
[root@664c4f767a70 test]# buildah bud --isolation=chroot  -f Dockerfile  .  
Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO error parsing PID "": strconv.Atoi: parsing "": invalid syntax 
ERRO (unable to determine exit status)            

Also it appears to be default isolation as well in the container.

[rhatdan]

Could you try this with podman?
Also could you try
docker run --security-opt seccomp=/usr/share/containers/seccomp.json --rm -it -v $(pwd):/rootfs quay.io/buildah/stable

I think Docker might be blocking the unshare syscall.

[JamesWrigley]

Not sure if this is the case on Ubuntu, but on Debian the kernel itself disables the unsharing: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808915.

I had to manually allow unprivileged users to unshare, get Docker to use Podman's seccomp profile, and then Buildah ran in the container. Using --isolation=chroot had no effect, unfortunately.

[rhatdan]

Don't fully understand what you are saying, Did Buildah work or not work within the container?

[JamesWrigley]

Yes it did (on a Debian host), once I ran:

echo 1 > /proc/sys/kernel/unprivileged_userns_clone

I'm not sure why this is necessary if --isolation=chroot eliminates the unshare call.

Then when using Podman's seccomp profile, Buildah worked in the container:

docker run --security-opt seccomp=/usr/share/containers/seccomp.json --rm -it quay.io/buildah/stable

[rhatdan]

@nalind @giuseppe Are we still unsharing the namespace if we are doing --isolation=chroot

[giuseppe]

@nalind @giuseppe Are we still unsharing the namespace if we are doing --isolation=chroot

yes, a new user namespace is still necessary when the user has no CAP_SYS_ADMIN in the container.

[rhatdan]

@giuseppe Why, what do we need this for? I guess we are still bind mounting the /proc and /sys into the chroot.

[giuseppe]

@giuseppe Why, what do we need this for? I guess we are still bind mounting the /proc and /sys into the chroot.

yes, we still need to be able to create bind mounts to create the environment used by the chroot

[rhatdan]

Thanks, I had figured that out.

[rhatdan]

So docker seccomp.json file blocking unshare is the issue, and should be changed, or as I reccoment use podman/CRI-O for running these containers. You can run docker with Podman /usr/share/containers/seccomp.json file.