
CAP_SYS_CHROOT capability not set by default as described in manual page #4576

Closed
mlegenovic opened this issue Feb 11, 2023 · 2 comments · Fixed by #4584

Comments

@mlegenovic

Description

Since version 1.29.0, you can no longer build images by calling dnf with the --installroot option:

FROM registry.access.redhat.com/ubi8/ubi AS ubi-micro-build

RUN mkdir -p /mnt/rootfs
RUN yum install --installroot /mnt/rootfs coreutils-single glibc-minimal-langpack --releasever 8 --setopt install_weak_deps=false --nodocs -y; yum --installroot /mnt/rootfs clean all
RUN rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*

FROM scratch AS ubi8-micro

COPY --from=ubi-micro-build /mnt/rootfs/ /
COPY --from=ubi-micro-build /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo

CMD /bin/sh

Manual page (man buildah-build) says that the capability CAP_SYS_CHROOT should be set by default:

--cap-drop=CAP_xxx

       When executing RUN instructions, run the command specified in the instruction with the specified capability removed from its capability set. The CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_SETFCAP, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, and **CAP_SYS_CHROOT** capabilities are granted by default; this option can be used to remove them.

which is obviously not the case, because when I explicitly set this capability, the build works as in previous versions:

buildah build --cap-add=CAP_SYS_CHROOT -t ubi-micro:8 .

Steps to reproduce the issue:

  1. Run buildah build -t ubi-micro . with the Containerfile listed above

Describe the results you received:

RPM: error: Unable to change root directory: Operation not permitted
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  Errors occurred during test transaction.

Describe the results you expected:

Build without errors

Output of rpm -q buildah or apt list buildah:

buildah-1.29.0-1.fc37.x86_64

Output of buildah version:

Version:         1.29.0
Go Version:      go1.19.5
Image Spec:      1.0.2-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        1.0.0
libcni Version:  v1.1.2
image Version:   5.24.0
Git Commit:      
Built:           Tue Jan 31 13:05:28 2023
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of cat /etc/*release:

Fedora release 37 (Thirty Seven)
NAME="Fedora Linux"
VERSION="37 (Server Edition)"
ID=fedora
VERSION_ID=37
VERSION_CODENAME=""
PLATFORM_ID="platform:f37"
PRETTY_NAME="Fedora Linux 37 (Server Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:37"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f37/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=37
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=37
SUPPORT_END=2023-11-14
VARIANT="Server Edition"
VARIANT_ID=server
Fedora release 37 (Thirty Seven)
Fedora release 37 (Thirty Seven)

Output of uname -a:

Linux spring.mylinux.ch 6.1.10-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Feb  6 23:56:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
mountopt = "nodev,metacopy=on"

[storage.options.thinpool]

rhatdan added a commit to rhatdan/buildah that referenced this issue Feb 14, 2023
Buildah uses the default list of capabilities as specified in
containers.conf. The man pages should reflect this.

Fixes: containers#4576

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@rhatdan (Member) commented Feb 14, 2023

The man page is wrong, the settings for this are managed in containers.conf.
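The check a practitioner would want at this point, as an added example that is not code from the issue or from the buildah project: it decodes the CapEff mask of /proc/self/status (run it inside a RUN step, or point it at a saved status file), reports whether CAP_SYS_CHROOT is in the effective set, lists anything missing relative to the set the man page quoted above claims is granted by default, and, when SYS_CHROOT is absent, prints the kind of containers.conf fragment rhatdan's comment points at. Assumptions: the bit numbers come from linux/capability.h (SYS_CHROOT is bit 18); the `[containers]` `default_capabilities` key and the unprefixed capability names follow containers.conf(5); the script name and all function names are mine.

```shell
#!/bin/sh
# Added example (not code from the buildah issue or project): decode the
# capability mask a RUN step actually sees and compare it with the set the
# buildah-build man page quoted in the issue claims is granted by default.
# Usage:  sh capcheck.sh             # inspects /proc/self/status of this shell
#         sh capcheck.sh status.txt  # inspects a saved /proc/PID/status file
# (the script name is hypothetical)

# Kernel bit numbers from linux/capability.h for the capabilities discussed
# on the page (plus NET_RAW and SYS_ADMIN for comparison). Names use the
# containers.conf convention, i.e. without the CAP_ prefix.
cap_bit() {
  case "$1" in
    CHOWN)            echo 0 ;;
    DAC_OVERRIDE)     echo 1 ;;
    FOWNER)           echo 3 ;;
    FSETID)           echo 4 ;;
    KILL)             echo 5 ;;
    SETGID)           echo 6 ;;
    SETUID)           echo 7 ;;
    SETPCAP)          echo 8 ;;
    NET_BIND_SERVICE) echo 10 ;;
    NET_RAW)          echo 13 ;;
    SYS_CHROOT)       echo 18 ;;
    SYS_ADMIN)        echo 21 ;;
    MKNOD)            echo 27 ;;
    AUDIT_WRITE)      echo 29 ;;
    SETFCAP)          echo 31 ;;
    *)                return 1 ;;
  esac
}

# mask_of NAME... -> 16-digit hex mask with those bits set (CapEff format).
mask_of() {
  m=0
  for c in "$@"; do
    b=$(cap_bit "$c") || { echo "unknown capability: $c" >&2; return 1; }
    m=$(( m | (1 << b) ))
  done
  printf '%016x\n' "$m"
}

# cap_in_mask MASK BIT -> exit 0 if BIT is set in the hex MASK.
cap_in_mask() {
  [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# missing_caps MASK NAME... -> prints each NAME whose bit is not in MASK.
missing_caps() {
  mask=$1; shift
  for c in "$@"; do
    b=$(cap_bit "$c") || { echo "unknown capability: $c" >&2; continue; }
    cap_in_mask "$mask" "$b" || echo "$c"
  done
}

# capeff_from_status FILE -> the CapEff field of a /proc/PID/status file.
capeff_from_status() {
  awk '$1 == "CapEff:" { print $2 }' "$1"
}

# containers_conf_fragment NAME... -> a containers.conf fragment that makes
# those capabilities the default for every container buildah/podman creates.
# Assumption: key name and unprefixed values as in containers.conf(5).
containers_conf_fragment() {
  echo '[containers]'
  echo 'default_capabilities = ['
  for c in "$@"; do echo "  \"$c\","; done
  echo ']'
}

# The set the 1.29 man page says is granted by default (the page's claim).
MANPAGE_DEFAULTS="AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD \
NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT"

main() {
  status=${1:-/proc/self/status}
  eff=$(capeff_from_status "$status" 2>/dev/null)
  if [ -z "$eff" ]; then
    echo "cannot read CapEff from $status" >&2
    return 0
  fi
  echo "CapEff: $eff"
  if cap_in_mask "$eff" "$(cap_bit SYS_CHROOT)"; then
    echo "CAP_SYS_CHROOT present: rpm can chroot into --installroot"
  else
    echo "CAP_SYS_CHROOT missing: expect 'Unable to change root directory: Operation not permitted'"
    echo "fix: buildah build --cap-add=CAP_SYS_CHROOT ..., or set this in containers.conf:"
    containers_conf_fragment $MANPAGE_DEFAULTS
  fi
  missing=$(missing_caps "$eff" $MANPAGE_DEFAULTS | tr '\n' ' ')
  [ -z "$missing" ] && echo "all man-page defaults present" || echo "missing vs man page: $missing"
}

main "$@"
```

The man-page set decodes to the mask 00000000a80405fb; a RUN step whose CapEff lacks bit 18 (for example 00000000a80005fb) is the one that fails the RPM transaction test shown in the issue. Putting `RUN grep CapEff /proc/self/status` before the dnf step is the cheapest way to see which case a given buildah build is in.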

@mlegenovic (Author) commented

However, the release notes do not mention anywhere that CAP_SYS_CHROOT capability is no longer set by default. Whatever has been changed, the behavior has changed. What worked with previous versions without error, does not work now, or only after the configuration change or extra arguments. Such a change also belongs in the release notes so that people know what to do when they upgrade.

rhatdan added a commit to rhatdan/buildah that referenced this issue Feb 16, 2023
Buildah uses the default list of capabilities as specified in
containers.conf. The man pages should reflect this.

Fixes: containers#4576

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>