Rootless Docker: Permission denied when creating work tree dir #124
Hi,
we need to look into this, but unfortunately I don't have a rootless docker environment. Many of our users are using podman in rootless mode (including myself) and that definitely works. It can indeed be that the user id mappings (which are only added for podman) are missing. Please also have a look at the flags added to podman (just grep for podman in
Hi @fmoessbauer, thanks for your reply.
Can confirm - we used Podman before and are still partially using it. But Docker seems to offer better package support, i.e. one gets the latest Docker versions properly packaged for the current stable Debian/Ubuntu version. That's why our admins decided to go back to Docker and introduce rootless mode. And they also don't want to maintain multiple container runtimes which is understandable. So at least for productive systems - which also covers the server I'd like to use for Yocto building - this means rootless Docker only.
I did, but besides
Detecting this is very easy:
I already stumbled upon that commit. The problem is that Disable namespace remapping for a container (--userns)
Digging around:
Removing
Verifying the settings:
Some research revealed Docker rootless mode without userns-remap.
Out of curiosity, testing without
And running as
I'm not an expert in namespace mapping, but to me it looks like using kas with rootless Docker is currently not possible? So this seems to sum it up perfectly:
Hi @schrammae, If I remember right, the time podman was discussing rootless, they introduced fuse-overlayfs to overcome those issues. Do you have it installed? It is anyway Debian recommended setup for rootless containers: https://docs.docker.com/engine/security/rootless/ |
Hi @Silvanoc, Thanks for your reply.
The Docker config looks like this:
Checking the storage driver on a running container:
Checking the docs: Docker storage drivers
So
The server is running Debian 6.1.94-1 (2024-06-21), so this should also be fine. As I can't do any experiments on the server, I installed rootless Docker on my local machine. This is using Ubuntu 22.04.4 LTS and the Ubuntu guide does not mention
This gives the same error as on Debian:
Creating a configuration file and testing with
But this results in the same error as with
Running it manually:
Hi @schrammae, I finally found some time to further analyze this and provide a workaround for Anyways, I was able to come up with a workaround that requires a distinct As this also requires changes to the container entrypoint, you need to build the container by yourself, or just wait until @jan-kiszka picks it up on next.
Docker rootless mode is similar to podman rootless mode, except that it does not support to share the userid namespace. By that, the bind mounted directories (like /repo, /work, /build) which are owned by the calling user, are mapped with uid==gid==0 inside the container. While we could align this by running as root inside the container, this is not an option as bitbake does not allow this.

This comes with the following limitations:
- /repo must be mounted ro to not destroy the uid mappings on the host
- /work, /build must be an exclusive dir on the host that is only written to by the tooling inside kas-container
- a git safe.dirs exception is needed as git operates as builder on repos owned by root
- only operations that do not strictly require /repo:rw are supported.
- ISAR mode is not supported in rootless mode, fallback to system docker

Closes: siemens#124
Signed-off-by: Felix Moessbauer <felix.moessbauer@gmail.com>
Hi.
For security reasons, we're using Docker in rootless mode. As opposed to default Docker mode, kas fails to do builds due to permission problems when creating the work tree dirs.
Running it manually:
Just for testing, I tried running with
--docker-args "-e USER_ID=0 -e GROUP_ID=0"
Testing further and silencing this error via
touch build/conf/sanity.conf
works to build the example. However, it fails on more complex builds with fatal: detected dubious ownership in repository
So is it somehow possible to use kas with rootless Docker at all?
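The following is an added example, not code from kas or from anyone in this thread. It illustrates the two checks the discussion turns on and the mount decision the fix describes: the runtime mode is classified from the output of `docker info --format '{{.SecurityOptions}}'` (a rootless daemon lists `name=rootless`), the uid mapping a process sees is classified from the three-column `/proc/self/uid_map` format (an identity map means the initial user namespace; anything else means container root is remapped to an unprivileged host uid, which is why the build dirs look root-owned inside and why git reports dubious ownership), and /repo is mounted read-only when the mode is rootless, as the commit message requires. All sample inputs and paths are constructed placeholders; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not kas's own code. Helpers for a wrapper script that must
# decide how to mount the build tree depending on whether the Docker daemon
# runs rootless. Sample inputs below are constructed for illustration.

# detect_rootless SECURITY_OPTIONS
#   SECURITY_OPTIONS is the output of:
#     docker info --format '{{.SecurityOptions}}'
#   A rootless daemon includes "name=rootless" in that list.
#   Prints "rootless" or "rootful".
detect_rootless() {
    case "$1" in
        *name=rootless*) echo rootless ;;
        *)               echo rootful ;;
    esac
}

# uid_map_kind UID_MAP_TEXT
#   UID_MAP_TEXT is the content of /proc/self/uid_map, one mapping per line:
#     <first uid inside ns> <first uid in reader's ns> <count>
#   "0 0 4294967295" on its own is the initial namespace (identity).
#   Anything else (e.g. "0 1000 1" plus a subuid range) means uid 0 inside
#   the container is an unprivileged uid on the host.
#   Prints "identity", "remapped" or "none" (no mapping lines at all).
uid_map_kind() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            n++
            if ($1 == 0 && $2 == 0 && $3 == 4294967295) ident = 1
        }
        END {
            if (n == 0)             print "none"
            else if (n == 1 && ident) print "identity"
            else                    print "remapped"
        }'
}

# repo_mount MODE HOST_REPO_DIR
#   Builds the volume spec for /repo. Under rootless Docker the repo is
#   mounted read-only so nothing inside the container can rewrite ownership
#   of files the calling user owns on the host.
repo_mount() {
    if [ "$1" = rootless ]; then
        printf '%s:/repo:ro' "$2"
    else
        printf '%s:/repo:rw' "$2"
    fi
}

# Constructed samples: what a rootless and a rootful daemon might report.
ROOTLESS_OPTS='name=rootless name=seccomp,profile=builtin name=cgroupns'
ROOTFUL_OPTS='name=apparmor name=seccomp,profile=builtin name=cgroupns'

# Constructed samples: uid_map as seen in the initial namespace and inside a
# rootless container whose daemon runs as host uid 1000 with a subuid range.
INITIAL_MAP='         0          0 4294967295'
ROOTLESS_MAP='0 1000 1
1 100000 65536'

# Stand-alone demonstration when the script is run directly.
demo() {
    repo_dir=/home/builder/kas-repo   # placeholder path
    for opts in "$ROOTLESS_OPTS" "$ROOTFUL_OPTS"; do
        mode=$(detect_rootless "$opts")
        echo "daemon reports: $opts"
        echo "  mode:       $mode"
        echo "  repo mount: -v $(repo_mount "$mode" "$repo_dir")"
    done
    echo "initial ns uid_map -> $(uid_map_kind "$INITIAL_MAP")"
    echo "rootless container uid_map -> $(uid_map_kind "$ROOTLESS_MAP")"
}

case "$0" in
    *rootless_demo.sh) demo ;;
esac
```

The `name=rootless` marker in `docker info` and the `/proc/self/uid_map` layout are standard Docker and Linux behaviour; the git side of the fix is the `safe.directory` setting the commit message refers to as a "safe.dirs exception", which tells git to trust a repository owned by a different uid than the one running it.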