Replies: 1 comment 2 replies
-
Mounting /proc and /sys inside of the user namespace for the chroot, I would guess. |
Beta Was this translation helpful? Give feedback.
2 replies
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
-
I'm trying to run Buildah inside a Gitlab job running as rootful container in an Azure-managed k8s cluster (AKS) with containerd. According to the Gitlab docs this should be possible as long as I choose vfs as storage driver.
However, both
buildah info
andimmediately fail with
Now, I should mention our containers run with AppArmor enabled,
and after a bit of research I found the very similar-sounding #2899 , which pointed me to https://github.com/containerd/containerd/blob/main/contrib/apparmor/template.go (= the
cri-containerd.apparmor.d
profile) which indeed contains a linedeny mount
, so I suspect this is the issue here. (Unfortunately, I have no way to truly verify this, because I don't have access to our k8s / containerd settings.)In any case, my question is: What does
buildah build --storage-driver=vfs --isolation=chroot
need mount permissions for in the first place? So far my understanding had been that that vfs does not involve any mounting(?) Also, why doesbuildah info
need to do any mounting?On a general note, given that running Buildah nested inside another container is such a common use case, I think it'd be great to have an overview in the docs outlining which buildah settings require what capabilities & permissions. Trying to understand what's possible when it comes to container nesting and what isn't has been a rather painful trial & error experience.
Beta Was this translation helpful? Give feedback.
All reactions