sudo inside dockerfile cause error "sudo: effective uid is not 0" for arm platform

[iav]

Behaviour

Trying to build container with command RUN sudo not from root user causes error

#12 [ 9/11] RUN sudo chown -R rust:rust /app
#12 0.119 sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
#12 ERROR: executor failed running [/bin/sh -c sudo chown -R rust:rust /app]: buildkit-runc did not terminate successfully

Steps to reproduce this issue

1. set action with crazy-max/ghaction-docker-buildx@v2
2. run buildx action for arm platform

docker buildx build \
            --platform linux/arm64 \
            --build-arg RUST_TARGET=aarch64-unknown-linux-musl \
            --progress plain \
            --load .

inside build script set user to non root with right do sudo, and run sudo:

USER rust
RUN sudo chown -R rust:rust /app

Expected behaviour

just work, as on my laptop

Actual behaviour

error

#12 [ 9/11] RUN sudo chown -R rust:rust /app
#12 0.119 sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
#12 ERROR: executor failed running [/bin/sh -c sudo chown -R rust:rust /app]: buildkit-runc did not terminate successfully

Configuration

• Repository URL (if public):
  https://github.com/iav/test3/
• Build URL (if public):
  https://github.com/iav/test3/runs/745735579?check_suite_focus=true#step:6:1401

paste your YAML workflow file here and remove sensitive data

https://github.com/iav/test3/blob/master/.github/workflows/main.yml

dockerfile: https://github.com/iav/test3/blob/master/Dockerfile

Logs

Download the log file of your build and attach it to this issue.

[crazy-max]

@iav I don't think it has something to do with this action but GitHub runner instead. See moby/moby#36730 (comment) for more info. Also have you tried with standard docker build? Have you take a look to gosu?

[iav]

How can I use standard docker build for another architecture on builder?
I newer hear about gosu, thank you, will read.
What do you think about multiarch/alpine#32?

About a "nosuid" — I try to workaroud it already, add section with special fs for /var/lib/docker. Without result.

  -
    name: create small fs for docker cache
    run: |
      
      sudo systemctl stop docker
      sudo rm -rf /var/lib/docker/*
      #apt list --installed
      #sudo dd if=/dev/zero of=/swapfile1 bs=1M count=24K
      sudo dd if=/dev/zero of=/swapfile1 bs=1M count=14K
      sudo chmod 600 /swapfile1
      
      sudo mkfs.ext4 /swapfile1
      #sudo mkswap /swapfile1
      #sudo swapon -a /swapfile1
      
      #sudo swapon --show
      sudo free -h

      #sudo mount -t tmpfs -o size=10G,suid tmpfs /var/lib/docker
      sudo mount -o suid /swapfile1 /var/lib/docker
      mount
      df -h
      
      sudo systemctl start docker

[crazy-max]

How can I use standard docker build for another architecture on builder?

See https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/

About a "nosuid" — I try to workaroud it already, add section with special fs for /var/lib/docker. Without result.

Don"t think that's the right way to do it. You should ask on https://github.com/actions/virtual-environments.

[iav]

As mentioned multiarch/alpine#32 (comment) problem was wrong flags in

cat /proc/sys/fs/binfmt_misc/qemu-aarch64
statis:register
enabled
interpreter /usr/bin/qemu-aarch64-static
flags: F
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff

its's state after ghaction-docker-buildx init. But Flags OCF required to run sudo inside qemu containers.
Then I add line to buildx initialization: sudo docker run --rm --privileged multiarch/qemu-user-static --reset -p yes --credential yes
Note no :register in container name. I ise it first, but have to remove to make it work.
Maybe, --credential yes have to be in action code? Possible, as option, if non-privileged containers reqired too?

[crazy-max]

@iav Will check this out, thanks for your input!

[crazy-max]

@iav Can you try with crazy-max/ghaction-docker-buildx@master?

[iav]

This run https://github.com/iav/test3/runs/746356197?check_suite_focus=true
I remove my workaround, set @master, and — success! All flags on place, all my sudo inside buildx tests for armv7, aarch64 and amd64 passed.

[crazy-max]

@iav Nice! I have added a Dockerfile with sudo to test this behavior and it seems to work.
I will create a new release, keep you in touch.

[crazy-max]

@iav This is fixed through v3.1.0 / v3