Is it possible to use buildah mount inside a buildah container? I'm getting:
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
For context, I'm within several nested rabbit holes. My goal is to see if I can get a public GitHub Actions runner to build a container image from a ubi-micro image (which does not have a package manager). The problem is that my workflow uses the ubuntu-latest GitHub actions image, which doesn't have DNF available. I'm trying to work around this by nesting containers:
The outer container will run the ubi image. Within this, I will use buildah to create an inner container from ubi-micro, mount the inner container within the outer container, and then I can use the outer container's dnf command with the --installroot= option to install stuff within the inner container.
I mention that in case there's a better way to approach this problem. 😄
BTW, so far I'm just running this on my local (Fedora) machine... I'd like to get it working there first.
Steps to reproduce the issue:
$ buildah from -v /tmp/ct1:/var/lib/containers:Z docker.io/library/fedora:rawhide
fedora-working-container
$ buildah run fedora-working-container -- dnf -y install buildah
[...]
$ buildah run fedora-working-container -- buildah from scratch
working-container-3
$ buildah run fedora-working-container -- buildah mount working-container-3
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
WARN[0000] failed to shutdown storage: "mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted"
Error: while running runtime: exit status 125
Additional troubleshooting
No AVC messages are written to the audit log so this doesn't appear to be because of SELinux.
I've added --security-opt=label=disable --security-opt=seccomp=unconfined to the outer and inner buildah from commands and they don't help.
buildah mount works when run from a privileged podman container:
$ podman run --privileged -v /tmp/ct1:/var/lib/containers:Z --rm -it docker.io/library/fedora:rawhide
[root@0731245902d9 /]# dnf -y install buildah
[...]
[root@fe9f2496b491 /]# buildah from scratch
working-container-5
[root@fe9f2496b491 /]# buildah mount working-container-5
/var/lib/containers/storage/overlay/6b7b5cf263448e70917fb34107b0b8f7af2fa0156e052b27e638ed90c538e868/merged
... but there's no --privileged flag for buildah or podman build, unless I'm missing something?
Turns out sudo install dnf works just fine. So I no longer need to use buildah mount inside a buildah container; however I'll leave this issue open because I think it should work.
Output of rpm -q buildah or apt list buildah:
The above was run on a host with:
Inside the rawhide container, this buildah was used:
Output of buildah version:
On the host:
Inside the rawhide container:
Output of cat /etc/*release:
Output of uname -a:
Output of cat /etc/containers/storage.conf:
File does not exist - no customizations applied
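The workaround described in the report (mount a ubi-micro working container, then run dnf --installroot against the mount point), as an added shell example that is not part of the issue or of buildah's own code. It runs on the host, where the reporter confirmed buildah mount works, rather than nested inside buildah run, and adds a pre-flight check on the effective capability mask from /proc/self/status: mount(2) flags 0x1000 is MS_BIND, and a bind mount is refused with EPERM unless the caller holds CAP_SYS_ADMIN (capability bit 21) in the user namespace that owns the mount namespace, which is exactly the kind of restriction that seccomp=unconfined and label=disable do not lift. The image reference, output tag, package list, --releasever and the assumption that the installroot's own repo files are usable by the host's dnf are placeholders, not taken from the issue.

```shell
#!/bin/sh
# Added example, not from the issue: capability pre-flight plus the
# ubi-micro + dnf --installroot build from the report, done on the host.
set -eu

# Return 0 if bit $2 is set in a capability mask formatted the way
# /proc/<pid>/status prints CapEff (hex digits, no 0x prefix).
# CAP_SYS_ADMIN is bit 21 (linux/capability.h).
cap_bit_set() {
    mask="$1"; bit="$2"
    [ $(( 0x$mask >> bit & 1 )) -eq 1 ]
}

# Effective capability mask of the current process.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Interpret the reporter's error: mount(2) with flags 0x1000 (MS_BIND)
# fails with EPERM when the caller lacks CAP_SYS_ADMIN.
explain_mount_eperm() {
    if cap_bit_set "$1" 21; then
        echo "CAP_SYS_ADMIN present: EPERM on mount(2) is not a capability issue"
    else
        echo "CAP_SYS_ADMIN missing: mount(2) flags 0x1000 (MS_BIND) will fail with EPERM"
    fi
}

# The workaround from the issue, run directly on the host: create a
# ubi-micro working container, mount it, install into the mounted root
# with the host's dnf, unmount and commit. Image name, tag, releasever
# and the use of the installroot's own repo files are assumptions.
build_ubi_micro() {
    target_image="${1:-localhost/ubi-micro-plus:latest}"
    shift || true
    ctr=$(buildah from registry.access.redhat.com/ubi9/ubi-micro)
    mnt=$(buildah mount "$ctr")
    dnf -y --installroot="$mnt" --releasever=9 \
        --setopt=install_weak_deps=False install "$@"
    dnf -y --installroot="$mnt" clean all
    buildah unmount "$ctr"
    buildah commit "$ctr" "$target_image"
    buildah rm "$ctr"
}

# With no arguments the script only defines functions; --build runs it.
if [ "${1-}" = "--build" ]; then
    shift
    explain_mount_eperm "$(current_capeff)"
    build_ubi_micro "$@"
fi
```

Invoke as `sh build.sh --build localhost/ubi-micro-plus:latest <packages...>` on a host with buildah and dnf. Running only `explain_mount_eperm "$(current_capeff)"` from inside a `buildah run` container shows whether the effective set there includes CAP_SYS_ADMIN; if it does not, that alone accounts for the EPERM in the report, independent of SELinux and seccomp. buildah run does accept --cap-add, but the issue does not establish whether granting the capability is sufficient for the overlay-on-overlay case, so the example avoids nesting entirely.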