
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted #172

Closed
Masber opened this issue Sep 9, 2020 · 6 comments
Labels
question Further information is requested

Comments

@Masber

Masber commented Sep 9, 2020

Hi,

I am new to the docker/container world and I am trying to build an image inside a container using buildkit as a non-root user.
I have downloaded rootlesskit and buildkit, but for some reason I can't make buildkit run as a non-root user.
My distro is Debian 9.

jenkins@407b28127b28:/tmp$ cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
jenkins@407b28127b28:/tmp$ cat /proc/sys/kernel/unprivileged_userns_clone
1
jenkins@407b28127b28:/tmp$ id -u
1000
jenkins@407b28127b28:/tmp$ whoami
jenkins
jenkins@407b28127b28:/tmp$ grep "^$(whoami):" /etc/subuid
jenkins:100000:65536
jenkins@407b28127b28:/tmp$ grep "^$(whoami):" /etc/subgid
jenkins:100000:65536
jenkins@407b28127b28:/tmp$ newuidmap
usage: newuidmap <pid> <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... 
jenkins@407b28127b28:/tmp$ newgidmap
usage: newgidmap <pid> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... 
jenkins@407b28127b28:/tmp$ ./rootlesskit bin/buildkitd 
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
jenkins@407b28127b28:/tmp$ ./rootlesskit bash
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted

I hope I am doing things right. Any thoughts?

@AkihiroSuda AkihiroSuda added the question Further information is requested label Sep 10, 2020
@AkihiroSuda
Member

If you are trying to run RootlessKit inside a Docker container, you need to run the container with `docker run --security-opt seccomp=unconfined --security-opt apparmor=unconfined`.

https://github.com/moby/buildkit/blob/master/docs/rootless.md#docker

@Masber
Author

Masber commented Sep 10, 2020

Sorry, I forgot to mention that the container engine is containerd managed by k8s. Does that change your proposal?

@AkihiroSuda
Member

You should set Pod annotations like this:

  annotations:
    container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
    container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined

https://github.com/moby/buildkit/blob/477b1aab89dae85d31a48797f341d6bd7527fa5a/examples/kubernetes/deployment%2Bservice.rootless.yaml#L16-L18
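A complete Pod manifest that applies the two annotations from the comment above, added here as an example (it is not from the issue, RootlessKit or BuildKit). The annotation keys are the ones quoted above; the image tag, user id and the field-based `securityContext.seccompProfile` (which newer Kubernetes releases use instead of the seccomp annotation) are assumptions to adjust for your cluster:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: buildkitd
  annotations:
    # Keys quoted in the comment above. The part after the slash is the
    # container name, so it must match spec.containers[].name exactly.
    container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
    container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined
spec:
  containers:
    - name: buildkitd
      # Assumed: the rootless BuildKit image; confirm the current tag in the BuildKit docs.
      image: moby/buildkit:rootless
      securityContext:
        # Field-based form of the seccomp annotation above (assumed cluster >= 1.19).
        seccompProfile:
          type: Unconfined
        # Assumed uid/gid of the non-root user baked into the image.
        runAsUser: 1000
        runAsGroup: 1000
        # newuidmap/newgidmap are setuid helpers; allowPrivilegeEscalation: false
        # sets no_new_privs and would make them fail silently.
        allowPrivilegeEscalation: true
      volumeMounts:
        - name: buildkit-state
          mountPath: /home/user/.local/share/buildkit
  volumes:
    - name: buildkit-state
      emptyDir: {}
```

Both `unconfined` settings remove the runtime's default syscall filter and AppArmor profile for this one container only, because rootlesskit has to call `unshare`/`mount` family syscalls that the default seccomp profile blocks. Scope the relaxation to the builder pod and keep it in its own namespace rather than copying the annotations into unrelated workloads.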

@AkihiroSuda
Member

Is this issue closable?

@cyxinda

cyxinda commented May 21, 2024

Run `echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns`, then `reboot` the system.
Ubuntu 24.04's AppArmor would forbid rootless.
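The diagnostic commands in the opening post (unprivileged_userns_clone, subuid/subgid entries, newuidmap/newgidmap) and the Ubuntu 24.04 knob in the comment above are the usual preconditions for rootlesskit to fork its child. The script below bundles them into a preflight check; it is an added example, not part of the issue or of RootlessKit. Each check takes an optional file path so it can be run against test files; the 65536 minimum for the subordinate id range is an assumption matching the conventional allocation shown in the opening post.

```shell
#!/bin/sh
# Added example (not from the issue or RootlessKit): preflight checks that a
# non-root user can create user namespaces before invoking rootlesskit.

# Debian/Ubuntu kernel knob: 1 permits unprivileged user namespaces, 0 forbids
# them. Kernels without the file impose no such restriction, so "missing" passes.
check_unprivileged_userns_clone() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Ubuntu 24.04 AppArmor knob: 1 restricts unprivileged user namespaces to
# profiles that opt in, which is what breaks rootlesskit there. A missing file
# (older Ubuntu, other distros) passes.
check_apparmor_restrict_userns() {
    f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "0" ]
}

# newuidmap/newgidmap can only map ids listed for the user in /etc/subuid or
# /etc/subgid. Succeeds if $1 has an entry in file $2 with count >= 65536
# (assumed conventional range size, as in the opening post).
check_subid_range() {
    user="$1"; f="$2"
    count=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$f")
    [ -n "$count" ] && [ "$count" -ge 65536 ]
}

# Runs every check against the live system and prints what is missing.
# Returns non-zero if any precondition fails.
preflight() {
    rc=0
    me=$(id -un)
    check_unprivileged_userns_clone || { echo "kernel.unprivileged_userns_clone is 0"; rc=1; }
    check_apparmor_restrict_userns || { echo "kernel.apparmor_restrict_unprivileged_userns is 1"; rc=1; }
    check_subid_range "$me" /etc/subuid || { echo "no usable subuid range for $me in /etc/subuid"; rc=1; }
    check_subid_range "$me" /etc/subgid || { echo "no usable subgid range for $me in /etc/subgid"; rc=1; }
    command -v newuidmap >/dev/null 2>&1 || { echo "newuidmap not installed (uidmap package)"; rc=1; }
    command -v newgidmap >/dev/null 2>&1 || { echo "newgidmap not installed (uidmap package)"; rc=1; }
    return $rc
}

# Usage: source this file and run `preflight` as the unprivileged user, e.g.
#   . ./preflight.sh && preflight && ./rootlesskit bash
```

Note that none of these checks can see a seccomp or AppArmor profile applied from outside the container, which is the cause in the opening post: with the knobs all green, an "operation not permitted" from `fork/exec /proc/self/exe` points at the container runtime's profile rather than at the kernel sysctls.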

@munishchouhan

I am using --privileged, but I am still getting this error on mac:

could not connect to unix:///run/user/1000/buildkit/buildkitd.sock after 10 trials
========== log ==========
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: invalid argument
sh: can't kill pid 14: No such process
