Description of problem:
When building images, items such as the /run/secrets/redhat.repo file from the build container are bind-mounted into the rootfs of the image being built for the benefit of RUN instructions. For a privileged build, the fact that the bind includes the nodev/noexec/nosuid flags doesn't cause any problems. When attempting the build without privileges, where the source file (itself mounted into the build container from the host) is not owned by the user the builder container is running as, this can fail because the kernel won't allow a bind mount that tries to remove any of these flags, and the logic which handled transient mounts when using chroot isolation wasn't taking enough care to avoid that possibility.
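The flag-preserving remount that the description calls for, as an added Go example that is not buildah's own code: after the bind, the new mount's options are read back from /proc/self/mountinfo and every option the kernel locks for an unprivileged namespace (ro, nosuid, nodev, noexec) is carried into the MS_BIND|MS_REMOUNT call, so the builder never asks the kernel to clear one. The function names and the mountinfo lines are constructed for illustration; BindMount itself needs CAP_SYS_ADMIN in the caller's mount namespace.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Options the kernel locks (MNT_LOCK_*) on mounts propagated into a less privileged userns; dropping one gives EPERM.
var lockedBits = map[string]uintptr{"ro": syscall.MS_RDONLY,
	"nosuid": syscall.MS_NOSUID, "nodev": syscall.MS_NODEV, "noexec": syscall.MS_NOEXEC}

// Constructed mountinfo excerpt: the build rootfs, then one secrets file bound into it.
const SampleMountinfo = "601 530 0:40 / /tmp/buildahXXX/mnt/rootfs rw,relatime - overlay overlay rw\n" +
	"612 601 0:23 /secrets/redhat.repo /tmp/buildahXXX/mnt/rootfs/run/secrets/redhat.repo rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw"

// MountOptions returns field 6 (per-mount options) of the last mountinfo line mounted exactly at path.
func MountOptions(mountinfo, path string) (opts string) {
	for _, line := range strings.Split(mountinfo, "\n") {
		if f := strings.Fields(line); len(f) >= 6 && f[4] == path {
			opts = f[5] // later lines are stacked on top of earlier ones; "" if none match
		}
	}
	return opts
}

// RemountFlags builds MS_BIND|MS_REMOUNT|extra (e.g. MS_RDONLY), carrying forward every locked option.
func RemountFlags(options string, extra uintptr) uintptr {
	flags := uintptr(syscall.MS_BIND|syscall.MS_REMOUNT) | extra
	for _, o := range strings.Split(options, ",") {
		flags |= lockedBits[o] // options outside the map contribute 0
	}
	return flags
}

// BindMount binds source onto target, then remounts keeping the inherited locked flags. Needs CAP_SYS_ADMIN.
func BindMount(source, target string, extra uintptr) error {
	if err := syscall.Mount(source, target, "", syscall.MS_BIND, ""); err != nil {
		return fmt.Errorf("bind-mounting %s at %s: %w", source, target, err)
	}
	mi, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		return err
	}
	if err := syscall.Mount("", target, "", RemountFlags(MountOptions(string(mi), target), extra), ""); err != nil {
		return fmt.Errorf("remounting %s with expected flags: %w", target, err)
	}
	return nil
}
```

Running RemountFlags over the sample's bound file yields nosuid, nodev and noexec in the remount word, whereas a remount built from the requested flags alone would be the EPERM case in the report.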
Version-Release number of selected component (if applicable):
buildah-1.32.0 and earlier
How reproducible:
Always
Steps to Reproduce:
1. On a single-node setup, `touch` /etc/yum.repos.d/redhat.repo, which is the target of a symbolic link in /usr/share/rhel/secrets, a directory which /usr/share/containers/mounts.conf tells CRI-O should have its contents exposed in containers.
2. Attempt to build this spec:

apiVersion: build.openshift.io/v1
kind: Build
metadata:
  name: unprivileged
spec:
  source:
    type: Dockerfile
    dockerfile: |
      FROM registry.fedoraproject.org/fedora-minimal
      RUN find /run/secrets -ls
      RUN head /proc/self/uid_map /proc/self/gid_map /run/secrets/redhat.repo
  strategy:
    type: Docker
    dockerStrategy:
      env:
      - name: BUILD_PRIVILEGED
        value: "false"

3.
Actual results:
error running subprocess: remounting "/tmp/buildahXXX/mnt/rootfs/run/secrets/redhat.repo" in mount namespace with expected flags: operation not permitted
Expected results:
No such mount error. Depending on the permissions on the file, the unprivileged build may still fail if it attempts to use the contents of that file, but that's not a bug in the builder so much as a consequence of access controls.
Additional info:
Is depended on by: RUN-1933 Finish debugging unprivileged builds in OpenShift (Closed)