Created
November 6, 2020 15:46
-
-
Save frafra/12a27ddbcaba5fea951e9af0d0037768 to your computer and use it in GitHub Desktop.
Build containers with GitLab CI without root nor daemons by using buildkit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| build-container: | |
| stage: build | |
| image: | |
| name: moby/buildkit:rootless | |
| entrypoint: [ "sh", "-c" ] | |
| variables: | |
| BUILDKITD_FLAGS: --oci-worker-no-process-sandbox | |
| before_script: | |
| - | | |
| mkdir ~/.docker | |
| auth=$(echo -n "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64) | |
| echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$auth\"}}}" > ~/.docker/config.json | |
| script: | |
| - | | |
| buildctl-daemonless.sh build \ | |
| --frontend=dockerfile.v0 \ | |
| --local context=. \ | |
| --local dockerfile=. \ | |
| --import-cache type=registry,ref=$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG \ | |
| --export-cache type=inline \ | |
| --output type=image,name=$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG,push=true |
The runner still needs to be privileged, otherwise I get
could not connect to unix:///run/user/1000/buildkit/buildkitd.sock after 42 trials
========== log ==========
[rootlesskit:child ] error: failed to share mount point: /: permission denied
[rootlesskit:parent] error: child exited: exit status 1
sh: can't kill pid 52: No such processDid anyone manage to run this without privileged?
The runner still needs to be privileged, otherwise I get
could not connect to unix:///run/user/1000/buildkit/buildkitd.sock after 42 trials ========== log ========== [rootlesskit:child ] error: failed to share mount point: /: permission denied [rootlesskit:parent] error: child exited: exit status 1 sh: can't kill pid 52: No such processDid anyone manage to run this without privileged?
I got into the same issue, and after two days of trying things, still can't get it to work
I've tested setting privileged = true and/or security_opt = ["seccomp:unconfined"], as well as adjusting the CI hosts kernel.apparmor_restrict_unprivileged_userns=0 kernel param, all without any success. I get the following error:
time="2025-06-06T04:50:09Z" level=warning msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied"
time="2025-06-06T04:50:09Z" level=warning msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/usr.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/usr/bin/rootlesskit flags=(unconfined) {\n userns,\n\n # Site-specific additions and overrides. See local/README for details.\n include if exists <local/usr.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n"
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
I wonder if any other users have had success in migrating from Kaniko to Buildkit Rootless on self-hosted gitlab-runner? The docs indicate it should be straightforward...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See also: https://gitlab.com/txlab/ci-templates