docker - Run buildah within gitlab-ci

Question

I want to use buildah from gitlab-ci, in order to build an image, run a container from it and do some tests against it.

My current gitlab-ci is:

tests:
  tags:
    - docker
  image: quay.io/buildah/stable
  stage: test
  variables:
      STORAGE_DRIVER: "vfs"
      BUILDAH_FORMAT: "docker"
      BUILDAH_ISOLATION: "rootless"
  only:
    refs:
      - merge_requests
    changes:
      - **/*
  script:
    - buildah info --debug
    - buildah unshare docker/test/run.sh

My runner is private gitlab runner, I don't want to change its configuration (to not break other CI).

The content of run.sh is:

#!/usr/bin/env bash
set -euo pipefail
container=$(buildah --ulimit nofile=8192 --name my-container from phusion/baseimage:bionic-1.0.0-amd64)

The error is:

level=warning msg="error reading allowed ID mappings: error reading subuid mappings for user "root" and subgid mappings for group "root": No subuid ranges found for user "root" in /etc/subuid" level=warning msg="Found no UID ranges set aside for user "root" in /etc/subuid." level=warning msg="Found no GID ranges set aside for user "root" in /etc/subgid." No buildah sali-container already exists... Package Sali Creating sali-container Completed short name "phusion/baseimage" with unqualified-search registries (origin: /etc/containers/registries.conf) Getting image source signatures Copying blob 
sha256:36505266dcc64eeb1010bd2112e6f73981e1a8246e4f6d4e287763b57f101b0b Copying blob 
sha256:1907967438a7f3c5ff54c8002847fe52ed596a9cc250c0987f1e2205a7005ff9 Copying blob 
sha256:23884877105a7ff84a910895cd044061a4561385ff6c36480ee080b76ec0e771 Copying blob 
sha256:2910811b6c4227c2f42aaea9a3dd5f53b1d469f67e2cf7e601f631b119b61ff7 Copying blob 
sha256:bc38caa0f5b94141276220daaf428892096e4afd24b05668cd188311e00a635f Copying blob 
sha256:53c90fd859186b7b770d65adcb6ae577d4c61133f033e628530b1fd8dc0af643 Copying blob 
sha256:d039079bb3a9bf1acf69e7c00db0e6559a86148c906ba5dab06b67c694bbe87c Copying config 
sha256:32c929dd2961004079c1e35f8eb5ef25b9dd23f32bc58ac7eccd72b4aa19f262 Writing manifest to image destination Storing signatures level=error msg="Error while applying layer: ApplyLayer
 exit status 1 stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument" 4 errors occurred while pulling:  
* Error initializing source docker://registry.fedoraproject.org/phusion/baseimage:bionic-1.0.0-amd64: Error reading manifest bionic-1.0.0-amd64 in registry.fedoraproject.org/phusion/baseimage: manifest unknown: manifest unknown  
* Error initializing source docker://registry.access.redhat.com/phusion/baseimage:bionic-1.0.0-amd64: Error reading manifest bionic-1.0.0-amd64 in registry.access.redhat.com/phusion/baseimage: name unknown: Repo not found  
* Error initializing source docker://registry.centos.org/phusion/baseimage:bionic-1.0.0-amd64: Error reading manifest bionic-1.0.0-amd64 in registry.centos.org/phusion/baseimage: manifest unknown: manifest unknown  
* Error committing the finished image: error adding layer with blob "sha256:23884877105a7ff84a910895cd044061a4561385ff6c36480ee080b76ec0e771": ApplyLayer exit status 1 stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument level=error msg="exit status 125" level=error msg="exit status 125"

The result of buildah info --debug:

{
    "debug": {
        "buildah version": "1.18.0",
        "compiler": "gc",
        "git commit": "",
        "go version": "go1.15.2"
    },
    "host": {
        "CgroupVersion": "v1",
        "Distribution": {
            "distribution": "fedora",
            "version": "33"
        },
        "MemFree": 9021378560,
        "MemTotal": 15768850432,
        "OCIRuntime": "runc",
        "SwapFree": 0,
        "SwapTotal": 0,
        "arch": "amd64",
        "cpus": 4,
        "hostname": "runner-cvBUQadt-project-2197143-concurrent-0",
        "kernel": "4.14.83+",
        "os": "linux",
        "rootless": false,
        "uptime": "6391h 28m 15.45s (Approximately 266.29 days)"
    },
    "store": {
        "ContainerStore": {
            "number": 0
        },
        "GraphDriverName": "vfs",
        "GraphOptions": [
            "vfs.imagestore=/var/lib/shared"
        ],
        "GraphRoot": "/var/lib/containers/storage",
        "GraphStatus": {},
        "ImageStore": {
            "number": 0
        },
        "RunRoot": "/var/run/containers/storage"
    }
}

I read other posts about the errors I had and came to this configuration, which is not enough. I choose buildah by thinking it would be easy to use from a CI as it is supposed to run rootless, but this is a real nightmare... I am poor lonesome developer and not a sysadmin, I don't understand how to setup linux for buildah... Can somebody help me?

question from:https://stackoverflow.com/questions/65598939/run-buildah-within-gitlab-ci

Answer 1

Buildah is going to need to run as root or within a user namespace with sufficent UIDs to install files with different UID.

This looks like for some reason buildah thought it should run within a user namespace and then did not find root listed within the user namespace. This usually happens when you did not run with enough privileges.