buildah
buildah copied to clipboard
containers
Building images from scratch with dnf fails in rootless mode
Issue Description
As already discussed in #6119 it is no longer possible to build images from scratch using the package manager of the host system (dnf) without root privileges.
Steps to reproduce the issue
Steps to reproduce the issue
- Create the script
unshare.shwith the following content
_CONTAINER_REF=$(buildah from scratch)
_MOUNT_REF=$(buildah mount $_CONTAINER_REF)
dnf install \
--installroot ${_MOUNT_REF:?} \
--use-host-config \
--releasever 42 \
--assumeyes \
--noplugins \
--nodocs \
--setopt install_weak_deps=0 \
--setopt countme=false \
java-21-openjdk-headless curl ca-certificates
buildah commit --format oci $_CONTAINER_REF openjdk:21
buildah umount $_CONTAINER_REF &>/dev/null
buildah rm $_CONTAINER_REF
- Run
buildah unshare bash unshare.sh
Describe the results you received
The dnf command fails with the following errors:
>>> Running sysusers scriptlet: setup-0:2.15.0-13.fc42.noarch
>>> Error in sysusers scriptlet: setup-0:2.15.0-13.fc42.noarch
>>> [RPM] %sysusers(setup-2.15.0-13.fc42.noarch) scriptlet failed, exit status 127
[10/72] Installing filesystem-0:3.18-36.fc42.x86_64 100% | 1.7 MiB/s | 212.4 KiB | 00m00s
>>> [RPM] setup-2.15.0-13.fc42.noarch: install failed
>>> [RPM] failed to open /etc/group for id/name lookup: No such file or directory
>>> [RPM] group mail does not exist - using root
and at the very end:
Transaction failed: Rpm transaction failed.
Describe the results you expected
Scripts like that worked for years but since Fedora 42 (or 41?) they fail. I think that without that functionality one of the best argument for buildah is gone.
Running sudo bash unshare.sh still works. The sysusers scriptlet that fails with "unshare" produces the following output:
[ 8/85] Installing fedora-release-0:42-26.noarch 100% | 4.5 KiB/s | 124.0 B | 00m00s
>>> Running sysusers scriptlet: setup-0:2.15.0-13.fc42.noarch
>>> Finished sysusers scriptlet: setup-0:2.15.0-13.fc42.noarch
>>> Scriptlet output:
>>> Creating group 'adm' with GID 4.
>>> Creating group 'audio' with GID 63.
>>> Creating group 'bin' with GID 1.
>>> Creating group 'cdrom' with GID 11.
>>> Creating group 'clock' with GID 103.
>>> Creating group 'daemon' with GID 2.
>>> Creating group 'dialout' with GID 18.
>>> Creating group 'disk' with GID 6.
>>> Creating group 'floppy' with GID 19.
>>> Creating group 'ftp' with GID 50.
>>> Creating group 'games' with GID 20.
>>> Creating group 'input' with GID 104.
>>> Creating group 'kmem' with GID 9.
>>> Creating group 'kvm' with GID 36.
>>> Creating group 'lock' with GID 54.
>>> Creating group 'lp' with GID 7.
>>> Creating group 'mail' with GID 12.
>>> Creating group 'man' with GID 15.
>>> Creating group 'mem' with GID 8.
>>> Creating group 'nobody' with GID 65534.
>>> Creating group 'render' with GID 105.
>>> Creating group 'root' with GID 0.
>>> Creating group 'sgx' with GID 106.
>>> Creating group 'sys' with GID 3.
>>> Creating group 'tape' with GID 33.
>>> Creating group 'tty' with GID 5.
>>> Creating group 'users' with GID 100.
>>> Creating group 'utmp' with GID 22.
>>> Creating group 'video' with GID 39.
>>> Creating group 'wheel' with GID 10.
>>>
>>> Running sysusers scriptlet: setup-0:2.15.0-13.fc42.noarch
>>> Finished sysusers scriptlet: setup-0:2.15.0-13.fc42.noarch
>>> Scriptlet output:
>>> Creating user 'adm' (adm) with UID 3 and GID 4.
>>> Creating user 'bin' (bin) with UID 1 and GID 1.
>>> Creating user 'daemon' (daemon) with UID 2 and GID 2.
>>> Creating user 'ftp' (FTP User) with UID 14 and GID 50.
>>> Creating user 'games' (games) with UID 12 and GID 20.
>>> Creating user 'halt' (halt) with UID 7 and GID 0.
>>> Creating user 'lp' (lp) with UID 4 and GID 7.
>>> Creating user 'mail' (mail) with UID 8 and GID 12.
>>> Creating user 'nobody' (Kernel Overflow User) with UID 65534 and GID 65534.
>>> Creating user 'operator' (operator) with UID 11 and GID 0.
>>> Creating user 'root' (Super User) with UID 0 and GID 0.
>>> Creating user 'shutdown' (shutdown) with UID 6 and GID 0.
>>> Creating user 'sync' (sync) with UID 5 and GID 0.
buildah version output
Version: 1.40.0
Go Version: go1.24.2
Image Spec: 1.1.1
Runtime Spec: 1.2.1
CNI Spec: 1.1.0
libcni Version:
image Version: 5.35.0
Git Commit:
Built: Tue Apr 22 14:20:12 2025
OS/Arch: linux/amd64
BuildPlatform: linux/amd64
buildah info output
{
"host": {
"CgroupVersion": "v2",
"Distribution": {
"distribution": "fedora",
"version": "42"
},
"MemFree": 36742230016,
"MemTotal": 67183349760,
"OCIRuntime": "crun",
"SwapFree": 8589930496,
"SwapTotal": 8589930496,
"arch": "amd64",
"cpus": 16,
"hostname": "tanwald1",
"kernel": "6.14.9-300.fc42.x86_64",
"os": "linux",
"rootless": true,
"uptime": "1h 12m 11.15s (Approximately 0.04 days)",
"variant": ""
},
"store": {
"ContainerStore": {
"number": 1
},
"GraphDriverName": "overlay",
"GraphOptions": null,
"GraphRoot": "/home/tanwald/.local/share/containers/storage",
"GraphStatus": {
"Backing Filesystem": "btrfs",
"Native Overlay Diff": "true",
"Supports d_type": "true",
"Supports shifting": "false",
"Supports volatile": "true",
"Using metacopy": "false"
},
"ImageStore": {
"number": 32
},
"RunRoot": "/run/user/1000/containers"
}
}
Provide your storage.conf
# This file is the configuration file for all tools
# that use the containers/storage library. The storage.conf file
# overrides all other storage.conf files. Container engines using the
# container/storage library do not inherit fields from other storage.conf
# files.
#
# Note: The storage.conf file overrides other storage.conf files based on this precedence:
# /usr/containers/storage.conf
# /etc/containers/storage.conf
# $HOME/.config/containers/storage.conf
# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"
# Temporary storage location
runroot = "/run/containers/storage"
# Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must
# ensure the labeling matches the default locations labels with the
# following commands:
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
graphroot = "/var/lib/containers/storage"
# Optional alternate location of image store if a location separate from the
# container store is required. If set, it must be different than graphroot.
# imagestore = ""
# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"
# Transient store mode makes all container metadata be saved in temporary storage
# (i.e. runroot above). This is faster, but doesn't persist across reboots.
# Additional garbage collection must also be performed at boot-time, so this
# option should remain disabled in most configurations.
# transient_store = true
[storage.options]
# Storage options to be passed to underlying storage drivers
# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
"/usr/lib/containers/storage",
]
# Allows specification of how storage is populated when pulling images. This
# option can speed the pulling process of images compressed with format
# zstd:chunked. Containers/storage looks for files within images that are being
# pulled from a container registry that were previously pulled to the host. It
# can copy or create a hard link to the existing file when it finds them,
# eliminating the need to pull them from the container registry. These options
# can deduplicate pulling of content, disk storage of content and can allow the
# kernel to use less memory when running containers.
# containers/storage supports four keys
# * enable_partial_images="true" | "false"
# Tells containers/storage to look for files previously pulled in storage
# rather then always pulling them from the container registry.
# * use_hard_links = "false" | "true"
# Tells containers/storage to use hard links rather then create new files in
# the image, if an identical file already existed in storage.
# * ostree_repos = ""
# Tells containers/storage where an ostree repository exists that might have
# previously pulled content which can be used when attempting to avoid
# pulling content from the container registry
# * convert_images = "false" | "true"
# If set to true, containers/storage will convert images to a
# format compatible with partial pulls in order to take advantage
# of local deduplication and hard linking. It is an expensive
# operation so it is not enabled by default.
pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs. Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = "0:1668442479:65536"
# remap-gids = "0:1668442479:65536"
# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps. This setting overrides the
# Remap-UIDs/GIDs setting.
#
# remap-user = "containers"
# remap-group = "containers"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
# to containers configured to create automatically a user namespace. Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the maximum size for a user namespace created automatically.
# auto-userns-max-size=65536
[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids. Note multiple UIDs will be
# squashed down to the default uid in the container. These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"
# Inodes is used to set a maximum inodes of the container image.
# inodes = ""
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"
# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"
# Set to use composefs to mount data layers with overlay.
# use_composefs = "false"
# Size is used to set a maximum size of the container image.
# size = ""
# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
# "": No value specified.
# All files/directories, get set with the permissions identified within the
# image.
# "private": it is equivalent to 0700.
# All files/directories get set with 0700 permissions. The owner has rwx
# access to the files. No other users on the system can access the files.
# This setting could be used with networked based homedirs.
# "shared": it is equivalent to 0755.
# The owner has rwx access to the files and everyone else can read, access
# and execute them. This setting is useful for sharing containers storage
# with other users. For instance have a storage owned by root but shared
# to rootless users as an additional store.
# NOTE: All files within the image are made readable and executable by any
# user on the system. Even /etc/shadow within your image is now readable by
# any user.
#
# OCTAL: Users can experiment with other OCTAL Permissions.
#
# Note: The force_mask Flag is an experimental feature, it could change in the
# future. When "force_mask" is set the original permission mask is stored in
# the "user.containers.override_stat" xattr and the "mount_program" option must
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
# extended attribute permissions to processes within containers rather than the
# "force_mask" permissions.
#
# force_mask = ""
Upstream Latest Release
No
Additional environment details
No response
Additional information
No response
https://bugzilla.redhat.com/show_bug.cgi?id=1965813 suggests that --setopt "*.countme=false" works better for overriding the setting for repositories whose configuration snippets enable it, and experimentally, it gets me farther.
A friendly reminder that this issue had no activity for 30 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}