
Unable to run buildkit. Missing binary?

Open lindhe opened this issue 5 years ago • 2 comments

Hi! Since the advent of Docker 20.10, I got excited to try out rootless for the first time. I'm quite familiar with Docker, but rootless is new territory for me.

I followed the guide, including the common first steps, and simple things work (e.g. docker run hello-world, docker run -it --rm -p 8080:80 httpd and even docker run -it --rm alpine ping -c 3 1.1.1.1). Great!

So then I wanted to see if I could get buildkit to work with me on this project. I went to https://github.com/moby/buildkit/blob/master/docs/rootless.md#running-buildkit-in-rootless-mode and checked out the instructions. Now here's when I run into troubles.

$ rootlesskit buildkitd
[rootlesskit:child ] error: command [buildkitd] exited: exec: "buildkitd": executable file not found in $PATH
[rootlesskit:parent] error: child exited: exit status 1

Fair enough, it's not in my PATH. But I have no idea where to find it. It's not in apt or snap, and it was not included in the bundle of binaries that rootlesskit helped me install in ~/bin either.

And if I try to skip that step and go right to https://github.com/moby/buildkit/blob/master/docs/rootless.md#containerized-deployment I have insufficient privileges to do a UID map:

$ docker run --name buildkitd -it --rm --privileged moby/buildkit:rootless
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
: exit status 1

I'm not quite sure what I should be asking for here, but it feels like there's a step missing in the instructions or perhaps I've just mucked something up. Please help me find a better issue title if you have an idea of what else this could be...

System info

  • OS: Ubuntu 20.04.1 LTS (Focal Fossa)
  • Kernel: 5.4.0-58-generic
  • systemd: 245
  • docker: 20.10.1
  • rootlesskit: 0.11.0

lindhe avatar Dec 20 '20 17:12 lindhe

> Fair enough, it's not in my PATH. But I have no idea where to find it. It's not in apt or snap, and it was not included in the bundle of binaries that rootlesskit helped me install in ~/bin either.

https://github.com/moby/buildkit/releases/download/v0.8.1/buildkit-v0.8.1.linux-amd64.tar.gz

> $ docker run --name buildkitd -it --rm --privileged moby/buildkit:rootless
> [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
> : exit status 1

Please try setting sysctl values on the host

  • kernel.unprivileged_userns_clone=1
  • user.max_user_namespaces=28633
  • https://rootlesscontaine.rs/getting-started/common/sysctl/

AkihiroSuda avatar Dec 21 '20 05:12 AkihiroSuda

Thanks! I've downloaded those binaries now and put them in my PATH. Something works better now:

$ rootlesskit buildkitd
INFO[0000] auto snapshotter: using overlayfs            
INFO[0000] found worker "9sberhgzig3d9iajnyhyx47xw", labels=map[org.mobyproject.buildkit.worker.executor:oci org.mobyproject.buildkit.worker.hostname:blaptop org.mobyproject.buildkit.worker.snapshotter:overlayfs], platforms=[linux/amd64 linux/386] 
WARN[0000] rootless mode is not supported for containerd workers. disabling containerd worker. 
INFO[0000] found 1 workers, default="9sberhgzig3d9iajnyhyx47xw" 
WARN[0000] currently, only the default worker can be used. 
INFO[0000] running server on /run/user/1000/buildkit/buildkitd.sock 

> Please try setting sysctl values on the host
>
>   • kernel.unprivileged_userns_clone=1
>   • user.max_user_namespaces=28633
>   • https://rootlesscontaine.rs/getting-started/common/sysctl/

Since the sysctl page says "These steps are not needed for Ubuntu." I initially skipped them. But then I tried them again when not everything worked out-of-the-box. After your additional suggestions (which I cannot find on that page), my /etc/sysctl.d/99-rootless.conf looks like this:

#kernel.unprivileged_userns_clone=1
#net.ipv4.ping_group_range = 0 2147483647
#net.ipv4.ip_unprivileged_port_start=0

kernel.unprivileged_userns_clone=1
user.max_user_namespaces=28633

I've reloaded by sudo sysctl --system and even restarted my computer. No luck; same error as before:

$ docker run --name buildkitd -it --rm --privileged moby/buildkit:rootless
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 12 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
: exit status 1

lindhe avatar Dec 21 '20 11:12 lindhe
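
The sysctl check suggested in this thread, as an added example that is not part of the original issue or of RootlessKit: it reports what a sysctl.d file sets for the two keys next to the live kernel value. The function names, the PROC_SYS override and treating the two values as minimums are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report what a sysctl.d file sets for the
# two keys suggested above, next to the live kernel value.
# PROC_SYS defaults to /proc/sys; point it at a constructed tree for offline runs.

# conf_value FILE KEY: value assigned to KEY, ignoring comment lines (# or ;).
# The last uncommented assignment in the file wins.
conf_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key)
          sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
          if (key == k) v = val }
        END { if (v != "") print v }' "$1"
}

# live_value KEY: current kernel value, or nothing when the key does not exist
# (kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel patch).
live_value() {
    path="${PROC_SYS:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# check_key KEY MIN FILE: print one status line.
# Returns 0 if live >= MIN, 1 if lower, 2 if the key is absent.
# Treating the thread's values as minimums is an assumption of this example.
check_key() {
    conf=$(conf_value "$3" "$1"); live=$(live_value "$1")
    if [ -z "$live" ]; then
        echo "$1: absent on this kernel (file sets ${conf:-nothing})"; return 2
    elif [ "$live" -ge "$2" ]; then
        echo "$1: ok, live=$live (file sets ${conf:-nothing})"; return 0
    fi
    echo "$1: too low, live=$live want>=$2 (file sets ${conf:-nothing})"; return 1
}

# check_rootless_sysctls FILE: run both checks; non-zero if either is not ok.
check_rootless_sysctls() {
    rc=0
    check_key kernel.unprivileged_userns_clone 1 "$1" || rc=1
    check_key user.max_user_namespaces 28633 "$1" || rc=1
    return $rc
}

# Run against a real file when one is given, e.g. /etc/sysctl.d/99-rootless.conf
if [ -n "${1:-}" ]; then check_rootless_sysctls "$1"; fi
```

A file under /etc/sysctl.d only takes effect after a reload, so a mismatch between the "file sets" and "live" columns means the reload did not apply.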