Use buildah in toolbox

Dear all!

I have Fedora Silverblue 33 and a freshly created toolbox (with sudo dnf update), in which I installed buildah.

But I haven't got it to work. I tried with the default /etc/sub{g,u}id, which was empty, and also with the values from man podman. It proceeds with warnings until buildah commit, which fails.

On the host (I masked my user as <USER>):

$ cat /etc/subuid

In the toolbox:

$ cat  /proc/self/uid_map
         0          1       1000
      1000          0          1
      1001       1001      64536
$ buildah version
Version:         1.19.6
Go Version:      go1.15.8
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:
image Version:   5.10.2
Git Commit:
Built:           Thu Jan  1 01:00:00 1970
OS/Arch:         linux/amd64
$ buildah images
WARN error reading allowed ID mappings: error reading subuid mappings for user "<USER>" and subgid mappings for group "<USER>": No subuid ranges found for user "<USER>" in /etc/subuid
WARN Found no UID ranges set aside for user "<USER>" in /etc/subuid.
WARN Found no GID ranges set aside for user "<USER>" in /etc/subgid.
REPOSITORY   TAG   IMAGE ID       CREATED       SIZE
             33    e6fddaf5336e   3 weeks ago   344 MB
             8.3   4199acc83c6a   3 weeks ago   213 MB

The same WARNs appear with buildah from and buildah run.
But when committing, I got the following:

error committing container "buildah-working-container-2" to "IMAGENAME:TAG": error copying layers and metadata for container "36704fa3036c2dc5ff5a99e18b86603c46574f11b666dda4156efeaea6b67443": Error initializing source containers-storage:buildah-working-container-2: error extracting layer "2ca5c7553aad3deb2b524dbf00aeb4a958cf7ef968f6882f5bac3a22f43aee1c": lgetxattr /var/home/<USER>/.local/share/containers/storage/overlay/912e850f885fefd613a8d96260e762afa8a9b8db681fb6f53625af17b39a8a8f/merged/home/build: permission denied
ERRO exit status 125

On host:

$ ls -an /var/home/<USER>/.local/share/containers/storage/overlay/912e850f885fefd613a8d96260e762afa8a9b8db681fb6f53625af17b39a8a8f
total 24
drwx------.  4 1000 1000 4096 Mar  4 20:52 .
drwx------. 53 1000 1000 4096 Mar  4 20:52 ..
dr-xr-xr-x.  9 1000 1000 4096 Mar  4 18:08 diff
-rw-r--r--.  1 1000 1000   26 Mar  4 18:08 link
-rw-r--r--.  1 1000 1000   57 Mar  4 18:08 lower
drwx------.  2 1000 1000 4096 Mar  4 18:08 work

Do you have any useful link, hint, or idea how to solve it?

Thank you!


So running unprivileged buildah inside a toolbox is running unprivileged buildah inside a rootless podman container, which I don't think is well supported right now. You might want to consider running podman build from outside a toolbox as a first step.

I also found:

that might help.

Thank you for the links!

My current solution is to run buildah ... in the Toolbox for all commands except committing: flatpak-spawn --host buildah commit ...

Interesting: the UID and GID mapping is different between an ordinary podman run and a container started by toolbox. In the former case, other buildah commands such as buildah run ... do not work (permission denied).
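As an added example (not part of the thread, and not buildah's or toolbox's own code): the /proc/self/uid_map pasted in the first post is the three-column format documented in user_namespaces(7), `<inside-start> <outside-start> <length>`, where the outside column is relative to the parent namespace (for a toolbox that is rootless podman's user namespace, not the host). The helper below translates an ID in either direction and reports ranges the map does not cover, which is what lies behind the "permission denied" symptoms when a layer contains files owned by an ID the nested namespace cannot see. The map text is copied from the post; the function names are my own.

```shell
#!/bin/sh
# Added example: translate UIDs across a user namespace using the
# /proc/PID/uid_map format from user_namespaces(7):
#     <inside-start> <outside-start> <length>
# The map below is constructed from the uid_map pasted in the thread
# (keep-id style: uid 1000 inside is uid 0 of the parent namespace).
UID_MAP_FROM_THREAD='         0          1       1000
      1000          0          1
      1001       1001      64536'

# map_uid INSIDE_UID MAP_TEXT
#   Prints the parent-namespace UID for an ID seen inside the namespace.
#   Prints "unmapped" and returns 1 when no line of the map covers it
#   (such IDs show up as the overflow ID, typically 65534/nobody).
map_uid() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# unmap_uid PARENT_UID MAP_TEXT
#   The reverse direction: which UID inside the namespace does a
#   parent-namespace ID appear as? Same "unmapped"/return 1 convention.
unmap_uid() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        NF == 3 && uid >= $2 && uid < $2 + $3 {
            print $1 + (uid - $2); found = 1; exit
        }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# Demonstration on the map from the post. Note that inside uid 0 (root in
# the toolbox) is parent uid 1, and inside uid 1000 is parent uid 0.
for inside in 0 999 1000 1001 65536 65537; do
    printf 'inside uid %-6s -> parent uid %s\n' "$inside" \
        "$(map_uid "$inside" "$UID_MAP_FROM_THREAD" || true)"
done
for parent in 0 1 1000 65537; do
    printf 'parent uid %-6s -> inside uid %s\n' "$parent" \
        "$(unmap_uid "$parent" "$UID_MAP_FROM_THREAD" || true)"
done
```

Run it against a live container with `map_uid "$(id -u)" "$(cat /proc/self/uid_map)"`; to reason about a file on the host you have to apply the host-side map of the rootless podman namespace first and then this nested one, which is why a layer that is perfectly readable under `podman` on the host can contain IDs that are unmapped inside a toolbox.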