Type: Suggestion
Resolution: Unresolved
Component/s: Pipelines - Docker Run
If you are using the Buildah OCI tool (https://github.com/containers/buildah) on Pipelines, Docker on Pipelines prohibits the build by blocking the unshare syscall.
As per the fix (https://github.com/containers/buildah/issues/1901), you will need to run Docker with Podman by providing a seccomp.json file.
Without Podman:
$> docker run -ti quay.io/buildah/stable buildah info
Error during unshare(CLONE_NEWUSER): Operation not permitted
ERRO error parsing PID "": strconv.Atoi: parsing "": invalid syntax
ERRO (unable to determine exit status)
With Podman seccomp.json file:
$> docker run --security-opt seccomp=seccomp.json --rm -it quay.io/buildah/stable buildah info
{
"host": {
"CgroupVersion": "v1",
"Distribution": {
"distribution": "fedora",
"version": "31"
},....................................................................
Feature request:
It would be nice if we could revise the current allowed syscall policy and check if it's necessary to filter out unshare.
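Added example, not part of the report above and not code from the Buildah or Podman projects: rather than replacing the whole seccomp profile with Podman's seccomp.json, a narrower fix is to take the profile you already run and add only the syscalls the build needs, so the rest of the default filter stays in force. The script below evaluates a Docker-style profile the way Docker selects rules (capability-gated rules only apply when the container holds the listed caps) and derives a copy with an unconditional allow rule. SAMPLE_PROFILE is a constructed, trimmed-down stand-in for Docker's real default profile, and BUILDAH_SYSCALLS is an assumption seeded from the unshare error in the report; both are labelled as such in the code.

```python
"""Derive a seccomp profile that lets Buildah's user-namespace setup run.

Added example (not from the issue report, Buildah or Podman): start from the
profile you already run and add only the syscalls the build needs.  The real
Docker default profile is far longer than SAMPLE_PROFILE; only its shape is
reproduced here.
"""
import copy
import json

# Constructed, trimmed-down profile in Docker's seccomp JSON layout.
# ASSUMPTION: mirrors the way Docker gates unshare/mount/setns behind
# CAP_SYS_ADMIN; the real file carries hundreds of syscall names.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "execve", "clone", "getpid", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        },
        {
            "names": ["mount", "umount2", "setns", "unshare"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "includes": {"caps": ["CAP_SYS_ADMIN"]},
        },
    ],
}

# ASSUMPTION: syscalls a rootless Buildah needs beyond the usual allow list.
# unshare is the one named in the error above; the others are what namespace
# setup typically calls next.  Extend this from an strace of a real build.
BUILDAH_SYSCALLS = ("unshare", "setns", "mount", "umount2")


def syscall_action(profile, name, caps=frozenset()):
    """Action the profile assigns to syscall `name` for a container whose
    bounding capability set is `caps`.

    Follows Docker's rule selection: a rule with includes.caps only applies
    when the container holds every listed capability, and a rule with
    excludes.caps is skipped when it holds any of them.  Architecture and
    argument filters are ignored (simplification for this example).
    """
    for rule in profile["syscalls"]:
        if name not in rule["names"]:
            continue
        required = set(rule.get("includes", {}).get("caps", []))
        forbidden = set(rule.get("excludes", {}).get("caps", []))
        if required and not required <= caps:
            continue
        if forbidden & caps:
            continue
        return rule["action"]
    return profile["defaultAction"]


def allow_syscalls(profile, names):
    """Return a copy of `profile` with an unconditional ALLOW rule for `names`.

    The new rule is placed first so it wins over any later capability-gated
    rule for the same syscall.  The input profile is left untouched so the
    original file can still be diffed against the derived one.
    """
    patched = copy.deepcopy(profile)
    patched["syscalls"].insert(
        0, {"names": sorted(names), "action": "SCMP_ACT_ALLOW", "args": []}
    )
    return patched


def render_profile(profile):
    """JSON text in the form `docker run --security-opt seccomp=<file>` loads."""
    return json.dumps(profile, indent=2) + "\n"


if __name__ == "__main__":
    # Without CAP_SYS_ADMIN (not in Docker's default cap set) unshare is
    # refused, which is the EPERM behind "Error during unshare(CLONE_NEWUSER)".
    print("default profile:", syscall_action(SAMPLE_PROFILE, "unshare"))
    derived = allow_syscalls(SAMPLE_PROFILE, BUILDAH_SYSCALLS)
    print("derived profile:", syscall_action(derived, "unshare"))
    with open("buildah-seccomp.json", "w") as fh:
        fh.write(render_profile(derived))
    print("wrote buildah-seccomp.json; use it with "
          "docker run --security-opt seccomp=buildah-seccomp.json ...")
```

Two caveats when applying this to the real default profile. First, Docker also restricts clone by argument (the namespace flags), which this evaluator does not model, so a build that still fails after unshare is allowed should be traced with strace before adding more names. Second, allowing unshare lets any process in the build container create user namespaces, which exposes more kernel surface to unprivileged code; that trade-off is the reason the default profile blocks it, so scope the relaxed profile to the build step that needs it rather than to the whole pipeline.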