Description
Is this a bug report, feature (enhancement) request or question? (leave only one on its own line)
/kind bug
Description:
I was trying to build a aarch64-based rpm-ostree tree inside a podman container on an x86_64 based host system, which led me down a bit of a rabbit hole: rpm-ostree uses bwrap when composing a tree, but apparently, bwrap cannot create a new namespace inside the container when using qemu-user-static.
Steps to reproduce the issue:
- Build two different podman images from this Dockerfile:
FROM registry.fedoraproject.org/fedora:36
RUN dnf -y update
RUN dnf install -y bubblewrap
RUN useradd builder; \
echo builder:10000:5000 > /etc/subuid; \
echo builder:10000:5000 > /etc/subgid;
RUN chown builder:builder -R /home/builder
One of these images is built with the option --arch=arm64, the other is built for the host architecture (x86_64).
- Run for each of the images: 3.
podman run --rm --security-opt label=disable --user=builder <image> bwrap --dev-bind / / echo test
Describe the results you received:
On the container with the host architecture, the result is (as expected):
test
On the arm64 container run through qemu-user-static, the result is instead:
bwrap: Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.
Describe the results you expected:
I expect both containers to be able to run bwrap properly and to print out "test".
Environment:
- QEMU version: qemu-6.1.0
- Container application: Podman
Output of podman version
Version: 3.4.4
API Version: 3.4.4
Go Version: go1.16.8
Built: Wed Dec 8 22:45:07 2021
OS/Arch: linux/amd64