rootless container in container build on ubuntu 22.04

[Spechal]

Description

Running into permissions issues on a rootless bud build on ubuntu 22.04

Steps to reproduce the issue:

1. docker run -it ubuntu:22.04 bash
2. apt-get update && apt-get install -y buildah sudo
3. adduser builder && usermod -aG sudo builder
4. su - builder
5. Dockerfile: FROM ubuntu:22.04 ENTRYPOINT ["/bin/bash"]
6. buildah bud .

Describe the results you received:
WARN[0000] error running newgidmap: exit status 1: newgidmap: write to gid_map failed: Operation not permitted WARN[0000] falling back to single mapping WARN[0000] error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted WARN[0000] falling back to single mapping STEP 1/2: FROM ubuntu:22.04 Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/shortnames.conf) Trying to pull docker.io/library/ubuntu:22.04... Getting image source signatures Copying blob 5e8117c0bd28 done error creating build container: writing blob: adding layer with blob "sha256:5e8117c0bd28aecad06f7e76d4d3b64734d59c1a0a44541d18060cd8fba30c50": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument ERRO[0004] exit status 125

Describe the results you expected:
STEP 1/2: FROM ubuntu:22.04 STEP 2/2: ENTRYPOINT ["/bin/bash"] COMMIT Getting image source signatures Copying blob 8ceb9643fb36 skipped: already exists Copying blob 5f70bf18a086 [--------------------------------------] 0.0b / 0.0b Copying config 8be8aeff0a done Writing manifest to image destination Storing signatures --> 8be8aeff0a2 8be8aeff0a271bbe7cd13ac2e8f353c0693e811d7e7827b8b87f997868d0b7d2

Output of rpm -q buildah or apt list buildah:

buildah/jammy,now 1.23.1+ds1-2 amd64 [installed]

Output of buildah version:

Version:         1.23.1
Go Version:      go1.17
Image Spec:      1.0.1
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:
image Version:   5.16.0
Git Commit:
Built:           Thu Jan  1 00:00:00 1970
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of podman version if reporting a podman build issue:

(paste your output here)

Output of cat /etc/issue:

Ubuntu 22.04.3 LTS \n \l

Output of uname -a:

Linux 20887440b41d 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

file not found

I am trying to build a container within a container without root. I have spent days and tried numerous things to get this to work without root. If I use sudo buildah bud . then I get the image as expected. Guidance would be appreciated.

[rhatdan]

Take a look at https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile.

You need to setup a user account to run the container in, and you have to provide sufficient UIDs and GIDs in /etc/subuid and /etc/subgid to run the container with.

The container must have CAP_SETUID and CAP_SETGID of the current User Namespace to work.

[gtaylor1981]

I found the following helpful:
apt-get install -y -q libcap2-bin
setcap cap_setuid+ep /usr/bin/newuidmap && chmod u-s /usr/bin/newuidmap
setcap cap_setgid+ep /usr/bin/newgidmap && chmod u-s /usr/bin/newgidmap

A manual Ubuntu-based version of rpm --setcaps shadow-utils from the official Fedora buildah image Containerfile: