User namespace remapping breaks BuildKit-powered builds (19.03.2)

[mejedi]

With version 19.03.2, enabling user namespace remapping breaks BuildKit-powered builds.

Steps to reproduce the issue:

1. Enable user namespace remapping;
2. Dockerfile:

FROM alpine as test
RUN id

3. DOCKER_BUILDKIT=1 docker build . --progress=plain

Describe the results you received:

Build fails.

#2 [internal] load .dockerignore
#2 transferring context: 2B done
#2 DONE 0.0s

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 64B done
#1 DONE 0.0s

#3 [internal] load metadata for docker.io/library/alpine:latest
#3 DONE 0.0s

#4 [1/2] FROM docker.io/library/alpine
#4 CACHED

#5 [2/2] RUN id
#5 0.173 container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"rootfs_linux.go:58: mounting \\\"/run/runc/1argvey9yo2x2mwmd7nplwwua/notify.sock\\\" to rootfs \\\"/var/lib/docker/231072.231072/buildkit/executor/1argvey9yo2x2mwmd7nplwwua/rootfs\\\" at \\\"/run/systemd/notify\\\" caused \\\"stat /run/runc/1argvey9yo2x2mwmd7nplwwua/notify.sock: permission denied\\\"\""
#5 ERROR: executor failed running [/bin/sh -c id]: exit code: 1
------
 > [2/2] RUN id:
------
failed to solve with frontend dockerfile.v0: failed to build LLB: executor failed running [/bin/sh -c id]: exit code: 1

Describe the results you expected:

Should've succeeded.

Additional information you deem important (e.g. issue happens only occasionally):

Works just fine without either BuildKit or user namespace remapping. This is a clean install, i.e. not upgrading from a prior version.

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.2
 API version:       1.40
 Go version:        go1.12.8
 Git commit:        6a30dfc
 Built:             Thu Aug 29 05:29:11 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.2
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.8
  Git commit:       6a30dfc
  Built:            Thu Aug 29 05:27:45 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 19.03.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
  userns
 Kernel Version: 4.15.0-60-generic
 Operating System: Ubuntu 18.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 985.6MiB
 Name: kvm-experiment
 ID: WWEW:H7D5:Q7Y3:7CCW:2WON:OR4N:RQMT:6DMC:QVBF:6RME:ENUV:36MN
 Docker Root Dir: /var/lib/docker/231072.231072
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

[AkihiroSuda]

did it work in 19.03.1?

[mejedi]

I've downgraded to 19.03.1 and this particular Dockerfile builds without issues.

[AkihiroSuda]

cc @tonistiigi @tiborvass

[urusha]

Same here. While 19.03.1 buildkit builds pushed to registry and then pulled on another host didn't work (CMD: file not found), now building fails with the mentioned error.
debian stretch amd64
Docker version 19.03.1, build 74b1e89

[tonistiigi]

Couldn't reproduce:

/foo # DOCKER_BUILDKIT=1 docker build . --progress=plain --no-cache
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 64B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/alpine:latest
#3 DONE 0.3s

#4 [1/2] FROM docker.io/library/alpine@sha256:72c42ed48c3a2db31b7dafe17d275...
#4 CACHED

#5 [2/2] RUN id
#5 0.417 uid=0(root) gid=0(root)
#5 DONE 0.5s

#6 exporting to image
#6 exporting layers
#6 exporting layers 0.2s done
#6 writing image sha256:b38d3d776449731ef4eeea70fda394666d1be9e0b19c28d77290fbba49b05b6f done
#6 DONE 0.2s
/foo # docker version
Client: Docker Engine - Community
 Version:           19.03.2
 API version:       1.40
 Go version:        go1.12.8
 Git commit:        6a30dfca03
 Built:             Thu Aug 29 05:26:30 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.2
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.8
  Git commit:       6a30dfca03
  Built:            Thu Aug 29 05:32:56 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
/foo # docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 19.03.2
 Storage Driver: overlay
  Backing Filesystem: xfs
  Supports d_type: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  userns
 Kernel Version: 4.19.0-0.bpo.5-amd64
 Operating System: Alpine Linux v3.10 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 4.676GiB
 Name: 53e96852a1cf
 ID: FAA7:LRRZ:KOX5:HBD3:ZYZE:J6Q6:OCGI:WJ5N:STYS:H422:53O2:MOWO
 Docker Root Dir: /var/lib/docker/100000.100000
 Debug Mode: true
  File Descriptors: 25
  Goroutines: 47
  System Time: 2019-09-05T00:24:05.286281442Z
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

[mejedi]

@tonistiigi I can spot the differences in our configurations: extfs vs. zfs, kernel 4.15.0-60 vs. 4.19.0-0.

Would it be possible for you to try it in Ubuntu 18.04.3 LTS?

[urusha]

So, I've created fresh debian-stretch-amd64 box where this reproduces, then upgraded to stretch-backports version of systemd(241) and linux (4.19.0-0.bpo.5-amd64). Still reproduces.
I and @mejedi both have Storage Driver: overlay2 instead of overlay, could this be the reason?

# docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
  userns
 Kernel Version: 4.19.0-0.bpo.5-amd64
 Operating System: Debian GNU/Linux 9 (stretch)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 483.1MiB
 Name: kms
 ID: HDH7:GMZA:CRFK:GYJ4:C2BW:55E4:ROUO:WQDB:EKZV:VMXZ:PLOZ:DBPL
 Docker Root Dir: /var/lib/docker/100000.100000
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

[tonistiigi]

This is broken when systemd and socket activation is used because runc automatically tries to forward NOTIFY_SOCKET if it is set for the calling process even if no such mounts or environment variables exist in oci spec https://github.com/opencontainers/runc/blob/master/notify_socket.go#L48-L49 . My guess is that only reason this does not appear for regular containers is that socket activation is not enabled in the containerd unit files while it is in docker's.

@crosbymichael atm I have no way to fix this from docker or buildkit side. go-runc library always inherits all environment variables from caller with no way to customize it. One could argue that runc behavior should be much more explicit as well and require a specific flag if this modification of spec is expected. How do you want to approach this?

19.03.1 isn't really correct but undefined behavior as buildkit userns support was added only in 19.03.2 . A workaround is to disable socket activation for docker service by removing Type=notify

[mejedi]

Still failing the same way on 19.03.3