Rootless mode¶
Rootless mode allows running BuildKit daemon as a non-root user.
Distribution-specific hint¶
Using Ubuntu kernel is recommended.
Debian GNU/Linux 10¶
Add kernel.unprivileged_userns_clone=1 to /etc/sysctl.conf (or /etc/sysctl.d) and run sudo sysctl -p.
This step is not needed for Debian GNU/Linux 11 and later.
RHEL/CentOS 7¶
Add user.max_user_namespaces=28633 to /etc/sysctl.conf (or /etc/sysctl.d) and run sudo sysctl -p.
This step is not needed for RHEL/CentOS 8 and later.
Fedora, before kernel 5.13¶
You may have to disable SELinux, or run BuildKit with --oci-worker-snapshotter=fuse-overlayfs.
Container-Optimized OS from Google¶
Currently unsupported. See #879.
Known limitations¶
- Using the
overlayfssnapshotter requires kernel >= 5.11 or Ubuntu kernel. On kernel >= 4.18, thefuse-overlayfssnapshotter is used instead ofoverlayfs. On kernel < 4.18, thenativesnapshotter is used. - Network mode is always set to
network.host. - No support for
containerdworker. ("worker" here is a BuildKit term, not a Kubernetes term. Running rootless BuildKit in containerd is fully supported.)
Running BuildKit in Rootless mode¶
RootlessKit needs to be installed.
rootlesskit buildkitd
buildctl --addr unix:///run/user/$UID/buildkit/buildkitd.sock build ...
To isolate BuildKit daemon's network namespace from the host (recommended):
rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback buildkitd
Troubleshooting¶
Error related to overlayfs¶
Try running buildkitd with --oci-worker-snapshotter=fuse-overlayfs:
rootlesskit buildkitd --oci-worker-snapshotter=fuse-overlayfs
Error related to fuse-overlayfs¶
Try running buildkitd with --oci-worker-snapshotter=native:
rootlesskit buildkitd --oci-worker-snapshotter=native
Error related to newuidmap or /etc/subuid¶
See https://rootlesscontaine.rs/getting-started/common/subuid/
Containerized deployment¶
Kubernetes¶
Docker¶
docker run \
--name buildkitd \
-d \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
--device /dev/fuse \
moby/buildkit:rootless --oci-worker-no-process-sandbox
buildctl --addr docker-container://buildkitd build ...
If you don't mind using --privileged (almost safe for rootless), the docker run flags can be shorten as follows:
docker run --name buildkitd -d --privileged moby/buildkit:rootless
About --device /dev/fuse¶
Adding --device /dev/fuse to the docker run arguments is required only if you want to use fuse-overlayfs snapshotter.
About --oci-worker-no-process-sandbox¶
By adding --oci-worker-no-process-sandbox to the buildkitd arguments, BuildKit can be executed in a container without adding --privileged to docker run arguments.
However, you still need to pass --security-opt seccomp=unconfined --security-opt apparmor=unconfined to docker run.
Note that --oci-worker-no-process-sandbox allows build executor containers to kill (and potentially ptrace depending on the seccomp configuration) an arbitrary process in the BuildKit daemon container.
To allow running rootless buildkitd without --oci-worker-no-process-sandbox, run docker run with --security-opt systempaths=unconfined. (For Kubernetes, set securityContext.procMount to Unmasked.)
The --security-opt systempaths=unconfined flag disables the masks for the /proc mount in the container and potentially allows reading and writing dangerous kernel files, but it is safe when you are running buildkitd as non-root.
Change UID/GID¶
The moby/buildkit:rootless image has the following UID/GID configuration:
| Actual ID (shown in the host and the BuildKit daemon container) | Mapped ID (shown in build executor containers) |
|---|---|
| 1000 | 0 |
| 100000 | 1 |
| ... | ... |
| 165535 | 65536 |
$ docker exec buildkitd id
uid=1000(user) gid=1000(user)
$ docker exec buildkitd ps aux
PID USER TIME COMMAND
1 user 0:00 rootlesskit buildkitd --addr tcp://0.0.0.0:1234
13 user 0:00 /proc/self/exe buildkitd --addr tcp://0.0.0.0:1234
21 user 0:00 buildkitd --addr tcp://0.0.0.0:1234
29 user 0:00 ps aux
$ docker exec cat /etc/subuid
user:100000:65536
To change the UID/GID configuration, you need to modify and build the BuildKit image manually.
$ vi Dockerfile
$ make images
$ docker run ... moby/buildkit:local-rootless ...