[Rootless] Rootless Docker install fails in a docker build due to an unneeded line *somewhere*
dillon-cullinan opened this issue · 2 comments
Details
Known Working Version: 25.0.2
Version: 26.1.3
Hello. I am running into an issue while installing rootless docker into a docker image for a use case that requires rootless-dind. I haven't done a ton of digging as I feel someone more experienced with the codebase can find and fix this easily. I'm not sure exactly what version these changes occurred on, but I know that it works on 25.0.2 and we started seeing failures in 26.1.3.
Reproducer
Simple RUN Reproducer:
RUN export SKIP_IPTABLES=1 \
&& curl -fsSL https://get.docker.com/rootless | sh
This fails with the following error:
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
[ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .
Debugging
Built the container up to its failure point here and ran the install while in a privileged container and it succeeded as expected. So it's possible this could be solved by running the build with insecure buildkit enabled, though this should not be needed as this is an installation, and we shouldn't need to access any host devices at build time.
When running the install script via bash -x instead of sh, we see the offending line:
rootlesskit true
This line produces the exact same failure, but this line is not required for installation. If we install an older version, then run this command, the failure pops up again. This implies that the install itself is healthy, and this is simply a verification step.
Suggested Solution
I'm not sure what underlying source is eventually calling this line, but if we could enable the ability to skip this verification step in the install script, that would be great.
Thank you!