User namespaces not set up right in podman runner
When attempting to build a container using the unshare user namespace capability, the container build fails with:
unshare: unshare failed: Operation not permitted
E: unable to unshare the mount namespace
Unshare should work in an unprivileged setup; in fact, I've got an unprivileged podman runner that is able to do this successfully with the exact same repository (I can provide build logs if you like, but they don't really show you anything except that those errors are not produced and the jobs succeed).
User namespace support needs to be properly enabled for this to work, and it appears there is something missing in the podman setup here that is making this not work.
Looking at my setup, the following things are done on new unprivileged podman containers to make this work:
- kernel.unprivileged_userns_clone = 1
- fuse_overlayfs (you are using native overlayfs, so maybe this is an important distinction?)
- slirp4netns
- The gitlab-runner user has /etc/subuid /etc/subgid entries on the host
- systemctl --user --now enable podman.socket (as the user in question)
- loginctl enable-linger gitlab-runner
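A pre-flight script for the checklist above, added here as an example (it is not from the original report or from the GitLab runner project): it verifies the sysctl, the subuid/subgid ranges, the helper binaries, lingering, and that an unprivileged `unshare -Ur` actually works. Helper names are hypothetical, the 65536 minimum range and the systemd linger path are assumptions, and it is meant to be run as the runner user.

```shell
#!/bin/sh
# Added example, not from the original issue: verifies the rootless-podman
# prerequisites the report lists. Run it as the runner user, e.g.
#   sudo -u gitlab-runner sh check_rootless.sh gitlab-runner
# Helper names are hypothetical; 65536 is the usual minimum subordinate range.

# has_subid_range USER CONTENT: succeed if CONTENT (text of /etc/subuid or
# /etc/subgid, "name:start:count" lines) gives USER a range of >= 65536 ids.
has_subid_range() {
  printf '%s\n' "$2" | awk -F: -v u="$1" \
    '$1 == u && $3 >= 65536 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# userns_clone_enabled VALUE: succeed if the sysctl reading VALUE is "1".
userns_clone_enabled() {
  [ "$1" = "1" ]
}

# run_check DESCRIPTION COMMAND [ARGS...]: print PASS/FAIL, remember failures.
run_check() {
  desc="$1"; shift
  if "$@" >/dev/null 2>&1; then echo "PASS: $desc"; else echo "FAIL: $desc"; rc=1; fi
}

# check_runner_host USER: live checks on this host; returns 1 if any failed.
check_runner_host() {
  user="$1"; rc=0
  sysctl_file=/proc/sys/kernel/unprivileged_userns_clone
  if [ -r "$sysctl_file" ]; then
    run_check "kernel.unprivileged_userns_clone = 1" \
      userns_clone_enabled "$(cat "$sysctl_file")"
  else
    echo "SKIP: $sysctl_file absent (Debian-patched kernels only; check user.max_user_namespaces instead)"
  fi
  for f in /etc/subuid /etc/subgid; do
    run_check "$user has a >=65536 id range in $f" \
      has_subid_range "$user" "$(cat "$f" 2>/dev/null)"
  done
  run_check "fuse-overlayfs installed" command -v fuse-overlayfs
  run_check "slirp4netns installed" command -v slirp4netns
  run_check "loginctl enable-linger $user" test -e "/var/lib/systemd/linger/$user"
  run_check "unprivileged 'unshare -Ur true' works" unshare -Ur true
  return "$rc"
}

# Only run the live checks when a user name is given on the command line.
if [ -n "${1:-}" ]; then check_runner_host "$1"; fi
```

A FAIL on the `unshare -Ur` line with everything else passing usually points at a kernel or container-engine restriction rather than at the podman configuration itself.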