Flatpak build fails in flatpak-builder: bwrap can't create user namespace in unprivileged runner container #313
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol#313
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Follow-up to #293/#294. With the Rust 1.85 bump (#294) the Tauri binary now compiles successfully on tag runs, but the Flatpak job then fails one step later in
flatpak-builder. Confirmed on run 780.Failing step + evidence
The
carolRust binary compiles (Finished release profile [optimized] target(s) in 3m 03s), thenflatpak-builderdies on the module's first build-command:Root cause
flatpak-builderruns every modulebuild-commandinside abwrapsandbox, which mustunshare()a new unprivileged user namespace. The job runs in containerghcr.io/catthehacker/ubuntu:js-24.04on the self-hosted act_runner, and that container isn't permitted to create user namespaces →Operation not permitted. (The earlier non-fatalbwrapwarning during theorg.freedesktop.Platform.openh264install is the same cause surfacing harmlessly.) The existing--disable-rofiles-fuseflag only addresses the FUSE overlay, not the userns requirement.Fix (when we're ready to apply it)
Add
options: --privilegedto the job'scontainer:block in.forgejo/workflows/release-flatpak.yml:The minimal-cap variant (
--security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/fuse) does not by itself re-enable unprivileged userns creation, so it generally still fails with the same error.flatpak-builderhas no "disable sandbox" flag (onlyflatpak builddoes), and even a trivialinstallbuild-command runs through bwrap — so--privilegedis the standard fix.⚠️ Why this is held / not a YAML-only change
--privilegedgrants the release CI container broad host access — a deliberate posture change worth weighing for a tag-triggered release job.container.options: --privilegedis only honored if act_runner allows it. On the runner host'sconfig.yaml: …then restart act_runner. Also the host's Docker daemon must allow privileged containers and unprivileged userns (nokernel.unprivileged_userns_clone=0, no userns-remap). These are owner/runner-side actions the workflow change alone can't satisfy.Remaining latent steps (unproven — past the bwrap wall)
The build has never progressed beyond this point, so each of these could be the next failure once userns works:
carolmodule'sinstallcommands (desktop file, metainfo XML, 8 icon sizes) — files must exist next to the manifest.appstreamcli composeovertech.wynning.carol.metainfo.xml) — most likely next failure if the metainfo is malformed.flatpak build-exportandflatpak build-bundle.forge.int.wynning.techfor the same-tag release page (untested timing assumption).Verify
On the next
v*.*.*tag run, thebwrap: Creating new namespace failedline should be gone andflatpak-buildershould proceed through the remaininginstallcommands →build-bundle→.flatpakattach.Relates to #278, #293, #294, run 780.