Add buildah as container runtime

[jensrudolf]

Good Afternoon.

Podman has some limitations/features especially when run as Podman in Podman. E.g. masking of some paths in /proc for security reasons. This leads to errors like:

[1/4] STEP 12/12: RUN /output/scripts/pip_install $PYCMD
error running container: from /usr/bin/crun creating container for [/bin/sh -c /output/scripts/pip_install $PYCMD]: mount `proc` to `proc`: Operation not permitted
: exit status 

when running ansible-builder from within the Ansible Dev Tools container which itself is executed in a CI pipeline running on a docker/podman executor.

However, building the Containerfile with buildah, e.g. from quay.io/containers/buildah:lastest runs flawlessly. In the end it would be nice to have buildah also added to the dev tools container but integration into ansible-builder as selectable container runtime would be a good first step IMHO.

BR
Jens

[Shrews]

I know that in newer version of the ADT container, they made some changes to how they built that container that allows ansible-builder to work within the podman-in-podman environment. I'm not certain what version that would be in, so you'd need to either try the latest version, or check with the dev tools team for specifics.

[jensrudolf]

I am already on community-ansible-dev-tools:v2024.12.0 (latest) which was released two days ago. Unfortunately, I still get the same error: podman masks parts of /proc which results in failure of the RUN statement of the generated containerfile during podman build.

As podman is primarily for running pods and containers, wouldn't it make more sense to use buildah anyway? It is specifically engineered for building container images and that's what ansible-builder is doing at its heart.

[sivel]

Can you use ansible-builder create and then using the created context, then run buildah build using the Containerfile and supplied context?

[jensrudolf]

Yes, that is what I am already doing an what works within CI as buildah is not masking anything in /proc. Being able to run this with one command (and maybe also supplying dev-tools-containter image with buildah) would simplify the necessary steps.

Therefore, this issue is more or less a suggestion to add some flexibility and easy of use.