bubblewrap does not work in aarch64 container on x86_64 host

[Siroj42]

Is this a bug report, feature (enhancement) request or question? (leave only one on its own line)

/kind bug

Description:

I was trying to build a aarch64-based rpm-ostree tree inside a podman container on an x86_64 based host system, which led me down a bit of a rabbit hole: rpm-ostree uses bwrap when composing a tree, but apparently, bwrap cannot create a new namespace inside the container when using qemu-user-static.

Steps to reproduce the issue:

1. Build two different podman images from this Dockerfile:

FROM registry.fedoraproject.org/fedora:36

RUN dnf -y update
RUN dnf install -y bubblewrap

RUN useradd builder; \
echo builder:10000:5000 > /etc/subuid; \
echo builder:10000:5000 > /etc/subgid;

RUN chown builder:builder -R /home/builder

One of these images is built with the option --arch=arm64, the other is built for the host architecture (x86_64).

2. Run for each of the images: 3.

podman run --rm --security-opt label=disable --user=builder <image> bwrap --dev-bind / / echo test

Describe the results you received:

On the container with the host architecture, the result is (as expected):

test

On the arm64 container run through qemu-user-static, the result is instead:

bwrap: Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.

Describe the results you expected:

I expect both containers to be able to run bwrap properly and to print out "test".

Environment:

• QEMU version: qemu-6.1.0
• Container application: Podman

Output of podman version

Version: 3.4.4
API Version: 3.4.4
Go Version: go1.16.8
Built: Wed Dec  8 22:45:07 2021
OS/Arch: linux/amd64

[ziswiler]

More that two years later I am still hitting the same issue 😓. Is there any way to overcome this? Thanks!