Use `mount` without `--privileged`?

Hello

I am trying to build a containerized cross-compilation environment (building Arm and Arm64 on x86_64) that produces non-root outputs.

uname -a
Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
docker --version
Docker version 18.06.0-ce, build 0ffa825

The environment has qemu-user-static installed which allows ARM binaries to run if /proc/sys/fs/binfmt_misc/qemu-arm is mounted by running

mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc/

No matter how I configure the container and/or users, mount always fails with "mount: only root can use "--types" option" or, if using --cap-add all, something like this:

$ docker run --cap-add all -v ~/src:/src arm64
----------------------------------------------------------------
User: root
mount: binfmt_misc is write-protected, mounting read-only
mount: cannot mount binfmt_misc read-only
mount: binfmt_misc is write-protected, mounting read-only
mount: cannot mount binfmt_misc read-only
update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
cat: /proc/sys/fs/binfmt_misc/qemu-arm: No such file or directory
Error: No proc/sys/fs/binfmt_misc/qemu-arm.

The container CMD entry point is a script containing the following attempts to get things to work

#!/bin/sh
echo "----------------------------------------------------------------"
echo "User: $(whoami)"
#su 
# Mount binfmt_misc so the qemu-arm handler becomes visible in the container
mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc/
#mount
update-binfmts --enable qemu-arm 
cat /proc/sys/fs/binfmt_misc/qemu-arm
if [ ! -e "/proc/sys/fs/binfmt_misc/qemu-arm" ]; then
	echo "Error: No proc/sys/fs/binfmt_misc/qemu-arm."
	exit 1
fi
echo "----------------------------------------------------------------"
# Create an unprivileged user so build outputs are not owned by root
adduser --disabled-password --gecos '' docker
adduser docker sudo
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# su -m docker -c /src/docker/arm64/main.sh
su -m docker -c /src/docker/arm64/main.sh

I suspect what I really need is something like that discussed here: https://github.com/moby/moby/issues/1916

Any help welcomed. Thanks for listening.

Hi, I know this is very old but I’m facing the same issue today. Do you remember if you ever figured out a workaround for this?

You need to use --platform to set the cpu architecture, if you want to run a container and handle the builds inside the container yourself.

Here is an example:

# cpu architecture of host
me@docker:~$ uname -m
x86_64

# default cpu architecture inside the container
me@docker:~$ docker run --rm -ti ubuntu:latest uname -m
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
3153aa388d02: Pull complete
Digest: sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
Status: Downloaded newer image for ubuntu:latest
x86_64

# cpu architecture inside the container
me@docker:~$ docker run --rm -ti --platform linux/arm/v7 ubuntu:latest uname -m
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
579b5cf0e0f3: Pull complete
Digest: sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
Status: Downloaded newer image for ubuntu:latest
armv7

Note: once you specify --platform, the image tag will replace the tag for the default environment, which shows a warning like this and uses the platform the image was made for:

me@docker:~$ docker run --rm -ti ubuntu:latest uname -m
WARNING: The requested image's platform (linux/arm/v7) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
armv7

Notice how the same command now shows armv7, even though above it showed x86_64.

Though, if you are looking to build an image using a Dockerfile, you will need to use it like this:

 docker buildx build --platform  ...

See https://docs.docker.com/engine/reference/commandline/buildx_build/#platform for details.
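An added check, not code from either poster in this thread: running a foreign-architecture image with --platform depends on a qemu handler being registered in the host kernel's binfmt_misc, which is why mounting binfmt_misc from inside a container (with --privileged or --cap-add all) is the wrong place to fix it. The script below reads a binfmt_misc entry in the format the kernel exposes under /proc/sys/fs/binfmt_misc and decides whether it is usable, so the check can run on the host before any container is started. SAMPLE_ENTRY is a constructed copy of a typical qemu-arm entry; the interpreter path and flags in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect a binfmt_misc registration as
# the host kernel exposes it and decide whether Docker can rely on it.
#
# SAMPLE_ENTRY is a constructed copy of what /proc/sys/fs/binfmt_misc/qemu-arm
# typically contains; interpreter path and flags are assumptions.
SAMPLE_ENTRY='enabled
interpreter /usr/bin/qemu-arm-static
flags: F
offset 0
magic 7f454c4601010100000000000000000002002800
mask ffffffffffffff00fffffffffffffffffeffffff'

# binfmt_status ENTRY_TEXT: prints enabled, disabled or missing.
# Returns 0 only when the handler is enabled.
binfmt_status() {
    [ -n "$1" ] || { echo missing; return 1; }
    case "$1" in
        enabled*)  echo enabled;  return 0 ;;
        disabled*) echo disabled; return 1 ;;
        *)         echo unknown;  return 1 ;;
    esac
}

# binfmt_interpreter ENTRY_TEXT: prints the interpreter the kernel will
# exec for binaries matching the magic.
binfmt_interpreter() {
    printf '%s\n' "$1" | awk '$1 == "interpreter" { print $2 }'
}

# binfmt_has_fix_binary ENTRY_TEXT: returns 0 when the F (fix binary) flag
# is set. With F the kernel opened the interpreter at registration time, so
# the handler keeps working inside a container that does not ship qemu.
binfmt_has_fix_binary() {
    printf '%s\n' "$1" | awk '
        $1 == "flags:" && index($2, "F") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# binfmt_elf_machine ENTRY_TEXT: prints the e_machine bytes of an ELF
# handler's magic as little-endian hex; ARM is 2800, AArch64 is b700.
binfmt_elf_machine() {
    printf '%s\n' "$1" | awk '
        $1 == "magic" && substr($2, 1, 8) == "7f454c46" { print substr($2, 37, 4) }'
}

# binfmt_ready ENTRY_TEXT EXPECTED_MACHINE: returns 0 when the handler is
# enabled, fix-binary, and registered for the expected architecture.
binfmt_ready() {
    [ "$(binfmt_status "$1")" = enabled ] || return 1
    binfmt_has_fix_binary "$1" || return 1
    [ "$(binfmt_elf_machine "$1")" = "$2" ] || return 1
}

# read_host_entry NAME: prints the live entry on this host, or nothing if
# no such handler is registered.
read_host_entry() {
    f="/proc/sys/fs/binfmt_misc/$1"
    [ -r "$f" ] && cat "$f"
}

# report ENTRY_TEXT: one-line verdict for the qemu-arm handler.
report() {
    if binfmt_ready "$1" 2800; then
        echo "qemu-arm handler usable: $(binfmt_interpreter "$1")"
    else
        echo "qemu-arm handler not usable: $(binfmt_status "$1")"
    fi
}

# First the constructed sample, then whatever this host actually has.
report "$SAMPLE_ENTRY"
report "$(read_host_entry qemu-arm)"
```

Run it on the host, not inside the container: if the second line reports "missing", no amount of capabilities inside the container will make --platform work, and the handler has to be registered on the host first. The F flag check matters for the unprivileged build container described in the question, since without it the container would need its own copy of the qemu binary at the registered path.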