```yaml
# GitLab CI job: build and push an image with rootless BuildKit, without a Docker daemon.
build-container:
  stage: build
  image:
    name: moby/buildkit:rootless
    entrypoint: [ "sh", "-c" ]
  variables:
    # disables the per-RUN process (PID namespace) sandbox, which the rootless
    # image cannot set up inside a CI job container
    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
  before_script:
    # registry credentials for the push; buildctl reads ~/.docker/config.json
    - |
      mkdir ~/.docker
      # note: base64 wraps output at 76 columns; a long user:password string needs base64 -w0
      auth=$(echo -n "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64)
      echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$auth\"}}}" > ~/.docker/config.json
  script:
    - |
      # inline cache export embeds cache metadata in the pushed image, so the
      # next pipeline on this branch can import it straight from the registry
      buildctl-daemonless.sh build \
        --frontend=dockerfile.v0 \
        --local context=. \
        --local dockerfile=. \
        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG \
        --export-cache type=inline \
        --output type=image,name=$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG,push=true
```
The runner still needs to be privileged, otherwise I get

```
could not connect to unix:///run/user/1000/buildkit/buildkitd.sock after 42 trials
========== log ==========
[rootlesskit:child ] error: failed to share mount point: /: permission denied
[rootlesskit:parent] error: child exited: exit status 1
sh: can't kill pid 52: No such process
```

Did anyone manage to run this without privileged?
I got into the same issue, and after two days of trying things, still can't get it to work. I've tested setting `privileged = true` and/or `security_opt = ["seccomp:unconfined"]`, as well as adjusting the CI host's `kernel.apparmor_restrict_unprivileged_userns=0` kernel param, all without any success. I get the following error:

```
time="2025-06-06T04:50:09Z" level=warning msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied"
time="2025-06-06T04:50:09Z" level=warning msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/usr.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/usr/bin/rootlesskit flags=(unconfined) {\n userns,\n\n # Site-specific additions and overrides. See local/README for details.\n include if exists <local/usr.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n"
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
```

I wonder if any other users have had success in migrating from Kaniko to Buildkit Rootless on self-hosted gitlab-runner? The docs indicate it should be straightforward...
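The two comments above quote rootlesskit and buildkitd output as a mix of bare lines and logfmt lines whose quoted values carry `\"` and `\n` escapes. Added here as an example, not code from the gist or from BuildKit, is a small Python triage script that parses such lines and maps the failure signatures seen on this page to a likely cause; the sample log is constructed from the quoted output, and the cause wording is my reading of rootlesskit's own hint and of BuildKit's rootless documentation, not tool output.

```python
import re
# Constructed sample log, shaped after the rootlesskit/buildkitd output quoted in the comments.
SAMPLE_LOG = [
    'time="2025-06-06T04:50:09Z" level=warning msg="[rootlesskit:parent] This error might have '
    'happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" '
    'error="fork/exec /proc/self/exe: permission denied"',
    '[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied',
    '[rootlesskit:child ] error: failed to share mount point: /: permission denied',
    'could not connect to unix:///run/user/1000/buildkit/buildkitd.sock after 42 trials',
]
# key=value tokens; a quoted value may contain \" and \n escapes, as the hint text above does.
_TOKEN = re.compile(r'(\w+)=("((?:\\.|[^"\\])*)"|\S*)')

def parse_logfmt(line):
    """Parse one logfmt line into a dict; a bare line (no key=value) comes back as {'msg': line}."""
    fields = {}
    for m in _TOKEN.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        if quoted is None:
            fields[key] = raw          # unquoted value, e.g. level=warning
        else:                          # quoted value: undo \" \\ \n \t escapes
            fields[key] = re.sub(r'\\(.)', lambda e: {'n': '\n', 't': '\t'}.get(e.group(1), e.group(1)), quoted)
    return fields or {'msg': line}

# Failure signatures seen on this page, most specific first. The cause text is my reading of
# rootlesskit's own hint and of BuildKit's rootless docs (an assumption, not tool output).
SIGNATURES = [
    ('apparmor_restrict_unprivileged_userns', 'apparmor-userns',
     'host AppArmor forbids unprivileged user namespaces; rootlesskit needs the profile '
     'with the userns rule that the log itself prints'),
    ('fork/exec /proc/self/exe: permission denied', 'child-exec-denied',
     'rootlesskit could not re-exec itself into a new user namespace (see apparmor-userns)'),
    ('failed to share mount point', 'mount-propagation-denied',
     'the container sandbox (seccomp/AppArmor/capabilities) denies changing mount propagation '
     'of / in the new mount namespace, which is why a privileged runner works'),
    ('could not connect to unix://', 'daemon-not-up',
     'buildkitd never came up; the rootlesskit errors earlier in the log are the real cause'),
]

def diagnose(lines):
    """Return (tag, cause) pairs, in log order and deduplicated, for the signatures found."""
    found = []
    for line in lines:
        rec = parse_logfmt(line)
        text = ' '.join(v for k, v in rec.items() if k in ('msg', 'error'))
        for needle, tag, cause in SIGNATURES:
            if needle in text and all(t != tag for t, _ in found):
                found.append((tag, cause))
    return found
```

Run `diagnose` over the job log captured by the runner; the first tag it reports is the one to fix, since the later ones follow from it.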
I have the exact same issue, found a solution yet?
See also: https://gitlab.com/txlab/ci-templates