moby/buildkit:master-rootless just stop working

[gosharplite]

Contributing guidelines and issue reporting guide

• I've read the contributing guidelines and wholeheartedly agree. I've also read the issue reporting guide.

Well-formed report checklist

• I have found a bug that the documentation does not mention anything about my problem
• I have found a bug that there are no open or closed issues that are related to my problem
• I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

Bug description

My buildkitd deployment on GKE worked fine yesterday, but stop working this morning.

I have to use an old moby/buildkit:master-rootless image saved on 2026-01-10 to make it work again. (Luckily!)

Here is the error logs.

$ k logs buildkitd-d86c577bb-k9fcm
buildkitd: rootless mode requires to be executed as the mapped root in a user namespace; you may use RootlessKit for setting up the namespace
main.main.func3
        /src/cmd/buildkitd/main.go:244
github.com/urfave/cli.HandleAction
        /src/vendor/github.com/urfave/cli/app.go:524
github.com/urfave/cli.(*App).Run
        /src/vendor/github.com/urfave/cli/app.go:286
main.main
        /src/cmd/buildkitd/main.go:431
runtime.main
        /usr/local/go/src/runtime/proc.go:285
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1693

Reproduction

Below deployment yaml used to work with image: moby/buildkit:master-rootless, now I have to use an old image: asia-east1-docker.pkg.dev/xxxxx/xxxxx/buildkit:manual-260110-1140 to make it work again.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    spec:
      containers:
        - name: buildkitd
          image: moby/buildkit:master-rootless
          #image: asia-east1-docker.pkg.dev/xxxxx/xxxxx/buildkit:manual-260110-1140
          args:
            - --addr
            - unix:///run/user/1000/buildkit/buildkitd.sock
            - --addr
            - tcp://0.0.0.0:1234
            - --oci-worker-no-process-sandbox
          readinessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          livenessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          securityContext:
            seccompProfile:
              type: Unconfined
            appArmorProfile:
              type: Unconfined
            runAsUser: 1000
            runAsGroup: 1000
          ports:
            - containerPort: 1234
          volumeMounts:
            - mountPath: /home/user/.local/share/buildkit
              name: buildkitd
      volumes:
        - name: buildkitd
          emptyDir: {}

Version information

buildctl -v
buildctl github.com/moby/buildkit v0.21.0 52b004d2afe20c5c80967cc1784e718b52d69dae

$ k version 
Client Version: v1.34.2
Kustomize Version: v5.7.1
Server Version: v1.34.1-gke.3947000

Official example

I follow deployment+service.rootless.yaml to create my GKE deployment.

Appreciate if this example can be updated with the latest changes, so we can use buildkitd on GKE again.

[petterroea]

I am seeing a similar issue on EKS, but with different output:

/usr/bin/buildctl-daemonless.sh: line 30: XDG_RUNTIME_DIR: parameter not set
cat: can't open '/tmp/buildctl-daemonless.MHCocp/pid': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/buildctl-daemonless.MHCocp/pid': No such file or directory

The problem started happening 3 hours ago so I believe the newest build breaks stuff.

Downgrading to an older rootless image removed the issue, so I have confirmed the newest image is the cause for me.

[tonistiigi]

@AkihiroSuda any ideas?

[dbene]

moby/buildkit:master-rootless seems not to be a release image but probably is based on the master branch. I kinda missed this myself and had the same error.

The latest release image is currently moby/buildkit:v0.26.3-rootless. Using this fixed the error for me.

Considering the error itself it seems to me that XDG_RUNTIME_DIR configures a dir for temp files. Within a k8s pod, especially a rootless one, write permissions for the directory seem to be missing.

I would guess setting the env XDG_RUNTIME_DIR to a directory with the correct permissions would helm. A emtydir volume may be needed.
If this is intended behaviour by the developers we should update our config when using upcoming releases.

[AkihiroSuda]

Looks like the rootful image is now accidentally tagged as rootless.

Likely to be a regression in:

• ci: use docker github builder to build binaries and images #6388

[AkihiroSuda]

Workaround: run make images and push moby/buildkit:local-rootless to your own registry

[crazy-max]

Yes this is a regression from #6388, when using set we are not setting the expected target anymore through IMAGE_TARGET env var:

buildkit/docker-bake.hcl

Line 173 in e2c5ffd

target = IMAGE_TARGET