Image I'm using:
Bottlerocket OS 1.57.0 (aws-k8s-1.35)
What I expected to happen:
Running docker build with the kubernetes driver and --driver-opt rootless=true should work just fine.
What actually happened:
runc run failed: unable to get cgroup freezer state: openat2 /sys/fs/cgroup/gh36rg3acg5ulaiow518ki3tu/cgroup.freeze: permission denied
It worked in the past, as I enabled user namespaces in Bottlerocket, but stopped working around the last moby/buildkit release. I guess it is related to the new cgroup v2 remount entrypoint in buildkit:
This error doesn't trigger when running buildkit without rootless mode.
How to reproduce the problem:
# syntax=docker.io/docker/dockerfile:1
FROM public.ecr.aws/ubuntu/ubuntu:24.04@sha256:748740465d0aadaa69ab6e6c295892f17d7a8f44a85090dbb571ec0bb8c5674f
docker buildx create --name rootless --driver kubernetes --driver-opt rootless=true --platform linux/amd64 --bootstrap --use
docker buildx build .
In the docker CLI it fails with:
Dockerfile:1
--------------------
1 | >>> # syntax=docker.io/docker/dockerfile:1
2 | FROM public.ecr.aws/ubuntu/ubuntu:24.04@sha256:748740465d0aadaa69ab6e6c295892f17d7a8f44a85090dbb571ec0bb8c5674f
--------------------
ERROR: failed to build: failed to solve: exit code: 1
But checking the container logs of the builder shows the actual problem.
runc run failed: unable to get cgroup freezer state: openat2 /sys/fs/cgroup/488z3c7ll0tvm6lop0pub9qxb/cgroup.freeze: permission denied
time="2026-04-21T09:22:34Z" level=error msg="/moby.buildkit.v1.frontend.LLBBridge/Solve returned error: rpc error: code = Unknown desc = exit code: 1" spanID=8a4050e23f5ed8e2 traceID=c3dade96c1aef744554bdbdc7bc6bb96
time="2026-04-21T09:22:34Z" level=error msg="/moby.buildkit.v1.Control/Solve returned error: rpc error: code = Unknown desc = exit code: 1" spanID=22e54fb33958746b traceID=c3dade96c1aef744554bdbdc7bc6bb96
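Added example, not part of the original report and not buildkit or Bottlerocket code: since the CLI only surfaces `exit code: 1`, this sketch pulls the underlying runc failure (syscall, path, errno text) out of builder logs and groups the failed buildkit RPCs by trace ID. The function names `parse_fields` and `triage` are hypothetical, and the runc message shape is assumed from the lines quoted in the report.

```python
import re
from collections import defaultdict

# Builder log lines copied from the report above.
SAMPLE_LOG = '''\
runc run failed: unable to get cgroup freezer state: openat2 /sys/fs/cgroup/488z3c7ll0tvm6lop0pub9qxb/cgroup.freeze: permission denied
time="2026-04-21T09:22:34Z" level=error msg="/moby.buildkit.v1.frontend.LLBBridge/Solve returned error: rpc error: code = Unknown desc = exit code: 1" spanID=8a4050e23f5ed8e2 traceID=c3dade96c1aef744554bdbdc7bc6bb96
time="2026-04-21T09:22:34Z" level=error msg="/moby.buildkit.v1.Control/Solve returned error: rpc error: code = Unknown desc = exit code: 1" spanID=22e54fb33958746b traceID=c3dade96c1aef744554bdbdc7bc6bb96
'''

# Assumed shape (from the report): "<what>: <syscall> <path>: <errno text>"
RUNC_RE = re.compile(
    r'^runc run failed: (?P<what>.+): (?P<syscall>\w+) (?P<path>/\S+): (?P<reason>.+)$')
# key=value or key="quoted value" pairs as emitted in the error lines above
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one structured log line."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def triage(log_text):
    """Separate runc root causes from the RPC errors that merely report them."""
    causes, failed_rpcs = [], defaultdict(list)
    for line in log_text.splitlines():
        m = RUNC_RE.match(line.strip())
        if m:
            cause = m.groupdict()
            cause["cgroup_file"] = cause["path"].rsplit("/", 1)[-1]
            cause["on_cgroupfs"] = cause["path"].startswith("/sys/fs/cgroup/")
            causes.append(cause)
            continue
        fields = parse_fields(line)
        msg = fields.get("msg", "")
        if fields.get("level") == "error" and " returned error: " in msg:
            rpc = msg.split(" returned error: ", 1)[0]
            failed_rpcs[fields.get("traceID", "unknown")].append(rpc)
    return {"causes": causes, "failed_rpcs": dict(failed_rpcs)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```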