Build container images with buildah/podman in GitLab CI

Mon 24 March 2025

Oh no, it broke again!
Today, this .gitlab-ci.yml file no longer works in GitLab CI:

```yaml
build-container-image:
  stage: build
  image: debian:testing
  before_script:
    - apt-get update
    - apt-get install -y buildah ca-certificates
  script:
    - buildah build -t $CI_REGISTRY_IMAGE .
```
The command buildah build ... fails with this error message:

```text
STEP 2/3: RUN apt-get update
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
error running container: did not get container start message from parent: EOF
Error: building at STEP "RUN apt-get update": setup network: netavark: nftables error: nft did not return successfully while applying ruleset
```
After some investigation, it turns out to be caused by the recent upload of netavark 1.14.0-2. In this version, netavark switched from iptables to nftables as the default firewall driver. That doesn't really fly on GitLab SaaS shared runners.
For the complete background, refer to https://discussion.fedoraproject.org/t/125528. Note that the issue with GitLab was reported back in November, but at this point the conversation had died out.
Fortunately, it's easy to work around: we can tell netavark to keep using iptables via the environment variable NETAVARK_FW. The .gitlab-ci.yml file above becomes:

```yaml
build-container-image:
  stage: build
  image: debian:testing
  variables:
    # Cf. https://discussion.fedoraproject.org/t/125528/7
    NETAVARK_FW: iptables
  before_script:
    - apt-get update
    - apt-get install -y buildah ca-certificates
  script:
    - buildah build -t $CI_REGISTRY_IMAGE .
```
And everything works again!
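As an added example (not code from the post), here is a small POSIX shell helper that probes the runner to decide which driver to put in NETAVARK_FW, and recognises the netavark/nftables failure signature in buildah output so the job can fail with an actionable hint. The probe command, the helper names and run_build() are assumptions of this example, not part of netavark or GitLab.

```shell
#!/bin/sh
# Added example, not from the post: pick the netavark firewall driver for a
# CI job by probing the runner, and recognise the nftables failure signature
# from buildah's output so the job can fail with an actionable hint.
# The probe command, is_netavark_nft_failure() and run_build() are assumptions
# of this example, not part of netavark or GitLab.

# Print the driver to put in NETAVARK_FW. The probe is a heuristic: if the
# runner cannot even list the nftables ruleset, netavark's nftables driver
# will not be able to apply one either, so fall back to iptables.
choose_netavark_fw() {
    probe="${1:-nft list ruleset}"
    if sh -c "$probe" >/dev/null 2>&1; then
        echo nftables
    else
        echo iptables
    fi
}

# Succeed (exit 0) when buildah output carries the netavark/nftables error.
is_netavark_nft_failure() {
    printf '%s\n' "$1" | grep -q 'netavark: nftables error'
}

# Constructed sample, reproducing the failing output quoted in the post.
SAMPLE_FAILURE='STEP 2/3: RUN apt-get update
internal:0:0-0: Error: Could not process rule: No such file or directory
Error: building at STEP "RUN apt-get update": setup network: netavark: nftables error: nft did not return successfully while applying ruleset'

# How the job's script step could use the helpers (needs buildah installed).
run_build() {
    NETAVARK_FW="$(choose_netavark_fw)"
    export NETAVARK_FW
    echo "building with NETAVARK_FW=$NETAVARK_FW"
    out="$(buildah build -t "$CI_REGISTRY_IMAGE" . 2>&1)" || {
        printf '%s\n' "$out"
        if is_netavark_nft_failure "$out"; then
            echo 'hint: netavark could not apply nftables rules; set NETAVARK_FW=iptables' >&2
        fi
        return 1
    }
}

echo "NETAVARK_FW for this environment: $(choose_netavark_fw)"
```

On a shared runner without nftables access the probe fails and the helper prints iptables, matching the fix in the post.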
If you're interested in this issue, feel free to fork https://gitlab.com/arnaudr/gitlab-build-container-image and try it yourself.