opam init fails on docker

Question

I'm trying to install a simple linux environment with opam on docker:

$ type .\Dockerfile_Opam.txt
FROM ubuntu:22.04
RUN                        \
apt-get update -y       && \
apt-get install opam -y && \
opam init

Equivalent commands work fine on native linux but with docker I get an error:

$ docker build --tag host --file .\Dockerfile_Opam.txt .
# ... omitted for brevity ...
#5 48.09 [ERROR] Sandboxing is not working on your platform ubuntu:
#5 48.09         "~/.opam/opam-init/hooks/sandbox.sh build sh -c echo SUCCESS >$TMPDIR/opam-sandbox-check-out && cat $TMPDIR/opam-sandbox-check-out; rm -f $TMPDIR/opam-sandbox-check-out" exited with code 1 "bwrap: Creating new namespace failed: Operation not permitted"

corwin.amber · Accepted Answer · 2022-06-16T17:19:24.727

2

OPAM runs builds when installing packages. To guard against buggy makefiles (that might run rm -rf / by accident), OPAM uses bubblewrap to sandbox the builds. Either install bubblewrap (apt-get install bubblewrap) or, if you wish to skip, because you're running in a container anyway, initialize OPAM like this:

opam init --disable-sandboxing

edited Jun 16 '22 at 17:19

answered May 19 '22 at 10:48

corwin.amber

393
1
3
10

As an aside, not directly related to OP: in WSL, bubblewrap is dysfunctional. So go the `--disable-sandboxing` route and be on your guard. – corwin.amber May 19 '22 at 10:51
curious why did you do `apt` and not `apt-get`? – Charlie Parker Jun 16 '22 at 17:11
You are right. Definitely apt-get is preferable. – corwin.amber Jun 16 '22 at 17:18
curious, why do we need `--disable-sandboxing`? why does that work? – Charlie Parker Jun 16 '22 at 17:24
fyi this also works: ```USER root RUN apt-get update && apt-get install -y --no-install-recommends bubblewrap RUN opam init``` but not sure if its good. https://stackoverflow.com/a/72649718/1601580 – Charlie Parker Jun 16 '22 at 17:27
It is *either* install `bubblewrap` *or* disable sandboxing. The default for sandboxing is to be active, and that would not work without `bubblewrap`. The purpose of sandboxing is to protect the user's filesystem in case there is a bug in some package's build. Since I feel that a container is usually a one-off thing that does not hold data that can not otherwise be reproduced, I find it redundant to sandbox builds in Docker. But ofc you can do it if you like, it works. – corwin.amber Jun 17 '22 at 15:37

score 0 · Answer 2 · answered Jun 16 '22 at 17:27

0

This also works but idk if its safe or the cons/pros with the disabling sandbox option:

USER root
RUN apt-get update && apt-get install -y --no-install-recommends bubblewrap
RUN opam init

answered Jun 16 '22 at 17:27

Charlie Parker

5,884
57
198
323

opam init fails on docker

2 Answers2

Linked