Regression: upgrade of runc to 1.2.1 appears to break rootless builds (`cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory`)

[samiam]

It looks like PR #5443 has broken rootless builds.
The problem seems related to issue #4483.

Is a container being removed twice à la double free?
These two cases illustrate the issue.

$ cat Dockerfile
FROM alpine
RUN mkdir /tmp/empty_directory

Case 1: working with 0.17.0-rootless

$ docker run \
  --name buildkitd-v17 \
  -d \
  --security-opt seccomp=unconfined \
  --security-opt apparmor=unconfined \
  moby/buildkit:v0.17.0-rootless --oci-worker-no-process-sandbox

$ buildctl --addr docker-container://buildkitd-v17 build --frontend dockerfile.v0 --local context=. --local dockerfile=.
[+] Building 7.9s (5/5) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.6s
 => => transferring dockerfile: 80B                                                                                                                                                                    0.2s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                                                       2.2s
 => [internal] load .dockerignore                                                                                                                                                                      0.3s
 => => transferring context: 2B                                                                                                                                                                        0.1s
 => [1/2] FROM docker.io/library/alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d                                                                                 2.9s
 => => resolve docker.io/library/alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d                                                                                 0.1s
 => => sha256:43c4264eed91be63b206e17d93e75256a6097070ce643c5e8f0379998b44f170 3.62MB / 3.62MB                                                                                                         0.5s
 => => extracting sha256:43c4264eed91be63b206e17d93e75256a6097070ce643c5e8f0379998b44f170                                                                                                              2.0s
 => [2/2] RUN mkdir /tmp/empty_directory                                                                                                                                                               1.0s

Case 2: regression with master-rootless

$ docker run \
  --name buildkitd \
  -d \
  --security-opt seccomp=unconfined \
  --security-opt apparmor=unconfined \
  moby/buildkit:master-rootless --oci-worker-no-process-sandbox

$ buildctl --addr docker-container://buildkitd build --frontend dockerfile.v0 --local context=. --local dockerfile=.
[+] Building 3.4s (5/5) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.2s
 => => transferring dockerfile: 80B                                                                                                                                                                    0.1s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                                                       1.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.3s
 => => transferring context: 2B                                                                                                                                                                        0.2s
 => CACHED [1/2] FROM docker.io/library/alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d                                                                          0.2s
 => => resolve docker.io/library/alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d                                                                                 0.1s
 => ERROR [2/2] RUN mkdir /tmp/empty_directory                                                                                                                                                         0.9s
------
 > [2/2] RUN mkdir /tmp/empty_directory:
------
Dockerfile:2
--------------------
   1 |     FROM alpine
   2 | >>> RUN mkdir /tmp/empty_directory
   3 |
--------------------
error: failed to solve: process "/bin/sh -c mkdir /tmp/empty_directory" did not complete successfully: buildkit-runc did not terminate successfully: exit status 1: unable to destroy container: unable to remove container's cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory

[AkihiroSuda]

Reported to runc:

• runc v1.2.1 appears to break Rootless BuildKit (cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory) opencontainers/runc#4518

[AkihiroSuda]

Reverting runc to v1.1:

• Revert "Dockerfile: update runc binary to 1.2.1" #5506

[AkihiroSuda]

Resolved in:

• dockerfile: update runc binary to 1.2.2 #5532