Failing on destdir creation when running as non-root #1647

Open
maxgio92 opened this issue Nov 14, 2024 · 3 comments

Comments

@maxgio92
Contributor

maxgio92 commented Nov 14, 2024

Issue

When running as non-root, the destination dir in the workspace directory, which is owned by root, can't be created in the subpackage pipelines.

How to reproduce

It can be reproduced by running this pipeline with the Docker runner.

Log:

...
2024/11/14 18:41:24 INFO running step "go/build"
2024/11/14 18:42:08 INFO running pipeline for subpackage openbao-compat
2024/11/14 18:42:13 INFO pod 0147b793a3a4d7da5718efe02d283f08dd0b2fa2e0ea6d6ec42f79d2bf1cb639 terminated
2024/11/14 18:42:13 INFO deleting guest dir /tmp/melange-guest-3710148864
2024/11/14 18:42:13 INFO deleting workspace dir /tmp/melange-workspace-863606971
2024/11/14 18:42:13 INFO deleting image apko.local/cache:5125b9ef6e4177faa3839e5202911825e07e9584d9283856a1bc11c77c23563a
2024/11/14 18:42:13 INFO untagged apko.local/cache:5125b9ef6e4177faa3839e5202911825e07e9584d9283856a1bc11c77c23563a
2024/11/14 18:42:13 INFO deleted sha256:aacf77f979edf8c434a5b25d431f368f62599141dcba99a4d63bd9c612a76a20
2024/11/14 18:42:13 INFO deleted sha256:2c3054dd01157c4d8b7e76f0eb41a278b1d1eeff9a7e4bc13d21aa117ff361d8
2024/11/14 18:42:13 ERRO failed to build package: mkdir /tmp/melange-workspace-863606971/melange-out: permission denied

The workspace directory is created as root by Docker when it is bind-mounted as a volume.
The pipeline is run as root, but it seems the destination directory mkdir is not.

Additional info

It would be nice to reach a state where the whole pipeline is run as an unprivileged user with proper permissions and ownership across the whole filesystem, as happens for the Bubblewrap environment with the unshared user namespace.

maxgio92 changed the title from "Failing on workspace cleanup when running as root" to "Failing on destdir creation when running as non-root" on Nov 14, 2024
@89luca89
Contributor

To expand on this

This happens on systems like Linux where melange is run as your $USER, while dockerd is running as root, and $USER is in the docker group.

Probably something localized in the git step, that chowns as root (which is the user running inside docker)

@wojciechka
Member

@89luca89 There are two things - melange is using MkdirTemp, which sets the directory to 0700 (and it's later chown-ed to root), and also git-checkout and its use of tar overriding permissions for /home/build to 0700.

Fixed in #1646, but I am not sure if this is fully solving it - any builds that create directories / files not readable by the user melange is running as will fail to be packaged.
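
Added example, not part of the original thread and not melange's code: a Go sketch of the permission failure the comment above describes, where a directory made with os.MkdirTemp carries no group or other bits, so once it is owned by root a non-root uid cannot create melange-out inside it. The helpers canCreateIn and tempWorkspaceMode and the uid/gid values are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
)

// canCreateIn applies classic Unix mode-bit checks (no ACLs, no userns ID mapping).
func canCreateIn(perm os.FileMode, ownerUID, ownerGID, uid int, gids []int) bool {
	if uid == 0 {
		return true // root bypasses the mode bits
	}
	const wx = 3             // creating an entry needs write + search on the directory
	bits := perm.Perm() & wx // "other" class by default
	if uid == ownerUID {
		bits = (perm.Perm() >> 6) & wx
	} else {
		for _, g := range gids {
			if g == ownerGID {
				bits = (perm.Perm() >> 3) & wx
			}
		}
	}
	return bits == wx
}

// tempWorkspaceMode creates a directory with os.MkdirTemp and returns its permission bits.
func tempWorkspaceMode() (os.FileMode, error) {
	dir, err := os.MkdirTemp("", "example-workspace-")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	fi, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	mode, err := tempWorkspaceMode()
	if err != nil {
		panic(err)
	}
	// Constructed IDs: uid 1000 runs the build tool, uid 0 owns the dir after the chown.
	fmt.Printf("mode %04o, creator: %v, after chown to root: %v\n", uint32(mode),
		canCreateIn(mode, 1000, 1000, 1000, nil), canCreateIn(mode, 0, 0, 1000, []int{1000}))
}
```

Widening the mode to 0755 does not help a non-owner here, because creating an entry needs write permission on the directory, not only read and search.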

@89luca89
Contributor

This is basically this issue: #1254
