bottlerocket-os / bottlerocket

An operating system designed for hosting containers
https://bottlerocket.dev

Unable to build project inside a docker container #4100

Open fheinecke opened 2 months ago

fheinecke commented 2 months ago

Hi folks,

I'm working on building out some Bottlerocket OS variants (this is related to Kata Container work). As a first step, I'm attempting to build the project as-is, with zero changes, exactly as the docs state.

I've deployed a fresh c7a.8xlarge instance in one of our dev AWS accounts and I'm using it for initial development. I'm able to build the project (thanks for your help Matt!) just fine when running directly on this EC2 instance/VM, but not from within a container image. Also as a side note, the build instructions are missing curl as a dependency which is required by the twoliter setup script.

Here is a (long) two-line command to reproduce the issue, which should be sufficient to show that this isn't due to something cached or pre-existing state of some form:

# Ensure that the docker daemon state is completely empty/"clean"
# This build process shares the docker daemon, so for reproducibility
# purge everything to show that there isn't an issue due to
# something cached
docker system prune -a -f

# Do the full build
docker run --rm -it -v "/var/run/docker.sock:/var/run/docker.sock" ubuntu sh -c 'apt update && apt install -y --no-install-recommends docker.io && docker image ls && apt install -y build-essential openssl libssl-dev pkg-config liblz4-tool && apt install -y rustup && rustup install stable ; cargo install cargo-make && apt install -y --no-install-recommends git && git clone https://github.com/bottlerocket-os/bottlerocket.git && cd bottlerocket && cargo make'

This is pretty difficult to read, so here's the build shell command broken down in a less copy-pastable format:

apt update

# Install the docker CLI inside the image
apt install -y --no-install-recommends docker.io
docker image ls # This should show nothing, but succeed, and is just here for demonstration purposes

# From BUILDING.md
apt install -y build-essential openssl libssl-dev pkg-config liblz4-tool

# Install rust and cargo, which is not explicitly spelled out in the BUILDING.md doc but is implied by the `cargo` command
apt install -y rustup 
rustup install stable || true # This has a non-zero exit code just because `rustup` is installed via apt instead of the rust download script

# From BUILDING.md
cargo install cargo-make

# Clone the project and build it
apt install -y --no-install-recommends git
git clone https://github.com/bottlerocket-os/bottlerocket.git && cd bottlerocket
cargo make

This fails with:

[cargo-make] INFO - cargo make 0.37.14
[cargo-make] INFO - Calling cargo metadata to extract project info
[cargo-make] INFO - Cargo metadata done
[cargo-make] INFO - Build File: Makefile.toml
[cargo-make] INFO - Task: default
[cargo-make] INFO - Profile: development
[cargo-make] INFO - Running Task: install-twoliter
Installing Twoliter from binary release.
[cargo-make] INFO - Execute Command: "/bottlerocket/tools/twoliter/twoliter" "--log-level=info" "fetch" "--project-path=/bottlerocket/Twoliter.toml" "--arch=x86_64"
[2024-07-22T23:23:38Z WARN  twoliter::project] A Release.toml file was found. Release.toml is deprecated. Please remove it from your project.
d618d229d249: Already exists 
<Layer pull logs repeated for about 50 layers, omitted for brevity>
public.ecr.aws/bottlerocket/bottlerocket-core-kit@sha256:d618d229d249805986d1760db6683c6ce039a7c83748cfc66796ffaaafef498f
[cargo-make] INFO - Running Task: install-twoliter
Found Twoliter v0.4.3 installed.
Skipping installation.
[cargo-make] INFO - Execute Command: "/bottlerocket/tools/twoliter/twoliter" "--log-level=info" "make" "default" "--project-path=/bottlerocket/Twoliter.toml" "--cargo-home=/bottlerocket/.cargo" "--"
[2024-07-22T23:24:33Z WARN  twoliter::project] A Release.toml file was found. Release.toml is deprecated. Please remove it from your project.
[cargo-make][1] INFO - Calling cargo metadata to extract project info
[cargo-make][1] INFO - Cargo metadata done
[cargo-make][1] INFO - Build File: /bottlerocket/build/tools/Makefile.toml
[cargo-make][1] INFO - Task: default
[cargo-make][1] INFO - Profile: development
[cargo-make][1] INFO - Running Task: setup
[cargo-make][1] INFO - Running Task: setup-build
[cargo-make][1] INFO - Running Task: fetch-sdk
d0aab6231274: Download complete 
982dc8e9a597: Download complete 
b3c10008bdf0: Download complete 
4f4fb700ef54: Download complete 
03f448bcfe71: Download complete 
public.ecr.aws/bottlerocket/bottlerocket-sdk:v0.42.0
[cargo-make][1] INFO - Running Task: fetch-sources
    Updating crates.io index
    Updating git repository `https://github.com/bottlerocket-os/bottlerocket-settings-sdk`
  Downloaded darling_macro v0.14.4
  Downloaded windows-targets v0.48.5
  Downloaded pin-project-lite v0.2.13
  Downloaded tstr_proc_macros v0.2.2
  Downloaded windows-targets v0.52.4
  Downloaded is-terminal v0.4.12
  Downloaded ident_case v1.0.1
  Downloaded darling_macro v0.20.8
  Downloaded autocfg v1.1.0
  Downloaded unindent v0.1.11
  Downloaded abi_stable_shared v0.11.0
  Downloaded tokio-tungstenite v0.20.1
  Downloaded tinyvec v1.6.0
  Downloaded pest_meta v2.7.8
  Downloaded cargo-readme v3.3.1
  Downloaded idna v0.5.0
  Downloaded gimli v0.28.1
  Downloaded web-sys v0.3.69
  Downloaded slab v0.4.9
  Downloaded handlebars v4.5.0
  Downloaded winapi v0.3.9
  Downloaded http v0.2.12
  Downloaded encoding_rs v0.8.33
  Downloaded maplit v1.0.2
  Downloaded envy v0.4.2
  Downloaded anstyle-parse v0.2.3
  Downloaded anstyle-query v1.0.2
  Downloaded windows-sys v0.52.0
  Downloaded windows-sys v0.48.0
  Downloaded winapi-i686-pc-windows-gnu v0.4.0
  Downloaded winapi-x86_64-pc-windows-gnu v0.4.0
  Downloaded anstyle-wincon v3.0.2
  Downloaded colorchoice v1.0.0
  Downloaded utf8parse v0.2.1
  Downloaded anstream v0.6.13
  Downloaded clap_builder v4.5.2
  Downloaded clap_derive v4.5.3
  Downloaded ring v0.17.8
  Downloaded clap v4.5.3
  Downloaded tokio v1.32.1
  Downloaded windows_aarch64_msvc v0.52.4
  Downloaded windows_i686_gnu v0.52.4
  Downloaded windows_i686_msvc v0.52.4
  Downloaded windows_x86_64_gnu v0.52.4
  Downloaded windows_x86_64_msvc v0.52.4
  Downloaded windows_aarch64_msvc v0.48.5
  Downloaded windows_i686_gnu v0.48.5
  Downloaded windows_i686_msvc v0.48.5
  Downloaded windows_x86_64_gnu v0.48.5
  Downloaded windows_x86_64_msvc v0.48.5
  Downloaded regex-automata v0.4.6
  Downloaded libc v0.2.153
  Downloaded nix v0.26.4
  Downloaded rustls v0.21.11
  Downloaded windows_aarch64_gnullvm v0.52.4
  Downloaded windows_x86_64_gnullvm v0.52.4
  Downloaded windows_aarch64_gnullvm v0.48.5
  Downloaded windows_x86_64_gnullvm v0.48.5
  Downloaded abi_stable v0.11.3
  Downloaded syn v2.0.66
  Downloaded ucd-trie v0.1.6
  Downloaded sha2 v0.10.8
  Downloaded simplelog v0.12.2
  Downloaded shlex v1.3.0
  Downloaded addr2line v0.21.0
  Downloaded cc v1.0.90
  Downloaded rustc-demangle v0.1.23
  Downloaded num_cpus v1.16.0
  Downloaded tokio-macros v2.1.0
  Downloaded serde_plain v1.0.2
  Downloaded form_urlencoded v1.2.1
  Downloaded unicode-bidi v0.3.15
  Downloaded cached_proc_macro v0.20.0
  Downloaded cached_proc_macro_types v0.1.1
  Downloaded futures-channel v0.3.30
  Downloaded futures-io v0.3.30
  Downloaded futures-sink v0.3.30
  Downloaded futures-task v0.3.30
  Downloaded pin-utils v0.1.0
  Downloaded pest v2.7.8
  Downloaded block-buffer v0.10.4
  Downloaded generic-array v0.14.7
  Downloaded futures-util v0.3.30
  Downloaded object v0.32.2
  Downloaded socket2 v0.5.6
  Downloaded tinyvec_macros v0.1.1
  Downloaded unicode-normalization v0.1.23
  Downloaded percent-encoding v2.3.1
  Downloaded url v2.5.0
  Downloaded data-encoding v2.5.0
  Downloaded num-integer v0.1.46
  Downloaded num-bigint v0.4.4
  Downloaded der-parser v9.0.0
  Downloaded synstructure v0.13.1
  Downloaded asn1-rs-impl v0.2.0
  Downloaded displaydoc v0.2.4
  Downloaded num-traits v0.2.18
  Downloaded asn1-rs v0.6.1
  Downloaded minimal-lexical v0.2.1
  Downloaded nom v7.1.3
  Downloaded rusticata-macros v4.1.0
  Downloaded thiserror-impl v1.0.58
  Downloaded thiserror v1.0.58
  Downloaded deranged v0.3.11
  Downloaded powerfmt v0.2.0
  Downloaded time-core v0.1.2
  Downloaded time-macros v0.2.17
  Downloaded time v0.3.34
  Downloaded x509-parser v0.16.0
  Downloaded argh_derive v0.1.12
  Downloaded argh v0.1.12
  Downloaded futures-core v0.3.30
  Downloaded pin-project-internal v1.1.5
  Downloaded pin-project v1.1.5
  Downloaded heck v0.5.0
  Downloaded snafu-derive v0.8.3
  Downloaded snafu v0.8.3
  Downloaded same-file v1.0.6
  Downloaded walkdir v2.5.0
  Downloaded anyhow v1.0.81
  Downloaded hex v0.4.3
  Downloaded memoffset v0.7.1
  Downloaded tokio-util v0.7.10
  Downloaded h2 v0.3.26
  Downloaded http-body v0.4.6
  Downloaded httpdate v1.0.3
  Downloaded hyper v0.14.28
  Downloaded hyper-rustls v0.24.2
  Downloaded ipnet v2.9.0
  Downloaded openssl-probe v0.1.5
  Downloaded schannel v0.1.23
  Downloaded security-framework-sys v2.9.1
  Downloaded security-framework v2.9.2
  Downloaded rustls-native-certs v0.6.3
  Downloaded serde_urlencoded v0.7.1
  Downloaded core-foundation v0.9.4
  Downloaded core-foundation-sys v0.8.6
  Downloaded system-configuration v0.5.1
  Downloaded rustls-webpki v0.101.7
  Downloaded spin v0.9.8
  Downloaded sct v0.7.1
  Downloaded tokio-rustls v0.24.1
  Downloaded wasm-bindgen-futures v0.4.42
  Downloaded js-sys v0.3.69
  Downloaded bumpalo v3.15.4
  Downloaded wasm-bindgen-backend v0.2.92
  Downloaded wasm-bindgen-macro v0.2.92
  Downloaded wasm-bindgen v0.2.92
  Downloaded winreg v0.50.0
  Downloaded reqwest v0.11.26
  Downloaded signal-hook-registry v1.4.1
  Downloaded signal-hook v0.3.17
  Downloaded byteorder v1.5.0
  Downloaded httparse v1.8.0
  Downloaded sha1 v0.10.6
  Downloaded utf-8 v0.7.6
  Downloaded tungstenite v0.20.1
  Downloaded regex-syntax v0.8.2
  Downloaded darling_core v0.20.8
  Downloaded serde v1.0.203
  Downloaded serde_json v1.0.117
  Downloaded pest_generator v2.7.8
  Downloaded pest_derive v2.7.8
  Downloaded base64 v0.21.7
  Downloaded typenum v1.17.0
  Downloaded crypto-common v0.1.6
  Downloaded backtrace v0.3.69
  Downloaded bytes v1.5.0
  Downloaded mio v0.8.11
  Downloaded futures v0.3.30
  Downloaded instant v0.1.12
  Downloaded cached v0.49.2
  Downloaded dns-lookup v2.0.4
  Downloaded anstyle v1.0.6
  Downloaded clap_lex v0.7.0
  Downloaded strsim v0.11.0
  Downloaded cpufeatures v0.2.12
  Downloaded digest v0.10.7
  Downloaded adler v1.0.2
  Downloaded miniz_oxide v0.7.2
  Downloaded asn1-rs-derive v0.5.0
  Downloaded oid-registry v0.7.0
  Downloaded num_threads v0.1.7
  Downloaded argh_shared v0.1.12
  Downloaded hyper-unix-connector v0.2.2
  Downloaded try-lock v0.2.5
  Downloaded mime v0.3.17
  Downloaded rustls-pemfile v1.0.4
  Downloaded sync_wrapper v0.1.2
  Downloaded system-configuration-sys v0.5.0
  Downloaded untrusted v0.9.0
  Downloaded wasm-bindgen-shared v0.2.92
  Downloaded wasm-bindgen-macro-support v0.2.92
  Downloaded darling_core v0.14.4
  Downloaded tracing-core v0.1.32
  Downloaded tracing v0.1.40
  Downloaded humantime v2.1.0
  Downloaded log v0.4.21
  Downloaded aho-corasick v1.1.2
  Downloaded regex v1.10.3
  Downloaded wasi v0.11.0+wasi-snapshot-preview1
  Downloaded getrandom v0.2.12
  Downloaded rand v0.8.5
  Downloaded once_cell v1.19.0
  Downloaded zerocopy-derive v0.7.32
  Downloaded zerocopy v0.7.32
  Downloaded ahash v0.8.11
  Downloaded allocator-api2 v0.2.16
  Downloaded hashbrown v0.14.3
  Downloaded indexmap v2.2.5
  Downloaded memchr v2.7.1
  Downloaded winnow v0.6.5
  Downloaded toml_edit v0.22.14
  Downloaded toml v0.8.14
  Downloaded syn v1.0.109
  Downloaded abi_stable_derive v0.11.3
  Downloaded const_panic v0.2.8
  Downloaded core_extensions v1.5.3
  Downloaded crossbeam-utils v0.8.19
  Downloaded crossbeam-channel v0.5.12
  Downloaded lock_api v0.4.11
  Downloaded redox_syscall v0.4.1
  Downloaded parking_lot_core v0.9.9
  Downloaded parking_lot v0.12.1
  Downloaded semver v1.0.22
  Downloaded strsim v0.10.0
  Downloaded darling v0.20.8
  Downloaded num-conv v0.1.0
  Downloaded want v0.3.1
  Downloaded tower-service v0.3.2
  Downloaded tracing-attributes v0.1.27
  Downloaded hermit-abi v0.3.9
  Downloaded winapi-util v0.1.6
  Downloaded termcolor v1.4.1
  Downloaded env_logger v0.10.2
  Downloaded ppv-lite86 v0.2.17
  Downloaded rand_chacha v0.3.1
  Downloaded rand_core v0.6.4
  Downloaded version_check v0.9.4
  Downloaded serde_spanned v0.6.6
  Downloaded toml_datetime v0.6.6
  Downloaded as_derive_utils v0.11.0
  Downloaded typed-arena v2.0.2
  Downloaded generational-arena v0.2.9
  Downloaded libloading v0.7.4
  Downloaded bitflags v1.3.2
  Downloaded paste v1.0.14
  Downloaded tstr v0.2.4
  Downloaded repr_offset v0.2.2
  Downloaded ryu v1.0.17
  Downloaded proc-macro2 v1.0.85
  Downloaded unicode-ident v1.0.12
  Downloaded serde_derive v1.0.203
  Downloaded async-trait v0.1.78
  Downloaded darling v0.14.4
  Downloaded core_extensions_proc_macros v1.5.3
  Downloaded smallvec v1.13.1
  Downloaded fnv v1.0.7
  Downloaded lazy_static v1.4.0
  Downloaded equivalent v1.0.1
  Downloaded rustc_version v0.4.0
  Downloaded itoa v1.0.10
  Downloaded quote v1.0.36
  Downloaded scopeguard v1.2.0
  Downloaded cfg-if v1.0.0
  Downloaded 265 crates (42.6 MB) in 2.20s (largest was `ring` at 4.2 MB)
[cargo-make][1] INFO - Running Task: fetch-vendored
[cargo-make][1] INFO - Running Task: check-licenses
2024-07-22 23:26:17 [ERROR] the directory /tmp/sources doesn't contain a Cargo.toml file
Error while executing command, exit code: 1
Error: Command was unsuccessful, exit code 105
Error while executing command, exit code: 1

This exits with exit code 105.

Platform I'm building on: Ubuntu 24.04 (host and container image)

What I expected to happen: cargo make to succeed when run inside a container

What actually happened: It failed with exit code 105 (see logs above)

How to reproduce the problem: See above

mgsharm commented 2 months ago

@fheinecke Thank you for bringing this to our attention. We will investigate and provide an update soon.

rpkelly commented 2 months ago

I spent some time looking at this today, and unfortunately I have not yet solved it. I was able to confirm that the same issue occurs when using a fedora container, so the error is unlikely to be related to the environment.

jmt-lab commented 2 months ago

Hello, unfortunately you are running into a unique case of docker handoff triggered by how we do docker builds in twoliter for bottlerocket. So during build we mount the bottlerocket sources and build directories inside of a docker build context in which we perform all the builds using our build tools and the bottlerocket-sdk.

However, in your case you are running the build from inside a docker container, with the docker daemon causing an interesting situation. For the purposes of this explanation let's define some terms:

HOST - Where the docker daemon is
BUILD - Where twoliter is orchestrating builds (has bottlerocket-sdk as a base) using buildkit (docker buildx)
CONT - Where you are running the above commands

When you run cargo make inside CONT the build flow is then trying to take folders inside of CONT's VOLUME and mount it as a volume inside of BUILD which is running on HOST. So essentially what is happening is that the build system is trying to tell another parallel docker container to mount a subsection of another docker container's volume that the daemon just fails out on. There is a possibility that this could be made to work however in the future depending on how complex handling this would be.

You should, however, be able to build bottlerocket using a Docker-in-Docker setup. I was able to get a build to work using a similar setup to the official docker:dind image (though mine is based on fedora for ease of dependency installations, but should also work using ubuntu).

Nonetheless, I have created two issues in our build tool Twoliter to potentially look into improving this situation.

fheinecke commented 2 months ago

Thanks for the investigation @jmt-lab. To clarify, when you say "Docker-in-Docker", you mean a separate Docker daemon/socket/etc within CONT, as opposed to the Docker daemon/socket/etc within HOST, but accessed from CONT, correct?

If possible it would be convenient for us to be able to build Bottlerocket from within a container. This would help us in a couple of areas:

This is definitely something that we can work around with DinD - it would just be nice to have support for building with a shared docker socket.

jmt-lab commented 2 months ago

Yes, when I mention Docker-in-Docker I do mean using a docker daemon within CONT in a privileged container. Currently this works. I do agree that ideally your workflow should work and I'm doing some investigations today with volume mounts to see if there is a workaround that will work in the meantime before we can properly investigate a fix.

jmt-lab commented 2 months ago

I have made a breakthrough and figured out a way forward for this workflow, and it is not as bad as I thought it would be.

First, ubuntu does not by default install buildx when you install docker.io with --no-install-recommends. We required buildx internally and I think this is part of the problem, so you need to add docker-buildx to your apt install (embarrassing to me that I didn't catch that earlier XD).

Second, unfortunately, the bottlerocket git clone needs to pre-exist on the host before you perform the build. This is because in order to improve the build time we share file descriptors into the build context. If these file descriptors are not on the host before docker runs, the build context does not seem to be aware of them.

Secondly, my 'trick' is to have a shared volume mount between the host and the container for the work so buildx can mount things correctly. This, though, requires identical paths between HOST and CONT. In addition you need to share the /tmp folder with the docker container as that is also used by the build. Below is a script I ran to successfully build a bottlerocket variant inside docker sharing a docker daemon:

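#!/usr/bin/env bash
# Run on HOST: the checkout must exist on the host before the build starts.
git clone https://github.com/bottlerocket-os/bottlerocket.git
cd bottlerocket
BOTTLEROCKET_PATH="$(pwd)"

# Write the in-container build script. The unquoted EOF lets the host path
# expand now; ">" (not ">>") keeps a re-run from appending a second copy.
cat <<EOF > build.sh
#!/usr/bin/env bash
apt update
# docker-buildx is not installed with docker.io under --no-install-recommends
apt install -y --no-install-recommends docker.io docker-buildx
docker image ls
apt install -y build-essential openssl libssl-dev pkg-config liblz4-tool
apt install -y rustup git curl
rustup install stable || true
cargo install cargo-make
cd "${BOTTLEROCKET_PATH}"
cargo make
EOF

# Share the host Docker socket, /tmp, and the checkout at the same path in HOST and CONT.
docker run --rm -it -v "/tmp:/tmp" -v "/var/run/docker.sock:/var/run/docker.sock" -v "${BOTTLEROCKET_PATH}:${BOTTLEROCKET_PATH}" ubuntu sh -c "cd ${BOTTLEROCKET_PATH} && chmod +x ./build.sh && ./build.sh"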
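
The identical-path requirement between HOST and CONT described in the comment above can be checked from inside CONT before a build is started. This is an added example, not code from the thread or from Twoliter; `classify_path`, `preflight` and the mount table in `sample_mountinfo` are constructed for illustration, and the classification is a heuristic over `/proc/self/mountinfo`.

```shell
#!/usr/bin/env bash
# Added example: classify how a path inside CONT is backed, from mountinfo.
# Heuristic only: field 4 ("root") is relative to the source filesystem, so a
# host path on a separately mounted filesystem is reported as "unverified".

# Constructed sample: mount table inside a container started with
#   -v /tmp:/tmp -v /home/dev/bottlerocket:/home/dev/bottlerocket
#   -v /srv/checkout:/work -v /var/tmp:/var/tmp   (/var/tmp: tmpfs on the host)
sample_mountinfo() {
  cat <<'EOF'
1000 900 0:60 / / rw,relatime - overlay overlay rw
1001 1000 259:1 /tmp /tmp rw,relatime - ext4 /dev/root rw
1002 1000 259:1 /home/dev/bottlerocket /home/dev/bottlerocket rw,relatime - ext4 /dev/root rw
1003 1000 259:1 /srv/checkout /work rw,relatime - ext4 /dev/root rw
1004 1000 0:40 / /var/tmp rw,relatime - tmpfs tmpfs rw
EOF
}

# classify_path <abs-path> [mountinfo-file] prints one of:
#   container-local  on the container's own root filesystem; HOST cannot see it
#   same-path        bind mount whose source path equals the path in CONT
#   unverified       bind mount; source path is only a suffix of the CONT path
#   different-path   bind mount from a different source path
classify_path() {
  awk -v p="$1" '
    # Keep the longest mount point containing p; later entries win ties.
    $5 == "/" || p == $5 || index(p, $5 "/") == 1 {
      if (length($5) >= best) { best = length($5); root = $4; mp = $5 }
    }
    END {
      if (mp == "") { print "unknown"; exit }
      if (mp == "/") { print "container-local"; exit }
      src = (root == "/" ? "" : root) substr(p, length(mp) + 1)
      n = length(p) - length(src)
      if (src == p) print "same-path"
      else if (n > 0 && substr(p, n + 1) == src) print "unverified"
      else print "different-path"
    }' "${2:-/proc/self/mountinfo}"
}

# preflight <project-dir> [mountinfo-file]: the checkout and /tmp must both be
# reachable by the host daemon at the path CONT uses.
preflight() {
  local dir state rc=0
  for dir in "$1" /tmp; do
    state="$(classify_path "$dir" "${2:-/proc/self/mountinfo}")"
    printf '%-16s %s\n' "$state" "$dir"
    case "$state" in container-local|different-path) rc=1 ;; esac
  done
  return "$rc"
}
```

Inside the container, `preflight "$PWD"` run from the checkout reports both paths; an `unverified` result needs a look at the host's own mount layout to confirm the paths match.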