chainguard-dev / melange

build APKs from source code
Apache License 2.0

Failing on destdir creation when running as non-root #1647

Open maxgio92 opened 1 week ago

maxgio92 commented 1 week ago

Issue

When running as non-root, the destination dir inside the workspace directory, which is owned by root, can't be created in the subpackage pipelines.

How to reproduce

It can be reproduced by running this pipeline with the Docker runner.

Log:

...
2024/11/14 18:41:24 INFO running step "go/build"
2024/11/14 18:42:08 INFO running pipeline for subpackage openbao-compat
2024/11/14 18:42:13 INFO pod 0147b793a3a4d7da5718efe02d283f08dd0b2fa2e0ea6d6ec42f79d2bf1cb639 terminated
2024/11/14 18:42:13 INFO deleting guest dir /tmp/melange-guest-3710148864
2024/11/14 18:42:13 INFO deleting workspace dir /tmp/melange-workspace-863606971
2024/11/14 18:42:13 INFO deleting image apko.local/cache:5125b9ef6e4177faa3839e5202911825e07e9584d9283856a1bc11c77c23563a
2024/11/14 18:42:13 INFO untagged apko.local/cache:5125b9ef6e4177faa3839e5202911825e07e9584d9283856a1bc11c77c23563a
2024/11/14 18:42:13 INFO deleted sha256:aacf77f979edf8c434a5b25d431f368f62599141dcba99a4d63bd9c612a76a20
2024/11/14 18:42:13 INFO deleted sha256:2c3054dd01157c4d8b7e76f0eb41a278b1d1eeff9a7e4bc13d21aa117ff361d8
2024/11/14 18:42:13 ERRO failed to build package: mkdir /tmp/melange-workspace-863606971/melange-out: permission denied

The workspace directory is created as root by Docker when it is bind-mounted as a volume. The pipeline is run as root, but it seems the destination directory mkdir is not.

Additional info

It would be nice to reach a state where the whole pipeline is run as an unprivileged user, with proper permissions and ownership across the whole filesystem, as happens in the Bubblewrap environment with the unshared user namespace.

89luca89 commented 1 week ago

To expand on this

This happens on systems like Linux where melange is run as your $USER, while dockerd is running as root, and $USER is in the docker group.

Probably something localized in the git step, which chowns as root (the user running inside Docker).

wojciechka commented 1 week ago

@89luca89 There are two things: melange is using MkdirTemp, which sets the directory to 0700 (and it's later chown-ed to root), and also git-checkout and its use of tar, which overrides permissions for /home/build to 0700.

Fixed in #1646, but I am not sure if this fully solves it: any builds that create directories/files not readable by the user melange is running as will fail to be packaged.
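The failure described in the issue body and in the comment above (a 0700 workspace from MkdirTemp that ends up root-owned, then a non-root mkdir of melange-out inside it) can be reproduced and diagnosed without Docker. The following is an added example written for this thread, not melange's own code: canCreateSubdir applies the same owner/group/other write+search check the kernel applies to mkdir(2) and reports who owns the directory versus who is calling, which is the pre-flight diagnostic a runner could emit before the bare "permission denied". Since a test cannot chown to root, reproduce simulates the root-owned 0700 workspace with a 0500 directory owned by the caller; that substitution, the function names, and the "melange-workspace-" prefix are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// canCreateSubdir predicts, from ownership and permission bits alone,
// whether the calling process may create a subdirectory inside dir.
// This mirrors the discretionary check the kernel applies to mkdir(2):
// the caller needs write and search permission on dir through the
// owner, group or other bits, unless it runs as uid 0.
// Unix only: it relies on syscall.Stat_t from os.Stat.
func canCreateSubdir(dir string) (bool, string) {
	fi, err := os.Stat(dir)
	if err != nil {
		return false, err.Error()
	}
	if !fi.IsDir() {
		return false, dir + " is not a directory"
	}
	uid := os.Getuid()
	if uid == 0 {
		return true, "running as root, permission bits do not apply"
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, "no Stat_t available on this platform"
	}
	perm := fi.Mode().Perm()
	desc := fmt.Sprintf("%s: owner uid=%d gid=%d mode=%04o, caller uid=%d",
		dir, st.Uid, st.Gid, perm, uid)

	// Pick the permission triplet that applies to the caller.
	var bits os.FileMode
	switch {
	case int(st.Uid) == uid:
		bits = perm >> 6
	case inGroup(int(st.Gid)):
		bits = perm >> 3
	default:
		bits = perm
	}
	if bits&0o3 == 0o3 { // need w (2) and x (1)
		return true, desc
	}
	return false, desc + " (no write+search permission for caller)"
}

// inGroup reports whether gid is the caller's primary or a supplementary group.
func inGroup(gid int) bool {
	if gid == os.Getgid() {
		return true
	}
	groups, err := os.Getgroups()
	if err != nil {
		return false
	}
	for _, g := range groups {
		if g == gid {
			return true
		}
	}
	return false
}

// reproduce stands in for the workspace handed back by the Docker runner.
// Without Docker the directory cannot be made root-owned, so mode 0500 on a
// directory we own (no write bit) plays the role of root's 0700 as seen by
// an unprivileged caller. This is a constructed scenario, not a real melange
// workspace. It returns the prediction and the real mkdir error so the two
// can be compared.
func reproduce() (predicted bool, mkdirErr error, err error) {
	ws, err := os.MkdirTemp("", "melange-workspace-") // 0700, owned by us
	if err != nil {
		return false, nil, err
	}
	defer func() {
		_ = os.Chmod(ws, 0o700) // restore so cleanup can remove children
		_ = os.RemoveAll(ws)
	}()
	if err := os.Chmod(ws, 0o500); err != nil {
		return false, nil, err
	}
	predicted, why := canCreateSubdir(ws)
	fmt.Println(why)
	mkdirErr = os.Mkdir(filepath.Join(ws, "melange-out"), 0o755)
	return predicted, mkdirErr, nil
}

func main() {
	predicted, mkdirErr, err := reproduce()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("predicted can-create=%v, mkdir error=%v\n", predicted, mkdirErr)
}
```

Run as a normal user the prediction and the real mkdir agree (both refuse); run as root both succeed, which is exactly why the bug only shows up when melange itself is unprivileged while the container side runs as root.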

89luca89 commented 1 week ago

This is basically this issue: https://github.com/chainguard-dev/melange/issues/1254